Open
Conversation
diegomarquezp
changed the title
product-auto-label
bot
added
size: xl
product-auto-label
bot
added
size: l
lqiu96
reviewed
Mar 24, 2026
| LoggerProvider.forClazz(GdchCredentials.class); | ||
| static final String SUPPORTED_FORMAT_VERSION = "1"; | ||
| private static final String PARSE_ERROR_PREFIX = "Error parsing token refresh response. "; | ||
| @VisibleForTesting static final String SUPPORTED_FORMAT_VERSION = "1"; |
Member
There was a problem hiding this comment.
nit: Do you have any documentation regarding this format version? What is version 1 refrencing?
Contributor
Author
There was a problem hiding this comment.
It's the format version of the JSON file. I believe this is to track changes such as a new entry in the json file.
I found go/gdch-python-auth-lib as a good source of truth.
Added a code comment to explain that.
lqiu96
reviewed
Mar 24, 2026
lqiu96
reviewed
Mar 24, 2026
lqiu96
reviewed
Mar 24, 2026
|
Acceso
El martes, 24 de marzo de 2026, Lawrence ***@***.***>
escribió:
… ***@***.**** commented on this pull request.
------------------------------
In oauth2_http/java/com/google/auth/oauth2/GdchCredentials.java
<#1896 (comment)>
:
> + @CanIgnoreReturnValue
+ @ObsoleteApi("Use setGdchAudience(String) instead")
+ public Builder setGdchAudience(URI apiAudience) {
+ if (apiAudience == null) {
+ throw new IllegalArgumentException(
+ "Audience cannot be null for GDCH service account credentials.");
+ }
+ this.apiAudience = apiAudience.toString();
+ return this;
+ }
We probably don't need to add a new setter for an obsolete method. Let's
just have the user directly set with the String overload.
—
Reply to this email directly, view it on GitHub
<#1896?email_source=notifications&email_token=B5MKPO7NS274SX7WUFDLRAT4SK7O3A5CNFSNUABKM5UWIORPF5TWS5BNNB2WEL2QOVWGYUTFOF2WK43UKJSXM2LFO4XTIMBQGA4TEMRTGQYKM4TFMFZW63VKON2WE43DOJUWEZLEUVSXMZLOOSWGM33PORSXEX3DNRUWG2Y#pullrequestreview-4000922340>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/B5MKPO66ZOHXBMK6AAJ427L4SK7O3AVCNFSM6AAAAACWHGYLYWVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHM2DAMBQHEZDEMZUGA>
.
You are receiving this because you are subscribed to this thread.Message
ID: <googleapis/google-auth-library-java/pull/1896/review/4000922340@
github.com>
|
lqiu96
reviewed
Mar 24, 2026
|
Acceso
El martes, 24 de marzo de 2026, Lawrence ***@***.***>
escribió:
… ***@***.**** commented on this pull request.
------------------------------
In oauth2_http/java/com/google/auth/oauth2/GdchCredentials.java
<#1896 (comment)>
:
> private static final String PARSE_ERROR_PREFIX = "Error parsing token refresh response. ";
+ @VisibleForTesting static final String SUPPORTED_FORMAT_VERSION = "1";
+
+ private static final String SERVICE_ACCOUNT_TOKEN_TYPE =
any documentation regarding this specific Uniform Resource Name and the
k8s variant? Why does GDCH require this one?
—
Reply to this email directly, view it on GitHub
<#1896?email_source=notifications&email_token=B5MKPO3KWUKTX3EMNGA4SAT4SK7YTA5CNFSNUABKM5UWIORPF5TWS5BNNB2WEL2QOVWGYUTFOF2WK43UKJSXM2LFO4XTIMBQGA4TIMRTGQ3KM4TFMFZW63VHMNXW23LFNZ2KKZLWMVXHJLDGN5XXIZLSL5RWY2LDNM#pullrequestreview-4000942346>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/B5MKPO4GWQZHDG3EL3IWC734SK7YTAVCNFSM6AAAAACWHGYLYWVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHM2DAMBQHE2DEMZUGY>
.
You are receiving this because you commented.Message ID:
***@***.***
com>
|
|
lqiu96
reviewed
Mar 26, 2026
|
|
||
| @CanIgnoreReturnValue | ||
| public Builder setGdchAudience(URI apiAudience) { | ||
| public Builder setGdchAudience(String apiAudience) { |
Member
There was a problem hiding this comment.
for this public method, add small javadocs and note that it cannot be null or empty.
lqiu96
reviewed
Mar 26, 2026
| private static final String SA_PRIVATE_KEY_PKCS8 = | ||
| ServiceAccountCredentialsTest.PRIVATE_KEY_PKCS8; | ||
| private static final String GDCH_SA_FORMAT_VERSION = GdchCredentials.SUPPORTED_FORMAT_VERSION; | ||
| private static final String GDCH_SA_FORMAT_VERSION = |
Member
There was a problem hiding this comment.
can the tests just use GdchCredentials.SUPPORTED_JSON_FORMAT_VERSION constant directly?
lqiu96
reviewed
Mar 26, 2026
Comment on lines
+1094
to
+1114
| // SEQUENCE length doesn't match actual length | ||
| byte[] invalidDer = new byte[] {0x30, 0x05, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02}; | ||
| GoogleAuthException e = | ||
| assertThrows( | ||
| GoogleAuthException.class, () -> GdchCredentials.transcodeDerToConcat(invalidDer, 64)); | ||
| assertEquals("Invalid DER signature length.", e.getMessage()); | ||
| } | ||
|
|
||
| @Test | ||
| void transcodeDerToConcat_invalidRInteger() { | ||
| // Missing INTEGER for R | ||
| byte[] invalidDer = new byte[] {0x30, 0x06, 0x03, 0x01, 0x01, 0x02, 0x01, 0x02}; | ||
| GoogleAuthException e = | ||
| assertThrows( | ||
| GoogleAuthException.class, () -> GdchCredentials.transcodeDerToConcat(invalidDer, 64)); | ||
| assertEquals("Expected INTEGER for R.", e.getMessage()); | ||
| } | ||
|
|
||
| @Test | ||
| void transcodeDerToConcat_invalidSInteger() { | ||
| // Missing INTEGER for S |
Member
There was a problem hiding this comment.
For these test cases, can the comment show where it's missing the INTEGER value?
// Missing INTEGER for R
Is it missing something from byte[] invalidDer = new byte[] {0x30, 0x06, 0x03, 0x01, 0x01, 0x02, 0x01, 0x02};?
lqiu96
reviewed
Mar 26, 2026
| private static final String SA_PRIVATE_KEY_PKCS8 = | ||
| ServiceAccountCredentialsTest.PRIVATE_KEY_PKCS8; | ||
| private static final String GDCH_SA_FORMAT_VERSION = GdchCredentials.SUPPORTED_FORMAT_VERSION; | ||
| private static final String GDCH_SA_FORMAT_VERSION = |
Member
There was a problem hiding this comment.
same here, is it possible to just use GdchCredentials.SUPPORTED_JSON_FORMAT_VERSION directly in the test?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Context: b/488439640
Implementation originally proposed in b/431924643#comment9
The primary objective is to enable support for Elliptic Curve (EC) keys and non-URI audience formats, aligning the Java SDK with the behavior of the Python and Go implementations. Additionally, the GDCH key creation tool creates EC keys only, meaning the GDCH implementation was not following the convention.
Key Changes
apiAudiencefield from aURIto aStringto accommodate "magic" non-URI strings (e.g., specific administrative audiences) required by certain GDCH services.privateKeyFromPkcs8to accept an algorithm parameter, allowing the library to parse EC keys instead of defaulting exclusively to RSA.Testing
GdchCredentialsTestto include test cases for EC key parsing and token signing.