From ee52147376137a64c4b98ed9a1c5f2f3cf47a23e Mon Sep 17 00:00:00 2001
From: Min Zhu
Date: Fri, 17 Jan 2025 10:16:19 -0500
Subject: [PATCH] fix: Add warnings to users about using credentials from external sources
---
 .../googleapis/auth/oauth2/GoogleCredential.java | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java b/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java
index 632b495e6..590a422e2 100644
--- a/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java
+++ b/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java
@@ -199,6 +199,13 @@ public static GoogleCredential getApplicationDefault(
 * {@link Beta}
 * Return a credential defined by a Json file.
 *
+ * Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+ * external source for authentication to Google Cloud Platform, you must validate it before
+ * providing it to any Google API or library. Providing an unvalidated credential configuration to
+ * Google APIs can compromise the security of your systems and data. For more information, refer
+ * to {@link documentation}.
+ *
 * @param credentialStream the stream with the credential definition.
 * @return the credential defined by the credentialStream.
 * @throws IOException if the credential cannot be created from the stream.
@@ -212,6 +219,13 @@ public static GoogleCredential fromStream(InputStream credentialStream) throws I
 * {@link Beta}
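Review bot: As it appears on the last added text line of this Javadoc paragraph, `{@link documentation}` has no resolvable target, and `{@link}` is meant for program elements rather than web pages, so the generated docs may show a broken or plain-text reference exactly where the reader is sent for the validation guidance. If the anchor markup was only lost in this rendering, the tag misuse still stands; a plain HTML anchor is the safer form, e.g. `refer to <a href="DOCUMENTATION_URL">documentation</a>.` with the real URL in place of the placeholder. The same line is repeated in the second hunk (the Javadoc that lists `@param transport` and `@param jsonFactory`) and would take the same change. Both Javadoc blocks start and end outside their hunks.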
 * Return a credential defined by a Json file.
 *
+ * Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+ * external source for authentication to Google Cloud Platform, you must validate it before
+ * providing it to any Google API or library. Providing an unvalidated credential configuration to
+ * Google APIs can compromise the security of your systems and data. For more information, refer
+ * to {@link documentation}.
+ *
 * @param credentialStream the stream with the credential definition.
 * @param transport the transport for Http calls.
 * @param jsonFactory the factory for Json parsing and formatting.
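Review bot: The added warning says callers "must validate" an externally supplied credential configuration, but it does not say whether this method checks anything itself, so the division of responsibility is left entirely to the linked page. If the method parses the stream without inspecting its contents (the method body is outside this hunk, so this is an assumption to confirm), one explicit sentence would remove the ambiguity, e.g. `This method does not validate the credential configuration; the caller is responsible for doing so.` The identical paragraph in the first hunk would take the same sentence.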