From cb3866ede3494c43f10b30262b2a4ee4e9c7646e Mon Sep 17 00:00:00 2001
From: Timur Sadykov <stim@google.com>
Date: Wed, 5 May 2021 17:14:05 -0700
Subject: [PATCH 01/13] new adapter for idtoken

---
 .gitignore                                    |  3 +
 .../auth/http/HttpUserCredentialsAdapter.java | 81 +++++++++++++++++++
 .../google/auth/oauth2/UserCredentials.java   | 20 +++++
 3 files changed, 104 insertions(+)
 create mode 100644 oauth2_http/java/com/google/auth/http/HttpUserCredentialsAdapter.java

diff --git a/.gitignore b/.gitignore
index b637b4b46..fe226042f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,6 @@ target/
 # Intellij
 *.iml
 .idea/
+
+# VS Code
+.vscode/
\ No newline at end of file
diff --git a/oauth2_http/java/com/google/auth/http/HttpUserCredentialsAdapter.java b/oauth2_http/java/com/google/auth/http/HttpUserCredentialsAdapter.java
new file mode 100644
index 000000000..22e7500b2
--- /dev/null
+++ b/oauth2_http/java/com/google/auth/http/HttpUserCredentialsAdapter.java
@@ -0,0 +1,81 @@
+/*
+ * Copyright 2015, Google Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *    * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *    * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *
+ *    * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package com.google.auth.http;
+
+import com.google.api.client.http.HttpHeaders;
+import com.google.api.client.http.HttpRequest;
+import com.google.auth.Credentials;
+import java.io.IOException;
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+/** A wrapper for using Credentials with the Google API Client Libraries for Java with Http. */
+public class HttpUserCredentialsAdapter extends HttpCredentialsAdapter {
+
+  /** @param credentials Credentials instance to adapt for HTTP */
+  public HttpUserCredentialsAdapter(Credentials credentials) {
+    super(credentials);
+  }
+
+  /**
+   * {@inheritDoc}
+   *
+   * <p>Initialize the HTTP request prior to execution.
+   *
+   * @param request HTTP request
+   */
+  @Override
+  public void initialize(HttpRequest request) throws IOException {
+    request.setUnsuccessfulResponseHandler(this);
+
+    if (!credentials.hasRequestMetadata()) {
+      return;
+    }
+    HttpHeaders requestHeaders = request.getHeaders();
+    URI uri = null;
+    if (request.getUrl() != null) {
+      uri = request.getUrl().toURI();
+    }
+    Map<String, List<String>> credentialHeaders = credentials.getRequestMetadata(uri);
+    if (credentialHeaders == null) {
+      return;
+    }
+    for (Map.Entry<String, List<String>> entry : credentialHeaders.entrySet()) {
+      String headerName = entry.getKey();
+      List<String> requestValues = new ArrayList<>();
+      requestValues.addAll(entry.getValue());
+      requestHeaders.put(headerName, requestValues);
+    }
+  }
+}
\ No newline at end of file
diff --git a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
index b8a05bcd1..8745a9e90 100644
--- a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
@@ -44,6 +44,7 @@
 import com.google.api.client.json.JsonObjectParser;
 import com.google.api.client.util.GenericData;
 import com.google.api.client.util.Preconditions;
+import com.google.api.client.util.StringUtils;
 import com.google.auth.http.HttpTransportFactory;
 import com.google.common.base.MoreObjects;
 import java.io.ByteArrayInputStream;
@@ -71,6 +72,8 @@ public class UserCredentials extends GoogleCredentials implements QuotaProjectId
   private final String transportFactoryClassName;
   private final String quotaProjectId;
 
+  private IdToken idToken;
+
   private transient HttpTransportFactory transportFactory;
 
   /**
@@ -202,6 +205,14 @@ public AccessToken refreshAccessToken() throws IOException {
     request.setParser(new JsonObjectParser(JSON_FACTORY));
     HttpResponse response = request.execute();
     GenericData responseData = response.parseAs(GenericData.class);
+
+    String idTokenKey = "id_token";
+    if (responseData.containsKey(idTokenKey)) {
+      String idTokenString = 
+        OAuth2Utils.validateString(responseData, idTokenKey, PARSE_ERROR_PREFIX);
+        idToken = IdToken.create(idTokenString);
+    }
+    
     String accessToken =
         OAuth2Utils.validateString(responseData, "access_token", PARSE_ERROR_PREFIX);
     int expiresInSeconds =
@@ -237,6 +248,15 @@ public final String getRefreshToken() {
     return refreshToken;
   }
 
+  /**
+   * Returns the id token resulting from a OAuth2 consent flow.
+   *
+   * @return id token
+   */
+  public final IdToken getIdToken() {
+    return idToken;
+  }
+
   /**
    * Returns the instance of InputStream containing the following user credentials in JSON format: -
    * RefreshToken - ClientId - ClientSecret - ServerTokenUri

From 9def95a56c6463bb44b7eb3fd5b907c588fa3385 Mon Sep 17 00:00:00 2001
From: stim <timur@sadykov.me>
Date: Thu, 6 May 2021 01:55:29 -0700
Subject: [PATCH 02/13] poc of the IdtokenProvider implementation for
 UserCredentials

---
 .../auth/oauth2/IdTokenCredentials.java       | 10 +++
 .../google/auth/oauth2/UserCredentials.java   | 77 ++++++++++++-------
 2 files changed, 59 insertions(+), 28 deletions(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java b/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
index 5629d4e81..eea8e3e77 100644
--- a/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
@@ -110,6 +110,16 @@ public class IdTokenCredentials extends OAuth2Credentials {
 
   private IdTokenCredentials(Builder builder) {
     this.idTokenProvider = Preconditions.checkNotNull(builder.getIdTokenProvider());
+
+    // if UserCredential is used as id token provider - we need to refresh access token
+    if (this.idTokenProvider instanceof UserCredentials) {
+      try { 
+        this.refresh();
+      } catch (IOException ignored) {
+        // ignore because all we need here is to reset the metadata
+      }
+
+    }
     this.targetAudience = Preconditions.checkNotNull(builder.getTargetAudience());
     this.options = builder.getOptions();
   }
diff --git a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
index 8745a9e90..654bb9abd 100644
--- a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
@@ -44,7 +44,6 @@
 import com.google.api.client.json.JsonObjectParser;
 import com.google.api.client.util.GenericData;
 import com.google.api.client.util.Preconditions;
-import com.google.api.client.util.StringUtils;
 import com.google.auth.http.HttpTransportFactory;
 import com.google.common.base.MoreObjects;
 import java.io.ByteArrayInputStream;
@@ -59,7 +58,7 @@
 import java.util.Objects;
 
 /** OAuth2 Credentials representing a user's identity and consent. */
-public class UserCredentials extends GoogleCredentials implements QuotaProjectIdProvider {
+public class UserCredentials extends GoogleCredentials implements QuotaProjectIdProvider, IdTokenProvider {
 
   private static final String GRANT_TYPE = "refresh_token";
   private static final String PARSE_ERROR_PREFIX = "Error parsing token refresh response. ";
@@ -72,8 +71,6 @@ public class UserCredentials extends GoogleCredentials implements QuotaProjectId
   private final String transportFactoryClassName;
   private final String quotaProjectId;
 
-  private IdToken idToken;
-
   private transient HttpTransportFactory transportFactory;
 
   /**
@@ -189,30 +186,7 @@ public static UserCredentials fromStream(
   /** Refreshes the OAuth2 access token by getting a new access token from the refresh token */
   @Override
   public AccessToken refreshAccessToken() throws IOException {
-    if (refreshToken == null) {
-      throw new IllegalStateException(
-          "UserCredentials instance cannot refresh because there is no" + " refresh token.");
-    }
-    GenericData tokenRequest = new GenericData();
-    tokenRequest.set("client_id", clientId);
-    tokenRequest.set("client_secret", clientSecret);
-    tokenRequest.set("refresh_token", refreshToken);
-    tokenRequest.set("grant_type", GRANT_TYPE);
-    UrlEncodedContent content = new UrlEncodedContent(tokenRequest);
-
-    HttpRequestFactory requestFactory = transportFactory.create().createRequestFactory();
-    HttpRequest request = requestFactory.buildPostRequest(new GenericUrl(tokenServerUri), content);
-    request.setParser(new JsonObjectParser(JSON_FACTORY));
-    HttpResponse response = request.execute();
-    GenericData responseData = response.parseAs(GenericData.class);
-
-    String idTokenKey = "id_token";
-    if (responseData.containsKey(idTokenKey)) {
-      String idTokenString = 
-        OAuth2Utils.validateString(responseData, idTokenKey, PARSE_ERROR_PREFIX);
-        idToken = IdToken.create(idTokenString);
-    }
-    
+    GenericData responseData = doRefreshAccessToken();
     String accessToken =
         OAuth2Utils.validateString(responseData, "access_token", PARSE_ERROR_PREFIX);
     int expiresInSeconds =
@@ -221,6 +195,29 @@ public AccessToken refreshAccessToken() throws IOException {
     return new AccessToken(accessToken, new Date(expiresAtMilliseconds));
   }
 
+  /**
+   * Returns a Google ID Token from the refresh token response.
+   *
+   * @param targetAudience the aud: field the IdToken should include. Currently unused for
+   *     UserCredentials.
+   * @param options list of Credential specific options for for the token. Currently unused for
+   *     UserCredentials.
+   * @throws IOException if the attempt to get an IdToken failed
+   * @return IdToken object which includes the raw id_token, expiration and audience
+   */
+  @Override
+  public IdToken idTokenWithAudience(String targetAudience, List<Option> options) throws IOException {
+    GenericData responseData = doRefreshAccessToken();
+    String idTokenKey = "id_token";
+    if (responseData.containsKey(idTokenKey)) {
+      String idTokenString = 
+        OAuth2Utils.validateString(responseData, idTokenKey, PARSE_ERROR_PREFIX);
+        return IdToken.create(idTokenString);
+    }
+
+    throw new IOException("UserCredentials instance cannot refresh id token because there is no id token in refresh response.");
+  }
+
   /**
    * Returns client ID of the credential from the console.
    *
@@ -257,6 +254,30 @@ public final IdToken getIdToken() {
     return idToken;
   }
 
+  /**
+   *  Does refresh access token request 
+   * 
+   * @return Refresh token response data
+   */
+  private GenericData doRefreshAccessToken() throws IOException {
+    if (refreshToken == null) {
+      throw new IllegalStateException(
+          "UserCredentials instance cannot refresh because there is no refresh token.");
+    }
+    GenericData tokenRequest = new GenericData();
+    tokenRequest.set("client_id", clientId);
+    tokenRequest.set("client_secret", clientSecret);
+    tokenRequest.set("refresh_token", refreshToken);
+    tokenRequest.set("grant_type", GRANT_TYPE);
+    UrlEncodedContent content = new UrlEncodedContent(tokenRequest);
+
+    HttpRequestFactory requestFactory = transportFactory.create().createRequestFactory();
+    HttpRequest request = requestFactory.buildPostRequest(new GenericUrl(tokenServerUri), content);
+    request.setParser(new JsonObjectParser(JSON_FACTORY));
+    HttpResponse response = request.execute();
+    return response.parseAs(GenericData.class);
+  }
+
   /**
    * Returns the instance of InputStream containing the following user credentials in JSON format: -
    * RefreshToken - ClientId - ClientSecret - ServerTokenUri

From 3096bd02542ffb066e0677e5e82fd0f2736a0176 Mon Sep 17 00:00:00 2001
From: stim <timur@sadykov.me>
Date: Thu, 6 May 2021 01:59:29 -0700
Subject: [PATCH 03/13] removing HttpUserCredentialsAdapter as we go with
 IdTokenProvider approach

---
 .../auth/http/HttpUserCredentialsAdapter.java | 81 -------------------
 1 file changed, 81 deletions(-)
 delete mode 100644 oauth2_http/java/com/google/auth/http/HttpUserCredentialsAdapter.java

diff --git a/oauth2_http/java/com/google/auth/http/HttpUserCredentialsAdapter.java b/oauth2_http/java/com/google/auth/http/HttpUserCredentialsAdapter.java
deleted file mode 100644
index 22e7500b2..000000000
--- a/oauth2_http/java/com/google/auth/http/HttpUserCredentialsAdapter.java
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * Copyright 2015, Google Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are
- * met:
- *
- *    * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *    * Redistributions in binary form must reproduce the above
- * copyright notice, this list of conditions and the following disclaimer
- * in the documentation and/or other materials provided with the
- * distribution.
- *
- *    * Neither the name of Google Inc. nor the names of its
- * contributors may be used to endorse or promote products derived from
- * this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-package com.google.auth.http;
-
-import com.google.api.client.http.HttpHeaders;
-import com.google.api.client.http.HttpRequest;
-import com.google.auth.Credentials;
-import java.io.IOException;
-import java.net.URI;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-
-/** A wrapper for using Credentials with the Google API Client Libraries for Java with Http. */
-public class HttpUserCredentialsAdapter extends HttpCredentialsAdapter {
-
-  /** @param credentials Credentials instance to adapt for HTTP */
-  public HttpUserCredentialsAdapter(Credentials credentials) {
-    super(credentials);
-  }
-
-  /**
-   * {@inheritDoc}
-   *
-   * <p>Initialize the HTTP request prior to execution.
-   *
-   * @param request HTTP request
-   */
-  @Override
-  public void initialize(HttpRequest request) throws IOException {
-    request.setUnsuccessfulResponseHandler(this);
-
-    if (!credentials.hasRequestMetadata()) {
-      return;
-    }
-    HttpHeaders requestHeaders = request.getHeaders();
-    URI uri = null;
-    if (request.getUrl() != null) {
-      uri = request.getUrl().toURI();
-    }
-    Map<String, List<String>> credentialHeaders = credentials.getRequestMetadata(uri);
-    if (credentialHeaders == null) {
-      return;
-    }
-    for (Map.Entry<String, List<String>> entry : credentialHeaders.entrySet()) {
-      String headerName = entry.getKey();
-      List<String> requestValues = new ArrayList<>();
-      requestValues.addAll(entry.getValue());
-      requestHeaders.put(headerName, requestValues);
-    }
-  }
-}
\ No newline at end of file

From 74b0994bb2523e900afc37ebe8f4f75c0168710b Mon Sep 17 00:00:00 2001
From: stim <timur@sadykov.me>
Date: Mon, 10 May 2021 23:49:47 -0700
Subject: [PATCH 04/13] fix build

---
 .../java/com/google/auth/oauth2/UserCredentials.java     | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
index 654bb9abd..96df9d2b5 100644
--- a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
@@ -245,15 +245,6 @@ public final String getRefreshToken() {
     return refreshToken;
   }
 
-  /**
-   * Returns the id token resulting from a OAuth2 consent flow.
-   *
-   * @return id token
-   */
-  public final IdToken getIdToken() {
-    return idToken;
-  }
-
   /**
    *  Does refresh access token request 
    * 

From 195e37fb90dac7b7510f498604caae76b3781b7c Mon Sep 17 00:00:00 2001
From: Timur Sadykov <stim@google.com>
Date: Tue, 11 May 2021 00:50:36 -0700
Subject: [PATCH 05/13] linter fixes

---
 .../auth/oauth2/IdTokenCredentials.java       |  3 +--
 .../google/auth/oauth2/UserCredentials.java   | 26 +++++++------------
 2 files changed, 11 insertions(+), 18 deletions(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java b/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
index eea8e3e77..1364d956b 100644
--- a/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
@@ -113,12 +113,11 @@ private IdTokenCredentials(Builder builder) {
 
     // if UserCredential is used as id token provider - we need to refresh access token
     if (this.idTokenProvider instanceof UserCredentials) {
-      try { 
+      try {
         this.refresh();
       } catch (IOException ignored) {
         // ignore because all we need here is to reset the metadata
       }
-
     }
     this.targetAudience = Preconditions.checkNotNull(builder.getTargetAudience());
     this.options = builder.getOptions();
diff --git a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
index 654bb9abd..27bb59a53 100644
--- a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
@@ -58,7 +58,8 @@
 import java.util.Objects;
 
 /** OAuth2 Credentials representing a user's identity and consent. */
-public class UserCredentials extends GoogleCredentials implements QuotaProjectIdProvider, IdTokenProvider {
+public class UserCredentials extends GoogleCredentials
+    implements QuotaProjectIdProvider, IdTokenProvider {
 
   private static final String GRANT_TYPE = "refresh_token";
   private static final String PARSE_ERROR_PREFIX = "Error parsing token refresh response. ";
@@ -206,16 +207,18 @@ public AccessToken refreshAccessToken() throws IOException {
    * @return IdToken object which includes the raw id_token, expiration and audience
    */
   @Override
-  public IdToken idTokenWithAudience(String targetAudience, List<Option> options) throws IOException {
+  public IdToken idTokenWithAudience(String targetAudience, List<Option> options)
+      throws IOException {
     GenericData responseData = doRefreshAccessToken();
     String idTokenKey = "id_token";
     if (responseData.containsKey(idTokenKey)) {
-      String idTokenString = 
-        OAuth2Utils.validateString(responseData, idTokenKey, PARSE_ERROR_PREFIX);
-        return IdToken.create(idTokenString);
+      String idTokenString =
+          OAuth2Utils.validateString(responseData, idTokenKey, PARSE_ERROR_PREFIX);
+      return IdToken.create(idTokenString);
     }
 
-    throw new IOException("UserCredentials instance cannot refresh id token because there is no id token in refresh response.");
+    throw new IOException(
+        "UserCredentials instance cannot refresh id token because there is no id token in refresh response.");
   }
 
   /**
@@ -246,17 +249,8 @@ public final String getRefreshToken() {
   }
 
   /**
-   * Returns the id token resulting from a OAuth2 consent flow.
+   * Does refresh access token request
    *
-   * @return id token
-   */
-  public final IdToken getIdToken() {
-    return idToken;
-  }
-
-  /**
-   *  Does refresh access token request 
-   * 
    * @return Refresh token response data
    */
   private GenericData doRefreshAccessToken() throws IOException {

From bce601b39c25ac62231ab77d7449edbf89e16949 Mon Sep 17 00:00:00 2001
From: Timur Sadykov <stim@google.com>
Date: Tue, 11 May 2021 01:43:27 -0700
Subject: [PATCH 06/13] actual linter fixes

---
 oauth2_http/java/com/google/auth/oauth2/UserCredentials.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
index 63d1103af..27bb59a53 100644
--- a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
@@ -249,8 +249,8 @@ public final String getRefreshToken() {
   }
 
   /**
-   *  Does refresh access token request 
-   * 
+   * Does refresh access token request
+   *
    * @return Refresh token response data
    */
   private GenericData doRefreshAccessToken() throws IOException {

From c1ea59785a94f1d569d1b424eb5704a29d794bb7 Mon Sep 17 00:00:00 2001
From: stim <timur@sadykov.me>
Date: Fri, 14 May 2021 20:42:19 -0700
Subject: [PATCH 07/13] unit tests for idtoken

---
 .../auth/oauth2/IdTokenCredentials.java       |  6 +-
 .../google/auth/oauth2/UserCredentials.java   |  6 +-
 .../auth/oauth2/MockTokenServerTransport.java | 16 +++--
 .../auth/oauth2/UserCredentialsTest.java      | 58 ++++++++++++++++++-
 4 files changed, 76 insertions(+), 10 deletions(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java b/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
index eea8e3e77..47d231e0a 100644
--- a/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
@@ -118,9 +118,11 @@ private IdTokenCredentials(Builder builder) {
       } catch (IOException ignored) {
         // ignore because all we need here is to reset the metadata
       }
-
     }
-    this.targetAudience = Preconditions.checkNotNull(builder.getTargetAudience());
+    else {
+      // target audience is not used for UserCredentials
+      this.targetAudience = Preconditions.checkNotNull(builder.getTargetAudience());
+    }
     this.options = builder.getOptions();
   }
 
diff --git a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
index 96df9d2b5..d2aafb130 100644
--- a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
@@ -198,7 +198,7 @@ public AccessToken refreshAccessToken() throws IOException {
   /**
    * Returns a Google ID Token from the refresh token response.
    *
-   * @param targetAudience the aud: field the IdToken should include. Currently unused for
+   * @param targetAudience the aud: field the IdToken should include. This is not unused for
    *     UserCredentials.
    * @param options list of Credential specific options for for the token. Currently unused for
    *     UserCredentials.
@@ -215,7 +215,9 @@ public IdToken idTokenWithAudience(String targetAudience, List<Option> options)
         return IdToken.create(idTokenString);
     }
 
-    throw new IOException("UserCredentials instance cannot refresh id token because there is no id token in refresh response.");
+    throw new IOException("UserCredentials instance cannot refresh id token unless you are logged" +
+    " into gcloud. Please see https://cloud.google.com/run/docs/authenticating/developers" + 
+    " for more info.");
   }
 
   /**
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/MockTokenServerTransport.java b/oauth2_http/javatests/com/google/auth/oauth2/MockTokenServerTransport.java
index efa09d7c7..840351d2d 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/MockTokenServerTransport.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/MockTokenServerTransport.java
@@ -53,6 +53,7 @@
 /** Mock transport to simulate providing Google OAuth2 access tokens */
 public class MockTokenServerTransport extends MockHttpTransport {
 
+  public static final String SDK_CLIENT_ID = "sdk_client_id";
   static final String EXPECTED_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";
   static final JsonFactory JSON_FACTORY = new GsonFactory();
   int buildRequestCount;
@@ -124,9 +125,9 @@ public LowLevelHttpRequest buildRequest(String method, String url) throws IOExce
       throw error;
     }
     int questionMarkPos = url.indexOf('?');
-    final String urlWithoutQUery = (questionMarkPos > 0) ? url.substring(0, questionMarkPos) : url;
+    final String urlWithoutQuery = (questionMarkPos > 0) ? url.substring(0, questionMarkPos) : url;
     final String query = (questionMarkPos > 0) ? url.substring(questionMarkPos + 1) : "";
-    if (urlWithoutQUery.equals(tokenServerUri.toString())) {
+    if (urlWithoutQuery.equals(tokenServerUri.toString())) {
       return new MockLowLevelHttpRequest(url) {
         @Override
         public LowLevelHttpResponse execute() throws IOException {
@@ -145,10 +146,14 @@ public LowLevelHttpResponse execute() throws IOException {
           boolean generateAccessToken = true;
 
           String foundId = query.get("client_id");
+          boolean isSdkClientId = false;
           if (foundId != null) {
             if (!clients.containsKey(foundId)) {
               throw new IOException("Client ID not found.");
             }
+            if (foundId.equals(SDK_CLIENT_ID)) {
+              isSdkClientId = true;
+            }
             String foundSecret = query.get("client_secret");
             String expectedSecret = clients.get(foundId);
             if (foundSecret == null || !foundSecret.equals(expectedSecret)) {
@@ -207,8 +212,9 @@ public LowLevelHttpResponse execute() throws IOException {
             responseContents.put("access_token", accessToken);
             if (refreshToken != null) {
               responseContents.put("refresh_token", refreshToken);
-            }
-          } else {
+            }            
+          } 
+          if (isSdkClientId || !generateAccessToken) {
             responseContents.put("id_token", ServiceAccountCredentialsTest.DEFAULT_ID_TOKEN);
           }
           String refreshText = responseContents.toPrettyString();
@@ -218,7 +224,7 @@ public LowLevelHttpResponse execute() throws IOException {
               .setContent(refreshText);
         }
       };
-    } else if (urlWithoutQUery.equals(OAuth2Utils.TOKEN_REVOKE_URI.toString())) {
+    } else if (urlWithoutQuery.equals(OAuth2Utils.TOKEN_REVOKE_URI.toString())) {
       return new MockLowLevelHttpRequest(url) {
         @Override
         public LowLevelHttpResponse execute() throws IOException {
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
index 288f4d773..be73a0396 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
@@ -72,7 +72,13 @@ public class UserCredentialsTest extends BaseSerializationTest {
   private static final String ACCESS_TOKEN = "1/MkSJoj1xsli0AccessToken_NKPY2";
   private static final String QUOTA_PROJECT = "sample-quota-project-id";
   private static final Collection<String> SCOPES = Collections.singletonList("dummy.scope");
-  private static final URI CALL_URI = URI.create("http://googleapis.com/testapi/v1/foo");
+  private static final URI CALL_URI = URI.create("http://googleapis.com/testapi/v1/foo");  
+  public static final String DEFAULT_ID_TOKEN =
+  "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRmMzc1ODkwOGI3OTIyO"
+      + "TNhZDk3N2EwYjk5MWQ5OGE3N2Y0ZWVlY2QiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2Zvby5iYXIiL"
+      + "CJhenAiOiIxMDIxMDE1NTA4MzQyMDA3MDg1NjgiLCJleHAiOjE1NjQ0NzUwNTEsImlhdCI6MTU2NDQ3MTQ1MSwi"
+      + "aXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTAyMTAxNTUwODM0MjAwNzA4NTY4In0"
+      + ".redacted";
 
   @Test(expected = IllegalStateException.class)
   public void constructor_accessAndRefreshTokenNull_throws() {
@@ -699,6 +705,56 @@ public void onFailure(Throwable exception) {
     assertTrue("Should have run onSuccess() callback", success.get());
   }
 
+  @Test
+  public void IdTokenCredentials_SdkClientId_correct() throws IOException {
+    MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
+    transportFactory.transport.addClient(MockTokenServerTransport.SDK_CLIENT_ID, CLIENT_SECRET);
+    transportFactory.transport.addRefreshToken(REFRESH_TOKEN, ACCESS_TOKEN);
+    InputStream userStream =
+        writeUserStream(MockTokenServerTransport.SDK_CLIENT_ID, CLIENT_SECRET, REFRESH_TOKEN, QUOTA_PROJECT);
+
+    UserCredentials credentials = UserCredentials.fromStream(userStream, transportFactory);
+    credentials.refresh();
+
+    assertEquals(ACCESS_TOKEN, credentials.getAccessToken().getTokenValue());
+
+    IdTokenCredentials tokenCredential =
+        IdTokenCredentials.newBuilder()
+            .setIdTokenProvider(credentials)
+            .build();
+    
+    // UserCredential returns access token until refresh, 
+    // IDTokenCredential does refresh during instantiation
+    assertEquals(DEFAULT_ID_TOKEN, tokenCredential.getAccessToken().getTokenValue());
+    assertEquals(DEFAULT_ID_TOKEN, tokenCredential.getIdToken().getTokenValue());
+  }
+
+  @Test
+  public void IdTokenCredentials_notSdkClientId_throws() throws IOException {
+    MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
+    transportFactory.transport.addClient(CLIENT_ID, CLIENT_SECRET);
+    transportFactory.transport.addRefreshToken(REFRESH_TOKEN, ACCESS_TOKEN);
+    InputStream userStream =
+        writeUserStream(CLIENT_ID, CLIENT_SECRET, REFRESH_TOKEN, QUOTA_PROJECT);
+
+    UserCredentials credentials = UserCredentials.fromStream(userStream, transportFactory);
+
+    IdTokenCredentials tokenCredential =
+        IdTokenCredentials.newBuilder()
+            .setIdTokenProvider(credentials)
+            .build();
+
+    String expectedMessageContent = "UserCredentials instance cannot refresh id token unless" +
+    " you are logged into gcloud. Please see" +
+    " https://cloud.google.com/run/docs/authenticating/developers for more info.";
+
+    try {
+      tokenCredential.refresh();
+    } catch (IOException expected) {
+      assertTrue(expected.getMessage().contains(expectedMessageContent));
+    }
+  }
+
   static GenericJson writeUserJson(
       String clientId, String clientSecret, String refreshToken, String quotaProjectId) {
     GenericJson json = new GenericJson();

From 21b1c79cfeaf6946ef06578bebb9dd6d3c8bc206 Mon Sep 17 00:00:00 2001
From: stim <timur@sadykov.me>
Date: Sat, 15 May 2021 18:10:37 -0700
Subject: [PATCH 08/13] linter fixes

---
 .../auth/oauth2/IdTokenCredentials.java       |  3 +-
 .../google/auth/oauth2/UserCredentials.java   |  7 ++--
 .../auth/oauth2/MockTokenServerTransport.java |  4 +--
 .../auth/oauth2/UserCredentialsTest.java      | 34 +++++++++----------
 4 files changed, 23 insertions(+), 25 deletions(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java b/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
index 8d15c0e42..a5d2ada37 100644
--- a/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
@@ -118,8 +118,7 @@ private IdTokenCredentials(Builder builder) {
       } catch (IOException ignored) {
         // ignore because all we need here is to reset the metadata
       }
-    }
-    else {
+    } else {
       // target audience is not used for UserCredentials
       this.targetAudience = Preconditions.checkNotNull(builder.getTargetAudience());
     }
diff --git a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
index c482b8bb1..7c1b6c666 100644
--- a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
@@ -217,9 +217,10 @@ public IdToken idTokenWithAudience(String targetAudience, List<Option> options)
       return IdToken.create(idTokenString);
     }
 
-    throw new IOException("UserCredentials instance cannot refresh id token unless you are logged" +
-    " into gcloud. Please see https://cloud.google.com/run/docs/authenticating/developers" + 
-    " for more info.");
+    throw new IOException(
+        "UserCredentials instance cannot refresh id token unless you are logged"
+            + " into gcloud. Please see https://cloud.google.com/run/docs/authenticating/developers"
+            + " for more info.");
   }
 
   /**
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/MockTokenServerTransport.java b/oauth2_http/javatests/com/google/auth/oauth2/MockTokenServerTransport.java
index 840351d2d..13d876372 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/MockTokenServerTransport.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/MockTokenServerTransport.java
@@ -212,8 +212,8 @@ public LowLevelHttpResponse execute() throws IOException {
             responseContents.put("access_token", accessToken);
             if (refreshToken != null) {
               responseContents.put("refresh_token", refreshToken);
-            }            
-          } 
+            }
+          }
           if (isSdkClientId || !generateAccessToken) {
             responseContents.put("id_token", ServiceAccountCredentialsTest.DEFAULT_ID_TOKEN);
           }
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
index be73a0396..c3289c074 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
@@ -72,13 +72,13 @@ public class UserCredentialsTest extends BaseSerializationTest {
   private static final String ACCESS_TOKEN = "1/MkSJoj1xsli0AccessToken_NKPY2";
   private static final String QUOTA_PROJECT = "sample-quota-project-id";
   private static final Collection<String> SCOPES = Collections.singletonList("dummy.scope");
-  private static final URI CALL_URI = URI.create("http://googleapis.com/testapi/v1/foo");  
+  private static final URI CALL_URI = URI.create("http://googleapis.com/testapi/v1/foo");
   public static final String DEFAULT_ID_TOKEN =
-  "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRmMzc1ODkwOGI3OTIyO"
-      + "TNhZDk3N2EwYjk5MWQ5OGE3N2Y0ZWVlY2QiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2Zvby5iYXIiL"
-      + "CJhenAiOiIxMDIxMDE1NTA4MzQyMDA3MDg1NjgiLCJleHAiOjE1NjQ0NzUwNTEsImlhdCI6MTU2NDQ3MTQ1MSwi"
-      + "aXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTAyMTAxNTUwODM0MjAwNzA4NTY4In0"
-      + ".redacted";
+      "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRmMzc1ODkwOGI3OTIyO"
+          + "TNhZDk3N2EwYjk5MWQ5OGE3N2Y0ZWVlY2QiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2Zvby5iYXIiL"
+          + "CJhenAiOiIxMDIxMDE1NTA4MzQyMDA3MDg1NjgiLCJleHAiOjE1NjQ0NzUwNTEsImlhdCI6MTU2NDQ3MTQ1MSwi"
+          + "aXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTAyMTAxNTUwODM0MjAwNzA4NTY4In0"
+          + ".redacted";
 
   @Test(expected = IllegalStateException.class)
   public void constructor_accessAndRefreshTokenNull_throws() {
@@ -711,7 +711,8 @@ public void IdTokenCredentials_SdkClientId_correct() throws IOException {
     transportFactory.transport.addClient(MockTokenServerTransport.SDK_CLIENT_ID, CLIENT_SECRET);
     transportFactory.transport.addRefreshToken(REFRESH_TOKEN, ACCESS_TOKEN);
     InputStream userStream =
-        writeUserStream(MockTokenServerTransport.SDK_CLIENT_ID, CLIENT_SECRET, REFRESH_TOKEN, QUOTA_PROJECT);
+        writeUserStream(
+            MockTokenServerTransport.SDK_CLIENT_ID, CLIENT_SECRET, REFRESH_TOKEN, QUOTA_PROJECT);
 
     UserCredentials credentials = UserCredentials.fromStream(userStream, transportFactory);
     credentials.refresh();
@@ -719,11 +720,9 @@ public void IdTokenCredentials_SdkClientId_correct() throws IOException {
     assertEquals(ACCESS_TOKEN, credentials.getAccessToken().getTokenValue());
 
     IdTokenCredentials tokenCredential =
-        IdTokenCredentials.newBuilder()
-            .setIdTokenProvider(credentials)
-            .build();
-    
-    // UserCredential returns access token until refresh, 
+        IdTokenCredentials.newBuilder().setIdTokenProvider(credentials).build();
+
+    // UserCredential returns access token until refresh,
     // IDTokenCredential does refresh during instantiation
     assertEquals(DEFAULT_ID_TOKEN, tokenCredential.getAccessToken().getTokenValue());
     assertEquals(DEFAULT_ID_TOKEN, tokenCredential.getIdToken().getTokenValue());
@@ -740,13 +739,12 @@ public void IdTokenCredentials_notSdkClientId_throws() throws IOException {
     UserCredentials credentials = UserCredentials.fromStream(userStream, transportFactory);
 
     IdTokenCredentials tokenCredential =
-        IdTokenCredentials.newBuilder()
-            .setIdTokenProvider(credentials)
-            .build();
+        IdTokenCredentials.newBuilder().setIdTokenProvider(credentials).build();
 
-    String expectedMessageContent = "UserCredentials instance cannot refresh id token unless" +
-    " you are logged into gcloud. Please see" +
-    " https://cloud.google.com/run/docs/authenticating/developers for more info.";
+    String expectedMessageContent =
+        "UserCredentials instance cannot refresh id token unless"
+            + " you are logged into gcloud. Please see"
+            + " https://cloud.google.com/run/docs/authenticating/developers for more info.";
 
     try {
       tokenCredential.refresh();

From 58f0c4861ca58aeef846b8bbca1f5603ca681973 Mon Sep 17 00:00:00 2001
From: TimurSadykov <stim@google.com>
Date: Tue, 18 May 2021 04:03:36 -0700
Subject: [PATCH 09/13] comments addressed

---
 .../auth/oauth2/IdTokenCredentials.java       |  2 +-
 .../google/auth/oauth2/UserCredentials.java   | 12 +++++-----
 .../auth/oauth2/MockTokenServerTransport.java | 12 +++++-----
 .../auth/oauth2/UserCredentialsTest.java      | 23 ++++++++++---------
 4 files changed, 25 insertions(+), 24 deletions(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java b/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
index a5d2ada37..1a20dfe78 100644
--- a/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
@@ -119,7 +119,7 @@ private IdTokenCredentials(Builder builder) {
         // ignore because all we need here is to reset the metadata
       }
     } else {
-      // target audience is not used for UserCredentials
+      // target audience can't be used for UserCredentials
       this.targetAudience = Preconditions.checkNotNull(builder.getTargetAudience());
     }
     this.options = builder.getOptions();
diff --git a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
index 7c1b6c666..780ec7538 100644
--- a/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
@@ -199,9 +199,8 @@ public AccessToken refreshAccessToken() throws IOException {
   /**
    * Returns a Google ID Token from the refresh token response.
    *
-   * @param targetAudience the aud: field the IdToken should include. This is not unused for
-   *     UserCredentials.
-   * @param options list of Credential specific options for for the token. Currently unused for
+   * @param targetAudience This can't be used for UserCredentials.
+   * @param options list of Credential specific options for the token. Currently unused for
    *     UserCredentials.
    * @throws IOException if the attempt to get an IdToken failed
    * @return IdToken object which includes the raw id_token, expiration and audience
@@ -218,9 +217,10 @@ public IdToken idTokenWithAudience(String targetAudience, List<Option> options)
     }
 
     throw new IOException(
-        "UserCredentials instance cannot refresh id token unless you are logged"
-            + " into gcloud. Please see https://cloud.google.com/run/docs/authenticating/developers"
-            + " for more info.");
+        "UserCredentials can obtain an id token only when authenticated through"
+            + " gcloud running 'gcloud auth login --update-adc' or 'gcloud auth application-default"
+            + " login'. The latter form would not work for Cloud Run, but would still generate an"
+            + " id token.");
   }
 
   /**
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/MockTokenServerTransport.java b/oauth2_http/javatests/com/google/auth/oauth2/MockTokenServerTransport.java
index 13d876372..0b0eecec5 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/MockTokenServerTransport.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/MockTokenServerTransport.java
@@ -53,7 +53,7 @@
 /** Mock transport to simulate providing Google OAuth2 access tokens */
 public class MockTokenServerTransport extends MockHttpTransport {
 
-  public static final String SDK_CLIENT_ID = "sdk_client_id";
+  public static final String REFRESH_TOKEN_WITH_USER_SCOPE = "refresh_token_with_user.email_scope";
   static final String EXPECTED_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";
   static final JsonFactory JSON_FACTORY = new GsonFactory();
   int buildRequestCount;
@@ -146,14 +146,11 @@ public LowLevelHttpResponse execute() throws IOException {
           boolean generateAccessToken = true;
 
           String foundId = query.get("client_id");
-          boolean isSdkClientId = false;
+          boolean isUserEmailScope = false;
           if (foundId != null) {
             if (!clients.containsKey(foundId)) {
               throw new IOException("Client ID not found.");
             }
-            if (foundId.equals(SDK_CLIENT_ID)) {
-              isSdkClientId = true;
-            }
             String foundSecret = query.get("client_secret");
             String expectedSecret = clients.get(foundId);
             if (foundSecret == null || !foundSecret.equals(expectedSecret)) {
@@ -172,6 +169,9 @@ public LowLevelHttpResponse execute() throws IOException {
             if (!refreshTokens.containsKey(refreshToken)) {
               throw new IOException("Refresh Token not found.");
             }
+            if (refreshToken.equals(REFRESH_TOKEN_WITH_USER_SCOPE)) {
+              isUserEmailScope = true;
+            }
             accessToken = refreshTokens.get(refreshToken);
           } else if (query.containsKey("grant_type")) {
             String grantType = query.get("grant_type");
@@ -214,7 +214,7 @@ public LowLevelHttpResponse execute() throws IOException {
               responseContents.put("refresh_token", refreshToken);
             }
           }
-          if (isSdkClientId || !generateAccessToken) {
+          if (isUserEmailScope || !generateAccessToken) {
             responseContents.put("id_token", ServiceAccountCredentialsTest.DEFAULT_ID_TOKEN);
           }
           String refreshText = responseContents.toPrettyString();
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
index c3289c074..8a0cedd87 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
@@ -706,13 +706,13 @@ public void onFailure(Throwable exception) {
   }
 
   @Test
-  public void IdTokenCredentials_SdkClientId_correct() throws IOException {
+  public void IdTokenCredentials_WithUserEmailScope_success() throws IOException {
     MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
-    transportFactory.transport.addClient(MockTokenServerTransport.SDK_CLIENT_ID, CLIENT_SECRET);
-    transportFactory.transport.addRefreshToken(REFRESH_TOKEN, ACCESS_TOKEN);
-    InputStream userStream =
-        writeUserStream(
-            MockTokenServerTransport.SDK_CLIENT_ID, CLIENT_SECRET, REFRESH_TOKEN, QUOTA_PROJECT);
+    String refreshToken = MockTokenServerTransport.REFRESH_TOKEN_WITH_USER_SCOPE;
+
+    transportFactory.transport.addClient(CLIENT_ID, CLIENT_SECRET);
+    transportFactory.transport.addRefreshToken(refreshToken, ACCESS_TOKEN);
+    InputStream userStream = writeUserStream(CLIENT_ID, CLIENT_SECRET, refreshToken, QUOTA_PROJECT);
 
     UserCredentials credentials = UserCredentials.fromStream(userStream, transportFactory);
     credentials.refresh();
@@ -729,7 +729,7 @@ public void IdTokenCredentials_SdkClientId_correct() throws IOException {
   }
 
   @Test
-  public void IdTokenCredentials_notSdkClientId_throws() throws IOException {
+  public void IdTokenCredentials_NoUserEmailScope_throws() throws IOException {
     MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
     transportFactory.transport.addClient(CLIENT_ID, CLIENT_SECRET);
     transportFactory.transport.addRefreshToken(REFRESH_TOKEN, ACCESS_TOKEN);
@@ -742,14 +742,15 @@ public void IdTokenCredentials_notSdkClientId_throws() throws IOException {
         IdTokenCredentials.newBuilder().setIdTokenProvider(credentials).build();
 
     String expectedMessageContent =
-        "UserCredentials instance cannot refresh id token unless"
-            + " you are logged into gcloud. Please see"
-            + " https://cloud.google.com/run/docs/authenticating/developers for more info.";
+        "UserCredentials can obtain an id token only when authenticated through"
+            + " gcloud running 'gcloud auth login --update-adc' or 'gcloud auth application-default"
+            + " login'. The latter form would not work for Cloud Run, but would still generate an"
+            + " id token.";
 
     try {
       tokenCredential.refresh();
     } catch (IOException expected) {
-      assertTrue(expected.getMessage().contains(expectedMessageContent));
+      assertTrue(expected.getMessage().equals(expectedMessageContent));
     }
   }
 

From 85114c416838e03ee82f0aa18ae6b974c32f8788 Mon Sep 17 00:00:00 2001
From: Timur Sadykov <stim@google.com>
Date: Mon, 24 May 2021 16:19:09 -0700
Subject: [PATCH 10/13] remove redundant idtoken refresh

---
 .../auth/oauth2/IdTokenCredentials.java       | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java b/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
index 1a20dfe78..81daacd9c 100644
--- a/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
@@ -112,16 +112,16 @@ private IdTokenCredentials(Builder builder) {
     this.idTokenProvider = Preconditions.checkNotNull(builder.getIdTokenProvider());
 
     // if UserCredential is used as id token provider - we need to refresh access token
-    if (this.idTokenProvider instanceof UserCredentials) {
-      try {
-        this.refresh();
-      } catch (IOException ignored) {
-        // ignore because all we need here is to reset the metadata
-      }
-    } else {
-      // target audience can't be used for UserCredentials
-      this.targetAudience = Preconditions.checkNotNull(builder.getTargetAudience());
-    }
+    // if (this.idTokenProvider instanceof UserCredentials) {
+    //   try {
+    //     this.refresh();
+    //   } catch (IOException ignored) {
+    //     // ignore because all we need here is to reset the metadata
+    //   }
+    // } else {
+    //   // target audience can't be used for UserCredentials
+    //   this.targetAudience = Preconditions.checkNotNull(builder.getTargetAudience());
+    // }
     this.options = builder.getOptions();
   }
 

From 5ab8df6463de7ee2751b1b20317d5d99e1030a69 Mon Sep 17 00:00:00 2001
From: Timur Sadykov <stim@google.com>
Date: Mon, 24 May 2021 18:16:08 -0700
Subject: [PATCH 11/13] fix of removing redundant idtoken referesh

---
 .../google/auth/oauth2/IdTokenCredentials.java   | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java b/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
index 81daacd9c..be64a607b 100644
--- a/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
@@ -111,17 +111,11 @@ public class IdTokenCredentials extends OAuth2Credentials {
   private IdTokenCredentials(Builder builder) {
     this.idTokenProvider = Preconditions.checkNotNull(builder.getIdTokenProvider());
 
-    // if UserCredential is used as id token provider - we need to refresh access token
-    // if (this.idTokenProvider instanceof UserCredentials) {
-    //   try {
-    //     this.refresh();
-    //   } catch (IOException ignored) {
-    //     // ignore because all we need here is to reset the metadata
-    //   }
-    // } else {
-    //   // target audience can't be used for UserCredentials
-    //   this.targetAudience = Preconditions.checkNotNull(builder.getTargetAudience());
-    // }
+    // target audience can't be used for UserCredentials
+    if (!(this.idTokenProvider instanceof UserCredentials)) {
+      this.targetAudience = Preconditions.checkNotNull(builder.getTargetAudience());
+    }
+
     this.options = builder.getOptions();
   }
 

From 5dc530ed8d00a6afbe2cc18af81f2c08c0699b6d Mon Sep 17 00:00:00 2001
From: TimurSadykov <stim@google.com>
Date: Mon, 24 May 2021 22:05:13 -0700
Subject: [PATCH 12/13] fix tests

---
 .../javatests/com/google/auth/oauth2/UserCredentialsTest.java   | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
index 8a0cedd87..7e45f8d07 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
@@ -722,6 +722,8 @@ public void IdTokenCredentials_WithUserEmailScope_success() throws IOException {
     IdTokenCredentials tokenCredential =
         IdTokenCredentials.newBuilder().setIdTokenProvider(credentials).build();
 
+    tokenCredential.getRequestMetadata();
+
     // UserCredential returns access token until refresh,
     // IDTokenCredential does refresh during instantiation
     assertEquals(DEFAULT_ID_TOKEN, tokenCredential.getAccessToken().getTokenValue());

From cf6cbb257173c483232184ddbabc90aabacdc7f7 Mon Sep 17 00:00:00 2001
From: TimurSadykov <stim@google.com>
Date: Wed, 26 May 2021 00:33:57 -0700
Subject: [PATCH 13/13] null check and more docs

---
 .../com/google/auth/oauth2/UserCredentialsTest.java        | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
index 7e45f8d07..d28e6011f 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
@@ -34,6 +34,7 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertSame;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
@@ -722,10 +723,12 @@ public void IdTokenCredentials_WithUserEmailScope_success() throws IOException {
     IdTokenCredentials tokenCredential =
         IdTokenCredentials.newBuilder().setIdTokenProvider(credentials).build();
 
+    assertNull(tokenCredential.getAccessToken());
+    assertNull(tokenCredential.getIdToken());
+
+    // trigger the refresh like it would happen during a request build
     tokenCredential.getRequestMetadata();
 
-    // UserCredential returns access token until refresh,
-    // IDTokenCredential does refresh during instantiation
     assertEquals(DEFAULT_ID_TOKEN, tokenCredential.getAccessToken().getTokenValue());
     assertEquals(DEFAULT_ID_TOKEN, tokenCredential.getIdToken().getTokenValue());
   }