googleapis
diff --git a/‎README.md‎
Lines changed: 12 additions & 3 deletions b/‎README.md‎
Lines changed: 12 additions & 3 deletions
diff --git a/‎idtoken/idtoken.go‎
Lines changed: 138 additions & 43 deletions b/‎idtoken/idtoken.go‎
Lines changed: 138 additions & 43 deletions
diff --git a/‎idtoken/idtoken_test.go‎
Lines changed: 96 additions & 0 deletions b/‎idtoken/idtoken_test.go‎
Lines changed: 96 additions & 0 deletions
@@ -60,13 +60,22 @@ client, err := sheets.NewService(ctx)
 ```
 
 To authorize using a [JSON key file](https://cloud.google.com/iam/docs/managing-service-account-keys), pass
-[`option.WithCredentialsFile`](https://pkg.go.dev/google.golang.org/api/option#WithCredentialsFile) to the `NewService`
-function of the desired package. For example:
+[`option.WithAuthCredentialsFile`](https://pkg.go.dev/google.golang.org/api/option#WithAuthCredentialsFile) to the `NewService`
+function of the desired package. You must also specify the credential type. For example, to use a service account key file:
 
 ```go
-client, err := sheets.NewService(ctx, option.WithCredentialsFile("path/to/keyfile.json"))
+client, err := sheets.NewService(ctx, option.WithAuthCredentialsFile(option.ServiceAccount, "path/to/keyfile.json"))
 ```
 
+Similarly, you can use JSON credentials directly with [`option.WithAuthCredentialsJSON`](https://pkg.go.dev/google.golang.org/api/option#WithAuthCredentialsJSON):
+
+```go
+// where jsonKey is a []byte containing the JSON key
+client, err := sheets.NewService(ctx, option.WithAuthCredentialsJSON(option.ServiceAccount, jsonKey))
+```
+
+The older `option.WithCredentialsFile` and `option.WithCredentialsJSON` functions are deprecated due to a potential security risk.
+
 You can exert more control over authorization by using the [`golang.org/x/oauth2`](https://pkg.go.dev/golang.org/x/oauth2)
 package to create an `oauth2.TokenSource`. Then pass [`option.WithTokenSource`](https://pkg.go.dev/google.golang.org/api/option#WithTokenSource)
 to the `NewService` function:
 
@@ -9,6 +9,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"os"
 	"path/filepath"
 	"strings"
 
@@ -20,6 +21,7 @@ import (
 	"cloud.google.com/go/auth/oauth2adapt"
 	"google.golang.org/api/impersonate"
 	"google.golang.org/api/internal"
+	"google.golang.org/api/internal/credentialstype"
 	"google.golang.org/api/option"
 	"google.golang.org/api/option/internaloption"
 	htransport "google.golang.org/api/transport/http"
@@ -30,13 +32,38 @@ import (
 // ClientOption is for configuring a Google API client or transport.
 type ClientOption = option.ClientOption
 
-type credentialsType int
+// CredentialsType specifies the type of JSON credentials being provided
+// to a loading function such as [WithAuthCredentialsFile] or
+// [WithAuthCredentialsJSON].
+type CredentialsType = credentialstype.CredType
 
 const (
-	unknownCredType credentialsType = iota
-	serviceAccount
-	impersonatedServiceAccount
-	externalAccount
+	// ServiceAccount represents a service account file type.
+	ServiceAccount = credentialstype.ServiceAccount
+	// AuthorizedUser represents an authorized user credentials file type.
+	AuthorizedUser = credentialstype.AuthorizedUser
+	// ImpersonatedServiceAccount represents an impersonated service account file type.
+	//
+	// IMPORTANT:
+	// This credential type does not validate the credential configuration. A security
+	// risk occurs when a credential configuration configured with malicious urls
+	// is used.
+	// You should validate credential configurations provided by untrusted sources.
+	// See [Security requirements when using credential configurations from an external
+	// source] https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
+	// for more details.
+	ImpersonatedServiceAccount = credentialstype.ImpersonatedServiceAccount
+	// ExternalAccount represents an external account file type.
+	//
+	// IMPORTANT:
+	// This credential type does not validate the credential configuration. A security
+	// risk occurs when a credential configuration configured with malicious urls
+	// is used.
+	// You should validate credential configurations provided by untrusted sources.
+	// See [Security requirements when using credential configurations from an external
+	// source] https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
+	// for more details.
+	ExternalAccount = credentialstype.ExternalAccount
 )
 
 // NewClient creates a HTTP Client that automatically adds an ID token to each
@@ -110,11 +137,33 @@ func newTokenSourceNewAuth(ctx context.Context, audience string, ds *internal.Di
 	if ds.AuthCredentials != nil {
 		return nil, fmt.Errorf("idtoken: option.WithTokenProvider not supported")
 	}
+
+	var credsJSON []byte
+	var credsType credentialstype.CredType
+	var err error
+
+	credsFile, fileCredsType := ds.GetAuthCredentialsFile()
+	if credsFile != "" {
+		credsJSON, err = os.ReadFile(credsFile)
+		if err != nil {
+			return nil, fmt.Errorf("idtoken: cannot read credentials file: %v", err)
+		}
+		credsType = fileCredsType
+	} else {
+		credsJSON, credsType = ds.GetAuthCredentialsJSON()
+	}
+
+	if credsType != credentialstype.Unknown {
+		allowed := []credentialstype.CredType{ServiceAccount, ImpersonatedServiceAccount, ExternalAccount}
+		if err := credentialstype.CheckCredentialType(credsJSON, credsType, allowed...); err != nil {
+			return nil, err
+		}
+	}
+
 	creds, err := newidtoken.NewCredentials(&newidtoken.Options{
 		Audience:        audience,
 		CustomClaims:    ds.CustomClaims,
-		CredentialsFile: ds.CredentialsFile,
-		CredentialsJSON: ds.CredentialsJSON,
+		CredentialsJSON: credsJSON, // Pass the bytes to avoid re-reading the file.
 		Client:          oauth2.NewClient(ctx, nil),
 		Logger:          ds.Logger,
 	})
@@ -141,12 +190,12 @@ func newTokenSource(ctx context.Context, audience string, ds *internal.DialSetti
 }
 
 func tokenSourceFromBytes(ctx context.Context, data []byte, audience string, ds *internal.DialSettings) (oauth2.TokenSource, error) {
-	allowedType, err := getAllowedType(data)
+	credType, err := credentialstype.GetCredType(data)
 	if err != nil {
 		return nil, err
 	}
-	switch allowedType {
-	case serviceAccount:
+	switch credType {
+	case ServiceAccount:
 		cfg, err := google.JWTConfigFromJSON(data, ds.GetScopes()...)
 		if err != nil {
 			return nil, err
@@ -166,7 +215,7 @@ func tokenSourceFromBytes(ctx context.Context, data []byte, audience string, ds
 			return nil, err
 		}
 		return oauth2.ReuseTokenSource(tok, ts), nil
-	case impersonatedServiceAccount, externalAccount:
+	case ImpersonatedServiceAccount, ExternalAccount:
 		type url struct {
 			ServiceAccountImpersonationURL string `json:"service_account_impersonation_url"`
 		}
@@ -182,43 +231,13 @@ func tokenSourceFromBytes(ctx context.Context, data []byte, audience string, ds
 			TargetPrincipal: account,
 			IncludeEmail:    true,
 		}
-		ts, err := impersonate.IDTokenSource(ctx, config, option.WithCredentialsJSON(data))
+		ts, err := impersonate.IDTokenSource(ctx, config, option.WithAuthCredentialsJSON(credType, data))
 		if err != nil {
 			return nil, err
 		}
 		return ts, nil
 	default:
-		return nil, fmt.Errorf("idtoken: unsupported credentials type")
-	}
-}
-
-// getAllowedType returns the credentials type of type credentialsType, and an error.
-// allowed types are "service_account" and "impersonated_service_account"
-func getAllowedType(data []byte) (credentialsType, error) {
-	var t credentialsType
-	if len(data) == 0 {
-		return t, fmt.Errorf("idtoken: credential provided is 0 bytes")
-	}
-	var f struct {
-		Type string `json:"type"`
-	}
-	if err := json.Unmarshal(data, &f); err != nil {
-		return t, err
-	}
-	t = parseCredType(f.Type)
-	return t, nil
-}
-
-func parseCredType(typeString string) credentialsType {
-	switch typeString {
-	case "service_account":
-		return serviceAccount
-	case "impersonated_service_account":
-		return impersonatedServiceAccount
-	case "external_account":
-		return externalAccount
-	default:
-		return unknownCredType
+		return nil, fmt.Errorf("idtoken: unsupported credentials type: %q", credType)
 	}
 }
 
@@ -236,17 +255,93 @@ func (w withCustomClaims) Apply(o *internal.DialSettings) {
 // WithCredentialsFile returns a ClientOption that authenticates
 // API calls with the given service account or refresh token JSON
 // credentials file.
+//
+// Deprecated:  This function is being deprecated because of a potential security risk.
+//
+// This function does not validate the credential configuration. The security
+// risk occurs when a credential configuration is accepted from a source that
+// is not under your control and used without validation on your side.
+//
+// If you know that you will be loading credential configurations of a
+// specific type, it is recommended to use a credential-type-specific
+// option function.
+// This will ensure that an unexpected credential type with potential for
+// malicious intent is not loaded unintentionally. You might still have to do
+// validation for certain credential types. Please follow the recommendation
+// for that function. For example, if you want to load only service accounts,
+// you can use [WithAuthCredentialsFile] with [ServiceAccount]:
+//
+//	option.WithAuthCredentialsFile(option.ServiceAccount, "/path/to/file.json")
+//
+// If you are loading your credential configuration from an untrusted source and have
+// not mitigated the risks (e.g. by validating the configuration yourself), make
+// these changes as soon as possible to prevent security risks to your environment.
+//
+// Regardless of the function used, it is always your responsibility to validate
+// configurations received from external sources.
 func WithCredentialsFile(filename string) ClientOption {
 	return option.WithCredentialsFile(filename)
 }
 
+// WithAuthCredentialsFile returns a ClientOption that authenticates API calls
+// with the given JSON credentials file and credential type.
+//
+// Important: If you accept a credential configuration (credential
+// JSON/File/Stream) from an external source for authentication to Google
+// Cloud Platform, you must validate it before providing it to any Google
+// API or library. Providing an unvalidated credential configuration to
+// Google APIs can compromise the security of your systems and data. For
+// more information, refer to [Validate credential configurations from
+// external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
+func WithAuthCredentialsFile(credType CredentialsType, filename string) ClientOption {
+	return option.WithAuthCredentialsFile(credType, filename)
+}
+
 // WithCredentialsJSON returns a ClientOption that authenticates
 // API calls with the given service account or refresh token JSON
 // credentials.
+//
+// Deprecated:  This function is being deprecated because of a potential security risk.
+//
+// This function does not validate the credential configuration. The security
+// risk occurs when a credential configuration is accepted from a source that
+// is not under your control and used without validation on your side.
+//
+// If you know that you will be loading credential configurations of a
+// specific type, it is recommended to use a credential-type-specific
+// option function.
+// This will ensure that an unexpected credential type with potential for
+// malicious intent is not loaded unintentionally. You might still have to do
+// validation for certain credential types. Please follow the recommendation
+// for that function. For example, if you want to load only service accounts,
+// you can use [WithAuthCredentialsJSON] with [ServiceAccount]:
+//
+//	option.WithAuthCredentialsJSON(option.ServiceAccount, json)
+//
+// If you are loading your credential configuration from an untrusted source and have
+// not mitigated the risks (e.g. by validating the configuration yourself), make
+// these changes as soon as possible to prevent security risks to your environment.
+//
+// Regardless of the function used, it is always your responsibility to validate
+// configurations received from external sources.
 func WithCredentialsJSON(p []byte) ClientOption {
 	return option.WithCredentialsJSON(p)
 }
 
+// WithAuthCredentialsJSON returns a ClientOption that authenticates API calls
+// with the given JSON credentials and credential type.
+//
+// Important: If you accept a credential configuration (credential
+// JSON/File/Stream) from an external source for authentication to Google
+// Cloud Platform, you must validate it before providing it to any Google
+// API or library. Providing an unvalidated credential configuration to
+// Google APIs can compromise the security of your systems and data. For
+// more information, refer to [Validate credential configurations from
+// external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
+func WithAuthCredentialsJSON(credType CredentialsType, json []byte) ClientOption {
+	return option.WithAuthCredentialsJSON(credType, json)
+}
+
 // WithHTTPClient returns a ClientOption that specifies the HTTP client to use
 // as the basis of communications. This option may only be used with services
 // that support HTTP as their communication transport. When used, the
 
@@ -0,0 +1,96 @@
+// Copyright 2025 Google LLC.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package idtoken
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"google.golang.org/api/internal/credentialstype"
+	"google.golang.org/api/option"
+)
+
+const (
+	serviceAccountJSON = `{
+		"type": "service_account",
+		"project_id": "my-project"
+	}`
+)
+
+func TestNewTokenSource_Validation(t *testing.T) {
+	tempDir := t.TempDir()
+	saFile := filepath.Join(tempDir, "sa.json")
+	if err := os.WriteFile(saFile, []byte(serviceAccountJSON), 0644); err != nil {
+		t.Fatalf("os.WriteFile: %v", err)
+	}
+
+	ctx := context.Background()
+	aud := "test-audience"
+
+	userCreds := []byte(`{"type": "authorized_user"}`)
+	externalCreds := []byte(`{"type": "external_account"}`)
+
+	testCases := []struct {
+		name           string
+		opts           option.ClientOption
+		wantErr        bool
+		errContains    string
+		errNotContains string
+	}{
+		{
+			name:        "FileMismatch",
+			opts:        option.WithAuthCredentialsFile(ExternalAccount, saFile),
+			wantErr:     true,
+			errContains: "credential type mismatch",
+		},
+		{
+			name:        "JSONMismatch",
+			opts:        option.WithAuthCredentialsJSON(ExternalAccount, []byte(serviceAccountJSON)),
+			wantErr:     true,
+			errContains: "credential type mismatch",
+		},
+		{
+			name:           "FileCorrect",
+			opts:           option.WithAuthCredentialsFile(ServiceAccount, saFile),
+			wantErr:        true, // Fails later, but not with a validation error
+			errNotContains: "credential type mismatch",
+		},
+		{
+			name:        "NotAllowed",
+			opts:        option.WithAuthCredentialsJSON(credentialstype.AuthorizedUser, userCreds),
+			wantErr:     true,
+			errContains: "credential type not allowed",
+		},
+		{
+			name:           "Allowed",
+			opts:           option.WithAuthCredentialsJSON(credentialstype.ExternalAccount, externalCreds),
+			wantErr:        true, // Fails later, but not with a validation error
+			errNotContains: "credential type not allowed",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			_, err := NewTokenSource(ctx, aud, tc.opts)
+
+			if tc.wantErr {
+				if err == nil {
+					t.Fatal("got nil, want error")
+				}
+				if tc.errContains != "" && !strings.Contains(err.Error(), tc.errContains) {
+					t.Errorf("got %q, want error containing %q", err, tc.errContains)
+				}
+				if tc.errNotContains != "" && strings.Contains(err.Error(), tc.errNotContains) {
+					t.Errorf("got %q, want error NOT containing %q", err, tc.errNotContains)
+				}
+			} else if err != nil {
+				t.Fatalf("got %v, want nil error", err)
+			}
+		})
+	}
+}