From 4d8eca8b0e2b1947dec46930c70d6006d2530d27 Mon Sep 17 00:00:00 2001
From: arithmetic1728 <liusijun1985@gmail.com>
Date: Sat, 13 Feb 2021 22:52:49 -0800
Subject: [PATCH 01/10] feat: add self signed jwt support

---
 .../auth/oauth2/AppEngineCredentials.java     |  36 ++-
 .../auth/oauth2/ComputeEngineCredentials.java |  55 +++-
 .../oauth2/DefaultCredentialsProvider.java    |   3 +-
 .../google/auth/oauth2/GoogleCredentials.java |  14 +
 .../oauth2/ServiceAccountCredentials.java     | 240 +++++++++++++++++-
 .../auth/oauth2/AppEngineCredentialsTest.java |  25 +-
 .../oauth2/ComputeEngineCredentialsTest.java  |  17 ++
 .../oauth2/ServiceAccountCredentialsTest.java |  95 ++++++-
 8 files changed, 457 insertions(+), 28 deletions(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/AppEngineCredentials.java b/oauth2_http/java/com/google/auth/oauth2/AppEngineCredentials.java
index baa2f6530..92f1fde8f 100644
--- a/oauth2_http/java/com/google/auth/oauth2/AppEngineCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/AppEngineCredentials.java
@@ -69,6 +69,7 @@ class AppEngineCredentials extends GoogleCredentials implements ServiceAccountSi
   private static final String GET_SIGNATURE_METHOD = "getSignature";
 
   private final Collection<String> scopes;
+  private final Collection<String> defaultScopes;
   private final boolean scopesRequired;
 
   private transient Object appIdentityService;
@@ -79,19 +80,25 @@ class AppEngineCredentials extends GoogleCredentials implements ServiceAccountSi
   private transient Method getSignature;
   private transient String account;
 
-  AppEngineCredentials(Collection<String> scopes) throws IOException {
+  AppEngineCredentials(Collection<String> scopes, Collection<String> defaultScopes)
+      throws IOException {
     this.scopes = scopes == null ? ImmutableSet.<String>of() : ImmutableList.copyOf(scopes);
-    this.scopesRequired = this.scopes.isEmpty();
+    this.defaultScopes =
+        defaultScopes == null ? ImmutableSet.<String>of() : ImmutableList.copyOf(defaultScopes);
+    this.scopesRequired = this.scopes.isEmpty() && this.defaultScopes.isEmpty();
     init();
   }
 
-  AppEngineCredentials(Collection<String> scopes, AppEngineCredentials unscoped) {
+  AppEngineCredentials(
+      Collection<String> scopes, Collection<String> defaultScopes, AppEngineCredentials unscoped) {
     this.appIdentityService = unscoped.appIdentityService;
     this.getAccessToken = unscoped.getAccessToken;
     this.getAccessTokenResult = unscoped.getAccessTokenResult;
     this.getExpirationTime = unscoped.getExpirationTime;
     this.scopes = scopes == null ? ImmutableSet.<String>of() : ImmutableList.copyOf(scopes);
-    this.scopesRequired = this.scopes.isEmpty();
+    this.defaultScopes =
+        defaultScopes == null ? ImmutableSet.<String>of() : ImmutableList.copyOf(defaultScopes);
+    this.scopesRequired = this.scopes.isEmpty() && this.defaultScopes.isEmpty();
   }
 
   private void init() throws IOException {
@@ -129,7 +136,11 @@ public AccessToken refreshAccessToken() throws IOException {
       throw new IOException("AppEngineCredentials requires createScoped call before use.");
     }
     try {
-      Object accessTokenResult = getAccessTokenResult.invoke(appIdentityService, scopes);
+      Collection<String> scopesToUse = scopes;
+      if (scopes.isEmpty()) {
+        scopesToUse = defaultScopes;
+      }
+      Object accessTokenResult = getAccessTokenResult.invoke(appIdentityService, scopesToUse);
       String accessToken = (String) getAccessToken.invoke(accessTokenResult);
       Date expirationTime = (Date) getExpirationTime.invoke(accessTokenResult);
       return new AccessToken(accessToken, expirationTime);
@@ -145,7 +156,13 @@ public boolean createScopedRequired() {
 
   @Override
   public GoogleCredentials createScoped(Collection<String> scopes) {
-    return new AppEngineCredentials(scopes, this);
+    return new AppEngineCredentials(scopes, null, this);
+  }
+
+  @Override
+  public GoogleCredentials createScoped(
+      Collection<String> scopes, Collection<String> defaultScopes) {
+    return new AppEngineCredentials(scopes, defaultScopes, this);
   }
 
   @Override
@@ -165,13 +182,14 @@ public byte[] sign(byte[] toSign) {
 
   @Override
   public int hashCode() {
-    return Objects.hash(scopes, scopesRequired);
+    return Objects.hash(scopes, defaultScopes, scopesRequired);
   }
 
   @Override
   public String toString() {
     return MoreObjects.toStringHelper(this)
         .add("scopes", scopes)
+        .add("defaultScopes", defaultScopes)
         .add("scopesRequired", scopesRequired)
         .toString();
   }
@@ -182,7 +200,9 @@ public boolean equals(Object obj) {
       return false;
     }
     AppEngineCredentials other = (AppEngineCredentials) obj;
-    return this.scopesRequired == other.scopesRequired && Objects.equals(this.scopes, other.scopes);
+    return this.scopesRequired == other.scopesRequired
+        && Objects.equals(this.scopes, other.scopes)
+        && Objects.equals(this.defaultScopes, other.defaultScopes);
   }
 
   private void readObject(ObjectInputStream input) throws IOException, ClassNotFoundException {
diff --git a/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
index ede42cee9..b8cd494d9 100644
--- a/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
@@ -99,6 +99,7 @@ public class ComputeEngineCredentials extends GoogleCredentials
   private final String transportFactoryClassName;
 
   private final Collection<String> scopes;
+  private final Collection<String> defaultScopes;
 
   private transient HttpTransportFactory transportFactory;
   private transient String serviceAccountEmail;
@@ -109,9 +110,13 @@ public class ComputeEngineCredentials extends GoogleCredentials
    * @param transportFactory HTTP transport factory, creates the transport used to get access
    *     tokens.
    * @param scopes scope strings for the APIs to be called. May be null or an empty collection.
+   * @param defaultScopes default scope strings for the APIs to be called. May be null or an empty
+   *     collection.
    */
   private ComputeEngineCredentials(
-      HttpTransportFactory transportFactory, Collection<String> scopes) {
+      HttpTransportFactory transportFactory,
+      Collection<String> scopes,
+      Collection<String> defaultScopes) {
     this.transportFactory =
         firstNonNull(
             transportFactory,
@@ -124,12 +129,26 @@ private ComputeEngineCredentials(
       scopeList.removeAll(Arrays.asList("", null));
       this.scopes = ImmutableSet.<String>copyOf(scopeList);
     }
+    if (defaultScopes == null) {
+      this.defaultScopes = ImmutableSet.<String>of();
+    } else {
+      List<String> scopeList = new ArrayList<String>(defaultScopes);
+      scopeList.removeAll(Arrays.asList("", null));
+      this.defaultScopes = ImmutableSet.<String>copyOf(scopeList);
+    }
   }
 
   /** Clones the compute engine account with the specified scopes. */
   @Override
   public GoogleCredentials createScoped(Collection<String> newScopes) {
-    return new ComputeEngineCredentials(this.transportFactory, newScopes);
+    return new ComputeEngineCredentials(this.transportFactory, newScopes, null);
+  }
+
+  /** Clones the compute engine account with the specified scopes. */
+  @Override
+  public GoogleCredentials createScoped(
+      Collection<String> newScopes, Collection<String> newDefaultScopes) {
+    return new ComputeEngineCredentials(this.transportFactory, newScopes, newDefaultScopes);
   }
 
   /**
@@ -138,22 +157,30 @@ public GoogleCredentials createScoped(Collection<String> newScopes) {
    * @return new ComputeEngineCredentials
    */
   public static ComputeEngineCredentials create() {
-    return new ComputeEngineCredentials(null, null);
+    return new ComputeEngineCredentials(null, null, null);
   }
 
   public final Collection<String> getScopes() {
     return scopes;
   }
 
+  public final Collection<String> getDefaultScopes() {
+    return defaultScopes;
+  }
+
   /**
-   * If scopes is specified, add "?scopes=comma-separated-list-of-scopes" to the token url.
+   * If scopes or defaultScopes is specified, add "?scopes=comma-separated-list-of-scopes" to the
+   * token url. defaultScopes is not used unless scopes is empty.
    *
-   * @return token url with the given scopes
+   * @return token url with the given scopes or defaultScopes. defaultScopes is not used unless
+   *     scopes is emtpy.
    */
   String createTokenUrlWithScopes() {
     GenericUrl tokenUrl = new GenericUrl(getTokenServerEncodedUrl());
     if (!scopes.isEmpty()) {
       tokenUrl.set("scopes", Joiner.on(',').join(scopes));
+    } else if (!defaultScopes.isEmpty()) {
+      tokenUrl.set("scopes", Joiner.on(',').join(defaultScopes));
     }
     return tokenUrl.toString();
   }
@@ -345,7 +372,8 @@ public boolean equals(Object obj) {
     }
     ComputeEngineCredentials other = (ComputeEngineCredentials) obj;
     return Objects.equals(this.transportFactoryClassName, other.transportFactoryClassName)
-        && Objects.equals(this.scopes, other.scopes);
+        && Objects.equals(this.scopes, other.scopes)
+        && Objects.equals(this.defaultScopes, other.defaultScopes);
   }
 
   private void readObject(ObjectInputStream input) throws IOException, ClassNotFoundException {
@@ -438,12 +466,14 @@ private String getDefaultServiceAccount() throws IOException {
   public static class Builder extends GoogleCredentials.Builder {
     private HttpTransportFactory transportFactory;
     private Collection<String> scopes;
+    private Collection<String> defaultScopes;
 
     protected Builder() {}
 
     protected Builder(ComputeEngineCredentials credentials) {
       this.transportFactory = credentials.transportFactory;
       this.scopes = credentials.scopes;
+      this.defaultScopes = credentials.defaultScopes;
     }
 
     public Builder setHttpTransportFactory(HttpTransportFactory transportFactory) {
@@ -453,6 +483,13 @@ public Builder setHttpTransportFactory(HttpTransportFactory transportFactory) {
 
     public Builder setScopes(Collection<String> scopes) {
       this.scopes = scopes;
+      this.defaultScopes = null;
+      return this;
+    }
+
+    public Builder setScopes(Collection<String> scopes, Collection<String> defaultScopes) {
+      this.scopes = scopes;
+      this.defaultScopes = defaultScopes;
       return this;
     }
 
@@ -464,8 +501,12 @@ public Collection<String> getScopes() {
       return scopes;
     }
 
+    public Collection<String> getDefaultScopes() {
+      return defaultScopes;
+    }
+
     public ComputeEngineCredentials build() {
-      return new ComputeEngineCredentials(transportFactory, scopes);
+      return new ComputeEngineCredentials(transportFactory, scopes, defaultScopes);
     }
   }
 }
diff --git a/oauth2_http/java/com/google/auth/oauth2/DefaultCredentialsProvider.java b/oauth2_http/java/com/google/auth/oauth2/DefaultCredentialsProvider.java
index 78ad73066..12fff6a37 100644
--- a/oauth2_http/java/com/google/auth/oauth2/DefaultCredentialsProvider.java
+++ b/oauth2_http/java/com/google/auth/oauth2/DefaultCredentialsProvider.java
@@ -301,7 +301,8 @@ private GoogleCredentials tryGetAppEngineCredential() throws IOException {
     if (!onAppEngine) {
       return null;
     }
-    return new AppEngineCredentials(Collections.<String>emptyList());
+    return new AppEngineCredentials(
+        Collections.<String>emptyList(), Collections.<String>emptyList());
   }
 
   private final GoogleCredentials tryGetComputeCredentials(HttpTransportFactory transportFactory) {
diff --git a/oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java b/oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java
index c9ea810fb..dc6e033f1 100644
--- a/oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java
@@ -232,6 +232,20 @@ public GoogleCredentials createScoped(Collection<String> scopes) {
     return this;
   }
 
+  /**
+   * If the credentials support scopes, creates a copy of the the identity with the specified scopes
+   * and default scopes; otherwise, returns the same instance. This is mainly used by client
+   * libraries.
+   *
+   * @param scopes Collection of scopes to request.
+   * @param defaultScopes Collection of default scopes to request.
+   * @return GoogleCredentials with requested scopes.
+   */
+  public GoogleCredentials createScoped(
+      Collection<String> scopes, Collection<String> defaultScopes) {
+    return this;
+  }
+
   /**
    * If the credentials support scopes, creates a copy of the the identity with the specified
    * scopes; otherwise, returns the same instance.
diff --git a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
index e12f8d412..2fc546cd0 100644
--- a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
@@ -53,6 +53,7 @@
 import com.google.api.client.util.PemReader.Section;
 import com.google.api.client.util.Preconditions;
 import com.google.api.client.util.SecurityUtils;
+import com.google.auth.RequestMetadataCallback;
 import com.google.auth.ServiceAccountSigner;
 import com.google.auth.http.HttpTransportFactory;
 import com.google.common.annotations.VisibleForTesting;
@@ -80,6 +81,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import java.util.concurrent.Executor;
 
 /**
  * OAuth2 credentials representing a Service Account for calling Google APIs.
@@ -104,10 +106,12 @@ public class ServiceAccountCredentials extends GoogleCredentials
   private final String transportFactoryClassName;
   private final URI tokenServerUri;
   private final Collection<String> scopes;
+  private final Collection<String> defaultScopes;
   private final String quotaProjectId;
   private final int lifetime;
 
   private transient HttpTransportFactory transportFactory;
+  private transient ServiceAccountJwtAccessCredentials jwtCredentials = null;
 
   /**
    * Constructor with minimum identifying information and custom HTTP transport.
@@ -118,6 +122,8 @@ public class ServiceAccountCredentials extends GoogleCredentials
    * @param privateKeyId Private key identifier for the service account. May be null.
    * @param scopes Scope strings for the APIs to be called. May be null or an empty collection,
    *     which results in a credential that must have createScoped called before use.
+   * @param defaultScopes Default scope strings for the APIs to be called. May be null or an empty
+   *     collection, which results in a credential that must have createScoped called before use.
    * @param transportFactory HTTP transport factory, creates the transport used to get access
    *     tokens.
    * @param tokenServerUri URI of the end point that provides tokens.
@@ -136,6 +142,7 @@ public class ServiceAccountCredentials extends GoogleCredentials
       PrivateKey privateKey,
       String privateKeyId,
       Collection<String> scopes,
+      Collection<String> defaultScopes,
       HttpTransportFactory transportFactory,
       URI tokenServerUri,
       String serviceAccountUser,
@@ -147,6 +154,8 @@ public class ServiceAccountCredentials extends GoogleCredentials
     this.privateKey = Preconditions.checkNotNull(privateKey);
     this.privateKeyId = privateKeyId;
     this.scopes = (scopes == null) ? ImmutableSet.<String>of() : ImmutableSet.copyOf(scopes);
+    this.defaultScopes =
+        (defaultScopes == null) ? ImmutableSet.<String>of() : ImmutableSet.copyOf(defaultScopes);
     this.transportFactory =
         firstNonNull(
             transportFactory,
@@ -160,6 +169,18 @@ public class ServiceAccountCredentials extends GoogleCredentials
       throw new IllegalStateException("lifetime must be less than or equal to 43200");
     }
     this.lifetime = lifetime;
+
+    // Use self signed JWT if scopes is not set, see https://google.aip.dev/auth/4111.
+    if (this.scopes.isEmpty()) {
+      jwtCredentials =
+          new ServiceAccountJwtAccessCredentials.Builder()
+              .setClientEmail(clientEmail)
+              .setClientId(clientId)
+              .setPrivateKey(privateKey)
+              .setPrivateKeyId(privateKeyId)
+              .setQuotaProjectId(quotaProjectId)
+              .build();
+    }
   }
 
   /**
@@ -204,6 +225,7 @@ static ServiceAccountCredentials fromJson(
         privateKeyPkcs8,
         privateKeyId,
         null,
+        null,
         transportFactory,
         tokenServerUriFromCreds,
         null,
@@ -231,7 +253,53 @@ public static ServiceAccountCredentials fromPkcs8(
       Collection<String> scopes)
       throws IOException {
     return fromPkcs8(
-        clientId, clientEmail, privateKeyPkcs8, privateKeyId, scopes, null, null, null, null, null);
+        clientId,
+        clientEmail,
+        privateKeyPkcs8,
+        privateKeyId,
+        scopes,
+        null,
+        null,
+        null,
+        null,
+        null,
+        null);
+  }
+
+  /**
+   * Factory with minimum identifying information using PKCS#8 for the private key.
+   *
+   * @param clientId Client ID of the service account from the console. May be null.
+   * @param clientEmail Client email address of the service account from the console.
+   * @param privateKeyPkcs8 RSA private key object for the service account in PKCS#8 format.
+   * @param privateKeyId Private key identifier for the service account. May be null.
+   * @param scopes Scope strings for the APIs to be called. May be null or an empty collection,
+   *     which results in a credential that must have createScoped called before use.
+   * @param defaultScopes Default scope strings for the APIs to be called. May be null or an empty
+   *     collection, which results in a credential that must have createScoped called before use.
+   * @return New ServiceAccountCredentials created from a private key.
+   * @throws IOException if the credential cannot be created from the private key.
+   */
+  public static ServiceAccountCredentials fromPkcs8(
+      String clientId,
+      String clientEmail,
+      String privateKeyPkcs8,
+      String privateKeyId,
+      Collection<String> scopes,
+      Collection<String> defaultScopes)
+      throws IOException {
+    return fromPkcs8(
+        clientId,
+        clientEmail,
+        privateKeyPkcs8,
+        privateKeyId,
+        scopes,
+        defaultScopes,
+        null,
+        null,
+        null,
+        null,
+        null);
   }
 
   /**
@@ -265,6 +333,49 @@ public static ServiceAccountCredentials fromPkcs8(
         privateKeyPkcs8,
         privateKeyId,
         scopes,
+        null,
+        transportFactory,
+        tokenServerUri,
+        null,
+        null,
+        null);
+  }
+
+  /**
+   * Factory with minimum identifying information and custom transport using PKCS#8 for the private
+   * key.
+   *
+   * @param clientId Client ID of the service account from the console. May be null.
+   * @param clientEmail Client email address of the service account from the console.
+   * @param privateKeyPkcs8 RSA private key object for the service account in PKCS#8 format.
+   * @param privateKeyId Private key identifier for the service account. May be null.
+   * @param scopes Scope strings for the APIs to be called. May be null or an empty collection,
+   *     which results in a credential that must have createScoped called before use.
+   * @param defaultScopes Default scope strings for the APIs to be called. May be null or an empty
+   *     collection, which results in a credential that must have createScoped called before use.
+   * @param transportFactory HTTP transport factory, creates the transport used to get access
+   *     tokens.
+   * @param tokenServerUri URI of the end point that provides tokens.
+   * @return New ServiceAccountCredentials created from a private key.
+   * @throws IOException if the credential cannot be created from the private key.
+   */
+  public static ServiceAccountCredentials fromPkcs8(
+      String clientId,
+      String clientEmail,
+      String privateKeyPkcs8,
+      String privateKeyId,
+      Collection<String> scopes,
+      Collection<String> defaultScopes,
+      HttpTransportFactory transportFactory,
+      URI tokenServerUri)
+      throws IOException {
+    return fromPkcs8(
+        clientId,
+        clientEmail,
+        privateKeyPkcs8,
+        privateKeyId,
+        scopes,
+        defaultScopes,
         transportFactory,
         tokenServerUri,
         null,
@@ -306,6 +417,52 @@ public static ServiceAccountCredentials fromPkcs8(
         privateKeyPkcs8,
         privateKeyId,
         scopes,
+        null,
+        transportFactory,
+        tokenServerUri,
+        serviceAccountUser,
+        null,
+        null);
+  }
+
+  /**
+   * Factory with minimum identifying information and custom transport using PKCS#8 for the private
+   * key.
+   *
+   * @param clientId Client ID of the service account from the console. May be null.
+   * @param clientEmail Client email address of the service account from the console.
+   * @param privateKeyPkcs8 RSA private key object for the service account in PKCS#8 format.
+   * @param privateKeyId Private key identifier for the service account. May be null.
+   * @param scopes Scope strings for the APIs to be called. May be null or an empty collection,
+   *     which results in a credential that must have createScoped called before use.
+   * @param defaultScopes Default scope strings for the APIs to be called. May be null or an empty
+   *     collection, which results in a credential that must have createScoped called before use.
+   * @param transportFactory HTTP transport factory, creates the transport used to get access
+   *     tokens.
+   * @param tokenServerUri URI of the end point that provides tokens.
+   * @param serviceAccountUser The email of the user account to impersonate, if delegating
+   *     domain-wide authority to the service account.
+   * @return New ServiceAccountCredentials created from a private key.
+   * @throws IOException if the credential cannot be created from the private key.
+   */
+  public static ServiceAccountCredentials fromPkcs8(
+      String clientId,
+      String clientEmail,
+      String privateKeyPkcs8,
+      String privateKeyId,
+      Collection<String> scopes,
+      Collection<String> defaultScopes,
+      HttpTransportFactory transportFactory,
+      URI tokenServerUri,
+      String serviceAccountUser)
+      throws IOException {
+    return fromPkcs8(
+        clientId,
+        clientEmail,
+        privateKeyPkcs8,
+        privateKeyId,
+        scopes,
+        defaultScopes,
         transportFactory,
         tokenServerUri,
         serviceAccountUser,
@@ -319,6 +476,7 @@ static ServiceAccountCredentials fromPkcs8(
       String privateKeyPkcs8,
       String privateKeyId,
       Collection<String> scopes,
+      Collection<String> defaultScopes,
       HttpTransportFactory transportFactory,
       URI tokenServerUri,
       String serviceAccountUser,
@@ -332,6 +490,7 @@ static ServiceAccountCredentials fromPkcs8(
         privateKey,
         privateKeyId,
         scopes,
+        defaultScopes,
         transportFactory,
         tokenServerUri,
         serviceAccountUser,
@@ -504,7 +663,7 @@ public IdToken idTokenWithAudience(String targetAudience, List<Option> options)
   /** Returns whether the scopes are empty, meaning createScoped must be called before use. */
   @Override
   public boolean createScopedRequired() {
-    return scopes.isEmpty();
+    return scopes.isEmpty() && defaultScopes.isEmpty();
   }
 
   /**
@@ -514,12 +673,24 @@ public boolean createScopedRequired() {
    */
   @Override
   public GoogleCredentials createScoped(Collection<String> newScopes) {
+    return createScoped(newScopes, null);
+  }
+
+  /**
+   * Clones the service account with the specified scopes.
+   *
+   * <p>Should be called before use for instances with empty scopes.
+   */
+  @Override
+  public GoogleCredentials createScoped(
+      Collection<String> newScopes, Collection<String> newDefaultScopes) {
     return new ServiceAccountCredentials(
         clientId,
         clientEmail,
         privateKey,
         privateKeyId,
         newScopes,
+        newDefaultScopes,
         transportFactory,
         tokenServerUri,
         serviceAccountUser,
@@ -549,6 +720,7 @@ public GoogleCredentials createDelegated(String user) {
         privateKey,
         privateKeyId,
         scopes,
+        defaultScopes,
         transportFactory,
         tokenServerUri,
         user,
@@ -577,6 +749,10 @@ public final Collection<String> getScopes() {
     return scopes;
   }
 
+  public final Collection<String> getDefaultScopes() {
+    return defaultScopes;
+  }
+
   public final String getServiceAccountUser() {
     return serviceAccountUser;
   }
@@ -649,6 +825,7 @@ public int hashCode() {
         transportFactoryClassName,
         tokenServerUri,
         scopes,
+        defaultScopes,
         quotaProjectId,
         lifetime);
   }
@@ -662,6 +839,7 @@ public String toString() {
         .add("transportFactoryClassName", transportFactoryClassName)
         .add("tokenServerUri", tokenServerUri)
         .add("scopes", scopes)
+        .add("defaultScopes", defaultScopes)
         .add("serviceAccountUser", serviceAccountUser)
         .add("quotaProjectId", quotaProjectId)
         .add("lifetime", lifetime)
@@ -681,6 +859,7 @@ public boolean equals(Object obj) {
         && Objects.equals(this.transportFactoryClassName, other.transportFactoryClassName)
         && Objects.equals(this.tokenServerUri, other.tokenServerUri)
         && Objects.equals(this.scopes, other.scopes)
+        && Objects.equals(this.defaultScopes, other.defaultScopes)
         && Objects.equals(this.quotaProjectId, other.quotaProjectId)
         && Objects.equals(this.lifetime, other.lifetime);
   }
@@ -697,7 +876,11 @@ String createAssertion(JsonFactory jsonFactory, long currentTime, String audienc
     payload.setIssuedAtTimeSeconds(currentTime / 1000);
     payload.setExpirationTimeSeconds(currentTime / 1000 + this.lifetime);
     payload.setSubject(serviceAccountUser);
-    payload.put("scope", Joiner.on(' ').join(scopes));
+    if (!scopes.isEmpty()) {
+      payload.put("scope", Joiner.on(' ').join(scopes));
+    } else {
+      payload.put("scope", Joiner.on(' ').join(defaultScopes));
+    }
 
     if (audience == null) {
       payload.setAudience(OAuth2Utils.TOKEN_SERVER_URI.toString());
@@ -748,6 +931,43 @@ String createAssertionForIdToken(
     }
   }
 
+  /**
+   * Self signed JWT uses uri as audience, and it should have the "https://{host}/" format. For
+   * instance, if the uri is "https://compute.googleapis.com/compute/v1/projects/", then this
+   * function returns "https://compute.googleapis.com/".
+   */
+  @VisibleForTesting
+  static URI getUriForSelfSignedJWT(URI uri) {
+    if (uri == null) {
+      return uri;
+    }
+    try {
+      return new URI(uri.getScheme(), uri.getHost(), "/", null);
+    } catch (URISyntaxException unused) {
+      return uri;
+    }
+  }
+
+  @Override
+  public void getRequestMetadata(
+      final URI uri, Executor executor, final RequestMetadataCallback callback) {
+    if (jwtCredentials != null) {
+      jwtCredentials.getRequestMetadata(getUriForSelfSignedJWT(uri), executor, callback);
+    } else {
+      super.getRequestMetadata(uri, executor, callback);
+    }
+  }
+
+  /** Provide the request metadata by putting an access JWT directly in the metadata. */
+  @Override
+  public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException {
+    if (jwtCredentials != null) {
+      return jwtCredentials.getRequestMetadata(getUriForSelfSignedJWT(uri));
+    } else {
+      return super.getRequestMetadata(uri);
+    }
+  }
+
   @SuppressWarnings("unused")
   private void readObject(ObjectInputStream input) throws IOException, ClassNotFoundException {
     // properly deserialize the transient transportFactory
@@ -778,6 +998,7 @@ public static class Builder extends GoogleCredentials.Builder {
     private String projectId;
     private URI tokenServerUri;
     private Collection<String> scopes;
+    private Collection<String> defaultScopes;
     private HttpTransportFactory transportFactory;
     private String quotaProjectId;
     private int lifetime = DEFAULT_LIFETIME_IN_SECONDS;
@@ -790,6 +1011,7 @@ protected Builder(ServiceAccountCredentials credentials) {
       this.privateKey = credentials.privateKey;
       this.privateKeyId = credentials.privateKeyId;
       this.scopes = credentials.scopes;
+      this.defaultScopes = credentials.defaultScopes;
       this.transportFactory = credentials.transportFactory;
       this.tokenServerUri = credentials.tokenServerUri;
       this.serviceAccountUser = credentials.serviceAccountUser;
@@ -820,6 +1042,13 @@ public Builder setPrivateKeyId(String privateKeyId) {
 
     public Builder setScopes(Collection<String> scopes) {
       this.scopes = scopes;
+      this.defaultScopes = ImmutableSet.<String>of();
+      return this;
+    }
+
+    public Builder setScopes(Collection<String> scopes, Collection<String> defaultScopes) {
+      this.scopes = scopes;
+      this.defaultScopes = defaultScopes;
       return this;
     }
 
@@ -873,6 +1102,10 @@ public Collection<String> getScopes() {
       return scopes;
     }
 
+    public Collection<String> getDefaultScopes() {
+      return defaultScopes;
+    }
+
     public String getServiceAccountUser() {
       return serviceAccountUser;
     }
@@ -904,6 +1137,7 @@ public ServiceAccountCredentials build() {
           privateKey,
           privateKeyId,
           scopes,
+          defaultScopes,
           transportFactory,
           tokenServerUri,
           serviceAccountUser,
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/AppEngineCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/AppEngineCredentialsTest.java
index a13522a60..9e08ab563 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/AppEngineCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/AppEngineCredentialsTest.java
@@ -130,6 +130,16 @@ public void createScoped_clonesWithScopes() throws IOException {
     assertEquals(EXPECTED_EXPIRATION_DATE, accessToken.getExpirationTime());
   }
 
+  @Test
+  public void createScoped_defaultScopes() throws IOException {
+    TestAppEngineCredentials credentials = new TestAppEngineCredentials(null, SCOPES);
+    assertFalse(credentials.createScopedRequired());
+
+    AccessToken accessToken = credentials.refreshAccessToken();
+    assertEquals(EXPECTED_ACCESS_TOKEN, accessToken.getTokenValue());
+    assertEquals(EXPECTED_EXPIRATION_DATE, accessToken.getExpirationTime());
+  }
+
   @Test
   public void equals_true() throws IOException {
     GoogleCredentials credentials = new TestAppEngineCredentials(SCOPES);
@@ -153,9 +163,11 @@ public void equals_false_scopes() throws IOException {
   public void toString_containsFields() throws IOException {
     String expectedToString =
         String.format(
-            "TestAppEngineCredentials{scopes=[%s], scopesRequired=%b}", "SomeScope", false);
+            "TestAppEngineCredentials{scopes=[%s], defaultScopes=[%s], scopesRequired=%b}",
+            "SomeScope", "SomeDefaultScope", false);
     Collection<String> scopes = Collections.singleton("SomeScope");
-    AppEngineCredentials credentials = new TestAppEngineCredentials(scopes);
+    Collection<String> defaultScopes = Collections.singleton("SomeDefaultScope");
+    AppEngineCredentials credentials = new TestAppEngineCredentials(scopes, defaultScopes);
     assertEquals(expectedToString, credentials.toString());
   }
 
@@ -246,7 +258,12 @@ private static class TestAppEngineCredentials extends AppEngineCredentials {
     private List<String> forNameArgs;
 
     TestAppEngineCredentials(Collection<String> scopes) throws IOException {
-      super(scopes);
+      super(scopes, null);
+    }
+
+    TestAppEngineCredentials(Collection<String> scopes, Collection<String> defaultScopes)
+        throws IOException {
+      super(scopes, defaultScopes);
     }
 
     @Override
@@ -272,7 +289,7 @@ private static class TestAppEngineCredentialsNoSdk extends AppEngineCredentials
     private static final long serialVersionUID = -8987103249265111274L;
 
     TestAppEngineCredentialsNoSdk() throws IOException {
-      super(null);
+      super(null, null);
     }
 
     @Override
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
index be8841cb2..20474a215 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
@@ -169,6 +169,23 @@ public void createTokenUrlWithScopes_multiple_scopes() {
     assertEquals("bar", scopes.toArray()[1]);
   }
 
+  @Test
+  public void createTokenUrlWithScopes_defaultScopes() {
+    ComputeEngineCredentials credentials =
+        ComputeEngineCredentials.newBuilder()
+            .setScopes(null, Arrays.asList(null, "foo", "", "bar"))
+            .build();
+    Collection<String> scopes = credentials.getScopes();
+    Collection<String> defaultScopes = credentials.getDefaultScopes();
+    String tokenUrlWithScopes = credentials.createTokenUrlWithScopes();
+
+    assertEquals(TOKEN_URL + "?scopes=foo,bar", tokenUrlWithScopes);
+    assertEquals(0, scopes.size());
+    assertEquals(2, defaultScopes.size());
+    assertEquals("foo", defaultScopes.toArray()[0]);
+    assertEquals("bar", defaultScopes.toArray()[1]);
+  }
+
   @Test
   public void createScoped() {
     ComputeEngineCredentials credentials =
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
index 77bd2862d..8f3baaaf5 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
@@ -43,6 +43,7 @@
 
 import com.google.api.client.json.GenericJson;
 import com.google.api.client.json.JsonFactory;
+import com.google.api.client.json.gson.GsonFactory;
 import com.google.api.client.json.webtoken.JsonWebSignature;
 import com.google.api.client.json.webtoken.JsonWebToken;
 import com.google.api.client.testing.http.FixedClock;
@@ -51,6 +52,7 @@
 import com.google.api.client.util.Joiner;
 import com.google.auth.RequestMetadataCallback;
 import com.google.auth.TestUtils;
+import com.google.auth.http.AuthHttpConstants;
 import com.google.auth.http.HttpTransportFactory;
 import com.google.auth.oauth2.GoogleCredentialsTest.MockHttpTransportFactory;
 import com.google.auth.oauth2.GoogleCredentialsTest.MockTokenServerTransportFactory;
@@ -98,10 +100,13 @@ public class ServiceAccountCredentialsTest extends BaseSerializationTest {
           + "==\n-----END PRIVATE KEY-----\n";
   private static final String ACCESS_TOKEN = "1/MkSJoj1xsli0AccessToken_NKPY2";
   private static final Collection<String> SCOPES = Collections.singletonList("dummy.scope");
+  private static final Collection<String> DEFAULT_SCOPES =
+      Collections.singletonList("dummy.default.scope");
   private static final String USER = "user@example.com";
   private static final String PROJECT_ID = "project-id";
   private static final Collection<String> EMPTY_SCOPES = Collections.emptyList();
   private static final URI CALL_URI = URI.create("http://googleapis.com/testapi/v1/foo");
+  private static final String JWT_AUDIENCE = "http://googleapis.com/";
   private static final HttpTransportFactory DUMMY_TRANSPORT_FACTORY =
       new MockTokenServerTransportFactory();
   public static final String DEFAULT_ID_TOKEN =
@@ -113,6 +118,7 @@ public class ServiceAccountCredentialsTest extends BaseSerializationTest {
   private static final String QUOTA_PROJECT = "sample-quota-project-id";
   private static final int DEFAULT_LIFETIME_IN_SECONDS = 3600;
   private static final int INVALID_LIFETIME = 43210;
+  private static final String JWT_ACCESS_PREFIX = "Bearer ";
 
   private ServiceAccountCredentials.Builder createDefaultBuilder() throws IOException {
     PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(PRIVATE_KEY_PKCS8);
@@ -383,15 +389,19 @@ public void createdScoped_enablesAccessTokens() throws IOException {
             null);
 
     try {
-      credentials.getRequestMetadata(CALL_URI);
-      fail("Should not be able to get token without scopes");
+      credentials.getRequestMetadata(null);
+      fail("Should not be able to get token without scopes, defaultScopes and uri");
     } catch (Exception expected) {
       // Expected
     }
 
-    GoogleCredentials scopedCredentials = credentials.createScoped(SCOPES);
+    // Since scopes are not provided, self signed JWT will be used.
+    Map<String, List<String>> metadata = credentials.getRequestMetadata(CALL_URI);
+    verifyJwtAccess(metadata);
 
-    Map<String, List<String>> metadata = scopedCredentials.getRequestMetadata(CALL_URI);
+    // Since scopes are provided, self signed JWT will not be used.
+    GoogleCredentials scopedCredentials = credentials.createScoped(SCOPES);
+    metadata = scopedCredentials.getRequestMetadata(CALL_URI);
     TestUtils.assertContainsBearerToken(metadata, ACCESS_TOKEN);
   }
 
@@ -972,6 +982,7 @@ public void toString_containsFields() throws IOException {
             PRIVATE_KEY_PKCS8,
             PRIVATE_KEY_ID,
             SCOPES,
+            DEFAULT_SCOPES,
             transportFactory,
             tokenServer,
             USER,
@@ -980,7 +991,7 @@ public void toString_containsFields() throws IOException {
     String expectedToString =
         String.format(
             "ServiceAccountCredentials{clientId=%s, clientEmail=%s, privateKeyId=%s, "
-                + "transportFactoryClassName=%s, tokenServerUri=%s, scopes=%s, serviceAccountUser=%s, "
+                + "transportFactoryClassName=%s, tokenServerUri=%s, scopes=%s, defaultScopes=%s, serviceAccountUser=%s, "
                 + "quotaProjectId=%s, lifetime=3600}",
             CLIENT_ID,
             CLIENT_EMAIL,
@@ -988,6 +999,7 @@ public void toString_containsFields() throws IOException {
             MockTokenServerTransportFactory.class.getName(),
             tokenServer,
             SCOPES,
+            DEFAULT_SCOPES,
             USER,
             QUOTA_PROJECT);
     assertEquals(expectedToString, credentials.toString());
@@ -1202,6 +1214,79 @@ public void onFailure(Throwable exception) {
     assertTrue("Should have run onSuccess() callback", success.get());
   }
 
+  @Test
+  public void getRequestMetadataWithCallback_selfSignedJWT() throws IOException {
+    MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
+    transportFactory.transport.addClient(CLIENT_ID, "unused-client-secret");
+    transportFactory.transport.addServiceAccount(CLIENT_EMAIL, ACCESS_TOKEN);
+
+    PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(PRIVATE_KEY_PKCS8);
+    GoogleCredentials credentials =
+        ServiceAccountCredentials.newBuilder()
+            .setClientId(CLIENT_ID)
+            .setClientEmail(CLIENT_EMAIL)
+            .setPrivateKey(privateKey)
+            .setPrivateKeyId(PRIVATE_KEY_ID)
+            .setScopes(null, DEFAULT_SCOPES)
+            .setServiceAccountUser(USER)
+            .setProjectId(PROJECT_ID)
+            .setQuotaProjectId("my-quota-project-id")
+            .setHttpTransportFactory(transportFactory)
+            .build();
+
+    final AtomicBoolean success = new AtomicBoolean(false);
+    credentials.getRequestMetadata(
+        CALL_URI,
+        null,
+        new RequestMetadataCallback() {
+          @Override
+          public void onSuccess(Map<String, List<String>> metadata) {
+            try {
+              verifyJwtAccess(metadata);
+            } catch (IOException e) {
+              fail("Should not throw a failure");
+            }
+            success.set(true);
+          }
+
+          @Override
+          public void onFailure(Throwable exception) {
+            fail("Should not throw a failure.");
+          }
+        });
+
+    assertTrue("Should have run onSuccess() callback", success.get());
+  }
+
+  @Test
+  public void getUriForSelfSignedJWT() {
+    assertNull(ServiceAccountCredentials.getUriForSelfSignedJWT(null));
+
+    URI uri = URI.create("https://compute.googleapis.com/compute/v1/projects/");
+    URI expected = URI.create("https://compute.googleapis.com/");
+    assertEquals(expected, ServiceAccountCredentials.getUriForSelfSignedJWT(uri));
+  }
+
+  private void verifyJwtAccess(Map<String, List<String>> metadata) throws IOException {
+    assertNotNull(metadata);
+    List<String> authorizations = metadata.get(AuthHttpConstants.AUTHORIZATION);
+    assertNotNull("Authorization headers not found", authorizations);
+    String assertion = null;
+    for (String authorization : authorizations) {
+      if (authorization.startsWith(JWT_ACCESS_PREFIX)) {
+        assertNull("Multiple bearer assertions found", assertion);
+        assertion = authorization.substring(JWT_ACCESS_PREFIX.length());
+      }
+    }
+    assertNotNull("Bearer assertion not found", assertion);
+    JsonWebSignature signature =
+        JsonWebSignature.parse(GsonFactory.getDefaultInstance(), assertion);
+    assertEquals(CLIENT_EMAIL, signature.getPayload().getIssuer());
+    assertEquals(CLIENT_EMAIL, signature.getPayload().getSubject());
+    assertEquals(JWT_AUDIENCE, signature.getPayload().getAudience());
+    assertEquals(PRIVATE_KEY_ID, signature.getHeader().getKeyId());
+  }
+
   static GenericJson writeServiceAccountJson(
       String clientId,
       String clientEmail,

From dbe00a146fc64651e8e344ea39e3dce201ab6d91 Mon Sep 17 00:00:00 2001
From: arithmetic1728 <liusijun1985@gmail.com>
Date: Wed, 17 Feb 2021 21:04:59 -0800
Subject: [PATCH 02/10] update

---
 .../oauth2/ServiceAccountCredentials.java     | 64 +++++++++----------
 1 file changed, 32 insertions(+), 32 deletions(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
index 2fc546cd0..15dfc1887 100644
--- a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
@@ -116,21 +116,21 @@ public class ServiceAccountCredentials extends GoogleCredentials
   /**
    * Constructor with minimum identifying information and custom HTTP transport.
    *
-   * @param clientId Client ID of the service account from the console. May be null.
-   * @param clientEmail Client email address of the service account from the console.
-   * @param privateKey RSA private key object for the service account.
-   * @param privateKeyId Private key identifier for the service account. May be null.
-   * @param scopes Scope strings for the APIs to be called. May be null or an empty collection,
+   * @param clientId client ID of the service account from the console. May be null.
+   * @param clientEmail client email address of the service account from the console
+   * @param privateKey RSA private key object for the service account
+   * @param privateKeyId private key identifier for the service account. May be null.
+   * @param scopes scope strings for the APIs to be called. May be null or an empty collection,
    *     which results in a credential that must have createScoped called before use.
-   * @param defaultScopes Default scope strings for the APIs to be called. May be null or an empty
+   * @param defaultScopes default scope strings for the APIs to be called. May be null or an empty
    *     collection, which results in a credential that must have createScoped called before use.
    * @param transportFactory HTTP transport factory, creates the transport used to get access
    *     tokens.
    * @param tokenServerUri URI of the end point that provides tokens.
-   * @param serviceAccountUser Email of the user account to impersonate, if delegating domain-wide
+   * @param serviceAccountUser email of the user account to impersonate, if delegating domain-wide
    *     authority to the service account.
    * @param projectId the project used for billing
-   * @param quotaProjectId The project used for quota and billing purposes. May be null.
+   * @param quotaProjectId the project used for quota and billing purposes. May be null.
    * @param lifetime number of seconds the access token should be valid for. The value should be at
    *     most 43200 (12 hours). If the token is used for calling a Google API, then the value should
    *     be at most 3600 (1 hour). If the given value is 0, then the default value 3600 will be used
@@ -269,16 +269,16 @@ public static ServiceAccountCredentials fromPkcs8(
   /**
    * Factory with minimum identifying information using PKCS#8 for the private key.
    *
-   * @param clientId Client ID of the service account from the console. May be null.
-   * @param clientEmail Client email address of the service account from the console.
+   * @param clientId client ID of the service account from the console. May be null.
+   * @param clientEmail client email address of the service account from the console
    * @param privateKeyPkcs8 RSA private key object for the service account in PKCS#8 format.
-   * @param privateKeyId Private key identifier for the service account. May be null.
-   * @param scopes Scope strings for the APIs to be called. May be null or an empty collection,
+   * @param privateKeyId private key identifier for the service account. May be null.
+   * @param scopes scope strings for the APIs to be called. May be null or an empty collection,
    *     which results in a credential that must have createScoped called before use.
-   * @param defaultScopes Default scope strings for the APIs to be called. May be null or an empty
+   * @param defaultScopes default scope strings for the APIs to be called. May be null or an empty
    *     collection, which results in a credential that must have createScoped called before use.
-   * @return New ServiceAccountCredentials created from a private key.
-   * @throws IOException if the credential cannot be created from the private key.
+   * @return new ServiceAccountCredentials created from a private key
+   * @throws IOException if the credential cannot be created from the private key
    */
   public static ServiceAccountCredentials fromPkcs8(
       String clientId,
@@ -345,19 +345,19 @@ public static ServiceAccountCredentials fromPkcs8(
    * Factory with minimum identifying information and custom transport using PKCS#8 for the private
    * key.
    *
-   * @param clientId Client ID of the service account from the console. May be null.
-   * @param clientEmail Client email address of the service account from the console.
+   * @param clientId client ID of the service account from the console. May be null.
+   * @param clientEmail client email address of the service account from the console
    * @param privateKeyPkcs8 RSA private key object for the service account in PKCS#8 format.
-   * @param privateKeyId Private key identifier for the service account. May be null.
-   * @param scopes Scope strings for the APIs to be called. May be null or an empty collection,
+   * @param privateKeyId private key identifier for the service account. May be null.
+   * @param scopes scope strings for the APIs to be called. May be null or an empty collection,
    *     which results in a credential that must have createScoped called before use.
-   * @param defaultScopes Default scope strings for the APIs to be called. May be null or an empty
+   * @param defaultScopes default scope strings for the APIs to be called. May be null or an empty
    *     collection, which results in a credential that must have createScoped called before use.
    * @param transportFactory HTTP transport factory, creates the transport used to get access
    *     tokens.
-   * @param tokenServerUri URI of the end point that provides tokens.
-   * @return New ServiceAccountCredentials created from a private key.
-   * @throws IOException if the credential cannot be created from the private key.
+   * @param tokenServerUri URI of the end point that provides tokens
+   * @return new ServiceAccountCredentials created from a private key
+   * @throws IOException if the credential cannot be created from the private key
    */
   public static ServiceAccountCredentials fromPkcs8(
       String clientId,
@@ -429,21 +429,21 @@ public static ServiceAccountCredentials fromPkcs8(
    * Factory with minimum identifying information and custom transport using PKCS#8 for the private
    * key.
    *
-   * @param clientId Client ID of the service account from the console. May be null.
-   * @param clientEmail Client email address of the service account from the console.
+   * @param clientId client ID of the service account from the console. May be null.
+   * @param clientEmail client email address of the service account from the console
    * @param privateKeyPkcs8 RSA private key object for the service account in PKCS#8 format.
-   * @param privateKeyId Private key identifier for the service account. May be null.
-   * @param scopes Scope strings for the APIs to be called. May be null or an empty collection,
+   * @param privateKeyId private key identifier for the service account. May be null.
+   * @param scopes scope strings for the APIs to be called. May be null or an empty collection,
    *     which results in a credential that must have createScoped called before use.
-   * @param defaultScopes Default scope strings for the APIs to be called. May be null or an empty
+   * @param defaultScopes default scope strings for the APIs to be called. May be null or an empty
    *     collection, which results in a credential that must have createScoped called before use.
    * @param transportFactory HTTP transport factory, creates the transport used to get access
    *     tokens.
-   * @param tokenServerUri URI of the end point that provides tokens.
-   * @param serviceAccountUser The email of the user account to impersonate, if delegating
+   * @param tokenServerUri URI of the end point that provides tokens
+   * @param serviceAccountUser the email of the user account to impersonate, if delegating
    *     domain-wide authority to the service account.
-   * @return New ServiceAccountCredentials created from a private key.
-   * @throws IOException if the credential cannot be created from the private key.
+   * @return new ServiceAccountCredentials created from a private key
+   * @throws IOException if the credential cannot be created from the private key
    */
   public static ServiceAccountCredentials fromPkcs8(
       String clientId,

From c235ed91088380bf9e1d7256e40599739b329565 Mon Sep 17 00:00:00 2001
From: arithmetic1728 <liusijun1985@gmail.com>
Date: Wed, 17 Feb 2021 22:13:25 -0800
Subject: [PATCH 03/10] chore: add more tests

---
 .../oauth2/ServiceAccountCredentials.java     |  6 +--
 .../auth/oauth2/AppEngineCredentialsTest.java | 11 +++--
 .../oauth2/ComputeEngineCredentialsTest.java  | 15 +++++++
 .../auth/oauth2/GoogleCredentialsTest.java    |  6 +++
 .../oauth2/ServiceAccountCredentialsTest.java | 41 +++++++++++++++++++
 5 files changed, 71 insertions(+), 8 deletions(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
index 15dfc1887..2af7f1077 100644
--- a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
@@ -876,11 +876,7 @@ String createAssertion(JsonFactory jsonFactory, long currentTime, String audienc
     payload.setIssuedAtTimeSeconds(currentTime / 1000);
     payload.setExpirationTimeSeconds(currentTime / 1000 + this.lifetime);
     payload.setSubject(serviceAccountUser);
-    if (!scopes.isEmpty()) {
-      payload.put("scope", Joiner.on(' ').join(scopes));
-    } else {
-      payload.put("scope", Joiner.on(' ').join(defaultScopes));
-    }
+    payload.put("scope", Joiner.on(' ').join(scopes));
 
     if (audience == null) {
       payload.setAudience(OAuth2Utils.TOKEN_SERVER_URI.toString());
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/AppEngineCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/AppEngineCredentialsTest.java
index 9e08ab563..25a85f4ff 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/AppEngineCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/AppEngineCredentialsTest.java
@@ -62,6 +62,8 @@ public class AppEngineCredentialsTest extends BaseSerializationTest {
 
   private static final Collection<String> SCOPES =
       Collections.unmodifiableCollection(Arrays.asList("scope1", "scope2"));
+  private static final Collection<String> DEFAULT_SCOPES =
+      Collections.unmodifiableCollection(Arrays.asList("scope3"));
 
   @Test
   public void constructor_usesAppIdentityService() throws IOException {
@@ -132,10 +134,13 @@ public void createScoped_clonesWithScopes() throws IOException {
 
   @Test
   public void createScoped_defaultScopes() throws IOException {
-    TestAppEngineCredentials credentials = new TestAppEngineCredentials(null, SCOPES);
-    assertFalse(credentials.createScopedRequired());
+    TestAppEngineCredentials credentials = new TestAppEngineCredentials(null);
+    assertTrue(credentials.createScopedRequired());
 
-    AccessToken accessToken = credentials.refreshAccessToken();
+    GoogleCredentials newCredentials = credentials.createScoped(SCOPES, DEFAULT_SCOPES);
+    assertFalse(newCredentials.createScopedRequired());
+
+    AccessToken accessToken = newCredentials.refreshAccessToken();
     assertEquals(EXPECTED_ACCESS_TOKEN, accessToken.getTokenValue());
     assertEquals(EXPECTED_EXPIRATION_DATE, accessToken.getExpirationTime());
   }
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
index 20474a215..676e0a786 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
@@ -198,6 +198,21 @@ public void createScoped() {
     assertEquals("foo", scopes.toArray()[0]);
   }
 
+  @Test
+  public void createScoped_defaultScopes() {
+    ComputeEngineCredentials.Builder builder =
+        ComputeEngineCredentials.newBuilder().setScopes(null, Arrays.asList("foo"));
+    assertEquals(1, builder.getDefaultScopes().size());
+    assertEquals("foo", builder.getDefaultScopes().toArray()[0]);
+
+    GoogleCredentials credentials =
+        ComputeEngineCredentials.create().createScoped(null, Arrays.asList("foo"));
+    Collection<String> defaultScopes = ((ComputeEngineCredentials) credentials).getDefaultScopes();
+
+    assertEquals(1, defaultScopes.size());
+    assertEquals("foo", defaultScopes.toArray()[0]);
+  }
+
   @Test
   public void getRequestMetadata_hasAccessToken() throws IOException {
     String accessToken = "1/MkSJoj1xsli0AccessToken_NKPY2";
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/GoogleCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/GoogleCredentialsTest.java
index ebf60a8ce..4ae0731cb 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/GoogleCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/GoogleCredentialsTest.java
@@ -77,6 +77,8 @@ public class GoogleCredentialsTest {
 
   private static final Collection<String> SCOPES =
       Collections.unmodifiableCollection(Arrays.asList("scope1", "scope2"));
+  private static final Collection<String> DEFAULT_SCOPES =
+      Collections.unmodifiableCollection(Arrays.asList("scope3"));
 
   static class MockHttpTransportFactory implements HttpTransportFactory {
 
@@ -145,6 +147,10 @@ public void fromStream_serviceAccount_providesToken() throws IOException {
     credentials = credentials.createScoped(SCOPES);
     Map<String, List<String>> metadata = credentials.getRequestMetadata(CALL_URI);
     TestUtils.assertContainsBearerToken(metadata, ACCESS_TOKEN);
+
+    credentials = credentials.createScoped(SCOPES, DEFAULT_SCOPES);
+    metadata = credentials.getRequestMetadata(CALL_URI);
+    TestUtils.assertContainsBearerToken(metadata, ACCESS_TOKEN);
   }
 
   @Test
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
index 8f3baaaf5..43402f4ce 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
@@ -405,6 +405,47 @@ public void createdScoped_enablesAccessTokens() throws IOException {
     TestUtils.assertContainsBearerToken(metadata, ACCESS_TOKEN);
   }
 
+  @Test
+  public void createdScoped_defaultScopes() throws IOException {
+    final URI TOKEN_SERVER = URI.create("https://foo.com/bar");
+    MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
+    transportFactory.transport.addServiceAccount(CLIENT_EMAIL, ACCESS_TOKEN);
+    transportFactory.transport.setTokenServerUri(TOKEN_SERVER);
+
+    ServiceAccountCredentials credentials =
+        ServiceAccountCredentials.fromPkcs8(
+            CLIENT_ID, CLIENT_EMAIL, PRIVATE_KEY_PKCS8, PRIVATE_KEY_ID, SCOPES, DEFAULT_SCOPES);
+    assertEquals(1, credentials.getDefaultScopes().size());
+    assertEquals("dummy.default.scope", credentials.getDefaultScopes().toArray()[0]);
+
+    credentials =
+        ServiceAccountCredentials.fromPkcs8(
+            CLIENT_ID,
+            CLIENT_EMAIL,
+            PRIVATE_KEY_PKCS8,
+            PRIVATE_KEY_ID,
+            SCOPES,
+            DEFAULT_SCOPES,
+            transportFactory,
+            TOKEN_SERVER);
+    assertEquals(1, credentials.getDefaultScopes().size());
+    assertEquals("dummy.default.scope", credentials.getDefaultScopes().toArray()[0]);
+
+    credentials =
+        ServiceAccountCredentials.fromPkcs8(
+            CLIENT_ID,
+            CLIENT_EMAIL,
+            PRIVATE_KEY_PKCS8,
+            PRIVATE_KEY_ID,
+            SCOPES,
+            DEFAULT_SCOPES,
+            transportFactory,
+            TOKEN_SERVER,
+            "service_account_user");
+    assertEquals(1, credentials.getDefaultScopes().size());
+    assertEquals("dummy.default.scope", credentials.getDefaultScopes().toArray()[0]);
+  }
+
   @Test
   public void createScopedRequired_emptyScopes_true() throws IOException {
     GoogleCredentials credentials =

From bafc374d16b6a3b22c1c50db4983b2f441c5c693 Mon Sep 17 00:00:00 2001
From: arithmetic1728 <liusijun1985@gmail.com>
Date: Tue, 9 Mar 2021 15:20:05 -0800
Subject: [PATCH 04/10] update

---
 .../oauth2/ServiceAccountCredentials.java     | 34 +++++++------------
 .../oauth2/ServiceAccountCredentialsTest.java | 10 +++---
 2 files changed, 18 insertions(+), 26 deletions(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
index 2af7f1077..c9b205a3a 100644
--- a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
@@ -120,10 +120,8 @@ public class ServiceAccountCredentials extends GoogleCredentials
    * @param clientEmail client email address of the service account from the console
    * @param privateKey RSA private key object for the service account
    * @param privateKeyId private key identifier for the service account. May be null.
-   * @param scopes scope strings for the APIs to be called. May be null or an empty collection,
-   *     which results in a credential that must have createScoped called before use.
-   * @param defaultScopes default scope strings for the APIs to be called. May be null or an empty
-   *     collection, which results in a credential that must have createScoped called before use.
+   * @param scopes scope strings for the APIs to be called. May be null or an empty collection.
+   * @param defaultScopes default scope strings for the APIs to be called. May be null or an empty.
    * @param transportFactory HTTP transport factory, creates the transport used to get access
    *     tokens.
    * @param tokenServerUri URI of the end point that provides tokens.
@@ -273,10 +271,8 @@ public static ServiceAccountCredentials fromPkcs8(
    * @param clientEmail client email address of the service account from the console
    * @param privateKeyPkcs8 RSA private key object for the service account in PKCS#8 format.
    * @param privateKeyId private key identifier for the service account. May be null.
-   * @param scopes scope strings for the APIs to be called. May be null or an empty collection,
-   *     which results in a credential that must have createScoped called before use.
-   * @param defaultScopes default scope strings for the APIs to be called. May be null or an empty
-   *     collection, which results in a credential that must have createScoped called before use.
+   * @param scopes scope strings for the APIs to be called. May be null or an empty collection.
+   * @param defaultScopes default scope strings for the APIs to be called. May be null or an empty.
    * @return new ServiceAccountCredentials created from a private key
    * @throws IOException if the credential cannot be created from the private key
    */
@@ -570,12 +566,6 @@ public static ServiceAccountCredentials fromStream(
    */
   @Override
   public AccessToken refreshAccessToken() throws IOException {
-    if (createScopedRequired()) {
-      throw new IOException(
-          "Scopes not configured for service account. Scoped should be specified"
-              + " by calling createScoped or passing scopes to constructor.");
-    }
-
     JsonFactory jsonFactory = OAuth2Utils.JSON_FACTORY;
     long currentTime = clock.currentTimeMillis();
     String assertion = createAssertion(jsonFactory, currentTime, tokenServerUri.toString());
@@ -660,12 +650,6 @@ public IdToken idTokenWithAudience(String targetAudience, List<Option> options)
     return IdToken.create(rawToken);
   }
 
-  /** Returns whether the scopes are empty, meaning createScoped must be called before use. */
-  @Override
-  public boolean createScopedRequired() {
-    return scopes.isEmpty() && defaultScopes.isEmpty();
-  }
-
   /**
    * Clones the service account with the specified scopes.
    *
@@ -947,7 +931,7 @@ static URI getUriForSelfSignedJWT(URI uri) {
   @Override
   public void getRequestMetadata(
       final URI uri, Executor executor, final RequestMetadataCallback callback) {
-    if (jwtCredentials != null) {
+    if (jwtCredentials != null && uri != null) {
       jwtCredentials.getRequestMetadata(getUriForSelfSignedJWT(uri), executor, callback);
     } else {
       super.getRequestMetadata(uri, executor, callback);
@@ -957,7 +941,13 @@ public void getRequestMetadata(
   /** Provide the request metadata by putting an access JWT directly in the metadata. */
   @Override
   public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException {
-    if (jwtCredentials != null) {
+    if (scopes.isEmpty() && defaultScopes.isEmpty() && uri == null) {
+      throw new IOException(
+          "Scopes and uri are not configured for service account. Either pass uri"
+              + " to getRequestMetadata to use self signed JWT, or specify the scopes"
+              + " by calling createScoped or passing scopes to constructor.");
+    }
+    if (jwtCredentials != null && uri != null) {
       return jwtCredentials.getRequestMetadata(getUriForSelfSignedJWT(uri));
     } else {
       return super.getRequestMetadata(uri);
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
index 43402f4ce..256618519 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
@@ -391,8 +391,10 @@ public void createdScoped_enablesAccessTokens() throws IOException {
     try {
       credentials.getRequestMetadata(null);
       fail("Should not be able to get token without scopes, defaultScopes and uri");
-    } catch (Exception expected) {
-      // Expected
+    } catch (IOException e) {
+      assertTrue(
+          "expected to fail with exception",
+          e.getMessage().contains("Scopes and uri are not configured for service account"));
     }
 
     // Since scopes are not provided, self signed JWT will be used.
@@ -447,12 +449,12 @@ public void createdScoped_defaultScopes() throws IOException {
   }
 
   @Test
-  public void createScopedRequired_emptyScopes_true() throws IOException {
+  public void createScopedRequired_emptyScopes_false() throws IOException {
     GoogleCredentials credentials =
         ServiceAccountCredentials.fromPkcs8(
             CLIENT_ID, CLIENT_EMAIL, PRIVATE_KEY_PKCS8, PRIVATE_KEY_ID, EMPTY_SCOPES);
 
-    assertTrue(credentials.createScopedRequired());
+    assertFalse(credentials.createScopedRequired());
   }
 
   @Test

From f17ce66c6f12b48b8c3a7d44e047334dc891ad0f Mon Sep 17 00:00:00 2001
From: arithmetic1728 <liusijun1985@gmail.com>
Date: Wed, 10 Mar 2021 15:55:47 -0800
Subject: [PATCH 05/10] update defaultscopes

---
 .../auth/oauth2/AppEngineCredentials.java     | 38 +++++++++----------
 .../auth/oauth2/ComputeEngineCredentials.java | 30 ++++-----------
 .../auth/oauth2/AppEngineCredentialsTest.java | 14 ++++---
 .../oauth2/ComputeEngineCredentialsTest.java  | 14 +++----
 4 files changed, 42 insertions(+), 54 deletions(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/AppEngineCredentials.java b/oauth2_http/java/com/google/auth/oauth2/AppEngineCredentials.java
index 92f1fde8f..861adba16 100644
--- a/oauth2_http/java/com/google/auth/oauth2/AppEngineCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/AppEngineCredentials.java
@@ -69,7 +69,6 @@ class AppEngineCredentials extends GoogleCredentials implements ServiceAccountSi
   private static final String GET_SIGNATURE_METHOD = "getSignature";
 
   private final Collection<String> scopes;
-  private final Collection<String> defaultScopes;
   private final boolean scopesRequired;
 
   private transient Object appIdentityService;
@@ -82,10 +81,14 @@ class AppEngineCredentials extends GoogleCredentials implements ServiceAccountSi
 
   AppEngineCredentials(Collection<String> scopes, Collection<String> defaultScopes)
       throws IOException {
-    this.scopes = scopes == null ? ImmutableSet.<String>of() : ImmutableList.copyOf(scopes);
-    this.defaultScopes =
-        defaultScopes == null ? ImmutableSet.<String>of() : ImmutableList.copyOf(defaultScopes);
-    this.scopesRequired = this.scopes.isEmpty() && this.defaultScopes.isEmpty();
+    // Use defaultScopes only when scopes don't exist.
+    if (scopes == null || scopes.isEmpty()) {
+      this.scopes =
+          defaultScopes == null ? ImmutableList.<String>of() : ImmutableList.copyOf(defaultScopes);
+    } else {
+      this.scopes = ImmutableList.copyOf(scopes);
+    }
+    this.scopesRequired = this.scopes.isEmpty();
     init();
   }
 
@@ -95,10 +98,14 @@ class AppEngineCredentials extends GoogleCredentials implements ServiceAccountSi
     this.getAccessToken = unscoped.getAccessToken;
     this.getAccessTokenResult = unscoped.getAccessTokenResult;
     this.getExpirationTime = unscoped.getExpirationTime;
-    this.scopes = scopes == null ? ImmutableSet.<String>of() : ImmutableList.copyOf(scopes);
-    this.defaultScopes =
-        defaultScopes == null ? ImmutableSet.<String>of() : ImmutableList.copyOf(defaultScopes);
-    this.scopesRequired = this.scopes.isEmpty() && this.defaultScopes.isEmpty();
+    // Use defaultScopes only when scopes don't exist.
+    if (scopes == null || scopes.isEmpty()) {
+      this.scopes =
+          defaultScopes == null ? ImmutableSet.<String>of() : ImmutableList.copyOf(defaultScopes);
+    } else {
+      this.scopes = ImmutableList.copyOf(scopes);
+    }
+    this.scopesRequired = this.scopes.isEmpty();
   }
 
   private void init() throws IOException {
@@ -136,11 +143,7 @@ public AccessToken refreshAccessToken() throws IOException {
       throw new IOException("AppEngineCredentials requires createScoped call before use.");
     }
     try {
-      Collection<String> scopesToUse = scopes;
-      if (scopes.isEmpty()) {
-        scopesToUse = defaultScopes;
-      }
-      Object accessTokenResult = getAccessTokenResult.invoke(appIdentityService, scopesToUse);
+      Object accessTokenResult = getAccessTokenResult.invoke(appIdentityService, scopes);
       String accessToken = (String) getAccessToken.invoke(accessTokenResult);
       Date expirationTime = (Date) getExpirationTime.invoke(accessTokenResult);
       return new AccessToken(accessToken, expirationTime);
@@ -182,14 +185,13 @@ public byte[] sign(byte[] toSign) {
 
   @Override
   public int hashCode() {
-    return Objects.hash(scopes, defaultScopes, scopesRequired);
+    return Objects.hash(scopes, scopesRequired);
   }
 
   @Override
   public String toString() {
     return MoreObjects.toStringHelper(this)
         .add("scopes", scopes)
-        .add("defaultScopes", defaultScopes)
         .add("scopesRequired", scopesRequired)
         .toString();
   }
@@ -200,9 +202,7 @@ public boolean equals(Object obj) {
       return false;
     }
     AppEngineCredentials other = (AppEngineCredentials) obj;
-    return this.scopesRequired == other.scopesRequired
-        && Objects.equals(this.scopes, other.scopes)
-        && Objects.equals(this.defaultScopes, other.defaultScopes);
+    return this.scopesRequired == other.scopesRequired && Objects.equals(this.scopes, other.scopes);
   }
 
   private void readObject(ObjectInputStream input) throws IOException, ClassNotFoundException {
diff --git a/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
index b8cd494d9..3274dccb7 100644
--- a/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
@@ -99,7 +99,6 @@ public class ComputeEngineCredentials extends GoogleCredentials
   private final String transportFactoryClassName;
 
   private final Collection<String> scopes;
-  private final Collection<String> defaultScopes;
 
   private transient HttpTransportFactory transportFactory;
   private transient String serviceAccountEmail;
@@ -111,7 +110,7 @@ public class ComputeEngineCredentials extends GoogleCredentials
    *     tokens.
    * @param scopes scope strings for the APIs to be called. May be null or an empty collection.
    * @param defaultScopes default scope strings for the APIs to be called. May be null or an empty
-   *     collection.
+   *     collection. Default scopes are ignored if scopes are provided.
    */
   private ComputeEngineCredentials(
       HttpTransportFactory transportFactory,
@@ -122,6 +121,10 @@ private ComputeEngineCredentials(
             transportFactory,
             getFromServiceLoader(HttpTransportFactory.class, OAuth2Utils.HTTP_TRANSPORT_FACTORY));
     this.transportFactoryClassName = this.transportFactory.getClass().getName();
+    // Use defaultScopes only when scopes don't exist.
+    if (scopes == null || scopes.isEmpty()) {
+      scopes = defaultScopes;
+    }
     if (scopes == null) {
       this.scopes = ImmutableSet.<String>of();
     } else {
@@ -129,13 +132,6 @@ private ComputeEngineCredentials(
       scopeList.removeAll(Arrays.asList("", null));
       this.scopes = ImmutableSet.<String>copyOf(scopeList);
     }
-    if (defaultScopes == null) {
-      this.defaultScopes = ImmutableSet.<String>of();
-    } else {
-      List<String> scopeList = new ArrayList<String>(defaultScopes);
-      scopeList.removeAll(Arrays.asList("", null));
-      this.defaultScopes = ImmutableSet.<String>copyOf(scopeList);
-    }
   }
 
   /** Clones the compute engine account with the specified scopes. */
@@ -164,23 +160,15 @@ public final Collection<String> getScopes() {
     return scopes;
   }
 
-  public final Collection<String> getDefaultScopes() {
-    return defaultScopes;
-  }
-
   /**
-   * If scopes or defaultScopes is specified, add "?scopes=comma-separated-list-of-scopes" to the
-   * token url. defaultScopes is not used unless scopes is empty.
+   * If scopes is specified, add "?scopes=comma-separated-list-of-scopes" to the token url.
    *
-   * @return token url with the given scopes or defaultScopes. defaultScopes is not used unless
-   *     scopes is emtpy.
+   * @return token url with the given scopes
    */
   String createTokenUrlWithScopes() {
     GenericUrl tokenUrl = new GenericUrl(getTokenServerEncodedUrl());
     if (!scopes.isEmpty()) {
       tokenUrl.set("scopes", Joiner.on(',').join(scopes));
-    } else if (!defaultScopes.isEmpty()) {
-      tokenUrl.set("scopes", Joiner.on(',').join(defaultScopes));
     }
     return tokenUrl.toString();
   }
@@ -372,8 +360,7 @@ public boolean equals(Object obj) {
     }
     ComputeEngineCredentials other = (ComputeEngineCredentials) obj;
     return Objects.equals(this.transportFactoryClassName, other.transportFactoryClassName)
-        && Objects.equals(this.scopes, other.scopes)
-        && Objects.equals(this.defaultScopes, other.defaultScopes);
+        && Objects.equals(this.scopes, other.scopes);
   }
 
   private void readObject(ObjectInputStream input) throws IOException, ClassNotFoundException {
@@ -473,7 +460,6 @@ protected Builder() {}
     protected Builder(ComputeEngineCredentials credentials) {
       this.transportFactory = credentials.transportFactory;
       this.scopes = credentials.scopes;
-      this.defaultScopes = credentials.defaultScopes;
     }
 
     public Builder setHttpTransportFactory(HttpTransportFactory transportFactory) {
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/AppEngineCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/AppEngineCredentialsTest.java
index 25a85f4ff..82b76d879 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/AppEngineCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/AppEngineCredentialsTest.java
@@ -137,7 +137,13 @@ public void createScoped_defaultScopes() throws IOException {
     TestAppEngineCredentials credentials = new TestAppEngineCredentials(null);
     assertTrue(credentials.createScopedRequired());
 
-    GoogleCredentials newCredentials = credentials.createScoped(SCOPES, DEFAULT_SCOPES);
+    GoogleCredentials newCredentials = credentials.createScoped(null, DEFAULT_SCOPES);
+    assertFalse(newCredentials.createScopedRequired());
+
+    newCredentials = credentials.createScoped(SCOPES, null);
+    assertFalse(newCredentials.createScopedRequired());
+
+    newCredentials = credentials.createScoped(SCOPES, DEFAULT_SCOPES);
     assertFalse(newCredentials.createScopedRequired());
 
     AccessToken accessToken = newCredentials.refreshAccessToken();
@@ -168,11 +174,9 @@ public void equals_false_scopes() throws IOException {
   public void toString_containsFields() throws IOException {
     String expectedToString =
         String.format(
-            "TestAppEngineCredentials{scopes=[%s], defaultScopes=[%s], scopesRequired=%b}",
-            "SomeScope", "SomeDefaultScope", false);
+            "TestAppEngineCredentials{scopes=[%s], scopesRequired=%b}", "SomeScope", false);
     Collection<String> scopes = Collections.singleton("SomeScope");
-    Collection<String> defaultScopes = Collections.singleton("SomeDefaultScope");
-    AppEngineCredentials credentials = new TestAppEngineCredentials(scopes, defaultScopes);
+    AppEngineCredentials credentials = new TestAppEngineCredentials(scopes);
     assertEquals(expectedToString, credentials.toString());
   }
 
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
index 676e0a786..5d56c3690 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
@@ -176,14 +176,12 @@ public void createTokenUrlWithScopes_defaultScopes() {
             .setScopes(null, Arrays.asList(null, "foo", "", "bar"))
             .build();
     Collection<String> scopes = credentials.getScopes();
-    Collection<String> defaultScopes = credentials.getDefaultScopes();
     String tokenUrlWithScopes = credentials.createTokenUrlWithScopes();
 
     assertEquals(TOKEN_URL + "?scopes=foo,bar", tokenUrlWithScopes);
-    assertEquals(0, scopes.size());
-    assertEquals(2, defaultScopes.size());
-    assertEquals("foo", defaultScopes.toArray()[0]);
-    assertEquals("bar", defaultScopes.toArray()[1]);
+    assertEquals(2, scopes.size());
+    assertEquals("foo", scopes.toArray()[0]);
+    assertEquals("bar", scopes.toArray()[1]);
   }
 
   @Test
@@ -207,10 +205,10 @@ public void createScoped_defaultScopes() {
 
     GoogleCredentials credentials =
         ComputeEngineCredentials.create().createScoped(null, Arrays.asList("foo"));
-    Collection<String> defaultScopes = ((ComputeEngineCredentials) credentials).getDefaultScopes();
+    Collection<String> scopes = ((ComputeEngineCredentials) credentials).getScopes();
 
-    assertEquals(1, defaultScopes.size());
-    assertEquals("foo", defaultScopes.toArray()[0]);
+    assertEquals(1, scopes.size());
+    assertEquals("foo", scopes.toArray()[0]);
   }
 
   @Test

From 4754e7823281861a214b4e3fb788847ef242dc01 Mon Sep 17 00:00:00 2001
From: arithmetic1728 <liusijun1985@gmail.com>
Date: Wed, 10 Mar 2021 16:45:44 -0800
Subject: [PATCH 06/10] update default scopes

---
 .../oauth2/ServiceAccountCredentials.java     |  6 +++-
 .../oauth2/ServiceAccountCredentialsTest.java | 29 +++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
index c9b205a3a..8ceb59df8 100644
--- a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
@@ -860,7 +860,11 @@ String createAssertion(JsonFactory jsonFactory, long currentTime, String audienc
     payload.setIssuedAtTimeSeconds(currentTime / 1000);
     payload.setExpirationTimeSeconds(currentTime / 1000 + this.lifetime);
     payload.setSubject(serviceAccountUser);
-    payload.put("scope", Joiner.on(' ').join(scopes));
+    if (scopes.isEmpty()) {
+      payload.put("scope", Joiner.on(' ').join(defaultScopes));
+    } else {
+      payload.put("scope", Joiner.on(' ').join(scopes));
+    }
 
     if (audience == null) {
       payload.setAudience(OAuth2Utils.TOKEN_SERVER_URI.toString());
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
index 256618519..96529919f 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
@@ -256,6 +256,35 @@ public void createAssertion_correct() throws IOException {
     assertEquals(Joiner.on(' ').join(scopes), payload.get("scope"));
   }
 
+  @Test
+  public void createAssertion_defaultScopes_correct() throws IOException {
+    PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(PRIVATE_KEY_PKCS8);
+    List<String> scopes = Arrays.asList("scope1", "scope2");
+    ServiceAccountCredentials credentials =
+        ServiceAccountCredentials.newBuilder()
+            .setClientId(CLIENT_ID)
+            .setClientEmail(CLIENT_EMAIL)
+            .setPrivateKey(privateKey)
+            .setPrivateKeyId(PRIVATE_KEY_ID)
+            .setScopes(null, scopes)
+            .setServiceAccountUser(USER)
+            .setProjectId(PROJECT_ID)
+            .build();
+
+    JsonFactory jsonFactory = OAuth2Utils.JSON_FACTORY;
+    long currentTimeMillis = Clock.SYSTEM.currentTimeMillis();
+    String assertion = credentials.createAssertion(jsonFactory, currentTimeMillis, null);
+
+    JsonWebSignature signature = JsonWebSignature.parse(jsonFactory, assertion);
+    JsonWebToken.Payload payload = signature.getPayload();
+    assertEquals(CLIENT_EMAIL, payload.getIssuer());
+    assertEquals(OAuth2Utils.TOKEN_SERVER_URI.toString(), payload.getAudience());
+    assertEquals(currentTimeMillis / 1000, (long) payload.getIssuedAtTimeSeconds());
+    assertEquals(currentTimeMillis / 1000 + 3600, (long) payload.getExpirationTimeSeconds());
+    assertEquals(USER, payload.getSubject());
+    assertEquals(Joiner.on(' ').join(scopes), payload.get("scope"));
+  }
+
   @Test
   public void createAssertion_custom_lifetime() throws IOException {
     ServiceAccountCredentials credentials = createDefaultBuilder().setLifetime(4000).build();

From 44095071cbe2c6e55fb880e87268f2562e832ab5 Mon Sep 17 00:00:00 2001
From: arithmetic1728 <liusijun1985@gmail.com>
Date: Mon, 15 Mar 2021 12:01:21 -0700
Subject: [PATCH 07/10] update

---
 .../oauth2/ServiceAccountCredentials.java     | 21 ++-----------------
 .../ServiceAccountJwtAccessCredentials.java   | 21 ++++++++++++++++++-
 .../oauth2/ServiceAccountCredentialsTest.java |  9 --------
 ...erviceAccountJwtAccessCredentialsTest.java | 16 +++++++++++---
 4 files changed, 35 insertions(+), 32 deletions(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
index 8ceb59df8..aa9043611 100644
--- a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
@@ -915,28 +915,11 @@ String createAssertionForIdToken(
     }
   }
 
-  /**
-   * Self signed JWT uses uri as audience, and it should have the "https://{host}/" format. For
-   * instance, if the uri is "https://compute.googleapis.com/compute/v1/projects/", then this
-   * function returns "https://compute.googleapis.com/".
-   */
-  @VisibleForTesting
-  static URI getUriForSelfSignedJWT(URI uri) {
-    if (uri == null) {
-      return uri;
-    }
-    try {
-      return new URI(uri.getScheme(), uri.getHost(), "/", null);
-    } catch (URISyntaxException unused) {
-      return uri;
-    }
-  }
-
   @Override
   public void getRequestMetadata(
       final URI uri, Executor executor, final RequestMetadataCallback callback) {
     if (jwtCredentials != null && uri != null) {
-      jwtCredentials.getRequestMetadata(getUriForSelfSignedJWT(uri), executor, callback);
+      jwtCredentials.getRequestMetadata(uri, executor, callback);
     } else {
       super.getRequestMetadata(uri, executor, callback);
     }
@@ -952,7 +935,7 @@ public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException
               + " by calling createScoped or passing scopes to constructor.");
     }
     if (jwtCredentials != null && uri != null) {
-      return jwtCredentials.getRequestMetadata(getUriForSelfSignedJWT(uri));
+      return jwtCredentials.getRequestMetadata(uri);
     } else {
       return super.getRequestMetadata(uri);
     }
diff --git a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java
index 707b657a7..c46c32218 100644
--- a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java
@@ -54,6 +54,7 @@
 import java.io.InputStream;
 import java.io.ObjectInputStream;
 import java.net.URI;
+import java.net.URISyntaxException;
 import java.nio.charset.StandardCharsets;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
@@ -331,17 +332,35 @@ public boolean hasRequestMetadataOnly() {
     return true;
   }
 
+  /**
+   * Self signed JWT uses uri as audience, and it should have the "https://{host}/" format. For
+   * instance, if the uri is "https://compute.googleapis.com/compute/v1/projects/", then this
+   * function returns "https://compute.googleapis.com/".
+   */
+  @VisibleForTesting
+  static URI getUriForSelfSignedJWT(URI uri) {
+    if (uri == null) {
+      return uri;
+    }
+    try {
+      return new URI(uri.getScheme(), uri.getHost(), "/", null);
+    } catch (URISyntaxException unused) {
+      return uri;
+    }
+  }
+
   @Override
   public void getRequestMetadata(
       final URI uri, Executor executor, final RequestMetadataCallback callback) {
     // It doesn't use network. Only some CPU work on par with TLS handshake. So it's preferrable
     // to do it in the current thread, which is likely to be the network thread.
-    blockingGetToCallback(uri, callback);
+    blockingGetToCallback(getUriForSelfSignedJWT(uri), callback);
   }
 
   /** Provide the request metadata by putting an access JWT directly in the metadata. */
   @Override
   public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException {
+    uri = getUriForSelfSignedJWT(uri);
     if (uri == null) {
       if (defaultAudience != null) {
         uri = defaultAudience;
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
index 96529919f..b7368c863 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
@@ -1330,15 +1330,6 @@ public void onFailure(Throwable exception) {
     assertTrue("Should have run onSuccess() callback", success.get());
   }
 
-  @Test
-  public void getUriForSelfSignedJWT() {
-    assertNull(ServiceAccountCredentials.getUriForSelfSignedJWT(null));
-
-    URI uri = URI.create("https://compute.googleapis.com/compute/v1/projects/");
-    URI expected = URI.create("https://compute.googleapis.com/");
-    assertEquals(expected, ServiceAccountCredentials.getUriForSelfSignedJWT(uri));
-  }
-
   private void verifyJwtAccess(Map<String, List<String>> metadata) throws IOException {
     assertNotNull(metadata);
     List<String> authorizations = metadata.get(AuthHttpConstants.AUTHORIZATION);
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountJwtAccessCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountJwtAccessCredentialsTest.java
index 5020317f2..4e9aa93b1 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountJwtAccessCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountJwtAccessCredentialsTest.java
@@ -92,6 +92,7 @@ public class ServiceAccountJwtAccessCredentialsTest extends BaseSerializationTes
   private static final String JWT_ACCESS_PREFIX =
       ServiceAccountJwtAccessCredentials.JWT_ACCESS_PREFIX;
   private static final URI CALL_URI = URI.create("http://googleapis.com/testapi/v1/foo");
+  private static final URI CALL_URI_AUDIENCE = URI.create("http://googleapis.com/");
   private static final JsonFactory JSON_FACTORY = GsonFactory.getDefaultInstance();
   private static final String QUOTA_PROJECT = "sample-quota-project-id";
 
@@ -171,6 +172,15 @@ public void getAuthenticationType_returnsJwtAccess() throws IOException {
     assertEquals(credentials.getAuthenticationType(), "JWTAccess");
   }
 
+  @Test
+  public void getUriForSelfSignedJWT() {
+    assertNull(ServiceAccountJwtAccessCredentials.getUriForSelfSignedJWT(null));
+
+    URI uri = URI.create("https://compute.googleapis.com/compute/v1/projects/");
+    URI expected = URI.create("https://compute.googleapis.com/");
+    assertEquals(expected, ServiceAccountJwtAccessCredentials.getUriForSelfSignedJWT(uri));
+  }
+
   @Test
   public void hasRequestMetadata_returnsTrue() throws IOException {
     Credentials credentials =
@@ -200,7 +210,7 @@ public void getRequestMetadata_blocking_hasJwtAccess() throws IOException {
 
     Map<String, List<String>> metadata = credentials.getRequestMetadata(CALL_URI);
 
-    verifyJwtAccess(metadata, SA_CLIENT_EMAIL, CALL_URI, SA_PRIVATE_KEY_ID);
+    verifyJwtAccess(metadata, SA_CLIENT_EMAIL, CALL_URI_AUDIENCE, SA_PRIVATE_KEY_ID);
   }
 
   @Test
@@ -305,7 +315,7 @@ public void getRequestMetadata_async_hasJwtAccess() throws IOException {
     credentials.getRequestMetadata(CALL_URI, executor, callback);
     assertEquals(0, executor.numTasks());
     assertNotNull(callback.metadata);
-    verifyJwtAccess(callback.metadata, SA_CLIENT_EMAIL, CALL_URI, SA_PRIVATE_KEY_ID);
+    verifyJwtAccess(callback.metadata, SA_CLIENT_EMAIL, CALL_URI_AUDIENCE, SA_PRIVATE_KEY_ID);
   }
 
   @Test
@@ -654,7 +664,7 @@ public void fromStream_hasJwtAccess() throws IOException {
 
     assertNotNull(credentials);
     Map<String, List<String>> metadata = credentials.getRequestMetadata(CALL_URI);
-    verifyJwtAccess(metadata, SA_CLIENT_EMAIL, CALL_URI, SA_PRIVATE_KEY_ID);
+    verifyJwtAccess(metadata, SA_CLIENT_EMAIL, CALL_URI_AUDIENCE, SA_PRIVATE_KEY_ID);
   }
 
   @Test

From e6b6000ddcb35aab4fc91b68a7d7e8cd89fdeecc Mon Sep 17 00:00:00 2001
From: arithmetic1728 <liusijun1985@gmail.com>
Date: Mon, 15 Mar 2021 12:31:39 -0700
Subject: [PATCH 08/10] update ComputeEngineCredentials

---
 .../auth/oauth2/ComputeEngineCredentials.java      | 14 +-------------
 .../auth/oauth2/ComputeEngineCredentialsTest.java  | 13 ++++---------
 2 files changed, 5 insertions(+), 22 deletions(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
index 3274dccb7..01988d1f4 100644
--- a/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
@@ -453,7 +453,6 @@ private String getDefaultServiceAccount() throws IOException {
   public static class Builder extends GoogleCredentials.Builder {
     private HttpTransportFactory transportFactory;
     private Collection<String> scopes;
-    private Collection<String> defaultScopes;
 
     protected Builder() {}
 
@@ -469,13 +468,6 @@ public Builder setHttpTransportFactory(HttpTransportFactory transportFactory) {
 
     public Builder setScopes(Collection<String> scopes) {
       this.scopes = scopes;
-      this.defaultScopes = null;
-      return this;
-    }
-
-    public Builder setScopes(Collection<String> scopes, Collection<String> defaultScopes) {
-      this.scopes = scopes;
-      this.defaultScopes = defaultScopes;
       return this;
     }
 
@@ -487,12 +479,8 @@ public Collection<String> getScopes() {
       return scopes;
     }
 
-    public Collection<String> getDefaultScopes() {
-      return defaultScopes;
-    }
-
     public ComputeEngineCredentials build() {
-      return new ComputeEngineCredentials(transportFactory, scopes, defaultScopes);
+      return new ComputeEngineCredentials(transportFactory, scopes, null);
     }
   }
 }
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
index 5d56c3690..41ff946b0 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
@@ -171,10 +171,10 @@ public void createTokenUrlWithScopes_multiple_scopes() {
 
   @Test
   public void createTokenUrlWithScopes_defaultScopes() {
-    ComputeEngineCredentials credentials =
-        ComputeEngineCredentials.newBuilder()
-            .setScopes(null, Arrays.asList(null, "foo", "", "bar"))
-            .build();
+    ComputeEngineCredentials credentials = ComputeEngineCredentials.newBuilder().build();
+    credentials =
+        (ComputeEngineCredentials)
+            credentials.createScoped(null, Arrays.asList(null, "foo", "", "bar"));
     Collection<String> scopes = credentials.getScopes();
     String tokenUrlWithScopes = credentials.createTokenUrlWithScopes();
 
@@ -198,11 +198,6 @@ public void createScoped() {
 
   @Test
   public void createScoped_defaultScopes() {
-    ComputeEngineCredentials.Builder builder =
-        ComputeEngineCredentials.newBuilder().setScopes(null, Arrays.asList("foo"));
-    assertEquals(1, builder.getDefaultScopes().size());
-    assertEquals("foo", builder.getDefaultScopes().toArray()[0]);
-
     GoogleCredentials credentials =
         ComputeEngineCredentials.create().createScoped(null, Arrays.asList("foo"));
     Collection<String> scopes = ((ComputeEngineCredentials) credentials).getScopes();

From 4952a70768e1d46b49468517443c6634daba39c6 Mon Sep 17 00:00:00 2001
From: arithmetic1728 <liusijun1985@gmail.com>
Date: Mon, 15 Mar 2021 13:43:11 -0700
Subject: [PATCH 09/10] improve test coverage

---
 .../google/auth/oauth2/ServiceAccountCredentialsTest.java  | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
index b7368c863..904093154 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
@@ -260,7 +260,7 @@ public void createAssertion_correct() throws IOException {
   public void createAssertion_defaultScopes_correct() throws IOException {
     PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(PRIVATE_KEY_PKCS8);
     List<String> scopes = Arrays.asList("scope1", "scope2");
-    ServiceAccountCredentials credentials =
+    ServiceAccountCredentials.Builder builder =
         ServiceAccountCredentials.newBuilder()
             .setClientId(CLIENT_ID)
             .setClientEmail(CLIENT_EMAIL)
@@ -268,8 +268,9 @@ public void createAssertion_defaultScopes_correct() throws IOException {
             .setPrivateKeyId(PRIVATE_KEY_ID)
             .setScopes(null, scopes)
             .setServiceAccountUser(USER)
-            .setProjectId(PROJECT_ID)
-            .build();
+            .setProjectId(PROJECT_ID);
+    assertEquals(2, builder.getDefaultScopes().size());
+    ServiceAccountCredentials credentials = builder.build();
 
     JsonFactory jsonFactory = OAuth2Utils.JSON_FACTORY;
     long currentTimeMillis = Clock.SYSTEM.currentTimeMillis();

From 8af2eaae16f8b6e9042e6d90225c398807ccce34 Mon Sep 17 00:00:00 2001
From: arithmetic1728 <liusijun1985@gmail.com>
Date: Mon, 15 Mar 2021 23:12:38 -0700
Subject: [PATCH 10/10] update

---
 .../google/auth/oauth2/ServiceAccountJwtAccessCredentials.java  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java
index c46c32218..c4f024256 100644
--- a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java
@@ -333,7 +333,7 @@ public boolean hasRequestMetadataOnly() {
   }
 
   /**
-   * Self signed JWT uses uri as audience, and it should have the "https://{host}/" format. For
+   * Self signed JWT uses uri as audience, which should have the "https://{host}/" format. For
    * instance, if the uri is "https://compute.googleapis.com/compute/v1/projects/", then this
    * function returns "https://compute.googleapis.com/".
    */