grpc 1.22.0 → 1.23.0

data/src/core/lib/iomgr/tcp_server_custom.cc

@@ -245,6 +245,7 @@ static void custom_accept_callback(grpc_custom_socket* socket,
 static void custom_accept_callback(grpc_custom_socket* socket,
                                    grpc_custom_socket* client,
                                    grpc_error* error) {
+  grpc_core::ApplicationCallbackExecCtx callback_exec_ctx;
   grpc_core::ExecCtx exec_ctx;
   grpc_tcp_listener* sp = socket->listener;
   if (error != GRPC_ERROR_NONE) {

data/src/core/lib/iomgr/tcp_server_windows.cc

@@ -409,7 +409,7 @@ static grpc_error* add_socket_to_server(grpc_tcp_server* s, SOCKET sock,
     gpr_log(GPR_ERROR, "on_connect error: %s", utf8_message);
     gpr_free(utf8_message);
     closesocket(sock);
-    return NULL;
+    return GRPC_ERROR_NONE;
   }
 
   error = prepare_socket(sock, addr, &port);

data/src/core/lib/iomgr/tcp_windows.cc

@@ -196,17 +196,17 @@ static void on_read(void* tcpp, grpc_error* error) {
       gpr_free(utf8_message);
       grpc_slice_buffer_reset_and_unref_internal(tcp->read_slices);
     } else {
-      if (info->bytes_transfered != 0 && !tcp->shutting_down) {
-        GPR_ASSERT((size_t)info->bytes_transfered <= tcp->read_slices->length);
-        if (static_cast<size_t>(info->bytes_transfered) !=
+      if (info->bytes_transferred != 0 && !tcp->shutting_down) {
+        GPR_ASSERT((size_t)info->bytes_transferred <= tcp->read_slices->length);
+        if (static_cast<size_t>(info->bytes_transferred) !=
             tcp->read_slices->length) {
           grpc_slice_buffer_trim_end(
               tcp->read_slices,
               tcp->read_slices->length -
-                  static_cast<size_t>(info->bytes_transfered),
+                  static_cast<size_t>(info->bytes_transferred),
               &tcp->last_read_buffer);
         }
-        GPR_ASSERT((size_t)info->bytes_transfered == tcp->read_slices->length);
+        GPR_ASSERT((size_t)info->bytes_transferred == tcp->read_slices->length);
 
         if (grpc_tcp_trace.enabled()) {
           size_t i;
@@ -288,7 +288,7 @@ static void win_read(grpc_endpoint* ep, grpc_slice_buffer* read_slices,
 
   /* Did we get data immediately ? Yay. */
   if (info->wsa_error != WSAEWOULDBLOCK) {
-    info->bytes_transfered = bytes_read;
+    info->bytes_transferred = bytes_read;
     GRPC_CLOSURE_SCHED(&tcp->on_read, GRPC_ERROR_NONE);
     return;
   }
@@ -333,7 +333,7 @@ static void on_write(void* tcpp, grpc_error* error) {
     if (info->wsa_error != 0) {
       error = GRPC_WSA_ERROR(info->wsa_error, "WSASend");
     } else {
-      GPR_ASSERT(info->bytes_transfered == tcp->write_slices->length);
+      GPR_ASSERT(info->bytes_transferred == tcp->write_slices->length);
     }
   }
 

data/src/core/lib/iomgr/timer_custom.cc

@@ -32,6 +32,7 @@ static grpc_custom_timer_vtable* custom_timer_impl;
 
 void grpc_custom_timer_callback(grpc_custom_timer* t, grpc_error* error) {
   GRPC_CUSTOM_IOMGR_ASSERT_SAME_THREAD();
+  grpc_core::ApplicationCallbackExecCtx callback_exec_ctx;
   grpc_core::ExecCtx exec_ctx;
   grpc_timer* timer = t->original;
   GPR_ASSERT(timer->pending);

data/src/core/lib/iomgr/timer_manager.cc

@@ -61,15 +61,6 @@ static uint64_t g_timed_waiter_generation;
 
 static void timer_thread(void* completed_thread_ptr);
 
-// For debug of the timer manager crash only.
-// TODO (mxyan): remove after bug is fixed.
-#ifdef GRPC_DEBUG_TIMER_MANAGER
-extern int64_t g_timer_manager_init_count;
-extern int64_t g_timer_manager_shutdown_count;
-extern int64_t g_fork_count;
-extern int64_t g_next_value;
-#endif  // GRPC_DEBUG_TIMER_MANAGER
-
 static void gc_completed_threads(void) {
   if (g_completed_threads != nullptr) {
     completed_thread* to_gc = g_completed_threads;
@@ -203,11 +194,6 @@ static bool wait_until(grpc_millis next) {
       gpr_log(GPR_INFO, "sleep until kicked");
     }
 
-      // For debug of the timer manager crash only.
-      // TODO (mxyan): remove after bug is fixed.
-#ifdef GRPC_DEBUG_TIMER_MANAGER
-    g_next_value = next;
-#endif
     gpr_cv_wait(&g_cv_wait, &g_mu,
                 grpc_millis_to_timespec(next, GPR_CLOCK_MONOTONIC));
 
@@ -309,11 +295,6 @@ static void start_threads(void) {
 void grpc_timer_manager_init(void) {
   gpr_mu_init(&g_mu);
   gpr_cv_init(&g_cv_wait);
-#ifdef GRPC_DEBUG_TIMER_MANAGER
-  // For debug of the timer manager crash only.
-  // TODO (mxyan): remove after bug is fixed.
-  g_timer_manager_init_count++;
-#endif
   gpr_cv_init(&g_cv_shutdown);
   g_threaded = false;
   g_thread_count = 0;
@@ -349,11 +330,6 @@ static void stop_threads(void) {
 }
 
 void grpc_timer_manager_shutdown(void) {
-#ifdef GRPC_DEBUG_TIMER_MANAGER
-  // For debug of the timer manager crash only.
-  // TODO (mxyan): remove after bug is fixed.
-  g_timer_manager_shutdown_count++;
-#endif
   stop_threads();
 
   gpr_mu_destroy(&g_mu);
@@ -362,11 +338,6 @@ void grpc_timer_manager_shutdown(void) {
 }
 
 void grpc_timer_manager_set_threading(bool threaded) {
-#ifdef GRPC_DEBUG_TIMER_MANAGER
-  // For debug of the timer manager crash only.
-  // TODO (mxyan): remove after bug is fixed.
-  g_fork_count++;
-#endif
   if (threaded) {
     start_threads();
   } else {

data/src/core/lib/security/credentials/credentials.cc

@@ -45,6 +45,90 @@ void grpc_channel_credentials_release(grpc_channel_credentials* creds) {
   if (creds) creds->Unref();
 }
 
+static grpc_core::Map<grpc_core::UniquePtr<char>,
+                      grpc_core::RefCountedPtr<grpc_channel_credentials>,
+                      grpc_core::StringLess>* g_grpc_control_plane_creds;
+static gpr_mu g_control_plane_creds_mu;
+
+static void do_control_plane_creds_init() {
+  gpr_mu_init(&g_control_plane_creds_mu);
+  GPR_ASSERT(g_grpc_control_plane_creds == nullptr);
+  g_grpc_control_plane_creds = grpc_core::New<
+      grpc_core::Map<grpc_core::UniquePtr<char>,
+                     grpc_core::RefCountedPtr<grpc_channel_credentials>,
+                     grpc_core::StringLess>>();
+}
+
+void grpc_control_plane_credentials_init() {
+  static gpr_once once_init_control_plane_creds = GPR_ONCE_INIT;
+  gpr_once_init(&once_init_control_plane_creds, do_control_plane_creds_init);
+}
+
+void grpc_test_only_control_plane_credentials_destroy() {
+  grpc_core::Delete(g_grpc_control_plane_creds);
+  g_grpc_control_plane_creds = nullptr;
+  gpr_mu_destroy(&g_control_plane_creds_mu);
+}
+
+void grpc_test_only_control_plane_credentials_force_init() {
+  if (g_grpc_control_plane_creds == nullptr) {
+    do_control_plane_creds_init();
+  }
+}
+
+bool grpc_channel_credentials_attach_credentials(
+    grpc_channel_credentials* credentials, const char* authority,
+    grpc_channel_credentials* control_plane_creds) {
+  grpc_core::ExecCtx exec_ctx;
+  return credentials->attach_credentials(authority, control_plane_creds->Ref());
+}
+
+bool grpc_control_plane_credentials_register(
+    const char* authority, grpc_channel_credentials* control_plane_creds) {
+  grpc_core::ExecCtx exec_ctx;
+  {
+    grpc_core::MutexLock lock(&g_control_plane_creds_mu);
+    auto key = grpc_core::UniquePtr<char>(gpr_strdup(authority));
+    if (g_grpc_control_plane_creds->find(key) !=
+        g_grpc_control_plane_creds->end()) {
+      return false;
+    }
+    (*g_grpc_control_plane_creds)[std::move(key)] = control_plane_creds->Ref();
+  }
+  return true;
+}
+
+bool grpc_channel_credentials::attach_credentials(
+    const char* authority,
+    grpc_core::RefCountedPtr<grpc_channel_credentials> control_plane_creds) {
+  auto key = grpc_core::UniquePtr<char>(gpr_strdup(authority));
+  if (local_control_plane_creds_.find(key) !=
+      local_control_plane_creds_.end()) {
+    return false;
+  }
+  local_control_plane_creds_[std::move(key)] = std::move(control_plane_creds);
+  return true;
+}
+
+grpc_core::RefCountedPtr<grpc_channel_credentials>
+grpc_channel_credentials::get_control_plane_credentials(const char* authority) {
+  {
+    auto key = grpc_core::UniquePtr<char>(gpr_strdup(authority));
+    auto local_lookup = local_control_plane_creds_.find(key);
+    if (local_lookup != local_control_plane_creds_.end()) {
+      return local_lookup->second;
+    }
+    {
+      grpc_core::MutexLock lock(&g_control_plane_creds_mu);
+      auto global_lookup = g_grpc_control_plane_creds->find(key);
+      if (global_lookup != g_grpc_control_plane_creds->end()) {
+        return global_lookup->second;
+      }
+    }
+  }
+  return duplicate_without_call_credentials();
+}
+
 void grpc_call_credentials_release(grpc_call_credentials* creds) {
   GRPC_API_TRACE("grpc_call_credentials_release(creds=%p)", 1, (creds));
   grpc_core::ExecCtx exec_ctx;

data/src/core/lib/security/credentials/credentials.h

@@ -26,7 +26,9 @@
 #include <grpc/support/sync.h>
 #include "src/core/lib/transport/metadata_batch.h"
 
+#include "src/core/lib/gprpp/map.h"
 #include "src/core/lib/gprpp/ref_counted.h"
+#include "src/core/lib/gprpp/sync.h"
 #include "src/core/lib/http/httpcli.h"
 #include "src/core/lib/http/parser.h"
 #include "src/core/lib/iomgr/polling_entity.h"
@@ -64,8 +66,8 @@ typedef enum {
 #define GRPC_COMPUTE_ENGINE_METADATA_TOKEN_PATH \
   "/computeMetadata/v1/instance/service-accounts/default/token"
 
-#define GRPC_GOOGLE_OAUTH2_SERVICE_HOST "www.googleapis.com"
-#define GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH "/oauth2/v3/token"
+#define GRPC_GOOGLE_OAUTH2_SERVICE_HOST "oauth2.googleapis.com"
+#define GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH "/token"
 
 #define GRPC_SERVICE_ACCOUNT_POST_BODY_PREFIX                         \
   "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&" \
@@ -131,12 +133,31 @@ struct grpc_channel_credentials
     return args;
   }
 
+  // Attaches control_plane_creds to the local registry, under authority,
+  // if no other creds are currently registered under authority. Returns
+  // true if registered successfully and false if not.
+  bool attach_credentials(
+      const char* authority,
+      grpc_core::RefCountedPtr<grpc_channel_credentials> control_plane_creds);
+
+  // Gets the control plane credentials registered under authority. This
+  // prefers the local control plane creds registry but falls back to the
+  // global registry. Lastly, this returns self but with any attached
+  // call credentials stripped off, in the case that neither the local
+  // registry nor the global registry have an entry for authority.
+  grpc_core::RefCountedPtr<grpc_channel_credentials>
+  get_control_plane_credentials(const char* authority);
+
   const char* type() const { return type_; }
 
   GRPC_ABSTRACT_BASE_CLASS
 
  private:
   const char* type_;
+  grpc_core::Map<grpc_core::UniquePtr<char>,
+                 grpc_core::RefCountedPtr<grpc_channel_credentials>,
+                 grpc_core::StringLess>
+      local_control_plane_creds_;
 };
 
 /* Util to encapsulate the channel credentials in a channel arg. */
@@ -150,6 +171,41 @@ grpc_channel_credentials* grpc_channel_credentials_from_arg(
 grpc_channel_credentials* grpc_channel_credentials_find_in_args(
     const grpc_channel_args* args);
 
+/** EXPERIMENTAL.  API MAY CHANGE IN THE FUTURE.
+    Attaches \a control_plane_creds to \a credentials
+    under the key \a authority. Returns false if \a authority
+    is already present, in which case no changes are made.
+    Note that this API is not thread safe. Only one thread may
+    attach control plane creds to a given credentials object at
+    any one time, and new control plane creds must not be
+    attached after \a credentials has been used to create a channel. */
+bool grpc_channel_credentials_attach_credentials(
+    grpc_channel_credentials* credentials, const char* authority,
+    grpc_channel_credentials* control_plane_creds);
+
+/** EXPERIMENTAL.  API MAY CHANGE IN THE FUTURE.
+    Registers \a control_plane_creds in the global registry
+    under the key \a authority. Returns false if \a authority
+    is already present, in which case no changes are made. */
+bool grpc_control_plane_credentials_register(
+    const char* authority, grpc_channel_credentials* control_plane_creds);
+
+/* Initializes global control plane credentials data. */
+void grpc_control_plane_credentials_init();
+
+/* Test only: destroy global control plane credentials data.
+ * This API is meant for use by a few tests that need to
+ * satisdy grpc_core::LeakDetector. */
+void grpc_test_only_control_plane_credentials_destroy();
+
+/* Test only: force re-initialization of global control
+ * plane credentials data if it was previously destroyed.
+ * This API is meant to be used in
+ * tandem with the
+ * grpc_test_only_control_plane_credentials_destroy, for
+ * the few tests that need it. */
+void grpc_test_only_control_plane_credentials_force_init();
+
 /* --- grpc_credentials_mdelem_array. --- */
 
 typedef struct {

data/src/core/lib/security/credentials/jwt/json_token.cc

@@ -18,6 +18,7 @@
 
 #include <grpc/support/port_platform.h>
 
+#include "src/core/lib/iomgr/error.h"
 #include "src/core/lib/security/credentials/jwt/json_token.h"
 
 #include <string.h>
@@ -69,6 +70,7 @@ grpc_auth_json_key grpc_auth_json_key_create_from_json(const grpc_json* json) {
   BIO* bio = nullptr;
   const char* prop_value;
   int success = 0;
+  grpc_error* error = GRPC_ERROR_NONE;
 
   memset(&result, 0, sizeof(grpc_auth_json_key));
   result.type = GRPC_AUTH_JSON_TYPE_INVALID;
@@ -77,7 +79,8 @@ grpc_auth_json_key grpc_auth_json_key_create_from_json(const grpc_json* json) {
     goto end;
   }
 
-  prop_value = grpc_json_get_string_property(json, "type");
+  prop_value = grpc_json_get_string_property(json, "type", &error);
+  GRPC_LOG_IF_ERROR("JSON key parsing", error);
   if (prop_value == nullptr ||
       strcmp(prop_value, GRPC_AUTH_JSON_TYPE_SERVICE_ACCOUNT)) {
     goto end;
@@ -92,7 +95,8 @@ grpc_auth_json_key grpc_auth_json_key_create_from_json(const grpc_json* json) {
     goto end;
   }
 
-  prop_value = grpc_json_get_string_property(json, "private_key");
+  prop_value = grpc_json_get_string_property(json, "private_key", &error);
+  GRPC_LOG_IF_ERROR("JSON key parsing", error);
   if (prop_value == nullptr) {
     goto end;
   }

data/src/core/lib/security/credentials/jwt/json_token.h

@@ -30,7 +30,7 @@
 
 /* --- Constants. --- */
 
-#define GRPC_JWT_OAUTH2_AUDIENCE "https://www.googleapis.com/oauth2/v3/token"
+#define GRPC_JWT_OAUTH2_AUDIENCE "https://oauth2.googleapis.com/token"
 
 /* --- auth_json_key parsing. --- */
 

data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc

@@ -18,18 +18,28 @@
 
 #include <grpc/support/port_platform.h>
 
+#include "src/core/lib/json/json.h"
 #include "src/core/lib/security/credentials/oauth2/oauth2_credentials.h"
 
 #include <string.h>
 
-#include "src/core/lib/gprpp/ref_counted_ptr.h"
-#include "src/core/lib/security/util/json_util.h"
-#include "src/core/lib/surface/api_trace.h"
-
+#include <grpc/grpc_security.h>
+#include <grpc/impl/codegen/slice.h>
+#include <grpc/slice.h>
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>
 #include <grpc/support/string_util.h>
 
+#include "src/core/lib/gpr/string.h"
+#include "src/core/lib/gprpp/inlined_vector.h"
+#include "src/core/lib/gprpp/ref_counted_ptr.h"
+#include "src/core/lib/iomgr/error.h"
+#include "src/core/lib/iomgr/load_file.h"
+#include "src/core/lib/security/util/json_util.h"
+#include "src/core/lib/slice/slice_internal.h"
+#include "src/core/lib/surface/api_trace.h"
+#include "src/core/lib/uri/uri_parser.h"
+
 //
 // Auth Refresh Token.
 //
@@ -45,6 +55,7 @@ grpc_auth_refresh_token grpc_auth_refresh_token_create_from_json(
   grpc_auth_refresh_token result;
   const char* prop_value;
   int success = 0;
+  grpc_error* error = GRPC_ERROR_NONE;
 
   memset(&result, 0, sizeof(grpc_auth_refresh_token));
   result.type = GRPC_AUTH_JSON_TYPE_INVALID;
@@ -53,7 +64,8 @@ grpc_auth_refresh_token grpc_auth_refresh_token_create_from_json(
     goto end;
   }
 
-  prop_value = grpc_json_get_string_property(json, "type");
+  prop_value = grpc_json_get_string_property(json, "type", &error);
+  GRPC_LOG_IF_ERROR("Parsing refresh token", error);
   if (prop_value == nullptr ||
       strcmp(prop_value, GRPC_AUTH_JSON_TYPE_AUTHORIZED_USER)) {
     goto end;
@@ -187,8 +199,8 @@ grpc_oauth2_token_fetcher_credentials_parse_server_response(
     *token_lifetime = strtol(expires_in->value, nullptr, 10) * GPR_MS_PER_SEC;
     if (!GRPC_MDISNULL(*token_md)) GRPC_MDELEM_UNREF(*token_md);
     *token_md = grpc_mdelem_from_slices(
-        grpc_slice_from_static_string(GRPC_AUTHORIZATION_METADATA_KEY),
-        grpc_slice_from_copied_string(new_access_token));
+        grpc_core::ExternallyManagedSlice(GRPC_AUTHORIZATION_METADATA_KEY),
+        grpc_core::UnmanagedMemorySlice(new_access_token));
     status = GRPC_CREDENTIALS_OK;
   }
 
@@ -216,10 +228,12 @@ static void on_oauth2_token_fetcher_http_response(void* user_data,
 void grpc_oauth2_token_fetcher_credentials::on_http_response(
     grpc_credentials_metadata_request* r, grpc_error* error) {
   grpc_mdelem access_token_md = GRPC_MDNULL;
-  grpc_millis token_lifetime;
+  grpc_millis token_lifetime = 0;
   grpc_credentials_status status =
-      grpc_oauth2_token_fetcher_credentials_parse_server_response(
-          &r->response, &access_token_md, &token_lifetime);
+      error == GRPC_ERROR_NONE
+          ? grpc_oauth2_token_fetcher_credentials_parse_server_response(
+                &r->response, &access_token_md, &token_lifetime)
+          : GRPC_CREDENTIALS_ERROR;
   // Update cache and grab list of pending requests.
   gpr_mu_lock(&mu_);
   token_fetch_pending_ = false;
@@ -234,14 +248,15 @@ void grpc_oauth2_token_fetcher_credentials::on_http_response(
   gpr_mu_unlock(&mu_);
   // Invoke callbacks for all pending requests.
   while (pending_request != nullptr) {
+    grpc_error* new_error = GRPC_ERROR_NONE;
     if (status == GRPC_CREDENTIALS_OK) {
       grpc_credentials_mdelem_array_add(pending_request->md_array,
                                         access_token_md);
     } else {
-      error = GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING(
+      new_error = GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING(
           "Error occurred when fetching oauth2 token.", &error, 1);
     }
-    GRPC_CLOSURE_SCHED(pending_request->on_request_metadata, error);
+    GRPC_CLOSURE_SCHED(pending_request->on_request_metadata, new_error);
     grpc_polling_entity_del_from_pollset_set(
         pending_request->pollent, grpc_polling_entity_pollset_set(&pollent_));
     grpc_oauth2_pending_get_request_metadata* prev = pending_request;
@@ -356,7 +371,8 @@ class grpc_compute_engine_token_fetcher_credentials
                     grpc_polling_entity* pollent,
                     grpc_iomgr_cb_func response_cb,
                     grpc_millis deadline) override {
-    grpc_http_header header = {(char*)"Metadata-Flavor", (char*)"Google"};
+    grpc_http_header header = {const_cast<char*>("Metadata-Flavor"),
+                               const_cast<char*>("Google")};
     grpc_httpcli_request request;
     memset(&request, 0, sizeof(grpc_httpcli_request));
     request.host = (char*)GRPC_COMPUTE_ENGINE_METADATA_HOST;
@@ -369,11 +385,14 @@ class grpc_compute_engine_token_fetcher_credentials
     grpc_resource_quota* resource_quota =
         grpc_resource_quota_create("oauth2_credentials");
     grpc_httpcli_get(http_context, pollent, resource_quota, &request, deadline,
-                     GRPC_CLOSURE_CREATE(response_cb, metadata_req,
-                                         grpc_schedule_on_exec_ctx),
+                     GRPC_CLOSURE_INIT(&http_get_cb_closure_, response_cb,
+                                       metadata_req, grpc_schedule_on_exec_ctx),
                      &metadata_req->response);
     grpc_resource_quota_unref_internal(resource_quota);
   }
+
+ private:
+  grpc_closure http_get_cb_closure_;
 };
 
 }  // namespace
@@ -401,8 +420,9 @@ void grpc_google_refresh_token_credentials::fetch_oauth2(
     grpc_credentials_metadata_request* metadata_req,
     grpc_httpcli_context* httpcli_context, grpc_polling_entity* pollent,
     grpc_iomgr_cb_func response_cb, grpc_millis deadline) {
-  grpc_http_header header = {(char*)"Content-Type",
-                             (char*)"application/x-www-form-urlencoded"};
+  grpc_http_header header = {
+      const_cast<char*>("Content-Type"),
+      const_cast<char*>("application/x-www-form-urlencoded")};
   grpc_httpcli_request request;
   char* body = nullptr;
   gpr_asprintf(&body, GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING,
@@ -419,11 +439,11 @@ void grpc_google_refresh_token_credentials::fetch_oauth2(
      extreme memory pressure. */
   grpc_resource_quota* resource_quota =
       grpc_resource_quota_create("oauth2_credentials_refresh");
-  grpc_httpcli_post(
-      httpcli_context, pollent, resource_quota, &request, body, strlen(body),
-      deadline,
-      GRPC_CLOSURE_CREATE(response_cb, metadata_req, grpc_schedule_on_exec_ctx),
-      &metadata_req->response);
+  grpc_httpcli_post(httpcli_context, pollent, resource_quota, &request, body,
+                    strlen(body), deadline,
+                    GRPC_CLOSURE_INIT(&http_post_cb_closure_, response_cb,
+                                      metadata_req, grpc_schedule_on_exec_ctx),
+                    &metadata_req->response);
   grpc_resource_quota_unref_internal(resource_quota);
   gpr_free(body);
 }
@@ -472,6 +492,207 @@ grpc_call_credentials* grpc_google_refresh_token_credentials_create(
       .release();
 }
 
+//
+// STS credentials.
+//
+
+namespace grpc_core {
+
+namespace {
+
+void MaybeAddToBody(gpr_strvec* body_strvec, const char* field_name,
+                    const char* field) {
+  if (field == nullptr || strlen(field) == 0) return;
+  char* new_query;
+  gpr_asprintf(&new_query, "&%s=%s", field_name, field);
+  gpr_strvec_add(body_strvec, new_query);
+}
+
+grpc_error* LoadTokenFile(const char* path, gpr_slice* token) {
+  grpc_error* err = grpc_load_file(path, 1, token);
+  if (err != GRPC_ERROR_NONE) return err;
+  if (GRPC_SLICE_LENGTH(*token) == 0) {
+    gpr_log(GPR_ERROR, "Token file %s is empty", path);
+    err = GRPC_ERROR_CREATE_FROM_STATIC_STRING("Token file is empty.");
+  }
+  return err;
+}
+
+class StsTokenFetcherCredentials
+    : public grpc_oauth2_token_fetcher_credentials {
+ public:
+  StsTokenFetcherCredentials(grpc_uri* sts_url,  // Ownership transferred.
+                             const grpc_sts_credentials_options* options)
+      : sts_url_(sts_url),
+        resource_(gpr_strdup(options->resource)),
+        audience_(gpr_strdup(options->audience)),
+        scope_(gpr_strdup(options->scope)),
+        requested_token_type_(gpr_strdup(options->requested_token_type)),
+        subject_token_path_(gpr_strdup(options->subject_token_path)),
+        subject_token_type_(gpr_strdup(options->subject_token_type)),
+        actor_token_path_(gpr_strdup(options->actor_token_path)),
+        actor_token_type_(gpr_strdup(options->actor_token_type)) {}
+
+  ~StsTokenFetcherCredentials() override { grpc_uri_destroy(sts_url_); }
+
+ private:
+  void fetch_oauth2(grpc_credentials_metadata_request* metadata_req,
+                    grpc_httpcli_context* http_context,
+                    grpc_polling_entity* pollent,
+                    grpc_iomgr_cb_func response_cb,
+                    grpc_millis deadline) override {
+    char* body = nullptr;
+    size_t body_length = 0;
+    grpc_error* err = FillBody(&body, &body_length);
+    if (err != GRPC_ERROR_NONE) {
+      response_cb(metadata_req, err);
+      GRPC_ERROR_UNREF(err);
+      return;
+    }
+    grpc_http_header header = {
+        const_cast<char*>("Content-Type"),
+        const_cast<char*>("application/x-www-form-urlencoded")};
+    grpc_httpcli_request request;
+    memset(&request, 0, sizeof(grpc_httpcli_request));
+    request.host = (char*)sts_url_->authority;
+    request.http.path = (char*)sts_url_->path;
+    request.http.hdr_count = 1;
+    request.http.hdrs = &header;
+    request.handshaker = (strcmp(sts_url_->scheme, "https") == 0)
+                             ? &grpc_httpcli_ssl
+                             : &grpc_httpcli_plaintext;
+    /* TODO(ctiller): Carry the resource_quota in ctx and share it with the host
+       channel. This would allow us to cancel an authentication query when under
+       extreme memory pressure. */
+    grpc_resource_quota* resource_quota =
+        grpc_resource_quota_create("oauth2_credentials_refresh");
+    grpc_httpcli_post(
+        http_context, pollent, resource_quota, &request, body, body_length,
+        deadline,
+        GRPC_CLOSURE_INIT(&http_post_cb_closure_, response_cb, metadata_req,
+                          grpc_schedule_on_exec_ctx),
+        &metadata_req->response);
+    grpc_resource_quota_unref_internal(resource_quota);
+    gpr_free(body);
+  }
+
+  grpc_error* FillBody(char** body, size_t* body_length) {
+    *body = nullptr;
+    gpr_strvec body_strvec;
+    gpr_strvec_init(&body_strvec);
+    grpc_slice subject_token = grpc_empty_slice();
+    grpc_slice actor_token = grpc_empty_slice();
+    grpc_error* err = GRPC_ERROR_NONE;
+
+    auto cleanup = [&body, &body_length, &body_strvec, &subject_token,
+                    &actor_token, &err]() {
+      if (err == GRPC_ERROR_NONE) {
+        *body = gpr_strvec_flatten(&body_strvec, body_length);
+      } else {
+        gpr_free(*body);
+      }
+      gpr_strvec_destroy(&body_strvec);
+      grpc_slice_unref_internal(subject_token);
+      grpc_slice_unref_internal(actor_token);
+      return err;
+    };
+
+    err = LoadTokenFile(subject_token_path_.get(), &subject_token);
+    if (err != GRPC_ERROR_NONE) return cleanup();
+    gpr_asprintf(
+        body, GRPC_STS_POST_MINIMAL_BODY_FORMAT_STRING,
+        reinterpret_cast<const char*>(GRPC_SLICE_START_PTR(subject_token)),
+        subject_token_type_.get());
+    gpr_strvec_add(&body_strvec, *body);
+    MaybeAddToBody(&body_strvec, "resource", resource_.get());
+    MaybeAddToBody(&body_strvec, "audience", audience_.get());
+    MaybeAddToBody(&body_strvec, "scope", scope_.get());
+    MaybeAddToBody(&body_strvec, "requested_token_type",
+                   requested_token_type_.get());
+    if (actor_token_path_ != nullptr) {
+      err = LoadTokenFile(actor_token_path_.get(), &actor_token);
+      if (err != GRPC_ERROR_NONE) return cleanup();
+      MaybeAddToBody(
+          &body_strvec, "actor_token",
+          reinterpret_cast<const char*>(GRPC_SLICE_START_PTR(subject_token)));
+      MaybeAddToBody(&body_strvec, "actor_token_type", actor_token_type_.get());
+    }
+    return cleanup();
+  }
+
+  grpc_uri* sts_url_;
+  grpc_closure http_post_cb_closure_;
+  grpc_core::UniquePtr<char> resource_;
+  grpc_core::UniquePtr<char> audience_;
+  grpc_core::UniquePtr<char> scope_;
+  grpc_core::UniquePtr<char> requested_token_type_;
+  grpc_core::UniquePtr<char> subject_token_path_;
+  grpc_core::UniquePtr<char> subject_token_type_;
+  grpc_core::UniquePtr<char> actor_token_path_;
+  grpc_core::UniquePtr<char> actor_token_type_;
+};
+
+}  // namespace
+
+grpc_error* ValidateStsCredentialsOptions(
+    const grpc_sts_credentials_options* options, grpc_uri** sts_url_out) {
+  struct GrpcUriDeleter {
+    void operator()(grpc_uri* uri) { grpc_uri_destroy(uri); }
+  };
+  *sts_url_out = nullptr;
+  InlinedVector<grpc_error*, 3> error_list;
+  UniquePtr<grpc_uri, GrpcUriDeleter> sts_url(
+      options->token_exchange_service_uri != nullptr
+          ? grpc_uri_parse(options->token_exchange_service_uri, false)
+          : nullptr);
+  if (sts_url == nullptr) {
+    error_list.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+        "Invalid or missing STS endpoint URL"));
+  } else {
+    if (strcmp(sts_url->scheme, "https") != 0 &&
+        strcmp(sts_url->scheme, "http") != 0) {
+      error_list.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+          "Invalid URI scheme, must be https to http."));
+    }
+  }
+  if (options->subject_token_path == nullptr ||
+      strlen(options->subject_token_path) == 0) {
+    error_list.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+        "subject_token needs to be specified"));
+  }
+  if (options->subject_token_type == nullptr ||
+      strlen(options->subject_token_type) == 0) {
+    error_list.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+        "subject_token_type needs to be specified"));
+  }
+  if (error_list.empty()) {
+    *sts_url_out = sts_url.release();
+    return GRPC_ERROR_NONE;
+  } else {
+    return GRPC_ERROR_CREATE_FROM_VECTOR("Invalid STS Credentials Options",
+                                         &error_list);
+  }
+}
+
+}  // namespace grpc_core
+
+grpc_call_credentials* grpc_sts_credentials_create(
+    const grpc_sts_credentials_options* options, void* reserved) {
+  GPR_ASSERT(reserved == nullptr);
+  grpc_uri* sts_url;
+  grpc_error* error =
+      grpc_core::ValidateStsCredentialsOptions(options, &sts_url);
+  if (error != GRPC_ERROR_NONE) {
+    gpr_log(GPR_ERROR, "STS Credentials creation failed. Error: %s.",
+            grpc_error_string(error));
+    GRPC_ERROR_UNREF(error);
+    return nullptr;
+  }
+  return grpc_core::MakeRefCounted<grpc_core::StsTokenFetcherCredentials>(
+             sts_url, options)
+      .release();
+}
+
 //
 // Oauth2 Access Token credentials.
 //
@@ -500,8 +721,8 @@ grpc_access_token_credentials::grpc_access_token_credentials(
   gpr_asprintf(&token_md_value, "Bearer %s", access_token);
   grpc_core::ExecCtx exec_ctx;
   access_token_md_ = grpc_mdelem_from_slices(
-      grpc_slice_from_static_string(GRPC_AUTHORIZATION_METADATA_KEY),
-      grpc_slice_from_copied_string(token_md_value));
+      grpc_core::ExternallyManagedSlice(GRPC_AUTHORIZATION_METADATA_KEY),
+      grpc_core::UnmanagedMemorySlice(token_md_value));
   gpr_free(token_md_value);
 }