RubyGems - grpc - Versions diffs - 1.34.0 → 1.35.0.pre1 - Mend

grpc 1.34.0 → 1.35.0.pre1

Potentially problematic release.

This version of grpc might be problematic. Click here for more details.

Files changed (458) hide show

data/src/core/lib/security/credentials/external/external_account_credentials.h CHANGED

@@ -35,7 +35,7 @@ class ExternalAccountCredentials
     : public grpc_oauth2_token_fetcher_credentials {
  public:
   // External account credentials json interface.
-  struct ExternalAccountCredentialsOptions {
+  struct Options {
     std::string type;
     std::string audience;
     std::string subject_token_type;
@@ -48,8 +48,10 @@ class ExternalAccountCredentials
     std::string client_secret;
   };
-  ExternalAccountCredentials(ExternalAccountCredentialsOptions options,
-                             std::vector<std::string> scopes);
+  static RefCountedPtr<ExternalAccountCredentials> Create(
+      const Json& json, std::vector<std::string> scopes, grpc_error** error);
+  ExternalAccountCredentials(Options options, std::vector<std::string> scopes);
   ~ExternalAccountCredentials() override;
   std::string debug_string() override;
@@ -81,7 +83,7 @@ class ExternalAccountCredentials
   // the callback function (cb) to pass the subject token (or error)
   // back.
   virtual void RetrieveSubjectToken(
-      HTTPRequestContext* ctx, const ExternalAccountCredentialsOptions& options,
+      HTTPRequestContext* ctx, const Options& options,
       std::function<void(std::string, grpc_error*)> cb) = 0;
  private:
@@ -105,7 +107,7 @@ class ExternalAccountCredentials
   void FinishTokenFetch(grpc_error* error);
-  ExternalAccountCredentialsOptions options_;
+  Options options_;
   std::vector<std::string> scopes_;
   HTTPRequestContext* ctx_ = nullptr;

data/src/core/lib/security/credentials/external/file_external_account_credentials.cc CHANGED

@@ -26,9 +26,9 @@
 namespace grpc_core {
 RefCountedPtr<FileExternalAccountCredentials>
-FileExternalAccountCredentials::Create(
-    ExternalAccountCredentialsOptions options, std::vector<std::string> scopes,
-    grpc_error** error) {
+FileExternalAccountCredentials::Create(Options options,
+                                       std::vector<std::string> scopes,
+                                       grpc_error** error) {
   auto creds = MakeRefCounted<FileExternalAccountCredentials>(
       std::move(options), std::move(scopes), error);
   if (*error == GRPC_ERROR_NONE) {
@@ -39,8 +39,7 @@ FileExternalAccountCredentials::Create(
 }
 FileExternalAccountCredentials::FileExternalAccountCredentials(
-    ExternalAccountCredentialsOptions options, std::vector<std::string> scopes,
-    grpc_error** error)
+    Options options, std::vector<std::string> scopes, grpc_error** error)
     : ExternalAccountCredentials(options, std::move(scopes)) {
   auto it = options.credential_source.object_value().find("file");
   if (it == options.credential_source.object_value().end()) {
@@ -92,7 +91,7 @@ FileExternalAccountCredentials::FileExternalAccountCredentials(
 }
 void FileExternalAccountCredentials::RetrieveSubjectToken(
-    HTTPRequestContext* ctx, const ExternalAccountCredentialsOptions& options,
+    HTTPRequestContext* ctx, const Options& options,
     std::function<void(std::string, grpc_error*)> cb) {
   struct SliceWrapper {
     ~SliceWrapper() { grpc_slice_unref_internal(slice); }

data/src/core/lib/security/credentials/external/file_external_account_credentials.h CHANGED

@@ -26,16 +26,15 @@ namespace grpc_core {
 class FileExternalAccountCredentials final : public ExternalAccountCredentials {
  public:
   static RefCountedPtr<FileExternalAccountCredentials> Create(
-      ExternalAccountCredentialsOptions options,
-      std::vector<std::string> scopes, grpc_error** error);
+      Options options, std::vector<std::string> scopes, grpc_error** error);
-  FileExternalAccountCredentials(ExternalAccountCredentialsOptions options,
+  FileExternalAccountCredentials(Options options,
                                  std::vector<std::string> scopes,
                                  grpc_error** error);
  private:
   void RetrieveSubjectToken(
-      HTTPRequestContext* ctx, const ExternalAccountCredentialsOptions& options,
+      HTTPRequestContext* ctx, const Options& options,
       std::function<void(std::string, grpc_error*)> cb) override;
   // Fields of credential source

data/src/core/lib/security/credentials/external/url_external_account_credentials.cc CHANGED

@@ -17,12 +17,14 @@
 #include "src/core/lib/security/credentials/external/url_external_account_credentials.h"
+#include "absl/strings/str_cat.h"
 #include "absl/strings/str_format.h"
+#include "absl/strings/str_split.h"
 namespace grpc_core {
 RefCountedPtr<UrlExternalAccountCredentials>
-UrlExternalAccountCredentials::Create(ExternalAccountCredentialsOptions options,
+UrlExternalAccountCredentials::Create(Options options,
                                       std::vector<std::string> scopes,
                                       grpc_error** error) {
   auto creds = MakeRefCounted<UrlExternalAccountCredentials>(
@@ -35,8 +37,7 @@ UrlExternalAccountCredentials::Create(ExternalAccountCredentialsOptions options,
 }
 UrlExternalAccountCredentials::UrlExternalAccountCredentials(
-    ExternalAccountCredentialsOptions options, std::vector<std::string> scopes,
-    grpc_error** error)
+    Options options, std::vector<std::string> scopes, grpc_error** error)
     : ExternalAccountCredentials(options, std::move(scopes)) {
   auto it = options.credential_source.object_value().find("url");
   if (it == options.credential_source.object_value().end()) {
@@ -48,13 +49,19 @@ UrlExternalAccountCredentials::UrlExternalAccountCredentials(
         GRPC_ERROR_CREATE_FROM_STATIC_STRING("url field must be a string.");
     return;
   }
-  grpc_uri* url = grpc_uri_parse(it->second.string_value(), false);
-  if (url == nullptr) {
-    *error =
-        GRPC_ERROR_CREATE_FROM_STATIC_STRING("Invalid credential source url.");
+  absl::StatusOr<URI> tmp_url = URI::Parse(it->second.string_value());
+  if (!tmp_url.ok()) {
+    *error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+        absl::StrFormat("Invalid credential source url. Error: %s",
+                        tmp_url.status().ToString())
+            .c_str());
     return;
   }
-  url_ = url;
+  url_ = *tmp_url;
+  // The url must follow the format of <scheme>://<authority>/<path>
+  std::vector<absl::string_view> v =
+      absl::StrSplit(it->second.string_value(), absl::MaxSplits('/', 3));
+  url_full_path_ = absl::StrCat("/", v[3]);
   it = options.credential_source.object_value().find("headers");
   if (it != options.credential_source.object_value().end()) {
     if (it->second.type() != Json::Type::OBJECT) {
@@ -104,12 +111,8 @@ UrlExternalAccountCredentials::UrlExternalAccountCredentials(
   }
 }
-UrlExternalAccountCredentials::~UrlExternalAccountCredentials() {
-  grpc_uri_destroy(url_);
-}
 void UrlExternalAccountCredentials::RetrieveSubjectToken(
-    HTTPRequestContext* ctx, const ExternalAccountCredentialsOptions& options,
+    HTTPRequestContext* ctx, const Options& options,
     std::function<void(std::string, grpc_error*)> cb) {
   if (ctx == nullptr) {
     FinishRetrieveSubjectToken(
@@ -122,8 +125,8 @@ void UrlExternalAccountCredentials::RetrieveSubjectToken(
   cb_ = cb;
   grpc_httpcli_request request;
   memset(&request, 0, sizeof(grpc_httpcli_request));
-  request.host = const_cast<char*>(url_->authority);
-  request.http.path = gpr_strdup(url_->path);
+  request.host = const_cast<char*>(url_.authority().c_str());
+  request.http.path = gpr_strdup(url_full_path_.c_str());
   grpc_http_header* headers = nullptr;
   request.http.hdr_count = headers_.size();
   headers = static_cast<grpc_http_header*>(
@@ -135,9 +138,8 @@ void UrlExternalAccountCredentials::RetrieveSubjectToken(
     ++i;
   }
   request.http.hdrs = headers;
-  request.handshaker = (strcmp(url_->scheme, "https") == 0)
-                           ? &grpc_httpcli_ssl
-                           : &grpc_httpcli_plaintext;
+  request.handshaker =
+      url_.scheme() == "https" ? &grpc_httpcli_ssl : &grpc_httpcli_plaintext;
   grpc_resource_quota* resource_quota =
       grpc_resource_quota_create("external_account_credentials");
   grpc_http_response_destroy(&ctx_->response);

data/src/core/lib/security/credentials/external/url_external_account_credentials.h CHANGED

@@ -26,17 +26,15 @@ namespace grpc_core {
 class UrlExternalAccountCredentials final : public ExternalAccountCredentials {
  public:
   static RefCountedPtr<UrlExternalAccountCredentials> Create(
-      ExternalAccountCredentialsOptions options,
-      std::vector<std::string> scopes, grpc_error** error);
+      Options options, std::vector<std::string> scopes, grpc_error** error);
-  UrlExternalAccountCredentials(ExternalAccountCredentialsOptions options,
+  UrlExternalAccountCredentials(Options options,
                                 std::vector<std::string> scopes,
                                 grpc_error** error);
-  ~UrlExternalAccountCredentials() override;
  private:
   void RetrieveSubjectToken(
-      HTTPRequestContext* ctx, const ExternalAccountCredentialsOptions& options,
+      HTTPRequestContext* ctx, const Options& options,
       std::function<void(std::string, grpc_error*)> cb) override;
   static void OnRetrieveSubjectToken(void* arg, grpc_error* error);
@@ -45,7 +43,8 @@ class UrlExternalAccountCredentials final : public ExternalAccountCredentials {
   void FinishRetrieveSubjectToken(std::string subject_token, grpc_error* error);
   // Fields of credential source
-  grpc_uri* url_ = nullptr;
+  URI url_;
+  std::string url_full_path_;
   std::map<std::string, std::string> headers_;
   std::string format_type_;
   std::string format_subject_token_field_name_;

data/src/core/lib/security/credentials/fake/fake_credentials.cc CHANGED

@@ -76,7 +76,8 @@ grpc_fake_transport_security_server_credentials_create() {
 grpc_arg grpc_fake_transport_expected_targets_arg(char* expected_targets) {
   return grpc_channel_arg_string_create(
-      (char*)GRPC_ARG_FAKE_SECURITY_EXPECTED_TARGETS, expected_targets);
+      const_cast<char*>(GRPC_ARG_FAKE_SECURITY_EXPECTED_TARGETS),
+      expected_targets);
 }
 const char* grpc_fake_transport_get_expected_targets(

data/src/core/lib/security/credentials/google_default/google_default_credentials.cc CHANGED

@@ -27,6 +27,7 @@
 #include <grpc/support/sync.h>
 #include "src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.h"
+#include "src/core/ext/filters/client_channel/lb_policy/xds/xds_channel_args.h"
 #include "src/core/lib/channel/channel_args.h"
 #include "src/core/lib/gpr/env.h"
 #include "src/core/lib/gpr/string.h"
@@ -37,6 +38,7 @@
 #include "src/core/lib/iomgr/polling_entity.h"
 #include "src/core/lib/security/credentials/alts/alts_credentials.h"
 #include "src/core/lib/security/credentials/alts/check_gcp_environment.h"
+#include "src/core/lib/security/credentials/external/external_account_credentials.h"
 #include "src/core/lib/security/credentials/google_default/google_default_credentials.h"
 #include "src/core/lib/security/credentials/jwt/jwt_credentials.h"
 #include "src/core/lib/security/credentials/oauth2/oauth2_credentials.h"
@@ -80,21 +82,22 @@ grpc_google_default_channel_credentials::create_security_connector(
     grpc_core::RefCountedPtr<grpc_call_credentials> call_creds,
     const char* target, const grpc_channel_args* args,
     grpc_channel_args** new_args) {
-  bool is_grpclb_load_balancer = grpc_channel_arg_get_bool(
-      grpc_channel_args_find(args, GRPC_ARG_ADDRESS_IS_GRPCLB_LOAD_BALANCER),
-      false);
-  bool is_backend_from_grpclb_load_balancer = grpc_channel_arg_get_bool(
-      grpc_channel_args_find(
-          args, GRPC_ARG_ADDRESS_IS_BACKEND_FROM_GRPCLB_LOAD_BALANCER),
-      false);
-  bool use_alts =
-      is_grpclb_load_balancer || is_backend_from_grpclb_load_balancer;
+  const bool is_grpclb_load_balancer = grpc_channel_args_find_bool(
+      args, GRPC_ARG_ADDRESS_IS_GRPCLB_LOAD_BALANCER, false);
+  const bool is_backend_from_grpclb_load_balancer = grpc_channel_args_find_bool(
+      args, GRPC_ARG_ADDRESS_IS_BACKEND_FROM_GRPCLB_LOAD_BALANCER, false);
+  const char* xds_cluster =
+      grpc_channel_args_find_string(args, GRPC_ARG_XDS_CLUSTER_NAME);
+  const bool is_xds_non_cfe_cluster =
+      xds_cluster != nullptr && strcmp(xds_cluster, "google_cfe") != 0;
+  const bool use_alts = is_grpclb_load_balancer ||
+                        is_backend_from_grpclb_load_balancer ||
+                        is_xds_non_cfe_cluster;
   /* Return failure if ALTS is selected but not running on GCE. */
   if (use_alts && alts_creds_ == nullptr) {
     gpr_log(GPR_ERROR, "ALTS is selected, but not running on GCE.");
     return nullptr;
   }
   grpc_core::RefCountedPtr<grpc_channel_security_connector> sc =
       use_alts ? alts_creds_->create_security_connector(call_creds, target,
                                                         args, new_args)
@@ -175,8 +178,8 @@ static int is_metadata_server_reachable() {
   detector.is_done = 0;
   detector.success = 0;
   memset(&request, 0, sizeof(grpc_httpcli_request));
-  request.host = (char*)GRPC_COMPUTE_ENGINE_DETECTION_HOST;
-  request.http.path = (char*)"/";
+  request.host = const_cast<char*>(GRPC_COMPUTE_ENGINE_DETECTION_HOST);
+  request.http.path = const_cast<char*>("/");
   grpc_httpcli_context_init(&context);
   grpc_resource_quota* resource_quota =
       grpc_resource_quota_create("google_default_credentials");
@@ -267,6 +270,9 @@ static grpc_error* create_default_creds_from_path(
     goto end;
   }
+  /* Finally try an external account credentials.*/
+  result = grpc_core::ExternalAccountCredentials::Create(json, {}, &error);
 end:
   GPR_ASSERT((result == nullptr) + (error == GRPC_ERROR_NONE) == 1);
   grpc_slice_unref_internal(creds_data);

data/src/core/lib/security/credentials/insecure/insecure_credentials.cc CHANGED

@@ -30,12 +30,10 @@ constexpr char kCredentialsTypeInsecure[] = "insecure";
 class InsecureCredentials final : public grpc_channel_credentials {
  public:
-  explicit InsecureCredentials()
-      : grpc_channel_credentials(kCredentialsTypeInsecure) {}
+  InsecureCredentials() : grpc_channel_credentials(kCredentialsTypeInsecure) {}
-  grpc_core::RefCountedPtr<grpc_channel_security_connector>
-  create_security_connector(
-      grpc_core::RefCountedPtr<grpc_call_credentials> call_creds,
+  RefCountedPtr<grpc_channel_security_connector> create_security_connector(
+      RefCountedPtr<grpc_call_credentials> call_creds,
       const char* /* target_name */, const grpc_channel_args* /* args */,
       grpc_channel_args** /* new_args */) override {
     return MakeRefCounted<InsecureChannelSecurityConnector>(
@@ -43,9 +41,24 @@ class InsecureCredentials final : public grpc_channel_credentials {
   }
 };
+class InsecureServerCredentials final : public grpc_server_credentials {
+ public:
+  InsecureServerCredentials()
+      : grpc_server_credentials(kCredentialsTypeInsecure) {}
+  RefCountedPtr<grpc_server_security_connector> create_security_connector()
+      override {
+    return MakeRefCounted<InsecureServerSecurityConnector>(Ref());
+  }
+};
 }  // namespace
 }  // namespace grpc_core
 grpc_channel_credentials* grpc_insecure_credentials_create() {
   return new grpc_core::InsecureCredentials();
 }
+grpc_server_credentials* grpc_insecure_server_credentials_create() {
+  return new grpc_core::InsecureServerCredentials();
+}

data/src/core/lib/security/credentials/jwt/json_token.cc CHANGED

@@ -112,7 +112,7 @@ grpc_auth_json_key grpc_auth_json_key_create_from_json(const Json& json) {
     goto end;
   }
   result.private_key =
-      PEM_read_bio_RSAPrivateKey(bio, nullptr, nullptr, (void*)"");
+      PEM_read_bio_RSAPrivateKey(bio, nullptr, nullptr, const_cast<char*>(""));
   if (result.private_key == nullptr) {
     gpr_log(GPR_ERROR, "Could not deserialize private key.");
     goto end;

data/src/core/lib/security/credentials/jwt/jwt_verifier.cc CHANGED

@@ -696,7 +696,7 @@ static void on_openid_config_retrieved(void* user_data, grpc_error* /*error*/) {
   req.host = gpr_strdup(jwks_uri);
   req.http.path = const_cast<char*>(strchr(jwks_uri, '/'));
   if (req.http.path == nullptr) {
-    req.http.path = (char*)"";
+    req.http.path = const_cast<char*>("");
   } else {
     *(req.host + (req.http.path - jwks_uri)) = '\0';
   }
@@ -757,8 +757,8 @@ const char* grpc_jwt_issuer_email_domain(const char* issuer) {
   if (dot == nullptr || dot == email_domain) return email_domain;
   GPR_ASSERT(dot > email_domain);
   /* There may be a subdomain, we just want the domain. */
-  dot = static_cast<const char*>(gpr_memrchr(
-      (void*)email_domain, '.', static_cast<size_t>(dot - email_domain)));
+  dot = static_cast<const char*>(
+      gpr_memrchr(email_domain, '.', static_cast<size_t>(dot - email_domain)));
   if (dot == nullptr) return email_domain;
   return dot + 1;
 }

data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc CHANGED

@@ -386,8 +386,9 @@ class grpc_compute_engine_token_fetcher_credentials
                                const_cast<char*>("Google")};
     grpc_httpcli_request request;
     memset(&request, 0, sizeof(grpc_httpcli_request));
-    request.host = (char*)GRPC_COMPUTE_ENGINE_METADATA_HOST;
-    request.http.path = (char*)GRPC_COMPUTE_ENGINE_METADATA_TOKEN_PATH;
+    request.host = const_cast<char*>(GRPC_COMPUTE_ENGINE_METADATA_HOST);
+    request.http.path =
+        const_cast<char*>(GRPC_COMPUTE_ENGINE_METADATA_TOKEN_PATH);
     request.http.hdr_count = 1;
     request.http.hdrs = &header;
     /* TODO(ctiller): Carry the resource_quota in ctx and share it with the host
@@ -445,8 +446,8 @@ void grpc_google_refresh_token_credentials::fetch_oauth2(
       GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING, refresh_token_.client_id,
       refresh_token_.client_secret, refresh_token_.refresh_token);
   memset(&request, 0, sizeof(grpc_httpcli_request));
-  request.host = (char*)GRPC_GOOGLE_OAUTH2_SERVICE_HOST;
-  request.http.path = (char*)GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH;
+  request.host = const_cast<char*>(GRPC_GOOGLE_OAUTH2_SERVICE_HOST);
+  request.http.path = const_cast<char*>(GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH);
   request.http.hdr_count = 1;
   request.http.hdrs = &header;
   request.handshaker = &grpc_httpcli_ssl;
@@ -537,9 +538,9 @@ grpc_error* LoadTokenFile(const char* path, gpr_slice* token) {
 class StsTokenFetcherCredentials
     : public grpc_oauth2_token_fetcher_credentials {
  public:
-  StsTokenFetcherCredentials(grpc_uri* sts_url,  // Ownership transferred.
+  StsTokenFetcherCredentials(URI sts_url,
                              const grpc_sts_credentials_options* options)
-      : sts_url_(sts_url),
+      : sts_url_(std::move(sts_url)),
         resource_(gpr_strdup(options->resource)),
         audience_(gpr_strdup(options->audience)),
         scope_(gpr_strdup(options->scope)),
@@ -549,12 +550,10 @@ class StsTokenFetcherCredentials
         actor_token_path_(gpr_strdup(options->actor_token_path)),
         actor_token_type_(gpr_strdup(options->actor_token_type)) {}
-  ~StsTokenFetcherCredentials() override { grpc_uri_destroy(sts_url_); }
   std::string debug_string() override {
     return absl::StrFormat(
-        "StsTokenFetcherCredentials{Path:%s,Authority:%s,%s}", sts_url_->path,
-        sts_url_->authority,
+        "StsTokenFetcherCredentials{Path:%s,Authority:%s,%s}", sts_url_.path(),
+        sts_url_.authority(),
         grpc_oauth2_token_fetcher_credentials::debug_string());
   }
@@ -577,11 +576,11 @@ class StsTokenFetcherCredentials
         const_cast<char*>("application/x-www-form-urlencoded")};
     grpc_httpcli_request request;
     memset(&request, 0, sizeof(grpc_httpcli_request));
-    request.host = (char*)sts_url_->authority;
-    request.http.path = (char*)sts_url_->path;
+    request.host = const_cast<char*>(sts_url_.authority().c_str());
+    request.http.path = const_cast<char*>(sts_url_.path().c_str());
     request.http.hdr_count = 1;
     request.http.hdrs = &header;
-    request.handshaker = (strcmp(sts_url_->scheme, "https") == 0)
+    request.handshaker = (sts_url_.scheme() == "https")
                              ? &grpc_httpcli_ssl
                              : &grpc_httpcli_plaintext;
     /* TODO(ctiller): Carry the resource_quota in ctx and share it with the host
@@ -641,7 +640,7 @@ class StsTokenFetcherCredentials
     return cleanup();
   }
-  grpc_uri* sts_url_;
+  URI sts_url_;
   grpc_closure http_post_cb_closure_;
   grpc_core::UniquePtr<char> resource_;
   grpc_core::UniquePtr<char> audience_;
@@ -655,26 +654,21 @@ class StsTokenFetcherCredentials
 }  // namespace
-grpc_error* ValidateStsCredentialsOptions(
-    const grpc_sts_credentials_options* options, grpc_uri** sts_url_out) {
-  struct GrpcUriDeleter {
-    void operator()(grpc_uri* uri) { grpc_uri_destroy(uri); }
-  };
-  *sts_url_out = nullptr;
+absl::StatusOr<URI> ValidateStsCredentialsOptions(
+    const grpc_sts_credentials_options* options) {
   absl::InlinedVector<grpc_error*, 3> error_list;
-  std::unique_ptr<grpc_uri, GrpcUriDeleter> sts_url(
-      options->token_exchange_service_uri != nullptr
-          ? grpc_uri_parse(options->token_exchange_service_uri, false)
-          : nullptr);
-  if (sts_url == nullptr) {
+  absl::StatusOr<URI> sts_url =
+      URI::Parse(options->token_exchange_service_uri == nullptr
+                     ? ""
+                     : options->token_exchange_service_uri);
+  if (!sts_url.ok()) {
+    error_list.push_back(GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+        absl::StrFormat("Invalid or missing STS endpoint URL. Error: %s",
+                        sts_url.status().ToString())
+            .c_str()));
+  } else if (sts_url->scheme() != "https" && sts_url->scheme() != "http") {
     error_list.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-        "Invalid or missing STS endpoint URL"));
-  } else {
-    if (strcmp(sts_url->scheme, "https") != 0 &&
-        strcmp(sts_url->scheme, "http") != 0) {
-      error_list.push_back(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
-          "Invalid URI scheme, must be https to http."));
-    }
+        "Invalid URI scheme, must be https to http."));
   }
   if (options->subject_token_path == nullptr ||
       strlen(options->subject_token_path) == 0) {
@@ -687,12 +681,13 @@ grpc_error* ValidateStsCredentialsOptions(
         "subject_token_type needs to be specified"));
   }
   if (error_list.empty()) {
-    *sts_url_out = sts_url.release();
-    return GRPC_ERROR_NONE;
-  } else {
-    return GRPC_ERROR_CREATE_FROM_VECTOR("Invalid STS Credentials Options",
-                                         &error_list);
+    return sts_url;
   }
+  auto grpc_error_vec = GRPC_ERROR_CREATE_FROM_VECTOR(
+      "Invalid STS Credentials Options", &error_list);
+  auto retval = absl::InvalidArgumentError(grpc_error_string(grpc_error_vec));
+  GRPC_ERROR_UNREF(grpc_error_vec);
+  return retval;
 }
 }  // namespace grpc_core
@@ -700,17 +695,15 @@ grpc_error* ValidateStsCredentialsOptions(
 grpc_call_credentials* grpc_sts_credentials_create(
     const grpc_sts_credentials_options* options, void* reserved) {
   GPR_ASSERT(reserved == nullptr);
-  grpc_uri* sts_url;
-  grpc_error* error =
-      grpc_core::ValidateStsCredentialsOptions(options, &sts_url);
-  if (error != GRPC_ERROR_NONE) {
+  absl::StatusOr<grpc_core::URI> sts_url =
+      grpc_core::ValidateStsCredentialsOptions(options);
+  if (!sts_url.ok()) {
     gpr_log(GPR_ERROR, "STS Credentials creation failed. Error: %s.",
-            grpc_error_string(error));
-    GRPC_ERROR_UNREF(error);
+            sts_url.status().ToString().c_str());
     return nullptr;
   }
   return grpc_core::MakeRefCounted<grpc_core::StsTokenFetcherCredentials>(
-             sts_url, options)
+             std::move(*sts_url), options)
       .release();
 }