fix(auth): skip impersonate universe domain check if empty (#11086)

auth/credentials/impersonate/impersonate.go

@@ -76,10 +76,8 @@ func NewCredentials(opts *CredentialsOptions) (*auth.Credentials, error) {
 				return nil, err
 			}
 		}
-		client, err = httptransport.NewClient(&httptransport.Options{
-			Credentials:    creds,
-			UniverseDomain: opts.UniverseDomain,
-		})
+
+		client, err = httptransport.NewClient(transportOpts(opts, creds))
 		if err != nil {
 			return nil, err
 		}
@@ -124,6 +122,24 @@ func NewCredentials(opts *CredentialsOptions) (*auth.Credentials, error) {
 	}), nil
 }
 
+// transportOpts returns options for httptransport.NewClient. If opts.UniverseDomain
+// is provided, it will be used in the transport for a validation ensuring that it
+// matches the universe domain in the base credentials. If opts.UniverseDomain
+// is not provided, this validation will be skipped.
+func transportOpts(opts *CredentialsOptions, creds *auth.Credentials) *httptransport.Options {
+	tOpts := &httptransport.Options{
+		Credentials: creds,
+	}
+	if opts.UniverseDomain == "" {
+		tOpts.InternalOptions = &httptransport.InternalOptions{
+			SkipUniverseDomainValidation: true,
+		}
+	} else {
+		tOpts.UniverseDomain = opts.UniverseDomain
+	}
+	return tOpts
+}
+
 // resolveUniverseDomainProvider returns the default service domain for a given
 // Cloud universe. This is the universe domain configured for the credentials,
 // which will be used in endpoint(s), and compared to the universe domain that

auth/httptransport/httptransport.go

@@ -147,8 +147,13 @@ type InternalOptions struct {
 	// service.
 	DefaultScopes []string
 	// SkipValidation bypasses validation on Options. It should only be used
-	// internally for clients that needs more control over their transport.
+	// internally for clients that need more control over their transport.
 	SkipValidation bool
+	// SkipUniverseDomainValidation skips the verification that the universe
+	// domain configured for the client matches the universe domain configured
+	// for the credentials. It should only be used internally for clients that
+	// need more control over their transport. The default is false.
+	SkipUniverseDomainValidation bool
 }
 
 // AddAuthorizationMiddleware adds a middleware to the provided client's

auth/httptransport/transport.go

@@ -86,11 +86,16 @@ func newTransport(base http.RoundTripper, opts *Options) (http.RoundTripper, err
 				headers.Set(quotaProjectHeaderKey, qp)
 			}
 		}
+		var skipUD bool
+		if iOpts := opts.InternalOptions; iOpts != nil {
+			skipUD = iOpts.SkipUniverseDomainValidation
+		}
 		creds.TokenProvider = auth.NewCachedTokenProvider(creds.TokenProvider, nil)
 		trans = &authTransport{
-			base:                 trans,
-			creds:                creds,
-			clientUniverseDomain: opts.UniverseDomain,
+			base:                         trans,
+			creds:                        creds,
+			clientUniverseDomain:         opts.UniverseDomain,
+			skipUniverseDomainValidation: skipUD,
 		}
 	}
 	return trans, nil
@@ -185,9 +190,10 @@ func addOCTransport(trans http.RoundTripper, opts *Options) http.RoundTripper {
 }
 
 type authTransport struct {
-	creds                *auth.Credentials
-	base                 http.RoundTripper
-	clientUniverseDomain string
+	creds                        *auth.Credentials
+	base                         http.RoundTripper
+	clientUniverseDomain         string
+	skipUniverseDomainValidation bool
 }
 
 // getClientUniverseDomain returns the default service domain for a given Cloud
@@ -226,7 +232,7 @@ func (t *authTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 	if err != nil {
 		return nil, err
 	}
-	if token.MetadataString("auth.google.tokenSource") != "compute-metadata" {
+	if !t.skipUniverseDomainValidation && token.MetadataString("auth.google.tokenSource") != "compute-metadata" {
 		credentialsUniverseDomain, err := t.creds.UniverseDomain(req.Context())
 		if err != nil {
 			return nil, err