fix(sec): warn users of unsafe credential generation methods (#2604)

diegomarquezp · web-flow · commit d4c0a33ecfd2 · 2025-09-24T10:39:36.000-04:00
* fix(sec): warn users of unsafe credential generation methods

* chore: repeat class level deprecation message

* docs: match deprecated message with guidance

* chore: remove unnecessary comment section

* chore: suggest new credentials class with link
diff --git a/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java b/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java
@@ -197,42 +197,64 @@ public static GoogleCredential getApplicationDefault(
 
   /**
    * {@link Beta} <br>
-   * Return a credential defined by a Json file.
    *
-   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
-   * external source for authentication to Google Cloud Platform, you must validate it before
-   * providing it to any Google API or library. Providing an unvalidated credential configuration to
-   * Google APIs can compromise the security of your systems and data. For more information, refer
-   * to {@link <a
-   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   * <p>Important: This method does not validate the credential configuration. A security risk holds
+   * when a credential configuration is accepted from a source that is not under your control and
+   * used without validation on your side.
+   *
+   * <p>If you are loading your credential configuration from an untrusted source and have not
+   * mitigated the risks (e.g. by validating the configuration yourself), make these changes as soon
+   * as possible to prevent security risks to your environment.
+   *
+   * <p>Regardless of the method used, it is always your responsibility to validate configurations
+   * received from external sources.
+   *
+   * <p>See the {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}
+   * for more details.
+   *
+   * <p>Returns a credential defined by a Json file.
    *
    * @param credentialStream the stream with the credential definition.
    * @return the credential defined by the credentialStream.
    * @throws IOException if the credential cannot be created from the stream.
+   * @deprecated This method is being deprecated because of a potential security risk.
+   *    Please use {@link <a href="https://javadoc.io/doc/com.google.auth/google-auth-library-oauth2-http/latest/com/google/auth/oauth2/GoogleCredentials.html">GoogleCredentials</a> instead.
    */
   @Beta
+  @Deprecated
   public static GoogleCredential fromStream(InputStream credentialStream) throws IOException {
     return fromStream(credentialStream, Utils.getDefaultTransport(), Utils.getDefaultJsonFactory());
   }
 
   /**
    * {@link Beta} <br>
-   * Return a credential defined by a Json file.
    *
-   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
-   * external source for authentication to Google Cloud Platform, you must validate it before
-   * providing it to any Google API or library. Providing an unvalidated credential configuration to
-   * Google APIs can compromise the security of your systems and data. For more information, refer
-   * to {@link <a
-   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   * <p>Important: This method does not validate the credential configuration. A security risk holds
+   * when a credential configuration is accepted from a source that is not under your control and
+   * used without validation on your side.
+   *
+   * <p>If you are loading your credential configuration from an untrusted source and have not
+   * mitigated the risks (e.g. by validating the configuration yourself), make these changes as soon
+   * as possible to prevent security risks to your environment.
+   *
+   * <p>Regardless of the method used, it is always your responsibility to validate configurations
+   * received from external sources.
+   *
+   * <p>See the {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}
+   * for more details.
+   *
+   * <p>Returns a credential defined by a Json file.
    *
    * @param credentialStream the stream with the credential definition.
-   * @param transport the transport for Http calls.
-   * @param jsonFactory the factory for Json parsing and formatting.
    * @return the credential defined by the credentialStream.
    * @throws IOException if the credential cannot be created from the stream.
+   * @deprecated This method is being deprecated because of a potential security risk.
+   *    Please use {@link <a href="https://javadoc.io/doc/com.google.auth/google-auth-library-oauth2-http/latest/com/google/auth/oauth2/GoogleCredentials.html">GoogleCredentials</a> instead.
    */
   @Beta
+  @Deprecated
   public static GoogleCredential fromStream(
       InputStream credentialStream, HttpTransport transport, JsonFactory jsonFactory)
       throws IOException {
