TrustBoundaryUrl's universe domain is now configured from the client's universe domain.

vverman · vverman · commit f73786671852 · 2025-10-30T15:09:02.000-07:00
diff --git a/oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java
@@ -100,10 +100,6 @@ public abstract class ExternalAccountCredentials extends GoogleCredentials
 
   private EnvironmentProvider environmentProvider;
 
-  private static final String WORKFORCE_POOL_URL_FORMAT =
-      "https://iamcredentials.googleapis.com/v1/locations/global/workforcePools/%s/allowedLocations";
-  private static final String WORKLOAD_POOL_URL_FORMAT =
-      "https://iamcredentials.googleapis.com/v1/projects/%s/locations/global/workloadIdentityPools/%s/allowedLocations";
 
   private static final Pattern WORKFORCE_PATTERN =
       Pattern.compile(
@@ -633,26 +629,28 @@ public String getServiceAccountEmail() {
     return ImpersonatedCredentials.extractTargetPrincipal(serviceAccountImpersonationUrl);
   }
 
-  // todo Add doc comment.
   @Override
   public String getTrustBoundaryUrl() throws IOException {
-    if (isWorkforcePoolConfiguration()) {
-      Matcher matcher = WORKFORCE_PATTERN.matcher(getAudience());
-      if (!matcher.matches()) {
-        throw new IOException(
-            "The provided audience is not in the correct format for a workforce pool.");
-      }
-      String poolId = matcher.group("pool");
-      return String.format(WORKFORCE_POOL_URL_FORMAT, poolId);
+    Matcher workforceMatcher = WORKFORCE_PATTERN.matcher(getAudience());
+    Matcher workloadMatcher = WORKLOAD_PATTERN.matcher(getAudience());
+
+    if (workforceMatcher.matches()) {
+      String poolId = workforceMatcher.group("pool");
+      return String.format(
+          OAuth2Utils.IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_WORKFORCE_POOL,
+          getUniverseDomain(),
+          poolId);
+    } else if (workloadMatcher.matches()) {
+      String projectNumber = workloadMatcher.group("project");
+      String poolId = workloadMatcher.group("pool");
+      return String.format(
+          OAuth2Utils.IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_WORKLOAD_POOL,
+          getUniverseDomain(),
+          projectNumber,
+          poolId);
     } else {
-      Matcher matcher = WORKLOAD_PATTERN.matcher(getAudience());
-      if (!matcher.matches()) {
-        throw new IOException(
-            "The provided audience is not in the correct format for a workload identity pool.");
-      }
-      String projectNumber = matcher.group("project");
-      String poolId = matcher.group("pool");
-      return String.format(WORKLOAD_POOL_URL_FORMAT, projectNumber, poolId);
+      throw new IOException(
+          "The provided audience is not in a valid format for either a workload identity pool or a workforce pool.");
     }
   }
 
diff --git a/oauth2_http/java/com/google/auth/oauth2/OAuth2Utils.java b/oauth2_http/java/com/google/auth/oauth2/OAuth2Utils.java
@@ -96,6 +96,10 @@ public class OAuth2Utils {
 
   static final String IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_SERVICE_ACCOUNT =
       "https://iamcredentials.%s/v1/projects/-/serviceAccounts/%s/allowedLocations";
+  static final String IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_WORKFORCE_POOL =
+      "https://iamcredentials.%s/v1/locations/global/workforcePools/%s/allowedLocations";
+  static final String IAM_CREDENTIALS_ALLOWED_LOCATIONS_URL_FORMAT_WORKLOAD_POOL =
+      "https://iamcredentials.%s/v1/projects/%s/locations/global/workloadIdentityPools/%s/allowedLocations";
   static final URI USER_AUTH_URI = URI.create("https://accounts.google.com/o/oauth2/auth");
 
   public static final String CLOUD_PLATFORM_SCOPE =
diff --git a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
@@ -1162,7 +1162,6 @@ public static class Builder extends GoogleCredentials.Builder {
     private int lifetime = DEFAULT_LIFETIME_IN_SECONDS;
     private boolean useJwtAccessWithScope = false;
     private boolean defaultRetriesEnabled = true;
-    private TrustBoundary trustBoundary;
 
     protected Builder() {}
 
@@ -1181,7 +1180,6 @@ protected Builder(ServiceAccountCredentials credentials) {
       this.lifetime = credentials.lifetime;
       this.useJwtAccessWithScope = credentials.useJwtAccessWithScope;
       this.defaultRetriesEnabled = credentials.defaultRetriesEnabled;
-      this.trustBoundary = credentials.getTrustBoundary();
     }
 
     @CanIgnoreReturnValue
diff --git a/oauth2_http/javatests/com/google/auth/TestUtils.java b/oauth2_http/javatests/com/google/auth/TestUtils.java
@@ -150,7 +150,7 @@ public static HttpResponseException buildHttpResponseException(
   public static String getDefaultExpireTime() {
     Calendar calendar = Calendar.getInstance();
     calendar.setTime(new Date());
-    calendar.add(Calendar.SECOND, 30000);
+    calendar.add(Calendar.SECOND, 3000);
     return new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'").format(calendar.getTime());
   }
 

Original file line number	Diff line number	Diff line change
`@@ -150,7 +150,7 @@ public static HttpResponseException buildHttpResponseException(`
`150`	`150`	`public static String getDefaultExpireTime() {`
`151`	`151`	`Calendar calendar = Calendar.getInstance();`
`152`	`152`	`calendar.setTime(new Date());`
`153`		`- calendar.add(Calendar.SECOND, 30000);`
	`153`	`+ calendar.add(Calendar.SECOND, 3000);`
`154`	`154`	`return new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'").format(calendar.getTime());`
`155`	`155`	`}`
`156`	`156`