From 397694b482cef3c05e0ce7fc6e5843b6943dae86 Mon Sep 17 00:00:00 2001
From: Guillaume Blaqueire <guillaume.blaquiere@gmail.com>
Date: Fri, 28 Aug 2020 16:55:06 +0200
Subject: [PATCH 1/9] Feat: add signed id token capability on UserCredentials
 class.

idTokenWithAudience method not tested (I don't know how to do this to be useful)

Depend on this update https://github.com/googleapis/google-http-java-client/pull/1100
---
 .../google/auth/oauth2/UserCredentials.java   | 112 ++++++++++++++++--
 .../auth/oauth2/UserCredentialsTest.java      |  46 ++++++-
 2 files changed, 145 insertions(+), 13 deletions(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
index 5010a9ae6..47be683fe 100644
--- a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
@@ -35,34 +35,36 @@
 import static com.google.auth.oauth2.OAuth2Utils.UTF_8;
 import static com.google.common.base.MoreObjects.firstNonNull;
 
-import com.google.api.client.http.GenericUrl;
-import com.google.api.client.http.HttpRequest;
-import com.google.api.client.http.HttpRequestFactory;
-import com.google.api.client.http.HttpResponse;
-import com.google.api.client.http.UrlEncodedContent;
+import com.google.api.client.http.*;
 import com.google.api.client.json.GenericJson;
 import com.google.api.client.json.JsonFactory;
 import com.google.api.client.json.JsonObjectParser;
 import com.google.api.client.util.GenericData;
 import com.google.api.client.util.Preconditions;
 import com.google.auth.http.HttpTransportFactory;
+import com.google.common.annotations.Beta;
 import com.google.common.base.MoreObjects;
+import com.google.common.collect.ImmutableSet;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.ObjectInputStream;
 import java.net.URI;
-import java.util.Date;
-import java.util.List;
-import java.util.Map;
-import java.util.Objects;
+import java.util.*;
 
 /** OAuth2 Credentials representing a user's identity and consent. */
-public class UserCredentials extends GoogleCredentials implements QuotaProjectIdProvider {
+public class UserCredentials extends GoogleCredentials
+    implements QuotaProjectIdProvider, IdTokenProvider {
 
   private static final String GRANT_TYPE = "refresh_token";
   private static final String PARSE_ERROR_PREFIX = "Error parsing token refresh response. ";
   private static final long serialVersionUID = -4800758775038679176L;
+  public static final String GOOGLE_CLIENT_ID = "32555940559.apps.googleusercontent.com";
+  public static final String GOOGLE_CLIENT_SECRET = "ZmssLNjJy2998hD4CTg2ejr2";
+  public static final Collection<String> GOOGLE_DEFAULT_SCOPES =
+      ImmutableSet.<String>of(
+          "https://www.googleapis.com/auth/userinfo.email",
+          "https://www.googleapis.com/auth/accounts.reauth");
 
   private final String clientId;
   private final String clientSecret;
@@ -70,6 +72,7 @@ public class UserCredentials extends GoogleCredentials implements QuotaProjectId
   private final URI tokenServerUri;
   private final String transportFactoryClassName;
   private final String quotaProjectId;
+  private final Collection<String> scopes;
 
   private transient HttpTransportFactory transportFactory;
 
@@ -89,6 +92,7 @@ private UserCredentials(
       String clientSecret,
       String refreshToken,
       AccessToken accessToken,
+      Collection<String> scopes,
       HttpTransportFactory transportFactory,
       URI tokenServerUri,
       String quotaProjectId) {
@@ -96,6 +100,13 @@ private UserCredentials(
     this.clientId = Preconditions.checkNotNull(clientId);
     this.clientSecret = Preconditions.checkNotNull(clientSecret);
     this.refreshToken = refreshToken;
+    // Merge the scope with the default and mandatory ones.
+    Collection<String> mergedScopes = new ArrayList<>();
+    mergedScopes.addAll(GOOGLE_DEFAULT_SCOPES);
+    if (scopes != null) {
+      mergedScopes.addAll(scopes);
+    }
+    this.scopes = ImmutableSet.copyOf(mergedScopes);
     this.transportFactory =
         firstNonNull(
             transportFactory,
@@ -261,6 +272,7 @@ private InputStream getUserCredentialsStream() throws IOException {
     if (quotaProjectId != null) {
       json.put("quota_project", clientSecret);
     }
+    json.put("scopes", scopes);
     json.setFactory(JSON_FACTORY);
     String text = json.toPrettyString();
     return new ByteArrayInputStream(text.getBytes(UTF_8));
@@ -290,6 +302,7 @@ public int hashCode() {
         clientSecret,
         refreshToken,
         tokenServerUri,
+        scopes,
         transportFactoryClassName,
         quotaProjectId);
   }
@@ -304,6 +317,7 @@ public String toString() {
         .add("tokenServerUri", tokenServerUri)
         .add("transportFactoryClassName", transportFactoryClassName)
         .add("quotaProjectId", quotaProjectId)
+        .add("scopes", scopes)
         .toString();
   }
 
@@ -319,6 +333,7 @@ public boolean equals(Object obj) {
         && Objects.equals(this.refreshToken, other.refreshToken)
         && Objects.equals(this.tokenServerUri, other.tokenServerUri)
         && Objects.equals(this.transportFactoryClassName, other.transportFactoryClassName)
+        && Objects.equals(this.scopes, other.scopes)
         && Objects.equals(this.quotaProjectId, other.quotaProjectId);
   }
 
@@ -340,6 +355,71 @@ public String getQuotaProjectId() {
     return quotaProjectId;
   }
 
+  /**
+   * Clone the UserCredential with the specified scopes.
+   *
+   * <p>Should be called before use for instances with empty scopes.
+   */
+  @Override
+  /*  public GoogleCredentials createScoped(Collection<String> newScopes) {
+
+    this.scopes = scopes;
+    return this;
+  }*/
+
+  public GoogleCredentials createScoped(Collection<String> newScopes) {
+    return new UserCredentials(
+        clientId,
+        clientSecret,
+        refreshToken,
+        getAccessToken(),
+        newScopes,
+        transportFactory,
+        tokenServerUri,
+        quotaProjectId);
+  }
+
+  /**
+   * Returns a Google ID Token from the user credential
+   *
+   * @param targetAudience currently unused for UserCredential.
+   * @param options list of Credential specific options for for the token. Currently unused for
+   *     UserCredentials.
+   * @throws IOException if the attempt to get an IdToken failed
+   * @return IdToken object which includes the raw id_token and expiration
+   */
+  @Beta
+  @Override
+  public IdToken idTokenWithAudience(String targetAudience, List<Option> options)
+      throws IOException {
+    JsonFactory jsonFactory = OAuth2Utils.JSON_FACTORY;
+
+    GenericData tokenRequest = new GenericData();
+    tokenRequest.set("grant_type", GRANT_TYPE);
+    tokenRequest.set("client_id", GOOGLE_CLIENT_ID);
+    tokenRequest.set("client_secret", GOOGLE_CLIENT_SECRET);
+    tokenRequest.set("refresh_token", this.refreshToken);
+    // build scope value
+    Iterator<String> it = this.scopes.iterator();
+    String customScopes = it.next();
+    while (it.hasNext()) {
+      customScopes += "+" + it.next();
+    }
+    tokenRequest.set("scope", customScopes);
+
+    UrlEncodedContent content = new UrlEncodedContent(tokenRequest, true);
+
+    HttpRequestFactory requestFactory = transportFactory.create().createRequestFactory();
+    HttpRequest request = requestFactory.buildPostRequest(new GenericUrl(tokenServerUri), content);
+    request.setParser(new JsonObjectParser(jsonFactory));
+    request.setCurlLoggingEnabled(true);
+    HttpResponse response = request.execute();
+
+    GenericData responseData = response.parseAs(GenericData.class);
+    String rawToken = OAuth2Utils.validateString(responseData, "id_token", PARSE_ERROR_PREFIX);
+    return IdToken.create(rawToken);
+  }
+
   public static class Builder extends GoogleCredentials.Builder {
 
     private String clientId;
@@ -348,6 +428,7 @@ public static class Builder extends GoogleCredentials.Builder {
     private URI tokenServerUri;
     private HttpTransportFactory transportFactory;
     private String quotaProjectId;
+    private Collection<String> scopes;
 
     protected Builder() {}
 
@@ -358,6 +439,7 @@ protected Builder(UserCredentials credentials) {
       this.transportFactory = credentials.transportFactory;
       this.tokenServerUri = credentials.tokenServerUri;
       this.quotaProjectId = credentials.quotaProjectId;
+      this.scopes = credentials.scopes;
     }
 
     public Builder setClientId(String clientId) {
@@ -395,6 +477,11 @@ public Builder setQuotaProjectId(String quotaProjectId) {
       return this;
     }
 
+    public Builder setScopes(Collection<String> scopes) {
+      this.scopes = scopes;
+      return this;
+    }
+
     public String getClientId() {
       return clientId;
     }
@@ -419,12 +506,17 @@ public String getQuotaProjectId() {
       return quotaProjectId;
     }
 
+    public Collection<String> getScopes() {
+      return scopes;
+    }
+
     public UserCredentials build() {
       return new UserCredentials(
           clientId,
           clientSecret,
           refreshToken,
           getAccessToken(),
+          scopes,
           transportFactory,
           tokenServerUri,
           quotaProjectId);
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
index 92e8ebe73..c760657cd 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
@@ -46,6 +46,7 @@
 import com.google.auth.oauth2.GoogleCredentialsTest.MockTokenServerTransportFactory;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
 import java.io.ByteArrayInputStream;
 import java.io.File;
 import java.io.FileInputStream;
@@ -71,6 +72,10 @@ public class UserCredentialsTest extends BaseSerializationTest {
   private static final String QUOTA_PROJECT = "sample-quota-project-id";
   private static final Collection<String> SCOPES = Collections.singletonList("dummy.scope");
   private static final URI CALL_URI = URI.create("http://googleapis.com/testapi/v1/foo");
+  public static final Collection<String> DEFAULT_SCOPES =
+      ImmutableSet.<String>of(
+          "https://www.googleapis.com/auth/userinfo.email",
+          "https://www.googleapis.com/auth/accounts.reauth");
 
   @Test(expected = IllegalStateException.class)
   public void constructor_accessAndRefreshTokenNull_throws() {
@@ -99,8 +104,9 @@ public void createScoped_same() {
             .setClientId(CLIENT_ID)
             .setClientSecret(CLIENT_SECRET)
             .setRefreshToken(REFRESH_TOKEN)
+            .setScopes(SCOPES)
             .build();
-    assertSame(userCredentials, userCredentials.createScoped(SCOPES));
+    assertEquals(userCredentials, userCredentials.createScoped(SCOPES));
   }
 
   @Test
@@ -232,6 +238,7 @@ public void equals_true() throws IOException {
             .setClientSecret(CLIENT_SECRET)
             .setRefreshToken(REFRESH_TOKEN)
             .setAccessToken(accessToken)
+            .setScopes(SCOPES)
             .setHttpTransportFactory(transportFactory)
             .setTokenServerUri(tokenServer)
             .setQuotaProjectId(QUOTA_PROJECT)
@@ -242,6 +249,7 @@ public void equals_true() throws IOException {
             .setClientSecret(CLIENT_SECRET)
             .setRefreshToken(REFRESH_TOKEN)
             .setAccessToken(accessToken)
+            .setScopes(SCOPES)
             .setHttpTransportFactory(transportFactory)
             .setTokenServerUri(tokenServer)
             .setQuotaProjectId(QUOTA_PROJECT)
@@ -331,6 +339,34 @@ public void equals_false_refreshToken() throws IOException {
     assertFalse(otherCredentials.equals(credentials));
   }
 
+  @Test
+  public void equals_false_scopes() throws IOException {
+    final URI tokenServer1 = URI.create("https://foo1.com/bar");
+    AccessToken accessToken = new AccessToken(ACCESS_TOKEN, null);
+    MockHttpTransportFactory httpTransportFactory = new MockHttpTransportFactory();
+    OAuth2Credentials credentials =
+        UserCredentials.newBuilder()
+            .setClientId(CLIENT_ID)
+            .setClientSecret(CLIENT_SECRET)
+            .setRefreshToken(REFRESH_TOKEN)
+            .setAccessToken(accessToken)
+            .setScopes(SCOPES)
+            .setHttpTransportFactory(httpTransportFactory)
+            .setTokenServerUri(tokenServer1)
+            .build();
+    OAuth2Credentials otherCredentials =
+        UserCredentials.newBuilder()
+            .setClientId(CLIENT_ID)
+            .setClientSecret(CLIENT_SECRET)
+            .setRefreshToken("otherRefreshToken")
+            .setAccessToken(accessToken)
+            .setHttpTransportFactory(httpTransportFactory)
+            .setTokenServerUri(tokenServer1)
+            .build();
+    assertFalse(credentials.equals(otherCredentials));
+    assertFalse(otherCredentials.equals(credentials));
+  }
+
   @Test
   public void equals_false_accessToken() throws IOException {
     final URI tokenServer1 = URI.create("https://foo1.com/bar");
@@ -462,7 +498,7 @@ public void toString_containsFields() throws IOException {
     String expectedToString =
         String.format(
             "UserCredentials{requestMetadata=%s, temporaryAccess=%s, clientId=%s, refreshToken=%s, "
-                + "tokenServerUri=%s, transportFactoryClassName=%s, quotaProjectId=%s}",
+                + "tokenServerUri=%s, transportFactoryClassName=%s, quotaProjectId=%s, scopes=%s}",
             ImmutableMap.of(
                 AuthHttpConstants.AUTHORIZATION,
                 ImmutableList.of(OAuth2Utils.BEARER_PREFIX + accessToken.getTokenValue())),
@@ -471,7 +507,8 @@ public void toString_containsFields() throws IOException {
             REFRESH_TOKEN,
             tokenServer,
             MockTokenServerTransportFactory.class.getName(),
-            QUOTA_PROJECT);
+            QUOTA_PROJECT,
+            DEFAULT_SCOPES);
     assertEquals(expectedToString, credentials.toString());
   }
 
@@ -486,6 +523,7 @@ public void hashCode_equals() throws IOException {
             .setClientSecret(CLIENT_SECRET)
             .setRefreshToken(REFRESH_TOKEN)
             .setAccessToken(accessToken)
+            .setScopes(SCOPES)
             .setHttpTransportFactory(transportFactory)
             .setTokenServerUri(tokenServer)
             .setQuotaProjectId(QUOTA_PROJECT)
@@ -496,6 +534,7 @@ public void hashCode_equals() throws IOException {
             .setClientSecret(CLIENT_SECRET)
             .setRefreshToken(REFRESH_TOKEN)
             .setAccessToken(accessToken)
+            .setScopes(SCOPES)
             .setHttpTransportFactory(transportFactory)
             .setTokenServerUri(tokenServer)
             .setQuotaProjectId(QUOTA_PROJECT)
@@ -514,6 +553,7 @@ public void serialize() throws IOException, ClassNotFoundException {
             .setClientSecret(CLIENT_SECRET)
             .setRefreshToken(REFRESH_TOKEN)
             .setAccessToken(accessToken)
+            .setScopes(SCOPES)
             .setHttpTransportFactory(transportFactory)
             .setTokenServerUri(tokenServer)
             .build();

From 6e4a757647c4e29b0834527e7d8e3ad16e1c0a0b Mon Sep 17 00:00:00 2001
From: Guillaume Blaquiere <guillaume.blaquiere@gmail.com>
Date: Fri, 28 Aug 2020 17:23:55 +0200
Subject: [PATCH 2/9] Add fully qualified package.

---
 .../com/google/auth/oauth2/UserCredentials.java    | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
index 47be683fe..c9e46dd75 100644
--- a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
@@ -35,7 +35,11 @@
 import static com.google.auth.oauth2.OAuth2Utils.UTF_8;
 import static com.google.common.base.MoreObjects.firstNonNull;
 
-import com.google.api.client.http.*;
+import com.google.api.client.http.GenericUrl;
+import com.google.api.client.http.HttpRequest;
+import com.google.api.client.http.HttpRequestFactory;
+import com.google.api.client.http.HttpResponse;
+import com.google.api.client.http.UrlEncodedContent;
 import com.google.api.client.json.GenericJson;
 import com.google.api.client.json.JsonFactory;
 import com.google.api.client.json.JsonObjectParser;
@@ -50,7 +54,13 @@
 import java.io.InputStream;
 import java.io.ObjectInputStream;
 import java.net.URI;
-import java.util.*;
+import java.util.Date;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Collection;
+import java.util.Iterator;
+import java.util.ArrayList;
 
 /** OAuth2 Credentials representing a user's identity and consent. */
 public class UserCredentials extends GoogleCredentials

From d3a50ef207bd4f409c82e15873339410b10cdf6b Mon Sep 17 00:00:00 2001
From: Guillaume Blaquiere <guillaume.blaquiere@gmail.com>
Date: Thu, 10 Sep 2020 22:22:43 +0200
Subject: [PATCH 3/9] Add comment Fix forgot commented code

---
 .../java/com/google/auth/oauth2/UserCredentials.java      | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
index c9e46dd75..cd767d857 100644
--- a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
@@ -93,6 +93,8 @@ public class UserCredentials extends GoogleCredentials
    * @param clientSecret Client ID of the credential from the console.
    * @param refreshToken A refresh token resulting from a OAuth2 consent flow.
    * @param accessToken Initial or temporary access token.
+   * @param scopes Scope strings for the APIs to be called. May be null or an empty collection,
+   *    which results in a credential that must have createScoped called before use.
    * @param transportFactory HTTP transport factory, creates the transport used to get access
    *     tokens.
    * @param tokenServerUri URI of the end point that provides tokens
@@ -371,12 +373,6 @@ public String getQuotaProjectId() {
    * <p>Should be called before use for instances with empty scopes.
    */
   @Override
-  /*  public GoogleCredentials createScoped(Collection<String> newScopes) {
-
-    this.scopes = scopes;
-    return this;
-  }*/
-
   public GoogleCredentials createScoped(Collection<String> newScopes) {
     return new UserCredentials(
         clientId,

From c94a0ce4287c4f375577521dec1e96d3316808d5 Mon Sep 17 00:00:00 2001
From: Guillaume Blaquiere <guillaume.blaquiere@gmail.com>
Date: Tue, 29 Sep 2020 21:06:49 +0200
Subject: [PATCH 4/9] Remove useless scopes.

---
 .../google/auth/oauth2/UserCredentials.java   | 59 +----------------
 .../auth/oauth2/UserCredentialsTest.java      | 66 +------------------
 2 files changed, 3 insertions(+), 122 deletions(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
index cd767d857..d4de6dc24 100644
--- a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
@@ -71,18 +71,12 @@ public class UserCredentials extends GoogleCredentials
   private static final long serialVersionUID = -4800758775038679176L;
   public static final String GOOGLE_CLIENT_ID = "32555940559.apps.googleusercontent.com";
   public static final String GOOGLE_CLIENT_SECRET = "ZmssLNjJy2998hD4CTg2ejr2";
-  public static final Collection<String> GOOGLE_DEFAULT_SCOPES =
-      ImmutableSet.<String>of(
-          "https://www.googleapis.com/auth/userinfo.email",
-          "https://www.googleapis.com/auth/accounts.reauth");
-
   private final String clientId;
   private final String clientSecret;
   private final String refreshToken;
   private final URI tokenServerUri;
   private final String transportFactoryClassName;
   private final String quotaProjectId;
-  private final Collection<String> scopes;
 
   private transient HttpTransportFactory transportFactory;
 
@@ -93,8 +87,6 @@ public class UserCredentials extends GoogleCredentials
    * @param clientSecret Client ID of the credential from the console.
    * @param refreshToken A refresh token resulting from a OAuth2 consent flow.
    * @param accessToken Initial or temporary access token.
-   * @param scopes Scope strings for the APIs to be called. May be null or an empty collection,
-   *    which results in a credential that must have createScoped called before use.
    * @param transportFactory HTTP transport factory, creates the transport used to get access
    *     tokens.
    * @param tokenServerUri URI of the end point that provides tokens
@@ -104,7 +96,6 @@ private UserCredentials(
       String clientSecret,
       String refreshToken,
       AccessToken accessToken,
-      Collection<String> scopes,
       HttpTransportFactory transportFactory,
       URI tokenServerUri,
       String quotaProjectId) {
@@ -112,13 +103,6 @@ private UserCredentials(
     this.clientId = Preconditions.checkNotNull(clientId);
     this.clientSecret = Preconditions.checkNotNull(clientSecret);
     this.refreshToken = refreshToken;
-    // Merge the scope with the default and mandatory ones.
-    Collection<String> mergedScopes = new ArrayList<>();
-    mergedScopes.addAll(GOOGLE_DEFAULT_SCOPES);
-    if (scopes != null) {
-      mergedScopes.addAll(scopes);
-    }
-    this.scopes = ImmutableSet.copyOf(mergedScopes);
     this.transportFactory =
         firstNonNull(
             transportFactory,
@@ -284,7 +268,6 @@ private InputStream getUserCredentialsStream() throws IOException {
     if (quotaProjectId != null) {
       json.put("quota_project", clientSecret);
     }
-    json.put("scopes", scopes);
     json.setFactory(JSON_FACTORY);
     String text = json.toPrettyString();
     return new ByteArrayInputStream(text.getBytes(UTF_8));
@@ -314,7 +297,6 @@ public int hashCode() {
         clientSecret,
         refreshToken,
         tokenServerUri,
-        scopes,
         transportFactoryClassName,
         quotaProjectId);
   }
@@ -329,7 +311,6 @@ public String toString() {
         .add("tokenServerUri", tokenServerUri)
         .add("transportFactoryClassName", transportFactoryClassName)
         .add("quotaProjectId", quotaProjectId)
-        .add("scopes", scopes)
         .toString();
   }
 
@@ -345,7 +326,6 @@ public boolean equals(Object obj) {
         && Objects.equals(this.refreshToken, other.refreshToken)
         && Objects.equals(this.tokenServerUri, other.tokenServerUri)
         && Objects.equals(this.transportFactoryClassName, other.transportFactoryClassName)
-        && Objects.equals(this.scopes, other.scopes)
         && Objects.equals(this.quotaProjectId, other.quotaProjectId);
   }
 
@@ -367,24 +347,6 @@ public String getQuotaProjectId() {
     return quotaProjectId;
   }
 
-  /**
-   * Clone the UserCredential with the specified scopes.
-   *
-   * <p>Should be called before use for instances with empty scopes.
-   */
-  @Override
-  public GoogleCredentials createScoped(Collection<String> newScopes) {
-    return new UserCredentials(
-        clientId,
-        clientSecret,
-        refreshToken,
-        getAccessToken(),
-        newScopes,
-        transportFactory,
-        tokenServerUri,
-        quotaProjectId);
-  }
-
   /**
    * Returns a Google ID Token from the user credential
    *
@@ -405,15 +367,8 @@ public IdToken idTokenWithAudience(String targetAudience, List<Option> options)
     tokenRequest.set("client_id", GOOGLE_CLIENT_ID);
     tokenRequest.set("client_secret", GOOGLE_CLIENT_SECRET);
     tokenRequest.set("refresh_token", this.refreshToken);
-    // build scope value
-    Iterator<String> it = this.scopes.iterator();
-    String customScopes = it.next();
-    while (it.hasNext()) {
-      customScopes += "+" + it.next();
-    }
-    tokenRequest.set("scope", customScopes);
 
-    UrlEncodedContent content = new UrlEncodedContent(tokenRequest, true);
+    UrlEncodedContent content = new UrlEncodedContent(tokenRequest);
 
     HttpRequestFactory requestFactory = transportFactory.create().createRequestFactory();
     HttpRequest request = requestFactory.buildPostRequest(new GenericUrl(tokenServerUri), content);
@@ -434,7 +389,6 @@ public static class Builder extends GoogleCredentials.Builder {
     private URI tokenServerUri;
     private HttpTransportFactory transportFactory;
     private String quotaProjectId;
-    private Collection<String> scopes;
 
     protected Builder() {}
 
@@ -445,7 +399,6 @@ protected Builder(UserCredentials credentials) {
       this.transportFactory = credentials.transportFactory;
       this.tokenServerUri = credentials.tokenServerUri;
       this.quotaProjectId = credentials.quotaProjectId;
-      this.scopes = credentials.scopes;
     }
 
     public Builder setClientId(String clientId) {
@@ -483,11 +436,6 @@ public Builder setQuotaProjectId(String quotaProjectId) {
       return this;
     }
 
-    public Builder setScopes(Collection<String> scopes) {
-      this.scopes = scopes;
-      return this;
-    }
-
     public String getClientId() {
       return clientId;
     }
@@ -512,17 +460,12 @@ public String getQuotaProjectId() {
       return quotaProjectId;
     }
 
-    public Collection<String> getScopes() {
-      return scopes;
-    }
-
     public UserCredentials build() {
       return new UserCredentials(
           clientId,
           clientSecret,
           refreshToken,
           getAccessToken(),
-          scopes,
           transportFactory,
           tokenServerUri,
           quotaProjectId);
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
index c760657cd..b5f895ab0 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
@@ -70,12 +70,7 @@ public class UserCredentialsTest extends BaseSerializationTest {
   private static final String REFRESH_TOKEN = "1/Tl6awhpFjkMkSJoj1xsli0H2eL5YsMgU_NKPY2TyGWY";
   private static final String ACCESS_TOKEN = "1/MkSJoj1xsli0AccessToken_NKPY2";
   private static final String QUOTA_PROJECT = "sample-quota-project-id";
-  private static final Collection<String> SCOPES = Collections.singletonList("dummy.scope");
   private static final URI CALL_URI = URI.create("http://googleapis.com/testapi/v1/foo");
-  public static final Collection<String> DEFAULT_SCOPES =
-      ImmutableSet.<String>of(
-          "https://www.googleapis.com/auth/userinfo.email",
-          "https://www.googleapis.com/auth/accounts.reauth");
 
   @Test(expected = IllegalStateException.class)
   public void constructor_accessAndRefreshTokenNull_throws() {
@@ -97,29 +92,6 @@ public void constructor() {
     assertEquals(QUOTA_PROJECT, credentials.getQuotaProjectId());
   }
 
-  @Test
-  public void createScoped_same() {
-    UserCredentials userCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setScopes(SCOPES)
-            .build();
-    assertEquals(userCredentials, userCredentials.createScoped(SCOPES));
-  }
-
-  @Test
-  public void createScopedRequired_false() {
-    UserCredentials userCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .build();
-    assertFalse(userCredentials.createScopedRequired());
-  }
-
   @Test
   public void fromJson_hasAccessToken() throws IOException {
     MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
@@ -238,7 +210,6 @@ public void equals_true() throws IOException {
             .setClientSecret(CLIENT_SECRET)
             .setRefreshToken(REFRESH_TOKEN)
             .setAccessToken(accessToken)
-            .setScopes(SCOPES)
             .setHttpTransportFactory(transportFactory)
             .setTokenServerUri(tokenServer)
             .setQuotaProjectId(QUOTA_PROJECT)
@@ -249,7 +220,6 @@ public void equals_true() throws IOException {
             .setClientSecret(CLIENT_SECRET)
             .setRefreshToken(REFRESH_TOKEN)
             .setAccessToken(accessToken)
-            .setScopes(SCOPES)
             .setHttpTransportFactory(transportFactory)
             .setTokenServerUri(tokenServer)
             .setQuotaProjectId(QUOTA_PROJECT)
@@ -339,34 +309,6 @@ public void equals_false_refreshToken() throws IOException {
     assertFalse(otherCredentials.equals(credentials));
   }
 
-  @Test
-  public void equals_false_scopes() throws IOException {
-    final URI tokenServer1 = URI.create("https://foo1.com/bar");
-    AccessToken accessToken = new AccessToken(ACCESS_TOKEN, null);
-    MockHttpTransportFactory httpTransportFactory = new MockHttpTransportFactory();
-    OAuth2Credentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setScopes(SCOPES)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setTokenServerUri(tokenServer1)
-            .build();
-    OAuth2Credentials otherCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken("otherRefreshToken")
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setTokenServerUri(tokenServer1)
-            .build();
-    assertFalse(credentials.equals(otherCredentials));
-    assertFalse(otherCredentials.equals(credentials));
-  }
-
   @Test
   public void equals_false_accessToken() throws IOException {
     final URI tokenServer1 = URI.create("https://foo1.com/bar");
@@ -498,7 +440,7 @@ public void toString_containsFields() throws IOException {
     String expectedToString =
         String.format(
             "UserCredentials{requestMetadata=%s, temporaryAccess=%s, clientId=%s, refreshToken=%s, "
-                + "tokenServerUri=%s, transportFactoryClassName=%s, quotaProjectId=%s, scopes=%s}",
+                + "tokenServerUri=%s, transportFactoryClassName=%s, quotaProjectId=%s}",
             ImmutableMap.of(
                 AuthHttpConstants.AUTHORIZATION,
                 ImmutableList.of(OAuth2Utils.BEARER_PREFIX + accessToken.getTokenValue())),
@@ -507,8 +449,7 @@ public void toString_containsFields() throws IOException {
             REFRESH_TOKEN,
             tokenServer,
             MockTokenServerTransportFactory.class.getName(),
-            QUOTA_PROJECT,
-            DEFAULT_SCOPES);
+            QUOTA_PROJECT);
     assertEquals(expectedToString, credentials.toString());
   }
 
@@ -523,7 +464,6 @@ public void hashCode_equals() throws IOException {
             .setClientSecret(CLIENT_SECRET)
             .setRefreshToken(REFRESH_TOKEN)
             .setAccessToken(accessToken)
-            .setScopes(SCOPES)
             .setHttpTransportFactory(transportFactory)
             .setTokenServerUri(tokenServer)
             .setQuotaProjectId(QUOTA_PROJECT)
@@ -534,7 +474,6 @@ public void hashCode_equals() throws IOException {
             .setClientSecret(CLIENT_SECRET)
             .setRefreshToken(REFRESH_TOKEN)
             .setAccessToken(accessToken)
-            .setScopes(SCOPES)
             .setHttpTransportFactory(transportFactory)
             .setTokenServerUri(tokenServer)
             .setQuotaProjectId(QUOTA_PROJECT)
@@ -553,7 +492,6 @@ public void serialize() throws IOException, ClassNotFoundException {
             .setClientSecret(CLIENT_SECRET)
             .setRefreshToken(REFRESH_TOKEN)
             .setAccessToken(accessToken)
-            .setScopes(SCOPES)
             .setHttpTransportFactory(transportFactory)
             .setTokenServerUri(tokenServer)
             .build();

From 9d1b142ef34133198c7973d1de9c8105cd1c32d6 Mon Sep 17 00:00:00 2001
From: Guillaume Blaquiere <guillaume.blaquiere@gmail.com>
Date: Tue, 29 Sep 2020 21:31:13 +0200
Subject: [PATCH 5/9] Too many cleaning on scope. oups!

---
 .../auth/oauth2/UserCredentialsTest.java      | 24 ++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
index b5f895ab0..92e8ebe73 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
@@ -46,7 +46,6 @@
 import com.google.auth.oauth2.GoogleCredentialsTest.MockTokenServerTransportFactory;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.ImmutableSet;
 import java.io.ByteArrayInputStream;
 import java.io.File;
 import java.io.FileInputStream;
@@ -70,6 +69,7 @@ public class UserCredentialsTest extends BaseSerializationTest {
   private static final String REFRESH_TOKEN = "1/Tl6awhpFjkMkSJoj1xsli0H2eL5YsMgU_NKPY2TyGWY";
   private static final String ACCESS_TOKEN = "1/MkSJoj1xsli0AccessToken_NKPY2";
   private static final String QUOTA_PROJECT = "sample-quota-project-id";
+  private static final Collection<String> SCOPES = Collections.singletonList("dummy.scope");
   private static final URI CALL_URI = URI.create("http://googleapis.com/testapi/v1/foo");
 
   @Test(expected = IllegalStateException.class)
@@ -92,6 +92,28 @@ public void constructor() {
     assertEquals(QUOTA_PROJECT, credentials.getQuotaProjectId());
   }
 
+  @Test
+  public void createScoped_same() {
+    UserCredentials userCredentials =
+        UserCredentials.newBuilder()
+            .setClientId(CLIENT_ID)
+            .setClientSecret(CLIENT_SECRET)
+            .setRefreshToken(REFRESH_TOKEN)
+            .build();
+    assertSame(userCredentials, userCredentials.createScoped(SCOPES));
+  }
+
+  @Test
+  public void createScopedRequired_false() {
+    UserCredentials userCredentials =
+        UserCredentials.newBuilder()
+            .setClientId(CLIENT_ID)
+            .setClientSecret(CLIENT_SECRET)
+            .setRefreshToken(REFRESH_TOKEN)
+            .build();
+    assertFalse(userCredentials.createScopedRequired());
+  }
+
   @Test
   public void fromJson_hasAccessToken() throws IOException {
     MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();

From 2eda5b46745482beafd241b6a88d03ab91cb1516 Mon Sep 17 00:00:00 2001
From: Guillaume Blaquiere <guillaume.blaquiere@gmail.com>
Date: Tue, 29 Sep 2020 21:31:13 +0200
Subject: [PATCH 6/9] fix: Too many cleaning on scope. oups!

---
 .../auth/oauth2/UserCredentialsTest.java      | 24 ++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
index b5f895ab0..92e8ebe73 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
@@ -46,7 +46,6 @@
 import com.google.auth.oauth2.GoogleCredentialsTest.MockTokenServerTransportFactory;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.ImmutableSet;
 import java.io.ByteArrayInputStream;
 import java.io.File;
 import java.io.FileInputStream;
@@ -70,6 +69,7 @@ public class UserCredentialsTest extends BaseSerializationTest {
   private static final String REFRESH_TOKEN = "1/Tl6awhpFjkMkSJoj1xsli0H2eL5YsMgU_NKPY2TyGWY";
   private static final String ACCESS_TOKEN = "1/MkSJoj1xsli0AccessToken_NKPY2";
   private static final String QUOTA_PROJECT = "sample-quota-project-id";
+  private static final Collection<String> SCOPES = Collections.singletonList("dummy.scope");
   private static final URI CALL_URI = URI.create("http://googleapis.com/testapi/v1/foo");
 
   @Test(expected = IllegalStateException.class)
@@ -92,6 +92,28 @@ public void constructor() {
     assertEquals(QUOTA_PROJECT, credentials.getQuotaProjectId());
   }
 
+  @Test
+  public void createScoped_same() {
+    UserCredentials userCredentials =
+        UserCredentials.newBuilder()
+            .setClientId(CLIENT_ID)
+            .setClientSecret(CLIENT_SECRET)
+            .setRefreshToken(REFRESH_TOKEN)
+            .build();
+    assertSame(userCredentials, userCredentials.createScoped(SCOPES));
+  }
+
+  @Test
+  public void createScopedRequired_false() {
+    UserCredentials userCredentials =
+        UserCredentials.newBuilder()
+            .setClientId(CLIENT_ID)
+            .setClientSecret(CLIENT_SECRET)
+            .setRefreshToken(REFRESH_TOKEN)
+            .build();
+    assertFalse(userCredentials.createScopedRequired());
+  }
+
   @Test
   public void fromJson_hasAccessToken() throws IOException {
     MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();

From c1d3f5d5a424037d42934802caade3befc74c82b Mon Sep 17 00:00:00 2001
From: Guillaume Blaquiere <guillaume.blaquiere@gmail.com>
Date: Mon, 12 Oct 2020 22:35:36 +0200
Subject: [PATCH 7/9] fix: clean unused import

---
 oauth2_http/java/com/google/auth/oauth2/UserCredentials.java | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
index d4de6dc24..7a74b76f3 100644
--- a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
@@ -48,7 +48,6 @@
 import com.google.auth.http.HttpTransportFactory;
 import com.google.common.annotations.Beta;
 import com.google.common.base.MoreObjects;
-import com.google.common.collect.ImmutableSet;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -58,9 +57,6 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
-import java.util.Collection;
-import java.util.Iterator;
-import java.util.ArrayList;
 
 /** OAuth2 Credentials representing a user's identity and consent. */
 public class UserCredentials extends GoogleCredentials

From 195eba54a9b3fc4e4a64c2d1d38898a0b2be9f9b Mon Sep 17 00:00:00 2001
From: Guillaume Blaquiere <guillaume.blaquiere@gmail.com>
Date: Mon, 12 Oct 2020 22:40:36 +0200
Subject: [PATCH 8/9] fix: clean unused import.

---
 oauth2_http/java/com/google/auth/oauth2/UserCredentials.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
index 7a74b76f3..a8b1f849c 100644
--- a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
@@ -58,6 +58,7 @@
 import java.util.Map;
 import java.util.Objects;
 
+
 /** OAuth2 Credentials representing a user's identity and consent. */
 public class UserCredentials extends GoogleCredentials
     implements QuotaProjectIdProvider, IdTokenProvider {

From d430710e0896d13c91fecff7d7ecd997ecc139b5 Mon Sep 17 00:00:00 2001
From: Guillaume Blaquiere <guillaume.blaquiere@gmail.com>
Date: Mon, 12 Oct 2020 22:47:40 +0200
Subject: [PATCH 9/9] chore: make the commit comment working

---
 oauth2_http/java/com/google/auth/oauth2/UserCredentials.java | 1 -
 1 file changed, 1 deletion(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
index a8b1f849c..7a74b76f3 100644
--- a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
@@ -58,7 +58,6 @@
 import java.util.Map;
 import java.util.Objects;
 
-
 /** OAuth2 Credentials representing a user's identity and consent. */
 public class UserCredentials extends GoogleCredentials
     implements QuotaProjectIdProvider, IdTokenProvider {