googleauth 1.2.0 → 1.9.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a8caed2ed693770223fcf3ec7e28c499c54ad1a2345e132bb182f4ca167a7f68
-  data.tar.gz: f8f49257aef8acc7fef826ffcb1c1ddb0c81a814488b45f5f0997f5dd6eec4cf
+  metadata.gz: '089cb78f4121da1e8502eb258e106d161b72642f1d4aeb9959ea605197dba5d9'
+  data.tar.gz: a93423d64db3c8e0fb55807586befc3d13480c43e17b4a8cbd37704f95d12fa7
 SHA512:
-  metadata.gz: 1a1b02f55e19af0f26164a8c9dda4aef819791ccb0774ec793b72fa23a352e4c9c52044555d34871e26f04547f3f6bce011738668054fa69e88a800b689397b2
-  data.tar.gz: d9a68924f0e3f7d0796056f225d41ad905783b5ae1b6766434b8aaf85b6722ba6cfbbb1a92c12237edd4625f02f7e5a55bc0d5289ec6da555846d07c74ef767f
+  metadata.gz: 1d3513b20df2ec263c7f7db1a14421d4fef63fdaf836cbad78c62b22bf8399bd6ed7a830ba8548ffa197e6a7279eb0f8aaab65379c7cf1b4612a494e9a83a8ec
+  data.tar.gz: 8ee1b859360348eded906242f44e7a7d58841a864e195f34b0726c2aba660e6c10ae07e27d3d2a4517e1756b5ff989e449aad0965419995b4f2bc58ad45ae597

data/CHANGELOG.md

@@ -1,5 +1,88 @@
 # Release History
 
+### 1.9.2 (2024-01-25)
+
+#### Bug Fixes
+
+* Prevent access tokens from being fetched at service account construction in the self-signed-jwt case ([#467](https://github.com/googleapis/google-auth-library-ruby/issues/467)) 
+
+### 1.9.1 (2023-12-12)
+
+#### Bug Fixes
+
+* update expires_in for cached metadata-retrieved tokens ([#464](https://github.com/googleapis/google-auth-library-ruby/issues/464)) 
+
+### 1.9.0 (2023-12-07)
+
+#### Features
+
+* Include universe_domain in credentials ([#460](https://github.com/googleapis/google-auth-library-ruby/issues/460)) 
+* Use google-cloud-env for more robust Metadata Service access ([#459](https://github.com/googleapis/google-auth-library-ruby/issues/459)) 
+
+### 1.8.1 (2023-09-19)
+
+#### Documentation
+
+* improve ADC related error and warning messages ([#452](https://github.com/googleapis/google-auth-library-ruby/issues/452)) 
+
+### 1.8.0 (2023-09-07)
+
+#### Features
+
+* Pass additional parameters to auhtorization url ([#447](https://github.com/googleapis/google-auth-library-ruby/issues/447)) 
+#### Documentation
+
+* improve ADC related error and warning messages ([#449](https://github.com/googleapis/google-auth-library-ruby/issues/449)) 
+
+### 1.7.0 (2023-07-14)
+
+#### Features
+
+* Adding support for pluggable auth credentials ([#437](https://github.com/googleapis/google-auth-library-ruby/issues/437)) 
+#### Documentation
+
+* fixed iss argument and description in comments of IDTokens ([#438](https://github.com/googleapis/google-auth-library-ruby/issues/438)) 
+
+### 1.6.0 (2023-06-20)
+
+#### Features
+
+* adding identity pool credentials ([#433](https://github.com/googleapis/google-auth-library-ruby/issues/433)) 
+#### Documentation
+
+* deprecation message for discontinuing command line auth flow ([#435](https://github.com/googleapis/google-auth-library-ruby/issues/435)) 
+
+### 1.5.2 (2023-04-13)
+
+#### Bug Fixes
+
+* AWS IMDSV2 session token fetching shall call PUT method instead of GET ([#429](https://github.com/googleapis/google-auth-library-ruby/issues/429)) 
+* GCECredentials - Allow retrieval of ID token ([#425](https://github.com/googleapis/google-auth-library-ruby/issues/425)) 
+
+### 1.5.1 (2023-04-10)
+
+#### Bug Fixes
+
+* Remove external account config validation ([#427](https://github.com/googleapis/google-auth-library-ruby/issues/427)) 
+
+### 1.5.0 (2023-03-21)
+
+#### Features
+
+* Add support for AWS Workload Identity Federation ([#418](https://github.com/googleapis/google-auth-library-ruby/issues/418)) 
+
+### 1.4.0 (2022-12-14)
+
+#### Features
+
+* make new_jwt_token public in order to fetch raw token directly ([#405](https://github.com/googleapis/google-auth-library-ruby/issues/405)) 
+
+### 1.3.0 (2022-10-18)
+
+#### Features
+
+* Use OpenSSL 3.0 compatible interfaces for IDTokens ([#397](https://github.com/googleapis/google-auth-library-ruby/issues/397)) 
+
 ### 1.2.0 (2022-06-23)
 
 * Updated minimum Ruby version to 2.6

data/README.md

@@ -97,7 +97,9 @@ get('/oauth2callback') do
 end
 ```
 
-### Example (Command Line)
+### Example (Command Line) [Deprecated]
+
+The Google Auth OOB flow has been discontiued on January 31, 2023. The OOB flow is a legacy flow that is no longer considered secure. To continue using Google Auth, please migrate your applications to a more secure flow. For more information on how to do this, please refer to this [OOB Migration](https://developers.google.com/identity/protocols/oauth2/resources/oob-migration) guide.
 
 ```ruby
 require 'googleauth'
@@ -215,14 +217,14 @@ Custom storage implementations can also be used. See
 
 ## Supported Ruby Versions
 
-This library is supported on Ruby 2.5+.
+This library is supported on Ruby 2.6+.
 
 Google provides official support for Ruby versions that are actively supported
-by Ruby Core—that is, Ruby versions that are either in normal maintenance or in
-security maintenance, and not end of life. Currently, this means Ruby 2.5 and
-later. Older versions of Ruby _may_ still work, but are unsupported and not
-recommended. See https://www.ruby-lang.org/en/downloads/branches/ for details
-about the Ruby support schedule.
+by Ruby Core—that is, Ruby versions that are either in normal maintenance or
+in security maintenance, and not end of life. Older versions of Ruby _may_
+still work, but are unsupported and not recommended. See
+https://www.ruby-lang.org/en/downloads/branches/ for details about the Ruby
+support schedule.
 
 ## License
 
@@ -241,6 +243,6 @@ hesitate to
 [ask questions](http://stackoverflow.com/questions/tagged/google-auth-library-ruby)
 about the client or APIs on [StackOverflow](http://stackoverflow.com).
 
-[application default credentials]: https://developers.google.com/accounts/docs/application-default-credentials
+[application default credentials]: https://cloud.google.com/docs/authentication/provide-credentials-adc
 [contributing]: https://github.com/googleapis/google-auth-library-ruby/tree/main/.github/CONTRIBUTING.md
 [license]: https://github.com/googleapis/google-auth-library-ruby/tree/main/LICENSE

data/lib/googleauth/application_default.rb

@@ -20,9 +20,9 @@ module Google
   # used to access Google APIs.
   module Auth
     NOT_FOUND_ERROR = <<~ERROR_MESSAGE.freeze
-      Could not load the default credentials. Browse to
-      https://developers.google.com/accounts/docs/application-default-credentials
-      for more information
+      Your credentials were not found. To set up Application Default
+      Credentials for your environment, see
+      https://cloud.google.com/docs/authentication/external/set-up-adc
     ERROR_MESSAGE
 
     module_function
@@ -55,12 +55,8 @@ module Google
               DefaultCredentials.from_well_known_path(scope, options) ||
               DefaultCredentials.from_system_default_path(scope, options)
       return creds unless creds.nil?
-      unless GCECredentials.on_gce? options
-        # Clear cache of the result of GCECredentials.on_gce?
-        GCECredentials.unmemoize_all
-        raise NOT_FOUND_ERROR
-      end
-      GCECredentials.new scope: scope
+      raise NOT_FOUND_ERROR unless GCECredentials.on_gce? options
+      GCECredentials.new options.merge(scope: scope)
     end
   end
 end

data/lib/googleauth/base_client.rb

@@ -0,0 +1,80 @@
+# Copyright 2023 Google, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    # BaseClient is a class used to contain common methods that are required by any
+    # Credentials Client, including AwsCredentials, ServiceAccountCredentials,
+    # and UserRefreshCredentials. This is a superclass of Signet::OAuth2::Client
+    # and has been created to create a generic interface for all credentials clients
+    # to use, including ones which do not inherit from Signet::OAuth2::Client.
+    module BaseClient
+      AUTH_METADATA_KEY = :authorization
+
+      # Updates a_hash updated with the authentication token
+      def apply! a_hash, opts = {}
+        # fetch the access token there is currently not one, or if the client
+        # has expired
+        fetch_access_token! opts if needs_access_token?
+        a_hash[AUTH_METADATA_KEY] = "Bearer #{send token_type}"
+      end
+
+      # Returns a clone of a_hash updated with the authentication token
+      def apply a_hash, opts = {}
+        a_copy = a_hash.clone
+        apply! a_copy, opts
+        a_copy
+      end
+
+      # Whether the id_token or access_token is missing or about to expire.
+      def needs_access_token?
+        send(token_type).nil? || expires_within?(60)
+      end
+
+      # Returns a reference to the #apply method, suitable for passing as
+      # a closure
+      def updater_proc
+        proc { |a_hash, opts = {}| apply a_hash, opts }
+      end
+
+      def on_refresh &block
+        @refresh_listeners = [] unless defined? @refresh_listeners
+        @refresh_listeners << block
+      end
+
+      def notify_refresh_listeners
+        listeners = defined?(@refresh_listeners) ? @refresh_listeners : []
+        listeners.each do |block|
+          block.call self
+        end
+      end
+
+      def expires_within?
+        raise NotImplementedError
+      end
+
+      private
+
+      def token_type
+        raise NotImplementedError
+      end
+
+      def fetch_access_token!
+        raise NotImplementedError
+      end
+    end
+  end
+end

data/lib/googleauth/client_id.rb

@@ -17,51 +17,67 @@ require "googleauth/credentials_loader"
 
 module Google
   module Auth
-    # Representation of an application's identity for user authorization
-    # flows.
+    ##
+    # Representation of an application's identity for user authorization flows.
+    #
     class ClientId
+      # Toplevel JSON key for the an installed app configuration.
+      # Must include client_id and client_secret subkeys if present.
       INSTALLED_APP = "installed".freeze
+      # Toplevel JSON key for the a webapp configuration.
+      # Must include client_id and client_secret subkeys if present.
       WEB_APP = "web".freeze
+      # JSON key for the client ID within an app configuration.
       CLIENT_ID = "client_id".freeze
+      # JSON key for the client secret within an app configuration.
       CLIENT_SECRET = "client_secret".freeze
+      # An error message raised when none of the expected toplevel properties
+      # can be found.
       MISSING_TOP_LEVEL_ELEMENT_ERROR =
         "Expected top level property 'installed' or 'web' to be present.".freeze
 
+      ##
       # Text identifier of the client ID
       # @return [String]
+      #
       attr_reader :id
 
+      ##
       # Secret associated with the client ID
       # @return [String]
+      #
       attr_reader :secret
 
       class << self
         attr_accessor :default
       end
 
-      # Initialize the Client ID
+      ##
+      # Initialize the Client ID. Both id and secret must be non-nil.
       #
       # @param [String] id
       #  Text identifier of the client ID
       # @param [String] secret
       #  Secret associated with the client ID
-      # @note Direction instantion is discouraged to avoid embedding IDs
-      #       & secrets in source. See {#from_file} to load from
+      # @note Direct instantiation is discouraged to avoid embedding IDs
+      #       and secrets in source. See {#from_file} to load from
       #       `client_secrets.json` files.
+      #
       def initialize id, secret
-        CredentialsLoader.warn_if_cloud_sdk_credentials id
         raise "Client id can not be nil" if id.nil?
         raise "Client secret can not be nil" if secret.nil?
         @id = id
         @secret = secret
       end
 
+      ##
       # Constructs a Client ID from a JSON file downloaded from the
       # Google Developers Console.
       #
       # @param [String, File] file
       #  Path of file to read from
       # @return [Google::Auth::ClientID]
+      #
       def self.from_file file
         raise "File can not be nil." if file.nil?
         File.open file.to_s do |f|
@@ -71,13 +87,14 @@ module Google
         end
       end
 
+      ##
       # Constructs a Client ID from a previously loaded JSON file. The hash
-      # structure should
-      # match the expected JSON format.
+      # structure should match the expected JSON format.
       #
       # @param [hash] config
       #  Parsed contents of the JSON file
       # @return [Google::Auth::ClientID]
+      #
       def self.from_hash config
         raise "Hash can not be nil." if config.nil?
         raw_detail = config[INSTALLED_APP] || config[WEB_APP]

data/lib/googleauth/compute_engine.rb

@@ -12,9 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "faraday"
+require "google-cloud-env"
 require "googleauth/signet"
-require "memoist"
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization
@@ -34,74 +33,69 @@ module Google
     # Extends Signet::OAuth2::Client so that the auth token is obtained from
     # the GCE metadata server.
     class GCECredentials < Signet::OAuth2::Client
-      # The IP Address is used in the URIs to speed up failures on non-GCE
-      # systems.
+      # @private Unused and deprecated but retained to prevent breaking changes
       DEFAULT_METADATA_HOST = "169.254.169.254".freeze
 
-      # @private Unused and deprecated
+      # @private Unused and deprecated but retained to prevent breaking changes
       COMPUTE_AUTH_TOKEN_URI =
         "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token".freeze
-      # @private Unused and deprecated
+      # @private Unused and deprecated but retained to prevent breaking changes
       COMPUTE_ID_TOKEN_URI =
         "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/identity".freeze
-      # @private Unused and deprecated
+      # @private Unused and deprecated but retained to prevent breaking changes
       COMPUTE_CHECK_URI = "http://169.254.169.254".freeze
 
       class << self
-        extend Memoist
-
+        # @private Unused and deprecated
         def metadata_host
           ENV.fetch "GCE_METADATA_HOST", DEFAULT_METADATA_HOST
         end
 
+        # @private Unused and deprecated
         def compute_check_uri
           "http://#{metadata_host}".freeze
         end
 
+        # @private Unused and deprecated
         def compute_auth_token_uri
           "#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/token".freeze
         end
 
+        # @private Unused and deprecated
         def compute_id_token_uri
           "#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/identity".freeze
         end
 
         # Detect if this appear to be a GCE instance, by checking if metadata
         # is available.
-        def on_gce? options = {}
-          # TODO: This should use google-cloud-env instead.
-          c = options[:connection] || Faraday.default_connection
-          headers = { "Metadata-Flavor" => "Google" }
-          resp = c.get compute_check_uri, nil, headers do |req|
-            req.options.timeout = 1.0
-            req.options.open_timeout = 0.1
-          end
-          return false unless resp.status == 200
-          resp.headers["Metadata-Flavor"] == "Google"
-        rescue Faraday::TimeoutError, Faraday::ConnectionFailed
-          false
+        # The parameters are deprecated and unused.
+        def on_gce? _options = {}, _reload = false # rubocop:disable Style/OptionalBooleanParameter
+          Google::Cloud.env.metadata?
         end
 
-        memoize :on_gce?
+        def reset_cache
+          Google::Cloud.env.compute_metadata.reset_existence!
+          Google::Cloud.env.compute_metadata.cache.expire_all!
+        end
+        alias unmemoize_all reset_cache
       end
 
       # Overrides the super class method to change how access tokens are
       # fetched.
-      def fetch_access_token options = {}
-        c = options[:connection] || Faraday.default_connection
-        retry_with_error do
-          uri = target_audience ? GCECredentials.compute_id_token_uri : GCECredentials.compute_auth_token_uri
-          query = target_audience ? { "audience" => target_audience, "format" => "full" } : {}
-          query[:scopes] = Array(scope).join "," if scope
-          resp = c.get uri, query, "Metadata-Flavor" => "Google"
+      def fetch_access_token _options = {}
+        if token_type == :id_token
+          query = { "audience" => target_audience, "format" => "full" }
+          entry = "service-accounts/default/identity"
+        else
+          query = {}
+          entry = "service-accounts/default/token"
+        end
+        query[:scopes] = Array(scope).join "," if scope
+        begin
+          resp = Google::Cloud.env.lookup_metadata_response "instance", entry, query: query
           case resp.status
           when 200
-            content_type = resp.headers["content-type"]
-            if ["text/html", "application/text"].include? content_type
-              { (target_audience ? "id_token" : "access_token") => resp.body }
-            else
-              Signet::OAuth2.parse_credentials resp.body, content_type
-            end
+            build_token_hash resp.body, resp.headers["content-type"], resp.retrieval_monotonic_time
           when 403, 500
             msg = "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
             raise Signet::UnexpectedStatusError, msg
@@ -111,7 +105,33 @@ module Google
             msg = "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
             raise Signet::AuthorizationError, msg
           end
+        rescue Google::Cloud::Env::MetadataServerNotResponding => e
+          raise Signet::AuthorizationError, e.message
+        end
+      end
+
+      private
+
+      def build_token_hash body, content_type, retrieval_time
+        hash =
+          if ["text/html", "application/text"].include? content_type
+            { token_type.to_s => body }
+          else
+            Signet::OAuth2.parse_credentials body, content_type
+          end
+        universe_domain = Google::Cloud.env.lookup_metadata "universe", "universe_domain"
+        universe_domain = "googleapis.com" if !universe_domain || universe_domain.empty?
+        hash["universe_domain"] = universe_domain.strip
+        # The response might have been cached, which means expires_in might be
+        # stale. Update it based on the time since the data was retrieved.
+        # We also ensure expires_in is conservative; subtracting at least 1
+        # second to offset any skew from metadata server latency.
+        if hash["expires_in"].is_a? Numeric
+          offset = 1 + (Process.clock_gettime(Process::CLOCK_MONOTONIC) - retrieval_time).round
+          hash["expires_in"] -= offset if offset.positive?
+          hash["expires_in"] = 0 if hash["expires_in"].negative?
         end
+        hash
       end
     end
   end

data/lib/googleauth/credentials.rb

@@ -259,7 +259,7 @@ module Google
       # @return [Object] The value
       #
       def self.lookup_auth_param name, method_name = name
-        val = instance_variable_get "@#{name}".to_sym
+        val = instance_variable_get :"@#{name}"
         val = yield if val.nil? && block_given?
         return val unless val.nil?
         return superclass.send method_name if superclass.respond_to? method_name
@@ -328,9 +328,13 @@ module Google
       #   @return [Proc] Returns a reference to the {Signet::OAuth2::Client#apply} method,
       #     suitable for passing as a closure.
       #
+      # @!attribute [rw] universe_domain
+      #   @return [String] The universe domain issuing these credentials.
+      #
       def_delegators :@client,
                      :token_credential_uri, :audience,
-                     :scope, :issuer, :signing_key, :updater_proc, :target_audience
+                     :scope, :issuer, :signing_key, :updater_proc, :target_audience,
+                     :universe_domain, :universe_domain=
 
       ##
       # Creates a new Credentials instance with the provided auth credentials, and with the default
@@ -355,14 +359,13 @@ module Google
         @project_id = options["project_id"] || options["project"]
         @quota_project_id = options["quota_project_id"]
         case keyfile
-        when Signet::OAuth2::Client
+        when Google::Auth::BaseClient
           update_from_signet keyfile
         when Hash
           update_from_hash keyfile, options
         else
           update_from_filepath keyfile, options
         end
-        CredentialsLoader.warn_if_cloud_sdk_credentials @client.client_id
         @project_id ||= CredentialsLoader.load_gcloud_project_id
         @client.fetch_access_token! if @client.needs_access_token?
         @env_vars = nil
@@ -507,12 +510,15 @@ module Google
 
         needs_scope = options["target_audience"].nil?
         # client options for initializing signet client
-        { token_credential_uri: options["token_credential_uri"],
+        {
+          token_credential_uri: options["token_credential_uri"],
           audience:             options["audience"],
           scope:                (needs_scope ? Array(options["scope"]) : nil),
           target_audience:      options["target_audience"],
           issuer:               options["client_email"],
-          signing_key:          OpenSSL::PKey::RSA.new(options["private_key"]) }
+          signing_key:          OpenSSL::PKey::RSA.new(options["private_key"]),
+          universe_domain:      options["universe_domain"] || "googleapis.com"
+        }
       end
 
       # rubocop:enable Metrics/AbcSize
@@ -527,7 +533,7 @@ module Google
         hash = stringify_hash_keys hash
         hash["scope"] ||= options[:scope]
         hash["target_audience"] ||= options[:target_audience]
-        @project_id ||= (hash["project_id"] || hash["project"])
+        @project_id ||= hash["project_id"] || hash["project"]
         @quota_project_id ||= hash["quota_project_id"]
         @client = init_client hash, options
       end
@@ -537,7 +543,7 @@ module Google
         json = JSON.parse ::File.read(path)
         json["scope"] ||= options[:scope]
         json["target_audience"] ||= options[:target_audience]
-        @project_id ||= (json["project_id"] || json["project"])
+        @project_id ||= json["project_id"] || json["project"]
         @quota_project_id ||= json["quota_project_id"]
         @client = init_client json, options
       end

data/lib/googleauth/credentials_loader.rb

@@ -30,6 +30,11 @@ module Google
       REFRESH_TOKEN_VAR         = "GOOGLE_REFRESH_TOKEN".freeze
       ACCOUNT_TYPE_VAR          = "GOOGLE_ACCOUNT_TYPE".freeze
       PROJECT_ID_VAR            = "GOOGLE_PROJECT_ID".freeze
+      AWS_REGION_VAR            = "AWS_REGION".freeze
+      AWS_DEFAULT_REGION_VAR    = "AWS_DEFAULT_REGION".freeze
+      AWS_ACCESS_KEY_ID_VAR     = "AWS_ACCESS_KEY_ID".freeze
+      AWS_SECRET_ACCESS_KEY_VAR = "AWS_SECRET_ACCESS_KEY".freeze
+      AWS_SESSION_TOKEN_VAR     = "AWS_SESSION_TOKEN".freeze
       GCLOUD_POSIX_COMMAND      = "gcloud".freeze
       GCLOUD_WINDOWS_COMMAND    = "gcloud.cmd".freeze
       GCLOUD_CONFIG_COMMAND     = "config config-helper --format json --verbosity none".freeze
@@ -41,16 +46,9 @@ module Google
 
       SYSTEM_DEFAULT_ERROR = "Unable to read the system default credential file".freeze
 
-      CLOUD_SDK_CLIENT_ID = "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.app"\
+      CLOUD_SDK_CLIENT_ID = "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.app" \
                             "s.googleusercontent.com".freeze
 
-      CLOUD_SDK_CREDENTIALS_WARNING =
-        "Your application has authenticated using end user credentials from Google Cloud SDK. We recommend that most" \
-        " server applications use service accounts instead. If your application continues to use end user credentials" \
-        ' from Cloud SDK, you might receive a "quota exceeded" or "API not enabled" error. For more information about' \
-        " service accounts, see https://cloud.google.com/docs/authentication/. To suppress this message, set the"\
-        " GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS environment variable.".freeze
-
       # make_creds proxies the construction of a credentials instance
       #
       # By default, it calls #new on the current class, but this behaviour can
@@ -144,12 +142,6 @@ module Google
 
       module_function
 
-      # Issues warning if cloud sdk client id is used
-      def warn_if_cloud_sdk_credentials client_id
-        return if ENV["GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS"]
-        warn CLOUD_SDK_CREDENTIALS_WARNING if client_id == CLOUD_SDK_CLIENT_ID
-      end
-
       # Finds project_id from gcloud CLI configuration
       def load_gcloud_project_id
         gcloud = GCLOUD_WINDOWS_COMMAND if OS.windows?

data/lib/googleauth/default_credentials.rb

@@ -18,6 +18,7 @@ require "stringio"
 require "googleauth/credentials_loader"
 require "googleauth/service_account"
 require "googleauth/user_refresh"
+require "googleauth/external_account"
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization
@@ -34,11 +35,9 @@ module Google
         json_key_io = options[:json_key_io]
         if json_key_io
           json_key, clz = determine_creds_class json_key_io
-          warn_if_cloud_sdk_credentials json_key["client_id"]
           io = StringIO.new MultiJson.dump(json_key)
           clz.make_creds options.merge(json_key_io: io)
         else
-          warn_if_cloud_sdk_credentials ENV[CredentialsLoader::CLIENT_ID_VAR]
           clz = read_creds
           clz.make_creds options
         end
@@ -53,6 +52,8 @@ module Google
           ServiceAccountCredentials
         when "authorized_user"
           UserRefreshCredentials
+        when "external_account"
+          ExternalAccount::Credentials
         else
           raise "credentials type '#{type}' is not supported"
         end
@@ -69,6 +70,8 @@ module Google
           [json_key, ServiceAccountCredentials]
         when "authorized_user"
           [json_key, UserRefreshCredentials]
+        when "external_account"
+          [json_key, ExternalAccount::Credentials]
         else
           raise "credentials type '#{type}' is not supported"
         end