Merge branch 'main' into add-cumulative-hasher-grpc-flow

Author: Dhriti07

google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java

@@ -328,7 +328,7 @@ private InputStream getUserCredentialsStream() throws IOException {
       json.put("client_secret", clientSecret);
     }
     if (quotaProjectId != null) {
-      json.put("quota_project", clientSecret);
+      json.put("quota_project_id", quotaProjectId);
     }
     json.setFactory(JSON_FACTORY);
     String text = json.toPrettyString();

google-auth-library-java/oauth2_http/javatests/com/google/auth/oauth2/DefaultCredentialsProviderTest.java

@@ -387,6 +387,7 @@ void getDefaultCredentials_GdchServiceAccount() throws IOException {
     assertNotNull(((GdchCredentials) defaultCredentials).getApiAudience());
   }
 
+  @Test
   void getDefaultCredentials_quota_project() throws IOException {
     InputStream userStream =
         UserCredentialsTest.writeUserStream(

google-auth-library-java/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java

@@ -1762,6 +1762,17 @@ void createScopes_existingAccessTokenInvalidated() throws IOException {
     assertNull(newAccessToken);
   }
 
+  @Test
+  void getRequestMetadata_withMultipleScopes_selfSignedJWT() throws IOException {
+    List<String> scopes = Arrays.asList("scope1", "scope2");
+    ServiceAccountCredentials credentials =
+        createDefaultBuilderWithKey(OAuth2Utils.privateKeyFromPkcs8(PRIVATE_KEY_PKCS8))
+            .setScopes(scopes)
+            .setUseJwtAccessWithScope(true)
+            .build();
+    verifyJwtAccess(credentials.getRequestMetadata(CALL_URI), "scope1 scope2");
+  }
+
   private void verifyJwtAccess(Map<String, List<String>> metadata, String expectedScopeClaim)
       throws IOException {
     assertNotNull(metadata);
@@ -1777,6 +1788,8 @@ private void verifyJwtAccess(Map<String, List<String>> metadata, String expected
     assertNotNull(assertion, "Bearer assertion not found");
     JsonWebSignature signature =
         JsonWebSignature.parse(GsonFactory.getDefaultInstance(), assertion);
+    assertEquals("RS256", signature.getHeader().getAlgorithm());
+    assertEquals("JWT", signature.getHeader().getType());
     assertEquals(CLIENT_EMAIL, signature.getPayload().getIssuer());
     assertEquals(CLIENT_EMAIL, signature.getPayload().getSubject());
     if (expectedScopeClaim != null) {
@@ -1787,6 +1800,14 @@ private void verifyJwtAccess(Map<String, List<String>> metadata, String expected
       assertFalse(signature.getPayload().containsKey("scope"));
     }
     assertEquals(PRIVATE_KEY_ID, signature.getHeader().getKeyId());
+
+    Long iat = signature.getPayload().getIssuedAtTimeSeconds();
+    Long exp = signature.getPayload().getExpirationTimeSeconds();
+    assertNotNull(iat);
+    assertNotNull(exp);
+    assertEquals(3600L, exp - iat);
+    long currentTimeSecs = System.currentTimeMillis() / 1000;
+    assertTrue(Math.abs(currentTimeSecs - iat) < 60);
   }
 
   static GenericJson writeServiceAccountJson(

google-auth-library-java/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountJwtAccessCredentialsTest.java

@@ -914,6 +914,8 @@ private void verifyJwtAccess(Map<String, List<String>> metadata, URI expectedAud
     }
     assertNotNull(assertion, "Bearer assertion not found");
     JsonWebSignature signature = JsonWebSignature.parse(JSON_FACTORY, assertion);
+    assertEquals("RS256", signature.getHeader().getAlgorithm());
+    assertEquals("JWT", signature.getHeader().getType());
     assertEquals(
         ServiceAccountJwtAccessCredentialsTest.SA_CLIENT_EMAIL, signature.getPayload().getIssuer());
     assertEquals(
@@ -922,6 +924,14 @@ private void verifyJwtAccess(Map<String, List<String>> metadata, URI expectedAud
     assertEquals(expectedAudience.toString(), signature.getPayload().getAudience());
     assertEquals(
         ServiceAccountJwtAccessCredentialsTest.SA_PRIVATE_KEY_ID, signature.getHeader().getKeyId());
+
+    Long iat = signature.getPayload().getIssuedAtTimeSeconds();
+    Long exp = signature.getPayload().getExpirationTimeSeconds();
+    assertNotNull(iat);
+    assertNotNull(exp);
+    assertEquals(3600L, exp - iat);
+    long currentTimeSecs = System.currentTimeMillis() / 1000;
+    assertTrue(Math.abs(currentTimeSecs - iat) < 60);
   }
 
   private static void testFromStreamException(InputStream stream, String expectedMessageContent) {

google-auth-library-java/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java

@@ -635,6 +635,7 @@ void saveAndRestoreUserCredential_saveAndRestored_doesNotThrow() throws IOExcept
             .setClientId(CLIENT_ID)
             .setClientSecret(CLIENT_SECRET)
             .setRefreshToken(REFRESH_TOKEN)
+            .setQuotaProjectId(QUOTA_PROJECT)
             .build();
 
     File file = File.createTempFile("GOOGLE_APPLICATION_CREDENTIALS", null, null);
@@ -649,6 +650,7 @@ void saveAndRestoreUserCredential_saveAndRestored_doesNotThrow() throws IOExcept
       assertEquals(userCredentials.getClientId(), restoredCredentials.getClientId());
       assertEquals(userCredentials.getClientSecret(), restoredCredentials.getClientSecret());
       assertEquals(userCredentials.getRefreshToken(), restoredCredentials.getRefreshToken());
+      assertEquals(userCredentials.getQuotaProjectId(), restoredCredentials.getQuotaProjectId());
     }
   }