Merge branch 'main' into sajwtcreds-universe-domain

Author: mpeddada1

oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java

@@ -407,9 +407,9 @@ public IdToken idTokenWithAudience(String targetAudience, List<IdTokenProvider.O
         documentUrl.set("format", "full");
       }
       if (options.contains(IdTokenProvider.Option.LICENSES_TRUE)) {
-        // license will only get returned if format is also full
+        // licenses will only get returned if format is also full
         documentUrl.set("format", "full");
-        documentUrl.set("license", "TRUE");
+        documentUrl.set("licenses", "TRUE");
       }
     }
     documentUrl.set("audience", targetAudience);

oauth2_http/java/com/google/auth/oauth2/UserAuthorizer.java

@@ -206,7 +206,7 @@ public URL getAuthorizationUrl(
       url.put("state", state);
     }
     url.put("access_type", "offline");
-    url.put("approval_prompt", "force");
+    url.put("prompt", "consent");
     if (userId != null) {
       url.put("login_hint", userId);
     }

oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java

@@ -103,19 +103,19 @@ public class ComputeEngineCredentialsTest extends BaseSerializationTest {
           + "20iLCJzdWIiOiIxMTIxNzkwNjI3MjAzOTEzMDU4ODUifQ.redacted";
 
   // Id Token which includes GCE extended claims and any VM License data (if applicable)
-  public static final String FULL_ID_TOKEN_WITH_LICENSE =
+  public static final String FULL_ID_TOKEN_WITH_LICENSES =
       "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRmMzc1ODkwOG"
           + "I3OTIyOTNhZDk3N2EwYjk5MWQ5OGE3N2Y0ZWVlY2QiLCJ0eXAiOiJKV1QifQ.ew0KICAiYXVkIjogImh0dHBzOi8"
           + "vZm9vLmJhciIsDQogICJhenAiOiAiMTEyMTc5MDYyNzIwMzkxMzA1ODg1IiwNCiAgImVtYWlsIjogIjEyMzQ1Ni1"
           + "jb21wdXRlQGRldmVsb3Blci5nc2VydmljZWFjY291bnQuY29tIiwNCiAgImVtYWlsX3ZlcmlmaWVkIjogdHJ1ZSw"
           + "NCiAgImV4cCI6IDE1NjQ1MTk0OTYsDQogICJnb29nbGUiOiB7DQogICAgImNvbXB1dGVfZW5naW5lIjogew0KICA"
           + "gICAgImluc3RhbmNlX2NyZWF0aW9uX3RpbWVzdGFtcCI6IDE1NjMyMzA5MDcsDQogICAgICAiaW5zdGFuY2VfaWQ"
-          + "iOiAiMzQ5Nzk3NDM5MzQ0MTE3OTI0MyIsDQogICAgICAiaW5zdGFuY2VfbmFtZSI6ICJpYW0iLA0KICAgICAgInB"
-          + "yb2plY3RfaWQiOiAiZm9vLWJhci04MjAiLA0KICAgICAgInByb2plY3RfbnVtYmVyIjogMTA3MTI4NDE4NDQzNiw"
-          + "NCiAgICAgICJ6b25lIjogInVzLWNlbnRyYWwxLWEiDQogICAgfSwNCiAgICAibGljZW5zZSI6IFsNCiAgICAgICA"
-          + "iTElDRU5TRV8xIiwNCiAgICAgICAiTElDRU5TRV8yIg0KICAgIF0NCiAgfSwNCiAgImlhdCI6IDE1NjQ1MTU4OTY"
-          + "sDQogICJpc3MiOiAiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tIiwNCiAgInN1YiI6ICIxMTIxNzkwNjI3MjA"
-          + "zOTEzMDU4ODUiDQp9.redacted";
+          + "iOiAiMzQ5Nzk3NDM5MzQ0MTE3OTI0MyIsDQogICAgICAiaW5zdGFuY2VfbmFtZSI6ICJpYW0iLA0KICAgICAgImx"
+          + "pY2Vuc2VfaWQiOiBbDQogICAgICAgICIxMDAxMDAwIiwNCiAgICAgICAgIjEwMDEwMDEiLA0KICAgICAgICAiMTA"
+          + "wMTAwOCINCiAgICAgIF0sDQogICAgICAicHJvamVjdF9pZCI6ICJmb28tYmFyLTgyMCIsDQogICAgICAicHJvamV"
+          + "jdF9udW1iZXIiOiAxMDcxMjg0MTg0NDM2LA0KICAgICAgInpvbmUiOiAidXMtY2VudHJhbDEtYSINCiAgICB9DQo"
+          + "gIH0sDQogICJpYXQiOiAxNTY0NTE1ODk2LA0KICAiaXNzIjogImh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbSI"
+          + "sDQogICJzdWIiOiAiMTEyMTc5MDYyNzIwMzkxMzA1ODg1Ig0KfQ.redacted";
   private static final String ACCESS_TOKEN = "1/MkSJoj1xsli0AccessToken_NKPY2";
   private static final List<String> SCOPES = Arrays.asList("foo", "bar");
   private static final String ACCESS_TOKEN_WITH_SCOPES = "1/MkSJoj1xsli0AccessTokenScoped_NKPY2";
@@ -1066,7 +1066,8 @@ public void idTokenWithAudience_full() throws IOException {
     tokenCredential.refresh();
     Payload p = tokenCredential.getIdToken().getJsonWebSignature().getPayload();
     assertTrue("Full ID Token format not provided", p.containsKey("google"));
-    ArrayMap<String, ArrayMap> googleClaim = (ArrayMap<String, ArrayMap>) p.get("google");
+    ArrayMap<String, ArrayMap<String, ?>> googleClaim =
+        (ArrayMap<String, ArrayMap<String, ?>>) p.get("google");
     assertTrue(googleClaim.containsKey("compute_engine"));
 
     // verify metrics header
@@ -1076,7 +1077,7 @@ public void idTokenWithAudience_full() throws IOException {
 
   @Test
   @SuppressWarnings("unchecked")
-  public void idTokenWithAudience_license() throws IOException {
+  public void idTokenWithAudience_licenses() throws IOException {
     MockMetadataServerTransportFactory transportFactory = new MockMetadataServerTransportFactory();
     ComputeEngineCredentials credentials =
         ComputeEngineCredentials.newBuilder().setHttpTransportFactory(transportFactory).build();
@@ -1093,8 +1094,12 @@ public void idTokenWithAudience_license() throws IOException {
     tokenCredential.refresh();
     Payload p = tokenCredential.getIdToken().getJsonWebSignature().getPayload();
     assertTrue("Full ID Token format not provided", p.containsKey("google"));
-    ArrayMap<String, ArrayMap> googleClaim = (ArrayMap<String, ArrayMap>) p.get("google");
-    assertTrue(googleClaim.containsKey("license"));
+    ArrayMap<String, ArrayMap<String, ?>> googleClaim =
+        (ArrayMap<String, ArrayMap<String, ?>>) p.get("google");
+    assertTrue(googleClaim.containsKey("compute_engine"));
+    ArrayMap<String, ?> computeEngineClaim =
+        (ArrayMap<String, ?>) googleClaim.get("compute_engine");
+    assertTrue(computeEngineClaim.containsKey("license_id"));
   }
 
   @Test

oauth2_http/javatests/com/google/auth/oauth2/MockMetadataServerTransport.java

@@ -50,12 +50,16 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.regex.Pattern;
 
 /** Transport that simulates the GCE metadata server for access tokens. */
 public class MockMetadataServerTransport extends MockHttpTransport {
 
+  private static final Pattern BOOL_PARAMETER_VALUE = Pattern.compile("on|1|(?i)y|yes|true");
+
   // key are scopes as in request url string following "?scopes="
   private Map<String, String> scopesToAccessToken;
+
   private Integer statusCode;
 
   private String serviceAccountEmail;
@@ -271,14 +275,16 @@ public LowLevelHttpResponse execute() {
     if (queryPairs.containsKey("format")) {
       if (((String) queryPairs.get("format")).equals("full")) {
 
-        // return license only if format=full is set
-        if (queryPairs.containsKey("license")) {
-          if (((String) queryPairs.get("license")).equals("TRUE")) {
+        // return licenses only if format=full is set
+        if (queryPairs.containsKey("licenses")) {
+          // The metadata server defaults to false and matches "on", "off" and ::absl::SimpleAtob.
+          // See https://abseil.io/docs/cpp/guides/strings#numericConversion for more information.
+          if (BOOL_PARAMETER_VALUE.matcher((String) queryPairs.get("licenses")).matches()) {
             return new MockLowLevelHttpRequest(url) {
               @Override
               public LowLevelHttpResponse execute() throws IOException {
                 return new MockLowLevelHttpResponse()
-                    .setContent(ComputeEngineCredentialsTest.FULL_ID_TOKEN_WITH_LICENSE);
+                    .setContent(ComputeEngineCredentialsTest.FULL_ID_TOKEN_WITH_LICENSES);
               }
             };
           }

oauth2_http/javatests/com/google/auth/oauth2/UserAuthorizerTest.java

@@ -207,6 +207,7 @@ public void getAuthorizationUrl() throws IOException {
     assertEquals("code", parameters.get("response_type"));
     assertEquals(pkce.getCodeChallenge(), parameters.get("code_challenge"));
     assertEquals(pkce.getCodeChallengeMethod(), parameters.get("code_challenge_method"));
+    assertEquals("consent", parameters.get("prompt"));
   }
 
   @Test

samples/snippets/pom.xml

@@ -43,7 +43,7 @@
     <dependency>
       <groupId>com.google.auth</groupId>
       <artifactId>google-auth-library-oauth2-http</artifactId>
-      <version>1.33.1</version>
+      <version>1.35.0</version>
     </dependency>
 
 <!--    IAM dependency-->