googleapis · vverman · Aug 23, 2025 · Aug 25, 2025 · Sep 28, 2025 · Sep 29, 2025
@@ -55,6 +55,8 @@
 import java.util.Date;
 import java.util.Map;
 import java.util.Objects;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 import javax.annotation.Nullable;
 
 /**
@@ -75,12 +77,19 @@
  * }
  * </pre>
  */
-public class ExternalAccountAuthorizedUserCredentials extends GoogleCredentials {
+public class ExternalAccountAuthorizedUserCredentials extends GoogleCredentials
+    implements TrustBoundaryProvider {
 
   private static final String PARSE_ERROR_PREFIX = "Error parsing token refresh response. ";
 
   private static final long serialVersionUID = -2181779590486283287L;
 
+  private static final String WORKFORCE_POOL_URL_FORMAT =
+      "https://iamcredentials.googleapis.com/v1/locations/global/workforcePools/%s/allowedLocations";
+  private static final Pattern WORKFORCE_PATTERN =
+      Pattern.compile(
+          "^//iam.googleapis.com/locations/(?<location>[^/]+)/workforcePools/(?<pool>[^/]+)/providers/(?<provider>[^/]+)$");
+
   private final String transportFactoryClassName;
   private final String audience;
   private final String tokenUrl;
@@ -210,10 +219,25 @@ public AccessToken refreshAccessToken() throws IOException {
       this.refreshToken = refreshToken;
     }
 
-    return AccessToken.newBuilder()
-        .setExpirationTime(expiresAtMilliseconds)
-        .setTokenValue(accessToken)
-        .build();
+    AccessToken newAccessToken =
+        AccessToken.newBuilder()
+            .setExpirationTime(expiresAtMilliseconds)
+            .setTokenValue(accessToken)
+            .build();
+
+    refreshTrustBoundary(newAccessToken, transportFactory);
+    return newAccessToken;
+  }
+
+  @Override
+  public String getTrustBoundaryUrl() throws IOException {
+    Matcher matcher = WORKFORCE_PATTERN.matcher(getAudience());
+    if (!matcher.matches()) {
+      throw new IOException(
+          "The provided audience is not in the correct format for a workforce pool.");
+    }
+    String poolId = matcher.group("pool");
+    return String.format(WORKFORCE_POOL_URL_FORMAT, poolId);
   }
 
   @Nullable

@@ -55,6 +55,7 @@
 import java.util.Locale;
 import java.util.Map;
 import java.util.concurrent.Executor;
+import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import javax.annotation.Nullable;
 
@@ -64,7 +65,8 @@
  * <p>Handles initializing external credentials, calls to the Security Token Service, and service
  * account impersonation.
  */
-public abstract class ExternalAccountCredentials extends GoogleCredentials {
+public abstract class ExternalAccountCredentials extends GoogleCredentials
+    implements TrustBoundaryProvider {
 
   private static final long serialVersionUID = 8049126194174465023L;
 
@@ -98,6 +100,18 @@ public abstract class ExternalAccountCredentials extends GoogleCredentials {
 
   private EnvironmentProvider environmentProvider;
 
+  private static final String WORKFORCE_POOL_URL_FORMAT =
+      "https://iamcredentials.googleapis.com/v1/locations/global/workforcePools/%s/allowedLocations";
+  private static final String WORKLOAD_POOL_URL_FORMAT =
+      "https://iamcredentials.googleapis.com/v1/projects/%s/locations/global/workloadIdentityPools/%s/allowedLocations";
+
+  private static final Pattern WORKFORCE_PATTERN =
+      Pattern.compile(
+          "^//iam.googleapis.com/locations/(?<location>[^/]+)/workforcePools/(?<pool>[^/]+)/providers/(?<provider>[^/]+)$");
+  private static final Pattern WORKLOAD_PATTERN =
+      Pattern.compile(
+          "^//iam.googleapis.com/projects/(?<project>[^/]+)/locations/(?<location>[^/]+)/workloadIdentityPools/(?<pool>[^/]+)/providers/(?<provider>[^/]+)$");
+
   /**
    * Constructor with minimum identifying information and custom HTTP transport. Does not support
    * workforce credentials.
@@ -527,7 +541,11 @@ protected AccessToken exchangeExternalCredentialForAccessToken(
       this.impersonatedCredentials = this.buildImpersonatedCredentials();
     }
     if (this.impersonatedCredentials != null) {
-      return this.impersonatedCredentials.refreshAccessToken();
+      AccessToken accessToken = this.impersonatedCredentials.refreshAccessToken();
+      // After the impersonated credential refreshes, its trust boundary is
+      // also refreshed. That is the trust boundary we will use.
+      setTrustBoundary(this.impersonatedCredentials.getTrustBoundary());
+      return accessToken;
     }
 
     StsRequestHandler.Builder requestHandler =
@@ -556,7 +574,9 @@ protected AccessToken exchangeExternalCredentialForAccessToken(
     }
 
     StsTokenExchangeResponse response = requestHandler.build().exchangeToken();
-    return response.getAccessToken();
+    AccessToken accessToken = response.getAccessToken();
+    refreshTrustBoundary(accessToken, transportFactory);
+    return accessToken;
   }
 
   /**
@@ -613,6 +633,29 @@ public String getServiceAccountEmail() {
     return ImpersonatedCredentials.extractTargetPrincipal(serviceAccountImpersonationUrl);
   }
 
+  // todo Add doc comment.
+  @Override
+  public String getTrustBoundaryUrl() throws IOException {
+    if (isWorkforcePoolConfiguration()) {
+      Matcher matcher = WORKFORCE_PATTERN.matcher(getAudience());
+      if (!matcher.matches()) {
+        throw new IOException(
+            "The provided audience is not in the correct format for a workforce pool.");
+      }
+      String poolId = matcher.group("pool");
+      return String.format(WORKFORCE_POOL_URL_FORMAT, poolId);
+    } else {
+      Matcher matcher = WORKLOAD_PATTERN.matcher(getAudience());
+      if (!matcher.matches()) {
+        throw new IOException(
+            "The provided audience is not in the correct format for a workload identity pool.");
+      }
+      String projectNumber = matcher.group("project");
+      String poolId = matcher.group("pool");
+      return String.format(WORKLOAD_POOL_URL_FORMAT, projectNumber, poolId);
+    }
+  }
+
   @Nullable
   public String getClientId() {
     return clientId;

@@ -339,6 +339,10 @@ TrustBoundary getTrustBoundary() {
     return trustBoundary;
   }
 
+  protected void setTrustBoundary(TrustBoundary trustBoundary) {
+    this.trustBoundary = trustBoundary;
+  }
+
   /**
    * Refreshes the trust boundary by making a call to the trust boundary URL.
    *

diff --git a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
@@ -1162,6 +1162,7 @@ public static class Builder extends GoogleCredentials.Builder {
     private int lifetime = DEFAULT_LIFETIME_IN_SECONDS;
     private boolean useJwtAccessWithScope = false;
     private boolean defaultRetriesEnabled = true;
+    private TrustBoundary trustBoundary;
 
     protected Builder() {}
 
@@ -1180,6 +1181,7 @@ protected Builder(ServiceAccountCredentials credentials) {
       this.lifetime = credentials.lifetime;
       this.useJwtAccessWithScope = credentials.useJwtAccessWithScope;
       this.defaultRetriesEnabled = credentials.defaultRetriesEnabled;
+      this.trustBoundary = credentials.getTrustBoundary();
     }
 
     @CanIgnoreReturnValue

@@ -184,9 +184,7 @@ static TrustBoundary refresh(
 
     // Add the cached trust boundary header, if available.
     if (cachedTrustBoundary != null) {
-      String headerValue =
-          cachedTrustBoundary.isNoOp() ? "" : cachedTrustBoundary.getEncodedLocations();
-      request.getHeaders().set(TRUST_BOUNDARY_KEY, headerValue);
+      request.getHeaders().set(TRUST_BOUNDARY_KEY, cachedTrustBoundary.getEncodedLocations());
     }
 
     // Add retry logic

@@ -42,6 +42,7 @@
 import com.google.api.client.json.gson.GsonFactory;
 import com.google.auth.http.AuthHttpConstants;
 import com.google.common.base.Splitter;
+import com.google.common.collect.ImmutableList;
 import com.google.common.collect.Lists;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -64,6 +65,9 @@ public class TestUtils {
       URI.create("https://auth.cloud.google/authorize");
   public static final URI WORKFORCE_IDENTITY_FEDERATION_TOKEN_SERVER_URI =
       URI.create("https://sts.googleapis.com/v1/oauthtoken");
+  public static final String TRUST_BOUNDARY_ENCODED_LOCATION = "0x800000";
+  public static final List<String> TRUST_BOUNDARY_LOCATIONS =
+      ImmutableList.of("us-central1", "us-central2");
 
   private static final JsonFactory JSON_FACTORY = GsonFactory.getDefaultInstance();
 
@@ -146,7 +150,7 @@ public static HttpResponseException buildHttpResponseException(
   public static String getDefaultExpireTime() {
     Calendar calendar = Calendar.getInstance();
     calendar.setTime(new Date());
-    calendar.add(Calendar.SECOND, 300);
+    calendar.add(Calendar.SECOND, 30000);
     return new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'").format(calendar.getTime());
   }
 

@@ -1399,4 +1399,34 @@ public AwsSecurityCredentials getCredentials(ExternalAccountSupplierContext cont
       return credentials;
     }
   }
+
+  @Test
+  public void testRefresh_trustBoundarySuccess() throws IOException {
+    TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+    TrustBoundary.setEnvironmentProviderForTest(environmentProvider);
+    environmentProvider.setEnv("GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT", "1");
+
+    MockExternalAccountCredentialsTransportFactory transportFactory =
+        new MockExternalAccountCredentialsTransportFactory();
+
+    AwsSecurityCredentialsSupplier supplier =
+        new TestAwsSecurityCredentialsSupplier("test", programmaticAwsCreds, null, null);
+
+    AwsCredentials awsCredential =
+        AwsCredentials.newBuilder()
+            .setAwsSecurityCredentialsSupplier(supplier)
+            .setHttpTransportFactory(transportFactory)
+            .setAudience(
+                "//iam.googleapis.com/projects/12345/locations/global/workloadIdentityPools/pool/providers/provider")
+            .setTokenUrl(STS_URL)
+            .setSubjectTokenType("subjectTokenType")
+            .build();
+
+    awsCredential.refreshAccessToken();
+
+    TrustBoundary trustBoundary = awsCredential.getTrustBoundary();
+    assertNotNull(trustBoundary);
+    assertEquals(TestUtils.TRUST_BOUNDARY_ENCODED_LOCATION, trustBoundary.getEncodedLocations());
+    TrustBoundary.setEnvironmentProviderForTest(null);
+  }
 }
@@ -33,6 +33,7 @@
 
 import static com.google.auth.oauth2.ComputeEngineCredentials.METADATA_RESPONSE_EMPTY_CONTENT_ERROR_MESSAGE;
 import static com.google.auth.oauth2.ImpersonatedCredentialsTest.SA_CLIENT_EMAIL;
+import static com.google.auth.oauth2.TrustBoundary.TRUST_BOUNDARY_KEY;
 import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
@@ -1159,15 +1160,17 @@ public void refresh_trustBoundarySuccess() throws IOException {
     String defaultAccountEmail = "[email protected]";
     MockMetadataServerTransportFactory transportFactory = new MockMetadataServerTransportFactory();
     TrustBoundary trustBoundary =
-        new TrustBoundary("0x80000", Collections.singletonList("us-central1"));
+        new TrustBoundary(
+            TestUtils.TRUST_BOUNDARY_ENCODED_LOCATION, TestUtils.TRUST_BOUNDARY_LOCATIONS);
     transportFactory.transport.setTrustBoundary(trustBoundary);
     transportFactory.transport.setServiceAccountEmail(defaultAccountEmail);
 
     ComputeEngineCredentials credentials =
         ComputeEngineCredentials.newBuilder().setHttpTransportFactory(transportFactory).build();
 
     Map<String, List<String>> headers = credentials.getRequestMetadata();
-    assertEquals(headers.get("x-allowed-locations"), Arrays.asList("0x80000"));
+    assertEquals(
+        headers.get(TRUST_BOUNDARY_KEY), Arrays.asList(TestUtils.TRUST_BOUNDARY_ENCODED_LOCATION));
   }
 
   @Test

@@ -35,6 +35,7 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotEquals;
+import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertSame;
 import static org.junit.Assert.assertTrue;
@@ -62,6 +63,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -132,6 +134,11 @@ public void setup() {
     transportFactory = new MockExternalAccountAuthorizedUserCredentialsTransportFactory();
   }
 
+  @After
+  public void tearDown() {
+    TrustBoundary.setEnvironmentProviderForTest(null);
+  }
+
   @Test
   public void builder_allFields() throws IOException {
     ExternalAccountAuthorizedUserCredentials credentials =
@@ -1216,6 +1223,56 @@ public void toString_expectedFormat() {
     assertEquals(expectedToString, credentials.toString());
   }
 
+  @Test
+  public void testRefresh_trustBoundarySuccess() throws IOException {
+    TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+    TrustBoundary.setEnvironmentProviderForTest(environmentProvider);
+    environmentProvider.setEnv("GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT", "1");
+
+    ExternalAccountAuthorizedUserCredentials credentials =
+        ExternalAccountAuthorizedUserCredentials.newBuilder()
+            .setHttpTransportFactory(transportFactory)
+            .setAudience(AUDIENCE)
+            .setClientId(CLIENT_ID)
+            .setClientSecret(CLIENT_SECRET)
+            .setRefreshToken(REFRESH_TOKEN)
+            .setTokenUrl(TOKEN_URL)
+            .build();
+
+    credentials.refresh();
+    TrustBoundary trustBoundary = credentials.getTrustBoundary();
+    assertNotNull(trustBoundary);
+    assertEquals(TestUtils.TRUST_BOUNDARY_ENCODED_LOCATION, trustBoundary.getEncodedLocations());
+    TrustBoundary.setEnvironmentProviderForTest(null);
+  }
+
+  @Test
+  public void testRefresh_trustBoundaryFails_incorrectAudience() throws IOException {
+    TestEnvironmentProvider environmentProvider = new TestEnvironmentProvider();
+    TrustBoundary.setEnvironmentProviderForTest(environmentProvider);
+    environmentProvider.setEnv("GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT", "1");
+
+    ExternalAccountAuthorizedUserCredentials credentials =
+        ExternalAccountAuthorizedUserCredentials.newBuilder()
+            .setHttpTransportFactory(transportFactory)
+            .setAudience("audience")
+            .setClientId(CLIENT_ID)
+            .setClientSecret(CLIENT_SECRET)
+            .setRefreshToken(REFRESH_TOKEN)
+            .setTokenUrl(TOKEN_URL)
+            .build();
+
+    try {
+      credentials.refresh();
+      fail("Expected IOException to be thrown.");
+    } catch (IOException e) {
+      assertEquals(
+          "The provided audience is not in the correct format for a workforce pool.",
+          e.getMessage());
+    }
+    TrustBoundary.setEnvironmentProviderForTest(null);
+  }
+
   @Test
   public void serialize() throws IOException, ClassNotFoundException {
     ExternalAccountAuthorizedUserCredentials credentials =