Merge remote-tracking branch 'remotes/origin/main' into add-debug-logging

Author: feywind

.github/.OwlBot.lock.yaml

@@ -13,5 +13,5 @@
 # limitations under the License.
 docker:
   image: gcr.io/cloud-devrel-public-resources/owlbot-nodejs:latest
-  digest: sha256:609822e3c09b7a1bd90b99655904609f162cc15acb4704f1edf778284c36f429
-# created: 2024-10-01T19:34:30.797530443Z
+  digest: sha256:0d39e59663287ae929c1d4ccf8ebf7cef9946826c9b86eda7e85d8d752dbb584
+# created: 2024-11-21T22:39:44.342569463Z

.github/release-trigger.yml

@@ -1 +1,2 @@
 enabled: true
+multiScmName: google-auth-library-nodejs

.github/sync-repo-settings.yaml

@@ -8,9 +8,9 @@ branchProtectionRules:
       - "ci/kokoro: Samples test"
       - "ci/kokoro: System test"
       - lint
-      - test (14)
-      - test (16)
       - test (18)
+      - test (20)
+      - test (22)
       - cla/google
       - windows
       - OwlBot Post Processor

.github/workflows/ci.yaml

@@ -9,9 +9,9 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        node: [14, 16, 18, 20]
+        node: [18, 20, 22]
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node }}
@@ -29,21 +29,21 @@ jobs:
   windows:
     runs-on: windows-latest
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - uses: actions/setup-node@v4
         with:
-          node-version: 14
+          node-version: 18
       - run: npm install
       - run: npm test
         env:
           MOCHA_THROW_DEPRECATION: false
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - uses: actions/setup-node@v4
         with:
-          node-version: 14
+          node-version: 18
       - run: npm install
       - run: npm run lint
   docs:

.kokoro/common.cfg

@@ -13,20 +13,12 @@ body: |-
   - [Downscoped Client](#downscoped-client) - Use Downscoped Client with Credential Access Boundary to generate a short-lived credential with downscoped, restricted IAM permissions that can use for Cloud Storage.
 
   ## Application Default Credentials
-  This library provides an implementation of [Application Default Credentials](https://cloud.google.com/docs/authentication/getting-started) for Node.js. The [Application Default Credentials](https://cloud.google.com/docs/authentication/getting-started) provide a simple way to get authorization credentials for use in calling Google APIs.
 
-  They are best suited for cases when the call needs to have the same identity and authorization level for the application independent of the user. This is the recommended approach to authorize calls to Cloud APIs, particularly when you're building an application that uses Google Cloud Platform.
+  This library provides an implementation of [Application Default Credentials (ADC)](https://cloud.google.com/docs/authentication/application-default-credentials) for Node.js. ADC provides a simple way to get credentials for use in calling Google APIs. How you [set up ADC](https://cloud.google.com/docs/authentication/provide-credentials-adc) depends on the environment where your code is running.
 
-  Application Default Credentials also support workload identity federation to access Google Cloud resources from non-Google Cloud platforms including Amazon Web Services (AWS), Microsoft Azure or any identity provider that supports OpenID Connect (OIDC). Workload identity federation is recommended for non-Google Cloud environments as it avoids the need to download, manage and store service account private keys locally, see: [Workload Identity Federation](#workload-identity-federation).
+  ADC is best suited for cases when the call needs to have the same identity and authorization level for the application independent of the user. This is the recommended approach to authorize calls to Cloud APIs, particularly when you're building an application that uses Google Cloud Platform.
 
-  #### Download your Service Account Credentials JSON file
-
-  To use Application Default Credentials, You first need to download a set of JSON credentials for your project. Go to **APIs & Auth** > **Credentials** in the [Google Developers Console](https://console.cloud.google.com/) and select **Service account** from the **Add credentials** dropdown.
-
-  > This file is your *only copy* of these credentials. It should never be
-  > committed with your source code, and should be stored securely.
-
-  Once downloaded, store the path to this file in the `GOOGLE_APPLICATION_CREDENTIALS` environment variable.
+  Application Default Credentials also supports Workload Identity Federation to access Google Cloud resources from non-Google Cloud platforms including Amazon Web Services (AWS), Microsoft Azure or any identity provider that supports OpenID Connect (OIDC). Workload Identity Federation is recommended for non-Google Cloud environments as it avoids the need to download, manage and store service account private keys locally, see: [Workload Identity Federation](#workload-identity-federation).
 
   #### Enable the API you want to use
 
@@ -64,7 +56,7 @@ body: |-
 
   ## OAuth2
 
-  This library comes with an [OAuth2](https://developers.google.com/identity/protocols/OAuth2) client that allows you to retrieve an access token and refreshes the token and retry the request seamlessly if you also provide an `expiry_date` and the token is expired. The basics of Google's OAuth2 implementation is explained on [Google Authorization and Authentication documentation](https://developers.google.com/accounts/docs/OAuth2Login).
+  This library comes with an [OAuth2](https://developers.google.com/identity/protocols/OAuth2) client that allows you to retrieve an access token and refreshes the token and retry the request seamlessly if you also provide an `expiry_date` and the token is expired. The basics of Google's OAuth2 implementation is explained on [Google authorization and Authentication documentation](https://developers.google.com/accounts/docs/OAuth2Login).
 
   In the following examples, you may need a `CLIENT_ID`, `CLIENT_SECRET` and `REDIRECT_URL`. You can find these pieces of information by going to the [Developer Console](https://console.cloud.google.com/), clicking your project > APIs & auth > credentials.
 
@@ -111,11 +103,11 @@ body: |-
     return new Promise((resolve, reject) => {
       // create an oAuth client to authorize the API call.  Secrets are kept in a `keys.json` file,
       // which should be downloaded from the Google Developers Console.
-      const oAuth2Client = new OAuth2Client(
-        keys.web.client_id,
-        keys.web.client_secret,
-        keys.web.redirect_uris[0]
-      );
+      const oAuth2Client = new OAuth2Client({
+        clientId: keys.web.client_id,
+        clientSecret: keys.web.client_secret,
+        redirectUri: keys.web.redirect_uris[0]
+      });
 
       // Generate the url that will be used for the consent dialog.
       const authorizeUrl = oAuth2Client.generateAuthUrl({
@@ -308,6 +300,8 @@ body: |-
   main().catch(console.error);
   ```
 
+  **Important**: If you accept a credential configuration (credential JSON/File/Stream) from an external source for authentication to Google Cloud, you must validate it before providing it to any Google API or library. Providing an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more information, refer to [Validate credential configurations from external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
+
   #### Using a Proxy
   You can set the `HTTPS_PROXY` or `https_proxy` environment variables to proxy HTTPS requests. When `HTTPS_PROXY` or `https_proxy` are set, they will be used to proxy SSL requests that do not have an explicit proxy configuration option present.
 
@@ -434,6 +428,7 @@ body: |-
     audience: '//iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID', // Set the GCP audience.
     subject_token_type: 'urn:ietf:params:aws:token-type:aws4_request', // Set the subject token type.
     aws_security_credentials_supplier: new AwsSupplier("AWS_REGION") // Set the custom supplier.
+    service_account_impersonation_url: 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/$EMAIL:generateAccessToken', // Set the service account impersonation url.
   }
 
   // Create a new Auth client and use it to create service client, i.e. storage.
@@ -996,19 +991,19 @@ body: |-
   }
 
   const clientOptions = {
-    audience: '//iam.googleapis.com/locations/global/workforcePools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID', // Set the GCP audience.
+    audience: '//iam.googleapis.com/locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID', // Set the GCP audience.
     subject_token_type: 'urn:ietf:params:oauth:token-type:id_token', // Set the subject token type.
     subject_token_supplier: new CustomSupplier() // Set the custom supplier.
   }
 
   const client = new CustomSupplier(clientOptions);
   ```
 
-  Where the audience is: `//iam.googleapis.com/locations/global/workforcePools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID`
+  Where the audience is: `//iam.googleapis.com/locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID`
 
   Where the following variables need to be substituted:
 
-  * `WORKFORCE_POOL_ID`: The worforce pool ID.
+  * `$WORKFORCE_POOL_ID`: The worforce pool ID.
   * `$PROVIDER_ID`: The provider ID.
 
   and the workforce pool user project is the project number associated with the [workforce pools user project](https://cloud.google.com/iam/docs/workforce-identity-federation#workforce-pools-user-project).
@@ -1190,7 +1185,7 @@ body: |-
 
     // Get impersonated credentials:
     const authHeaders = await targetClient.getRequestHeaders();
-    // Do something with `authHeaders.Authorization`.
+    // Do something with `authHeaders.get('authorization')`.
 
     // Use impersonated credentials:
     const url = 'https://www.googleapis.com/storage/v1/b?project=anotherProjectID'
@@ -1265,7 +1260,7 @@ body: |-
   const client = await googleAuth.getClient();
 
   // Use the client to create a DownscopedClient.
-  const cabClient = new DownscopedClient(client, cab);
+  const cabClient = new DownscopedClient({authClient: client, credentialAccessBoundary: cab});
 
   // Refresh the tokens.
   const refreshedAccessToken = await cabClient.getAccessToken();