fixing refresh flow for TPC case.

googleapis · Oct 10, 2024 · 2fbf761 · 2fbf761
1 parent 6b86b3a
commit 2fbf761
Showing 1 changed file with 28 additions and 9 deletions.
diff --git a/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java
@@ -44,6 +44,7 @@
 import com.google.api.client.json.JsonObjectParser;
 import com.google.api.client.util.GenericData;
 import com.google.auth.CredentialTypeForMetrics;
+import com.google.auth.Credentials;
 import com.google.auth.ServiceAccountSigner;
 import com.google.auth.http.HttpCredentialsAdapter;
 import com.google.auth.http.HttpTransportFactory;
@@ -486,13 +487,24 @@ private ImpersonatedCredentials(Builder builder) {
     }
   }
 
+  /**
+   * Gets the universe domain for the credential.
+   *
+   * @return An explicit universe domain if it was explicitly provided, invokes the super
+   *     implementation otherwise
+   */
+  @Override
+  public String getUniverseDomain() throws IOException{
+    if (isExplicitUniverseDomain()) {
+      return super.getUniverseDomain();
+    }
+    return this.sourceCredentials.getUniverseDomain();
+  }
+
   @Override
-  public String getUniverseDomain() throws IOException {
+  boolean isDefaultUniverseDomain() {
     try {
-      if (isExplicitUniverseDomain()) {
-        return super.getUniverseDomain();
-      }
-      return this.sourceCredentials.getUniverseDomain();
+      return getUniverseDomain().equals(Credentials.GOOGLE_DEFAULT_UNIVERSE);
     } catch (IOException e) {
       // Throwing an IOException would be a breaking change, so wrap it here.
       // This should not happen for this credential type.
@@ -507,10 +519,14 @@ public AccessToken refreshAccessToken() throws IOException {
           this.sourceCredentials.createScoped(Arrays.asList(CLOUD_PLATFORM_SCOPE));
     }
 
-    try {
-      this.sourceCredentials.refreshIfExpired();
-    } catch (IOException e) {
-      throw new IOException("Unable to refresh sourceCredentials", e);
+    // for nonGDU uses self-signed JWT and will get refreshed at initialize request step
+    if (isDefaultUniverseDomain()) {
+      try {
+        this.sourceCredentials.refreshIfExpired();
+
+      } catch (IOException e) {
+        throw new IOException("Unable to refresh sourceCredentials", e);
+      }
     }
 
     HttpTransport httpTransport = this.transportFactory.create();
@@ -630,6 +646,9 @@ public boolean equals(Object obj) {
     if (!(obj instanceof ImpersonatedCredentials)) {
       return false;
     }
+    if (!super.equals(obj)) {
+      return false;
+    }
     ImpersonatedCredentials other = (ImpersonatedCredentials) obj;
     return Objects.equals(this.sourceCredentials, other.sourceCredentials)
         && Objects.equals(this.targetPrincipal, other.targetPrincipal)