From 12df8fa505da259b49430c6973c97965480370ef Mon Sep 17 00:00:00 2001
From: Guillaume Blaquiere <guillaume.blaquiere@gmail.com>
Date: Mon, 12 Oct 2020 22:30:06 +0200
Subject: [PATCH 1/4] feature: add id_token generation through the service
 account credentials API

---
 .../google/auth/oauth2/UserCredentials.java   | 75 ++++++++++++++++++-
 1 file changed, 74 insertions(+), 1 deletion(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
index 5010a9ae6..40f06a909 100644
--- a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
@@ -40,11 +40,13 @@
 import com.google.api.client.http.HttpRequestFactory;
 import com.google.api.client.http.HttpResponse;
 import com.google.api.client.http.UrlEncodedContent;
+import com.google.api.client.http.json.JsonHttpContent;
 import com.google.api.client.json.GenericJson;
 import com.google.api.client.json.JsonFactory;
 import com.google.api.client.json.JsonObjectParser;
 import com.google.api.client.util.GenericData;
 import com.google.api.client.util.Preconditions;
+import com.google.auth.http.HttpCredentialsAdapter;
 import com.google.auth.http.HttpTransportFactory;
 import com.google.common.base.MoreObjects;
 import java.io.ByteArrayInputStream;
@@ -56,12 +58,21 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import java.util.logging.Logger;
+import com.google.api.client.http.javanet.NetHttpTransport;
+
 
 /** OAuth2 Credentials representing a user's identity and consent. */
-public class UserCredentials extends GoogleCredentials implements QuotaProjectIdProvider {
+public class UserCredentials extends GoogleCredentials implements QuotaProjectIdProvider, IdTokenProvider {
+
+  private static final Logger LOGGER = Logger.getLogger(HttpCredentialsAdapter.class.getName());
 
   private static final String GRANT_TYPE = "refresh_token";
   private static final String PARSE_ERROR_PREFIX = "Error parsing token refresh response. ";
+  private static final String RESOURCE_MANAGER_API = "https://cloudresourcemanager.googleapis.com/v1/";
+  private static final String SERVICE_ACCOUNT_CREDENTIALS_API = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/";
+  private static final String SERVICE_ACCOUNT_CREDENTIAL_ENV_VAR = "SERVICE_ACCOUNT_APPLICATION_CREDENTIALS";
+  private static final String DEFAULT_COMPUTE_ENGINE_SERVICE_ACCOUNT_SUFFIX = "-compute@developer.gserviceaccount.com";
   private static final long serialVersionUID = -4800758775038679176L;
 
   private final String clientId;
@@ -70,6 +81,7 @@ public class UserCredentials extends GoogleCredentials implements QuotaProjectId
   private final URI tokenServerUri;
   private final String transportFactoryClassName;
   private final String quotaProjectId;
+  private String serviceAccountCredentialEmail;
 
   private transient HttpTransportFactory transportFactory;
 
@@ -340,6 +352,67 @@ public String getQuotaProjectId() {
     return quotaProjectId;
   }
 
+  @Override
+  public IdToken idTokenWithAudience(String targetAudience, List<Option> options) throws IOException {
+
+    if (targetAudience == null || targetAudience.equals("")) {
+      throw new IOException("TargetAudience can't be null or empty");
+    }
+
+    HttpRequestFactory requestFactory = new NetHttpTransport().createRequestFactory(new HttpCredentialsAdapter(this));
+
+    //First time, check if the instance attribute has been initialized or not
+    if (serviceAccountCredentialEmail == null){
+      LOGGER.warning("ID Token generation with audience and based on user credential is not possible. \n" +
+              "A service account must be used. You can define it in the environment variable\n" +
+              SERVICE_ACCOUNT_CREDENTIAL_ENV_VAR + "\nIf not set, default Compute Engine default " +
+              "service account will be used\nYou need to have the role 'Service Account Token Creator' " +
+              "on the service account.");
+
+      // Get the service account in the Environment Variables
+      serviceAccountCredentialEmail = System.getenv(SERVICE_ACCOUNT_CREDENTIAL_ENV_VAR);
+
+      // If missing, use the compute engine default service account by default
+      if (serviceAccountCredentialEmail == null || serviceAccountCredentialEmail.equals("")){
+        // If quotaProjectId is null, you can't determine the current project
+        if (quotaProjectId == null){
+          throw new IOException(
+                  "QuotaProjectId can't be null to determine the default service account to use\n" +
+                          "Use 'gcloud auth application-default set-quota-project' to set it");
+        }
+
+        // Inform the user that no defined service account is found. Use the Compute Engine Default service account
+        serviceAccountCredentialEmail = getComputeEngineDefaultServiceAccountEmail(getQuotaProjectId(),requestFactory);
+      }
+      LOGGER.info("The service account with email '" + serviceAccountCredentialEmail + "' is used");
+    }
+
+    GenericData requestBody = new GenericData();
+    requestBody.put("audience",targetAudience);
+    requestBody.put("includeEmail", true);
+    JsonHttpContent jsonRequestBody = new JsonHttpContent(JSON_FACTORY,requestBody);
+
+    HttpRequest request = requestFactory.buildPostRequest(
+            new GenericUrl(SERVICE_ACCOUNT_CREDENTIALS_API +
+                    serviceAccountCredentialEmail+":generateIdToken"),jsonRequestBody);
+    request.setParser(new JsonObjectParser(JSON_FACTORY));
+    HttpResponse httpResponse = request.execute();
+    GenericData responseData = httpResponse.parseAs(GenericData.class);
+
+    return IdToken.create(responseData.get("token").toString());
+  }
+
+  private String getComputeEngineDefaultServiceAccountEmail(String projectId, HttpRequestFactory requestFactory) throws IOException {
+    String url = RESOURCE_MANAGER_API + "projects/" + projectId;
+
+    HttpRequest request = requestFactory.buildGetRequest(new GenericUrl(url));
+    request.setParser(new JsonObjectParser(JSON_FACTORY));
+    HttpResponse httpResponse = request.execute();
+    GenericData responseData = httpResponse.parseAs(GenericData.class);
+
+    return responseData.get("projectNumber").toString() + DEFAULT_COMPUTE_ENGINE_SERVICE_ACCOUNT_SUFFIX;
+  }
+
   public static class Builder extends GoogleCredentials.Builder {
 
     private String clientId;

From b20593a87a2655bb707db95458d378085fb6bd81 Mon Sep 17 00:00:00 2001
From: Guillaume Blaquiere <guillaume.blaquiere@gmail.com>
Date: Thu, 15 Oct 2020 22:19:31 +0200
Subject: [PATCH 2/4] Feat: use Service Account Credentials API to generate an
 id_token with user credential.

Print a warning to inform clearly the user on the behavior.
---
 .../google/auth/oauth2/UserCredentials.java   |  99 +++++---
 .../auth/oauth2/UserCredentialsTest.java      | 236 +++++++++++++++++-
 2 files changed, 290 insertions(+), 45 deletions(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
index 40f06a909..011566bc0 100644
--- a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
@@ -40,7 +40,6 @@
 import com.google.api.client.http.HttpRequestFactory;
 import com.google.api.client.http.HttpResponse;
 import com.google.api.client.http.UrlEncodedContent;
-import com.google.api.client.http.json.JsonHttpContent;
 import com.google.api.client.json.GenericJson;
 import com.google.api.client.json.JsonFactory;
 import com.google.api.client.json.JsonObjectParser;
@@ -54,10 +53,7 @@
 import java.io.InputStream;
 import java.io.ObjectInputStream;
 import java.net.URI;
-import java.util.Date;
-import java.util.List;
-import java.util.Map;
-import java.util.Objects;
+import java.util.*;
 import java.util.logging.Logger;
 import com.google.api.client.http.javanet.NetHttpTransport;
 
@@ -70,8 +66,7 @@ public class UserCredentials extends GoogleCredentials implements QuotaProjectId
   private static final String GRANT_TYPE = "refresh_token";
   private static final String PARSE_ERROR_PREFIX = "Error parsing token refresh response. ";
   private static final String RESOURCE_MANAGER_API = "https://cloudresourcemanager.googleapis.com/v1/";
-  private static final String SERVICE_ACCOUNT_CREDENTIALS_API = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/";
-  private static final String SERVICE_ACCOUNT_CREDENTIAL_ENV_VAR = "SERVICE_ACCOUNT_APPLICATION_CREDENTIALS";
+  private static final String SERVICE_ACCOUNT_APPLICATION_CREDENTIALS = "SERVICE_ACCOUNT_APPLICATION_CREDENTIALS";
   private static final String DEFAULT_COMPUTE_ENGINE_SERVICE_ACCOUNT_SUFFIX = "-compute@developer.gserviceaccount.com";
   private static final long serialVersionUID = -4800758775038679176L;
 
@@ -85,6 +80,15 @@ public class UserCredentials extends GoogleCredentials implements QuotaProjectId
 
   private transient HttpTransportFactory transportFactory;
 
+  //For test purpose
+  UserCredentials(){
+    clientId = null;
+    clientSecret = null;
+    refreshToken = null;
+    tokenServerUri = null;
+    transportFactoryClassName = null;
+    quotaProjectId = null;
+  }
   /**
    * Constructor with all parameters allowing custom transport and server URL.
    *
@@ -352,6 +356,19 @@ public String getQuotaProjectId() {
     return quotaProjectId;
   }
 
+  /**
+   * Returns a Google ID Token from the Service Account Credentials API.
+   * Compute Engine default service account of the quotas project is used
+   * except if the environment variable 'SERVICE_ACCOUNT_APPLICATION_CREDENTIALS'
+   * is set. The user account must have the 'Service Account Token Creator' on the
+   * service account to be allowed to generate an id_token
+   *
+   * @param targetAudience the aud: field the IdToken should include.
+   * @param options list of Credential specific options for for the token. Currently unused for
+   *     UserCredentials.
+   * @throws IOException if the attempt to get an IdToken failed
+   * @return IdToken object which includes the raw id_token, expiration and audience
+   */
   @Override
   public IdToken idTokenWithAudience(String targetAudience, List<Option> options) throws IOException {
 
@@ -363,46 +380,46 @@ public IdToken idTokenWithAudience(String targetAudience, List<Option> options)
 
     //First time, check if the instance attribute has been initialized or not
     if (serviceAccountCredentialEmail == null){
-      LOGGER.warning("ID Token generation with audience and based on user credential is not possible. \n" +
-              "A service account must be used. You can define it in the environment variable\n" +
-              SERVICE_ACCOUNT_CREDENTIAL_ENV_VAR + "\nIf not set, default Compute Engine default " +
-              "service account will be used\nYou need to have the role 'Service Account Token Creator' " +
-              "on the service account.");
-
-      // Get the service account in the Environment Variables
-      serviceAccountCredentialEmail = System.getenv(SERVICE_ACCOUNT_CREDENTIAL_ENV_VAR);
-
-      // If missing, use the compute engine default service account by default
-      if (serviceAccountCredentialEmail == null || serviceAccountCredentialEmail.equals("")){
-        // If quotaProjectId is null, you can't determine the current project
-        if (quotaProjectId == null){
-          throw new IOException(
-                  "QuotaProjectId can't be null to determine the default service account to use\n" +
-                          "Use 'gcloud auth application-default set-quota-project' to set it");
-        }
-
-        // Inform the user that no defined service account is found. Use the Compute Engine Default service account
-        serviceAccountCredentialEmail = getComputeEngineDefaultServiceAccountEmail(getQuotaProjectId(),requestFactory);
-      }
-      LOGGER.info("The service account with email '" + serviceAccountCredentialEmail + "' is used");
+      serviceAccountCredentialEmail = getServiceAccountEmail(requestFactory);
     }
 
-    GenericData requestBody = new GenericData();
-    requestBody.put("audience",targetAudience);
-    requestBody.put("includeEmail", true);
-    JsonHttpContent jsonRequestBody = new JsonHttpContent(JSON_FACTORY,requestBody);
+    return IamUtils.getIdToken(serviceAccountCredentialEmail,this, requestFactory.getTransport(),
+            targetAudience, true, Collections.EMPTY_MAP);
+  }
 
-    HttpRequest request = requestFactory.buildPostRequest(
-            new GenericUrl(SERVICE_ACCOUNT_CREDENTIALS_API +
-                    serviceAccountCredentialEmail+":generateIdToken"),jsonRequestBody);
-    request.setParser(new JsonObjectParser(JSON_FACTORY));
-    HttpResponse httpResponse = request.execute();
-    GenericData responseData = httpResponse.parseAs(GenericData.class);
+  protected String getServiceAccountEmail(HttpRequestFactory requestFactory) throws IOException {
+    LOGGER.warning("ID Token generation with audience and based on user credential is not possible. \n" +
+            "A service account must be used. You can define it in the environment variable\n" +
+            SERVICE_ACCOUNT_APPLICATION_CREDENTIALS + "\nIf not set, default Compute Engine default " +
+            "service account will be used\nYou need to have the role 'Service Account Token Creator' " +
+            "on the service account.");
+
+    // Get the service account in the Environment Variables
+    String saEmail = getEnv(SERVICE_ACCOUNT_APPLICATION_CREDENTIALS);
+
+    // If missing, use the compute engine default service account by default
+    if (saEmail == null || saEmail.equals("")){
+      // If quotaProjectId is null, you can't determine the current project
+      if (quotaProjectId == null){
+        throw new IOException(
+                "QuotaProjectId can't be null to determine the default service account to use\n" +
+                        "Use 'gcloud auth application-default set-quota-project' to set it");
+      }
 
-    return IdToken.create(responseData.get("token").toString());
+      // Inform the user that no defined service account is found. Use the Compute Engine Default service account
+      saEmail = getComputeEngineDefaultServiceAccountEmail(getQuotaProjectId(),requestFactory);
+    }
+    LOGGER.info("The service account with email '" + saEmail + "' is used");
+    return saEmail;
   }
 
-  private String getComputeEngineDefaultServiceAccountEmail(String projectId, HttpRequestFactory requestFactory) throws IOException {
+  //For test purpose
+  String getEnv(String key){
+    return System.getenv(key);
+  }
+
+
+    protected String getComputeEngineDefaultServiceAccountEmail(String projectId, HttpRequestFactory requestFactory) throws IOException {
     String url = RESOURCE_MANAGER_API + "projects/" + projectId;
 
     HttpRequest request = requestFactory.buildGetRequest(new GenericUrl(url));
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
index 92e8ebe73..3e3006a8f 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
@@ -38,10 +38,17 @@
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
+import com.google.api.client.http.HttpTransport;
+import com.google.api.client.http.LowLevelHttpRequest;
+import com.google.api.client.http.LowLevelHttpResponse;
 import com.google.api.client.json.GenericJson;
+import com.google.api.client.testing.http.MockHttpTransport;
+import com.google.api.client.testing.http.MockLowLevelHttpRequest;
+import com.google.api.client.testing.http.MockLowLevelHttpResponse;
 import com.google.api.client.util.Clock;
 import com.google.auth.TestUtils;
 import com.google.auth.http.AuthHttpConstants;
+import com.google.auth.http.HttpTransportFactory;
 import com.google.auth.oauth2.GoogleCredentialsTest.MockHttpTransportFactory;
 import com.google.auth.oauth2.GoogleCredentialsTest.MockTokenServerTransportFactory;
 import com.google.common.collect.ImmutableList;
@@ -52,10 +59,8 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URI;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
+
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
@@ -69,6 +74,7 @@ public class UserCredentialsTest extends BaseSerializationTest {
   private static final String REFRESH_TOKEN = "1/Tl6awhpFjkMkSJoj1xsli0H2eL5YsMgU_NKPY2TyGWY";
   private static final String ACCESS_TOKEN = "1/MkSJoj1xsli0AccessToken_NKPY2";
   private static final String QUOTA_PROJECT = "sample-quota-project-id";
+  private static final String SERVICE_ACCOUNT_EMAIL = "my-service-account@my-project.iam.gserviceaccount.com";
   private static final Collection<String> SCOPES = Collections.singletonList("dummy.scope");
   private static final URI CALL_URI = URI.create("http://googleapis.com/testapi/v1/foo");
 
@@ -622,6 +628,105 @@ public void saveAndRestoreUserCredential_saveAndRestored_throws() throws IOExcep
     assertEquals(userCredentials.getRefreshToken(), restoredCredentials.getRefreshToken());
   }
 
+  @Test
+  public void getComputeEngineDefaultServiceAccountEmail_correct() throws IOException {
+    HttpTransportFactory transportFactory =
+            new HttpTransportFactory() {
+              @Override
+              public HttpTransport create() {
+                return new MockHttpTransport() {
+                  @Override
+                  public LowLevelHttpRequest buildRequest(String method, String url)
+                          throws IOException {
+                    return new MockLowLevelHttpRequest() {
+                      @Override
+                      public LowLevelHttpResponse execute() throws IOException {
+                        MockLowLevelHttpResponse response = new MockLowLevelHttpResponse();
+                        response.setStatusCode(200);
+                        response.setContentType("application/json");
+                        response.setContent("{\"projectNumber\":\"4226\"}");
+                        return response;
+                      }
+                    };
+                  }
+                };
+              }
+            };
+
+    UserCredentials userCredentials =
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .build();
+    String saEmail = userCredentials.getComputeEngineDefaultServiceAccountEmail(QUOTA_PROJECT, transportFactory.create().createRequestFactory());
+    assertEquals("4226-compute@developer.gserviceaccount.com", saEmail);
+  }
+
+  @Test
+  public void getServiceAccountEmail_throws() throws IOException {
+    MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
+    UserCredentials userCredentials =
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .build();
+    try {
+      userCredentials.getServiceAccountEmail(transportFactory.create().createRequestFactory());
+      fail("Should throw if quota project is null");
+    } catch (IOException expected) {
+      // Expected
+    }
+  }
+
+  @Test
+  public void getServiceAccountEmail_correct() throws IOException {
+    HttpTransportFactory transportFactory =
+            new HttpTransportFactory() {
+              @Override
+              public HttpTransport create() {
+                return new MockHttpTransport() {
+                  @Override
+                  public LowLevelHttpRequest buildRequest(String method, String url)
+                          throws IOException {
+                    return new MockLowLevelHttpRequest() {
+                      @Override
+                      public LowLevelHttpResponse execute() throws IOException {
+                        MockLowLevelHttpResponse response = new MockLowLevelHttpResponse();
+                        response.setStatusCode(200);
+                        response.setContentType("application/json");
+                        response.setContent("{\"projectNumber\":\"4226\"}");
+                        return response;
+                      }
+                    };
+                  }
+                };
+              }
+            };
+
+    UserCredentials userCredentials =
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setQuotaProjectId(QUOTA_PROJECT)
+                    .build();
+    String saEmail = userCredentials.getServiceAccountEmail(transportFactory.create().createRequestFactory());
+    assertEquals("4226-compute@developer.gserviceaccount.com", saEmail);
+  }
+
+  @Test
+  public void getServiceAccountEmail_envVar_correct() throws IOException {
+    TestUserCredentials userCredentials = new TestUserCredentials();
+
+    userCredentials.getVariables().put("SERVICE_ACCOUNT_APPLICATION_CREDENTIALS",SERVICE_ACCOUNT_EMAIL);
+
+    String saEmail = userCredentials.getServiceAccountEmail(null);
+    assertEquals(SERVICE_ACCOUNT_EMAIL, saEmail);
+  }
+
+
   static GenericJson writeUserJson(
       String clientId, String clientSecret, String refreshToken, String quotaProjectId) {
     GenericJson json = new GenericJson();
@@ -658,4 +763,127 @@ private static void testFromStreamException(InputStream stream, String expectedM
       assertTrue(expected.getMessage().contains(expectedMessageContent));
     }
   }
+
+  private static class TestUserCredentials extends UserCredentials {
+
+    private final Map<String, String> variables = new HashMap<>();
+
+    public TestUserCredentials() {
+    }
+
+    public Map<String, String> getVariables() {
+      return variables;
+    }
+
+    String getEnv(String key){
+      return variables.get(key);
+    }
+
+  }
+
+/*
+  @Test
+  public void idTokenWithAudience_correct() throws IOException {
+    String accessToken1 = "1/MkSJoj1xsli0AccessToken_NKPY2";
+    MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
+    MockTokenServerTransport transport = transportFactory.transport;
+    ServiceAccountCredentials credentials =
+            ServiceAccountCredentials.fromPkcs8(
+                    CLIENT_ID,
+                    CLIENT_EMAIL,
+                    PRIVATE_KEY_PKCS8,
+                    PRIVATE_KEY_ID,
+                    SCOPES,
+                    transportFactory,
+                    null);
+
+    transport.addServiceAccount(CLIENT_EMAIL, accessToken1);
+    TestUtils.assertContainsBearerToken(credentials.getRequestMetadata(CALL_URI), accessToken1);
+
+    String targetAudience = "https://foo.bar";
+    IdTokenCredentials tokenCredential =
+            IdTokenCredentials.newBuilder()
+                    .setIdTokenProvider(credentials)
+                    .setTargetAudience(targetAudience)
+                    .build();
+    tokenCredential.refresh();
+    assertEquals(DEFAULT_ID_TOKEN, tokenCredential.getAccessToken().getTokenValue());
+    assertEquals(DEFAULT_ID_TOKEN, tokenCredential.getIdToken().getTokenValue());
+    assertEquals(
+            targetAudience,
+            (String) tokenCredential.getIdToken().getJsonWebSignature().getPayload().getAudience());
+  }
+*/
+
+
+
+  /*
+    @Override
+  public IdToken idTokenWithAudience(String targetAudience, List<Option> options) throws IOException {
+
+    if (targetAudience == null || targetAudience.equals("")) {
+      throw new IOException("TargetAudience can't be null or empty");
+    }
+
+    HttpRequestFactory requestFactory = new NetHttpTransport().createRequestFactory(new HttpCredentialsAdapter(this));
+
+    //First time, check if the instance attribute has been initialized or not
+    if (serviceAccountCredentialEmail == null){
+      serviceAccountCredentialEmail = getServiceAccountEmail(requestFactory);
+    }
+
+    GenericData requestBody = new GenericData();
+    requestBody.put("audience",targetAudience);
+    requestBody.put("includeEmail", true);
+    JsonHttpContent jsonRequestBody = new JsonHttpContent(JSON_FACTORY,requestBody);
+
+    HttpRequest request = requestFactory.buildPostRequest(
+            new GenericUrl(SERVICE_ACCOUNT_CREDENTIALS_API +
+                    serviceAccountCredentialEmail+":generateIdToken"),jsonRequestBody);
+    request.setParser(new JsonObjectParser(JSON_FACTORY));
+    HttpResponse httpResponse = request.execute();
+    GenericData responseData = httpResponse.parseAs(GenericData.class);
+
+    return IdToken.create(responseData.get("token").toString());
+  }
+
+  private String getServiceAccountEmail(HttpRequestFactory requestFactory) throws IOException {
+    LOGGER.warning("ID Token generation with audience and based on user credential is not possible. \n" +
+            "A service account must be used. You can define it in the environment variable\n" +
+            SERVICE_ACCOUNT_APPLICATION_CREDENTIALS + "\nIf not set, default Compute Engine default " +
+            "service account will be used\nYou need to have the role 'Service Account Token Creator' " +
+            "on the service account.");
+
+    // Get the service account in the Environment Variables
+    String saEmail = System.getenv(SERVICE_ACCOUNT_APPLICATION_CREDENTIALS);
+
+    // If missing, use the compute engine default service account by default
+    if (saEmail == null || saEmail.equals("")){
+      // If quotaProjectId is null, you can't determine the current project
+      if (quotaProjectId == null){
+        throw new IOException(
+                "QuotaProjectId can't be null to determine the default service account to use\n" +
+                        "Use 'gcloud auth application-default set-quota-project' to set it");
+      }
+
+      // Inform the user that no defined service account is found. Use the Compute Engine Default service account
+      saEmail = getComputeEngineDefaultServiceAccountEmail(getQuotaProjectId(),requestFactory);
+    }
+    LOGGER.info("The service account with email '" + saEmail + "' is used");
+    return saEmail;
+  }
+
+
+    private String getComputeEngineDefaultServiceAccountEmail(String projectId, HttpRequestFactory requestFactory) throws IOException {
+    String url = RESOURCE_MANAGER_API + "projects/" + projectId;
+
+    HttpRequest request = requestFactory.buildGetRequest(new GenericUrl(url));
+    request.setParser(new JsonObjectParser(JSON_FACTORY));
+    HttpResponse httpResponse = request.execute();
+    GenericData responseData = httpResponse.parseAs(GenericData.class);
+
+    return responseData.get("projectNumber").toString() + DEFAULT_COMPUTE_ENGINE_SERVICE_ACCOUNT_SUFFIX;
+  }
+
+   */
 }

From db86d8f15581a1145633c796d37ec3852e8c0075 Mon Sep 17 00:00:00 2001
From: Guillaume Blaquiere <guillaume.blaquiere@gmail.com>
Date: Thu, 15 Oct 2020 22:21:16 +0200
Subject: [PATCH 3/4] style: improve style

---
 oauth2_http/java/com/google/auth/oauth2/UserCredentials.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
index 011566bc0..44b77b57a 100644
--- a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
@@ -419,7 +419,8 @@ String getEnv(String key){
   }
 
 
-    protected String getComputeEngineDefaultServiceAccountEmail(String projectId, HttpRequestFactory requestFactory) throws IOException {
+  protected String getComputeEngineDefaultServiceAccountEmail(String projectId, HttpRequestFactory requestFactory)
+            throws IOException {
     String url = RESOURCE_MANAGER_API + "projects/" + projectId;
 
     HttpRequest request = requestFactory.buildGetRequest(new GenericUrl(url));

From 44409ce57d0b2d5741f0a334888f606f1d10047f Mon Sep 17 00:00:00 2001
From: Guillaume Blaquiere <guillaume.blaquiere@gmail.com>
Date: Thu, 15 Oct 2020 22:22:16 +0200
Subject: [PATCH 4/4] chore: clean commented lines

---
 .../auth/oauth2/UserCredentialsTest.java      | 586 +++++++-----------
 1 file changed, 240 insertions(+), 346 deletions(-)

diff --git a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
index 3e3006a8f..66be2d341 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
@@ -86,12 +86,12 @@ public void constructor_accessAndRefreshTokenNull_throws() {
   @Test
   public void constructor() {
     UserCredentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setQuotaProjectId(QUOTA_PROJECT)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setQuotaProjectId(QUOTA_PROJECT)
+                    .build();
     assertEquals(CLIENT_ID, credentials.getClientId());
     assertEquals(CLIENT_SECRET, credentials.getClientSecret());
     assertEquals(REFRESH_TOKEN, credentials.getRefreshToken());
@@ -101,22 +101,22 @@ public void constructor() {
   @Test
   public void createScoped_same() {
     UserCredentials userCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .build();
     assertSame(userCredentials, userCredentials.createScoped(SCOPES));
   }
 
   @Test
   public void createScopedRequired_false() {
     UserCredentials userCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .build();
     assertFalse(userCredentials.createScopedRequired());
   }
 
@@ -145,8 +145,8 @@ public void fromJson_hasQuotaProjectId() throws IOException {
     Map<String, List<String>> metadata = credentials.getRequestMetadata(CALL_URI);
     assertTrue(metadata.containsKey(GoogleCredentials.QUOTA_PROJECT_ID_HEADER_KEY));
     assertEquals(
-        metadata.get(GoogleCredentials.QUOTA_PROJECT_ID_HEADER_KEY),
-        Collections.singletonList(QUOTA_PROJECT));
+            metadata.get(GoogleCredentials.QUOTA_PROJECT_ID_HEADER_KEY),
+            Collections.singletonList(QUOTA_PROJECT));
   }
 
   @Test
@@ -155,12 +155,12 @@ public void getRequestMetadata_initialToken_hasAccessToken() throws IOException
     transportFactory.transport.addClient(CLIENT_ID, CLIENT_SECRET);
     AccessToken accessToken = new AccessToken(ACCESS_TOKEN, null);
     UserCredentials userCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(transportFactory)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(transportFactory)
+                    .build();
 
     Map<String, List<String>> metadata = userCredentials.getRequestMetadata(CALL_URI);
 
@@ -173,12 +173,12 @@ public void getRequestMetadata_initialTokenRefreshed_throws() throws IOException
     transportFactory.transport.addClient(CLIENT_ID, CLIENT_SECRET);
     AccessToken accessToken = new AccessToken(ACCESS_TOKEN, null);
     UserCredentials userCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(transportFactory)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(transportFactory)
+                    .build();
 
     try {
       userCredentials.refresh();
@@ -194,12 +194,12 @@ public void getRequestMetadata_fromRefreshToken_hasAccessToken() throws IOExcept
     transportFactory.transport.addClient(CLIENT_ID, CLIENT_SECRET);
     transportFactory.transport.addRefreshToken(REFRESH_TOKEN, ACCESS_TOKEN);
     UserCredentials userCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setHttpTransportFactory(transportFactory)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setHttpTransportFactory(transportFactory)
+                    .build();
 
     Map<String, List<String>> metadata = userCredentials.getRequestMetadata(CALL_URI);
 
@@ -214,13 +214,13 @@ public void getRequestMetadata_customTokenServer_hasAccessToken() throws IOExcep
     transportFactory.transport.addRefreshToken(REFRESH_TOKEN, ACCESS_TOKEN);
     transportFactory.transport.setTokenServerUri(TOKEN_SERVER);
     UserCredentials userCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setHttpTransportFactory(transportFactory)
-            .setTokenServerUri(TOKEN_SERVER)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setHttpTransportFactory(transportFactory)
+                    .setTokenServerUri(TOKEN_SERVER)
+                    .build();
 
     Map<String, List<String>> metadata = userCredentials.getRequestMetadata(CALL_URI);
 
@@ -233,25 +233,25 @@ public void equals_true() throws IOException {
     MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
     AccessToken accessToken = new AccessToken(ACCESS_TOKEN, null);
     UserCredentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(transportFactory)
-            .setTokenServerUri(tokenServer)
-            .setQuotaProjectId(QUOTA_PROJECT)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(transportFactory)
+                    .setTokenServerUri(tokenServer)
+                    .setQuotaProjectId(QUOTA_PROJECT)
+                    .build();
     UserCredentials otherCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(transportFactory)
-            .setTokenServerUri(tokenServer)
-            .setQuotaProjectId(QUOTA_PROJECT)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(transportFactory)
+                    .setTokenServerUri(tokenServer)
+                    .setQuotaProjectId(QUOTA_PROJECT)
+                    .build();
     assertTrue(credentials.equals(otherCredentials));
     assertTrue(otherCredentials.equals(credentials));
   }
@@ -262,23 +262,23 @@ public void equals_false_clientId() throws IOException {
     AccessToken accessToken = new AccessToken(ACCESS_TOKEN, null);
     MockHttpTransportFactory httpTransportFactory = new MockHttpTransportFactory();
     UserCredentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setTokenServerUri(tokenServer1)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setTokenServerUri(tokenServer1)
+                    .build();
     UserCredentials otherCredentials =
-        UserCredentials.newBuilder()
-            .setClientId("other client id")
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setTokenServerUri(tokenServer1)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId("other client id")
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setTokenServerUri(tokenServer1)
+                    .build();
     assertFalse(credentials.equals(otherCredentials));
     assertFalse(otherCredentials.equals(credentials));
   }
@@ -289,23 +289,23 @@ public void equals_false_clientSecret() throws IOException {
     AccessToken accessToken = new AccessToken(ACCESS_TOKEN, null);
     MockHttpTransportFactory httpTransportFactory = new MockHttpTransportFactory();
     UserCredentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setTokenServerUri(tokenServer1)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setTokenServerUri(tokenServer1)
+                    .build();
     UserCredentials otherCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret("other client secret")
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setTokenServerUri(tokenServer1)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret("other client secret")
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setTokenServerUri(tokenServer1)
+                    .build();
     assertFalse(credentials.equals(otherCredentials));
     assertFalse(otherCredentials.equals(credentials));
   }
@@ -316,23 +316,23 @@ public void equals_false_refreshToken() throws IOException {
     AccessToken accessToken = new AccessToken(ACCESS_TOKEN, null);
     MockHttpTransportFactory httpTransportFactory = new MockHttpTransportFactory();
     OAuth2Credentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setTokenServerUri(tokenServer1)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setTokenServerUri(tokenServer1)
+                    .build();
     OAuth2Credentials otherCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken("otherRefreshToken")
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setTokenServerUri(tokenServer1)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken("otherRefreshToken")
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setTokenServerUri(tokenServer1)
+                    .build();
     assertFalse(credentials.equals(otherCredentials));
     assertFalse(otherCredentials.equals(credentials));
   }
@@ -344,23 +344,23 @@ public void equals_false_accessToken() throws IOException {
     AccessToken otherAccessToken = new AccessToken("otherAccessToken", null);
     MockHttpTransportFactory httpTransportFactory = new MockHttpTransportFactory();
     UserCredentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setTokenServerUri(tokenServer1)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setTokenServerUri(tokenServer1)
+                    .build();
     UserCredentials otherCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(otherAccessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setTokenServerUri(tokenServer1)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(otherAccessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setTokenServerUri(tokenServer1)
+                    .build();
     assertFalse(credentials.equals(otherCredentials));
     assertFalse(otherCredentials.equals(credentials));
   }
@@ -372,23 +372,23 @@ public void equals_false_transportFactory() throws IOException {
     MockHttpTransportFactory httpTransportFactory = new MockHttpTransportFactory();
     MockTokenServerTransportFactory serverTransportFactory = new MockTokenServerTransportFactory();
     UserCredentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setTokenServerUri(tokenServer1)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setTokenServerUri(tokenServer1)
+                    .build();
     UserCredentials otherCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(serverTransportFactory)
-            .setTokenServerUri(tokenServer1)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(serverTransportFactory)
+                    .setTokenServerUri(tokenServer1)
+                    .build();
     assertFalse(credentials.equals(otherCredentials));
     assertFalse(otherCredentials.equals(credentials));
   }
@@ -400,23 +400,23 @@ public void equals_false_tokenServer() throws IOException {
     AccessToken accessToken = new AccessToken(ACCESS_TOKEN, null);
     MockHttpTransportFactory httpTransportFactory = new MockHttpTransportFactory();
     UserCredentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setTokenServerUri(tokenServer1)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setTokenServerUri(tokenServer1)
+                    .build();
     UserCredentials otherCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setTokenServerUri(tokenServer2)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setTokenServerUri(tokenServer2)
+                    .build();
     assertFalse(credentials.equals(otherCredentials));
     assertFalse(otherCredentials.equals(credentials));
   }
@@ -428,23 +428,23 @@ public void equals_false_quotaProjectId() throws IOException {
     AccessToken accessToken = new AccessToken(ACCESS_TOKEN, null);
     MockHttpTransportFactory httpTransportFactory = new MockHttpTransportFactory();
     UserCredentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setQuotaProjectId(quotaProject1)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setQuotaProjectId(quotaProject1)
+                    .build();
     UserCredentials otherCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(httpTransportFactory)
-            .setQuotaProjectId(quotaProject2)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(httpTransportFactory)
+                    .setQuotaProjectId(quotaProject2)
+                    .build();
     assertFalse(credentials.equals(otherCredentials));
     assertFalse(otherCredentials.equals(credentials));
   }
@@ -455,29 +455,29 @@ public void toString_containsFields() throws IOException {
     final URI tokenServer = URI.create("https://foo.com/bar");
     MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
     UserCredentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(transportFactory)
-            .setTokenServerUri(tokenServer)
-            .setQuotaProjectId(QUOTA_PROJECT)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(transportFactory)
+                    .setTokenServerUri(tokenServer)
+                    .setQuotaProjectId(QUOTA_PROJECT)
+                    .build();
 
     String expectedToString =
-        String.format(
-            "UserCredentials{requestMetadata=%s, temporaryAccess=%s, clientId=%s, refreshToken=%s, "
-                + "tokenServerUri=%s, transportFactoryClassName=%s, quotaProjectId=%s}",
-            ImmutableMap.of(
-                AuthHttpConstants.AUTHORIZATION,
-                ImmutableList.of(OAuth2Utils.BEARER_PREFIX + accessToken.getTokenValue())),
-            accessToken.toString(),
-            CLIENT_ID,
-            REFRESH_TOKEN,
-            tokenServer,
-            MockTokenServerTransportFactory.class.getName(),
-            QUOTA_PROJECT);
+            String.format(
+                    "UserCredentials{requestMetadata=%s, temporaryAccess=%s, clientId=%s, refreshToken=%s, "
+                            + "tokenServerUri=%s, transportFactoryClassName=%s, quotaProjectId=%s}",
+                    ImmutableMap.of(
+                            AuthHttpConstants.AUTHORIZATION,
+                            ImmutableList.of(OAuth2Utils.BEARER_PREFIX + accessToken.getTokenValue())),
+                    accessToken.toString(),
+                    CLIENT_ID,
+                    REFRESH_TOKEN,
+                    tokenServer,
+                    MockTokenServerTransportFactory.class.getName(),
+                    QUOTA_PROJECT);
     assertEquals(expectedToString, credentials.toString());
   }
 
@@ -487,25 +487,25 @@ public void hashCode_equals() throws IOException {
     MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
     AccessToken accessToken = new AccessToken(ACCESS_TOKEN, null);
     UserCredentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(transportFactory)
-            .setTokenServerUri(tokenServer)
-            .setQuotaProjectId(QUOTA_PROJECT)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(transportFactory)
+                    .setTokenServerUri(tokenServer)
+                    .setQuotaProjectId(QUOTA_PROJECT)
+                    .build();
     UserCredentials otherCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(transportFactory)
-            .setTokenServerUri(tokenServer)
-            .setQuotaProjectId(QUOTA_PROJECT)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(transportFactory)
+                    .setTokenServerUri(tokenServer)
+                    .setQuotaProjectId(QUOTA_PROJECT)
+                    .build();
     assertEquals(credentials.hashCode(), otherCredentials.hashCode());
   }
 
@@ -515,14 +515,14 @@ public void serialize() throws IOException, ClassNotFoundException {
     MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
     AccessToken accessToken = new AccessToken(ACCESS_TOKEN, null);
     UserCredentials credentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .setAccessToken(accessToken)
-            .setHttpTransportFactory(transportFactory)
-            .setTokenServerUri(tokenServer)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .setAccessToken(accessToken)
+                    .setHttpTransportFactory(transportFactory)
+                    .setTokenServerUri(tokenServer)
+                    .build();
     UserCredentials deserializedCredentials = serializeAndDeserialize(credentials);
     assertEquals(credentials, deserializedCredentials);
     assertEquals(credentials.hashCode(), deserializedCredentials.hashCode());
@@ -532,7 +532,7 @@ public void serialize() throws IOException, ClassNotFoundException {
 
   @Test
   public void fromStream_nullTransport_throws() throws IOException {
-    InputStream stream = new ByteArrayInputStream("foo".getBytes());
+    InputStream stream = new ByteArrayInputStream("foo" .getBytes());
     try {
       UserCredentials.fromStream(stream, null);
       fail("Should throw if HttpTransportFactory is null");
@@ -558,7 +558,7 @@ public void fromStream_user_providesToken() throws IOException {
     transportFactory.transport.addClient(CLIENT_ID, CLIENT_SECRET);
     transportFactory.transport.addRefreshToken(REFRESH_TOKEN, ACCESS_TOKEN);
     InputStream userStream =
-        writeUserStream(CLIENT_ID, CLIENT_SECRET, REFRESH_TOKEN, QUOTA_PROJECT);
+            writeUserStream(CLIENT_ID, CLIENT_SECRET, REFRESH_TOKEN, QUOTA_PROJECT);
 
     UserCredentials credentials = UserCredentials.fromStream(userStream, transportFactory);
 
@@ -591,11 +591,11 @@ public void fromStream_userNoRefreshToken_throws() throws IOException {
   @Test
   public void saveUserCredentials_saved_throws() throws IOException {
     UserCredentials userCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .build();
     File file = File.createTempFile("GOOGLE_APPLICATION_CREDENTIALS", null, null);
     file.deleteOnExit();
 
@@ -606,11 +606,11 @@ public void saveUserCredentials_saved_throws() throws IOException {
   @Test
   public void saveAndRestoreUserCredential_saveAndRestored_throws() throws IOException {
     UserCredentials userCredentials =
-        UserCredentials.newBuilder()
-            .setClientId(CLIENT_ID)
-            .setClientSecret(CLIENT_SECRET)
-            .setRefreshToken(REFRESH_TOKEN)
-            .build();
+            UserCredentials.newBuilder()
+                    .setClientId(CLIENT_ID)
+                    .setClientSecret(CLIENT_SECRET)
+                    .setRefreshToken(REFRESH_TOKEN)
+                    .build();
 
     File file = File.createTempFile("GOOGLE_APPLICATION_CREDENTIALS", null, null);
     file.deleteOnExit();
@@ -720,7 +720,7 @@ public LowLevelHttpResponse execute() throws IOException {
   public void getServiceAccountEmail_envVar_correct() throws IOException {
     TestUserCredentials userCredentials = new TestUserCredentials();
 
-    userCredentials.getVariables().put("SERVICE_ACCOUNT_APPLICATION_CREDENTIALS",SERVICE_ACCOUNT_EMAIL);
+    userCredentials.getVariables().put("SERVICE_ACCOUNT_APPLICATION_CREDENTIALS", SERVICE_ACCOUNT_EMAIL);
 
     String saEmail = userCredentials.getServiceAccountEmail(null);
     assertEquals(SERVICE_ACCOUNT_EMAIL, saEmail);
@@ -728,7 +728,7 @@ public void getServiceAccountEmail_envVar_correct() throws IOException {
 
 
   static GenericJson writeUserJson(
-      String clientId, String clientSecret, String refreshToken, String quotaProjectId) {
+          String clientId, String clientSecret, String refreshToken, String quotaProjectId) {
     GenericJson json = new GenericJson();
     if (clientId != null) {
       json.put("client_id", clientId);
@@ -747,8 +747,8 @@ static GenericJson writeUserJson(
   }
 
   static InputStream writeUserStream(
-      String clientId, String clientSecret, String refreshToken, String quotaProjectId)
-      throws IOException {
+          String clientId, String clientSecret, String refreshToken, String quotaProjectId)
+          throws IOException {
     GenericJson json = writeUserJson(clientId, clientSecret, refreshToken, quotaProjectId);
     return TestUtils.jsonToInputStream(json);
   }
@@ -757,8 +757,8 @@ private static void testFromStreamException(InputStream stream, String expectedM
     try {
       UserCredentials.fromStream(stream);
       fail(
-          String.format(
-              "Should throw exception with message containing '%s'", expectedMessageContent));
+              String.format(
+                      "Should throw exception with message containing '%s'", expectedMessageContent));
     } catch (IOException expected) {
       assertTrue(expected.getMessage().contains(expectedMessageContent));
     }
@@ -775,115 +775,9 @@ public Map<String, String> getVariables() {
       return variables;
     }
 
-    String getEnv(String key){
+    String getEnv(String key) {
       return variables.get(key);
     }
 
   }
-
-/*
-  @Test
-  public void idTokenWithAudience_correct() throws IOException {
-    String accessToken1 = "1/MkSJoj1xsli0AccessToken_NKPY2";
-    MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
-    MockTokenServerTransport transport = transportFactory.transport;
-    ServiceAccountCredentials credentials =
-            ServiceAccountCredentials.fromPkcs8(
-                    CLIENT_ID,
-                    CLIENT_EMAIL,
-                    PRIVATE_KEY_PKCS8,
-                    PRIVATE_KEY_ID,
-                    SCOPES,
-                    transportFactory,
-                    null);
-
-    transport.addServiceAccount(CLIENT_EMAIL, accessToken1);
-    TestUtils.assertContainsBearerToken(credentials.getRequestMetadata(CALL_URI), accessToken1);
-
-    String targetAudience = "https://foo.bar";
-    IdTokenCredentials tokenCredential =
-            IdTokenCredentials.newBuilder()
-                    .setIdTokenProvider(credentials)
-                    .setTargetAudience(targetAudience)
-                    .build();
-    tokenCredential.refresh();
-    assertEquals(DEFAULT_ID_TOKEN, tokenCredential.getAccessToken().getTokenValue());
-    assertEquals(DEFAULT_ID_TOKEN, tokenCredential.getIdToken().getTokenValue());
-    assertEquals(
-            targetAudience,
-            (String) tokenCredential.getIdToken().getJsonWebSignature().getPayload().getAudience());
-  }
-*/
-
-
-
-  /*
-    @Override
-  public IdToken idTokenWithAudience(String targetAudience, List<Option> options) throws IOException {
-
-    if (targetAudience == null || targetAudience.equals("")) {
-      throw new IOException("TargetAudience can't be null or empty");
-    }
-
-    HttpRequestFactory requestFactory = new NetHttpTransport().createRequestFactory(new HttpCredentialsAdapter(this));
-
-    //First time, check if the instance attribute has been initialized or not
-    if (serviceAccountCredentialEmail == null){
-      serviceAccountCredentialEmail = getServiceAccountEmail(requestFactory);
-    }
-
-    GenericData requestBody = new GenericData();
-    requestBody.put("audience",targetAudience);
-    requestBody.put("includeEmail", true);
-    JsonHttpContent jsonRequestBody = new JsonHttpContent(JSON_FACTORY,requestBody);
-
-    HttpRequest request = requestFactory.buildPostRequest(
-            new GenericUrl(SERVICE_ACCOUNT_CREDENTIALS_API +
-                    serviceAccountCredentialEmail+":generateIdToken"),jsonRequestBody);
-    request.setParser(new JsonObjectParser(JSON_FACTORY));
-    HttpResponse httpResponse = request.execute();
-    GenericData responseData = httpResponse.parseAs(GenericData.class);
-
-    return IdToken.create(responseData.get("token").toString());
-  }
-
-  private String getServiceAccountEmail(HttpRequestFactory requestFactory) throws IOException {
-    LOGGER.warning("ID Token generation with audience and based on user credential is not possible. \n" +
-            "A service account must be used. You can define it in the environment variable\n" +
-            SERVICE_ACCOUNT_APPLICATION_CREDENTIALS + "\nIf not set, default Compute Engine default " +
-            "service account will be used\nYou need to have the role 'Service Account Token Creator' " +
-            "on the service account.");
-
-    // Get the service account in the Environment Variables
-    String saEmail = System.getenv(SERVICE_ACCOUNT_APPLICATION_CREDENTIALS);
-
-    // If missing, use the compute engine default service account by default
-    if (saEmail == null || saEmail.equals("")){
-      // If quotaProjectId is null, you can't determine the current project
-      if (quotaProjectId == null){
-        throw new IOException(
-                "QuotaProjectId can't be null to determine the default service account to use\n" +
-                        "Use 'gcloud auth application-default set-quota-project' to set it");
-      }
-
-      // Inform the user that no defined service account is found. Use the Compute Engine Default service account
-      saEmail = getComputeEngineDefaultServiceAccountEmail(getQuotaProjectId(),requestFactory);
-    }
-    LOGGER.info("The service account with email '" + saEmail + "' is used");
-    return saEmail;
-  }
-
-
-    private String getComputeEngineDefaultServiceAccountEmail(String projectId, HttpRequestFactory requestFactory) throws IOException {
-    String url = RESOURCE_MANAGER_API + "projects/" + projectId;
-
-    HttpRequest request = requestFactory.buildGetRequest(new GenericUrl(url));
-    request.setParser(new JsonObjectParser(JSON_FACTORY));
-    HttpResponse httpResponse = request.execute();
-    GenericData responseData = httpResponse.parseAs(GenericData.class);
-
-    return responseData.get("projectNumber").toString() + DEFAULT_COMPUTE_ENGINE_SERVICE_ACCOUNT_SUFFIX;
-  }
-
-   */
-}
+}
\ No newline at end of file