From 3bd604d2c29e5d00de9282922a8d542afebb3307 Mon Sep 17 00:00:00 2001
From: SitaLakshmi <sita1996@gmail.com>
Date: Mon, 6 Jun 2022 19:58:29 +0530
Subject: [PATCH 01/16] docs(samples): added client code for idtoken, adc and
 metadata server

---
 ...ApplicationDefaultCredentialsImplicit.java |  54 +++++++
 .../IdTokenFromImpersonatedCredentials.java   | 138 +++++++++++++++++
 ...dTokenFromImpersonatedCredentialsREST.java | 146 ++++++++++++++++++
 .../main/java/IdTokenFromMetadataServer.java  | 110 +++++++++++++
 .../main/java/IdTokenFromServiceAccount.java  | 128 +++++++++++++++
 .../java/IdTokenFromServiceAccountREST.java   | 112 ++++++++++++++
 .../src/main/java/VerifyNonGoogleIdToken.java | 113 ++++++++++++++
 7 files changed, 801 insertions(+)
 create mode 100644 samples/snippets/src/main/java/ApplicationDefaultCredentialsImplicit.java
 create mode 100644 samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
 create mode 100644 samples/snippets/src/main/java/IdTokenFromImpersonatedCredentialsREST.java
 create mode 100644 samples/snippets/src/main/java/IdTokenFromMetadataServer.java
 create mode 100644 samples/snippets/src/main/java/IdTokenFromServiceAccount.java
 create mode 100644 samples/snippets/src/main/java/IdTokenFromServiceAccountREST.java
 create mode 100644 samples/snippets/src/main/java/VerifyNonGoogleIdToken.java

diff --git a/samples/snippets/src/main/java/ApplicationDefaultCredentialsImplicit.java b/samples/snippets/src/main/java/ApplicationDefaultCredentialsImplicit.java
new file mode 100644
index 000000000..3f411d3dc
--- /dev/null
+++ b/samples/snippets/src/main/java/ApplicationDefaultCredentialsImplicit.java
@@ -0,0 +1,54 @@
+import com.google.cloud.compute.v1.Instance;
+import com.google.cloud.compute.v1.InstancesClient;
+import java.io.IOException;
+
+public class ApplicationDefaultCredentialsImplicit {
+
+  public static void main(String[] args) throws IOException {
+    // TODO(Developer):
+    //  1. Set the following environment variable before running the code.
+    //  APPLICATION_DEFAULT_CREDENTIALS="path-to-the-service-account-json-credential-file"
+    //  2. Replace the below variable.
+    //  3. Make sure you have the necessary permission "compute.instances.list"
+    String projectId = "your-google-cloud-project-id";
+    authenticateImplicitWithAdc(projectId);
+  }
+
+  // ADC - Application Default Credentials
+  // When interacting with Google Cloud Client libraries, the library can auto-detect the
+  // credentials to use, if the "APPLICATION_DEFAULT_CREDENTIALS" is set.
+  // This APPLICATION_DEFAULT_CREDENTIALS is an environment variable/ configuration.
+  // This configuration can be made available to the code in various ways depending upon where the
+  // code is executed.
+  // Examples:
+  // 1. If running your code in local development environment, just set the following environment
+  // variable:
+  //      APPLICATION_DEFAULT_CREDENTIALS="path-to-the-service-account-json-file"  OR
+  // You can also set the ADC with gcloud if you have the gcloud installed:
+  //      gcloud auth application-default login
+  //
+  // 2. When you use a Google Cloud cloud-based development environment such as Cloud Shell or
+  // Cloud Code, the tool uses the credentials you provided when you logged in,
+  // and manages any authorizations required.
+  //
+  // For more environments, see: https://cloud.devsite.corp.google.com/docs/authentication/provide-credentials-adc
+  //
+  // ADC detection is independent of the client library and language and works with all Cloud Client
+  // libraries.
+  public static void authenticateImplicitWithAdc(String project) throws IOException {
+
+    String zone = "us-central1-a";
+    // This snippet demonstrates how to initialize Cloud Compute Engine and list instances.
+    // Note that the credentials are not specified when constructing the client.
+    // Hence, the client library will look for credentials via the
+    // environment variable GOOGLE_APPLICATION_CREDENTIALS.
+    try (InstancesClient instancesClient = InstancesClient.create()) {
+      // Set the project and zone to retrieve instances present in the zone.
+      System.out.printf("Listing instances from %s in %s:", project, zone);
+      for (Instance zoneInstance : instancesClient.list(project, zone).iterateAll()) {
+        System.out.println(zoneInstance.getName());
+      }
+      System.out.println("####### Listing instances complete #######");
+    }
+  }
+}
diff --git a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
new file mode 100644
index 000000000..7dedf37c0
--- /dev/null
+++ b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
@@ -0,0 +1,138 @@
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
+import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
+import com.google.api.client.json.gson.GsonFactory;
+import com.google.api.services.iamcredentials.v1.IAMCredentials;
+import com.google.api.services.iamcredentials.v1.IAMCredentials.Projects.ServiceAccounts.GenerateIdToken;
+import com.google.api.services.iamcredentials.v1.model.GenerateIdTokenRequest;
+import com.google.auth.http.HttpCredentialsAdapter;
+import com.google.auth.oauth2.GoogleCredentials;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+public class IdTokenFromImpersonatedCredentials {
+
+  public static void main(String[] args)
+      throws IOException, GeneralSecurityException {
+    // TODO(Developer): Replace the below variables before running the code.
+
+    // Your Google Cloud project id.
+    String projectId = "your-google-cloud-project-id";
+
+    // Path to the service account json credential file.
+    String jsonCredentialPath = "path-to-json-credential-file";
+
+    // Provide the scopes that you might need to request to access Google APIs,
+    // depending on the level of access you need.
+    // Example: The following scope lets you view and manage Pub/Sub topics and subscriptions.
+    // For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes
+    String scope = "https://www.googleapis.com/auth/pubsub";
+
+    // The service name for which the id token is requested. Service name refers to the
+    // logical identifier of an API service, such as "pubsub.googleapis.com".
+    String targetAudience = "pubsub.googleapis.com";
+
+    // The service account name of the limited-privilege account for whom the credential is created.
+    String impersonatedServiceAccount =
+        "name@project.service.gserviceaccount.com";
+
+    getIdTokenFromImpersonatedCredentials(projectId, jsonCredentialPath, impersonatedServiceAccount,
+        scope, targetAudience);
+  }
+
+  public static void getIdTokenFromImpersonatedCredentials(String projectId,
+      String jsonCredentialPath, String impersonatedServiceAccount, String scope,
+      String targetAudience)
+      throws GeneralSecurityException, IOException {
+
+    // Initialize the IAMCredentials service with the source credential and scope.
+    IAMCredentials service = null;
+    try {
+      service = initService(jsonCredentialPath, scope);
+    } catch (IOException | GeneralSecurityException e) {
+      System.out.println("Unable to initialize service: \n" + e);
+      return;
+    }
+
+    // delegates: The chained list of delegates required to grant the final accessToken.
+    //
+    // If set, the sequence of identities must have "Service Account Token Creator" capability
+    // granted to the preceding identity.
+    // For example, if set to [serviceAccountB, serviceAccountC], the source credential must have
+    // the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator on
+    // serviceAccountC. Finally, C must have Token Creator on impersonatedServiceAccount.
+    //
+    // If left unset, source credential must have that role on impersonatedServiceAccount.
+    List<String> delegates = null;
+
+    // Set the target audience and Token options.
+    GenerateIdTokenRequest idTokenRequest = new GenerateIdTokenRequest()
+        .setAudience(targetAudience)
+        .setDelegates(delegates)
+        // Setting this will include email in the id token.
+        .setIncludeEmail(Boolean.TRUE);
+
+    // Generate the id token for the impersonated service account, using the generateIdToken()
+    // from IAMCredentials class.
+    GenerateIdToken idToken = service
+        .projects()
+        .serviceAccounts()
+        .generateIdToken(
+            String.format("projects/%s/serviceAccounts/%s", projectId, impersonatedServiceAccount),
+            idTokenRequest);
+
+    // Verify the obtained id token. This is done at the receiving end of the OIDC endpoint.
+    boolean isVerified = verifyGoogleIdToken(idToken.getAccessToken(), targetAudience);
+    if (isVerified) {
+      System.out.println("Id token verified.");
+      return;
+    }
+    System.out.println("Unable to verify id token.");
+  }
+
+  private static IAMCredentials initService(String jsonCredentialPath, String scope)
+      throws GeneralSecurityException, IOException {
+    GoogleCredentials credential =
+        GoogleCredentials.fromStream(new FileInputStream(jsonCredentialPath))
+            .createScoped(Arrays.asList(scope));
+
+    // Initialize the IAMCredentials service.
+    return new IAMCredentials.Builder(
+        GoogleNetHttpTransport.newTrustedTransport(),
+        GsonFactory.getDefaultInstance(),
+        new HttpCredentialsAdapter(credential))
+        .setApplicationName("service-accounts")
+        .build();
+  }
+
+  // Verifies the obtained Google id token.
+  public static boolean verifyGoogleIdToken(String idTokenString, String audience)
+      throws GeneralSecurityException, IOException {
+    // Initialize the Google id token verifier and set the audience.
+    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
+        GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance())
+        .setAudience(Collections.singletonList(audience))
+        .build();
+
+    // Verify the id token.
+    GoogleIdToken idToken = verifier.verify(idTokenString);
+    if (idToken != null) {
+      Payload payload = idToken.getPayload();
+      // Get the user id.
+      String userId = payload.getSubject();
+      System.out.println("User ID: " + userId);
+
+      // Optionally, if "INCLUDE_EMAIL" was set in the "IdTokenProvider.Option", check if the
+      // email was verified.
+      boolean emailVerified = payload.getEmailVerified();
+      System.out.printf("Email verified: %s", emailVerified);
+      return true;
+    }
+    return false;
+  }
+}
diff --git a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentialsREST.java b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentialsREST.java
new file mode 100644
index 000000000..8f3ef3a09
--- /dev/null
+++ b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentialsREST.java
@@ -0,0 +1,146 @@
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
+import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
+import com.google.api.client.http.GenericUrl;
+import com.google.api.client.http.HttpRequest;
+import com.google.api.client.http.HttpResponse;
+import com.google.api.client.http.HttpTransport;
+import com.google.api.client.http.javanet.NetHttpTransport;
+import com.google.api.client.json.gson.GsonFactory;
+import com.google.auth.http.HttpCredentialsAdapter;
+import com.google.auth.oauth2.IdTokenCredentials;
+import com.google.auth.oauth2.IdTokenProvider.Option;
+import com.google.auth.oauth2.ImpersonatedCredentials;
+import com.google.auth.oauth2.ServiceAccountCredentials;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+public class IdTokenFromImpersonatedCredentialsREST {
+
+  public static void main(String[] args)
+      throws IOException, GeneralSecurityException {
+    // TODO(Developer): Replace the below variables before running the code.
+    // Path to the service account json credential file.
+    String jsonCredentialPath = "path-to-json-credential-file";
+
+    // Provide the scopes that you might need to request to access Google APIs,
+    // depending on the level of access you need.
+    // Example: The following scope lets you view and manage Pub/Sub topics and subscriptions.
+    // For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes
+    String scope = "https://www.googleapis.com/auth/pubsub";
+
+    // The service name for which the id token is requested. Service name refers to the
+    // logical identifier of an API service, such as "pubsub.googleapis.com".
+    String targetAudience = "pubsub.googleapis.com";
+
+    // The service account name of the limited-privilege account for whom the credential is created.
+    String impersonatedServiceAccount =
+        "name@project.service.gserviceaccount.com";
+
+    getIdTokenFromImpersonatedCredentials(jsonCredentialPath, impersonatedServiceAccount, scope,
+        targetAudience);
+  }
+
+  // Use a service account (SA1) to impersonate as another service account (SA2) and obtain id token
+  // for the impersonated account.
+  // To obtain token for SA2, SA1 should have the "roles/iam.serviceAccountTokenCreator" permission
+  // on SA2.
+  public static void getIdTokenFromImpersonatedCredentials(String jsonCredentialPath,
+      String impersonatedServiceAccount, String scope,
+      String targetAudience) throws IOException, GeneralSecurityException {
+    // Initialize the Service Account Credentials class with the path to the json file.
+    // The caller who issues a request for the short-lived credentials.
+    ServiceAccountCredentials serviceAccountCredentials = ServiceAccountCredentials.fromStream(
+        new FileInputStream(jsonCredentialPath));
+    // Restrict the scope of the service account.
+    serviceAccountCredentials = (ServiceAccountCredentials) serviceAccountCredentials.createScoped(
+        Arrays.asList("https://www.googleapis.com/auth/cloud-platform"));
+
+    // delegates: The chained list of delegates required to grant the final accessToken.
+    //
+    // If set, the sequence of identities must have "Service Account Token Creator" capability
+    // granted to the preceding identity.
+    // For example, if set to [serviceAccountB, serviceAccountC], the source credential must have
+    // the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator on
+    // serviceAccountC. Finally, C must have Token Creator on impersonatedServiceAccount.
+    //
+    // If left unset, source credential must have that role on impersonatedServiceAccount.
+    List<String> delegates = null;
+
+    // Create the impersonated credential.
+    ImpersonatedCredentials impersonatedCredentials = ImpersonatedCredentials.create(
+        serviceAccountCredentials,
+        impersonatedServiceAccount,
+        delegates,
+        Arrays.asList(scope),
+        300);
+
+    // Set the impersonated credential, target audience and token options.
+    IdTokenCredentials idTokenCredentials = IdTokenCredentials.newBuilder()
+        .setIdTokenProvider(impersonatedCredentials)
+        .setTargetAudience(targetAudience)
+        // Setting this will include email in the id token.
+        .setOptions(Arrays.asList(Option.INCLUDE_EMAIL))
+        .build();
+
+    // Make a http request with the idTokenCredentials to obtain the access token.
+    // stsEndpoint: The Security Token Service exchanges Google or third-party credentials for a
+    // short-lived access token to Google Cloud resources.
+    // https://cloud.google.com/iam/docs/reference/sts/rest
+    String stsEndpoint = "https://sts.googleapis.com/v1/token";
+    makeAuthenticatedRequest(idTokenCredentials, stsEndpoint);
+
+    // Verify the obtained id token. This is done at the receiving end of the OIDC endpoint.
+    boolean isVerified = verifyGoogleIdToken(idTokenCredentials.getAccessToken().getTokenValue(),
+        targetAudience);
+    if (isVerified) {
+      System.out.println("Id token verified.");
+      return;
+    }
+    System.out.println("Unable to verify id token.");
+  }
+
+  // Makes a simple http get call.
+  public static void makeAuthenticatedRequest(IdTokenCredentials idTokenCredentials, String url)
+      throws IOException {
+    GenericUrl genericUrl = new GenericUrl(url);
+    HttpCredentialsAdapter adapter = new HttpCredentialsAdapter(idTokenCredentials);
+    HttpTransport transport = new NetHttpTransport();
+    HttpRequest request = transport.createRequestFactory(adapter).buildGetRequest(genericUrl);
+    request.setThrowExceptionOnExecuteError(false);
+    HttpResponse response = request.execute();
+    System.out.println(response.parseAsString());
+  }
+
+  // Verifies the obtained Google id token.
+  public static boolean verifyGoogleIdToken(String idTokenString, String audience)
+      throws GeneralSecurityException, IOException {
+    // Initialize the Google id token verifier and set the audience.
+    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
+        GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance())
+        .setAudience(Collections.singletonList(audience))
+        .build();
+
+    // Verify the id token.
+    GoogleIdToken idToken = verifier.verify(idTokenString);
+    if (idToken != null) {
+      Payload payload = idToken.getPayload();
+      // Get the user id.
+      String userId = payload.getSubject();
+      System.out.println("User ID: " + userId);
+
+      // Optionally, if "INCLUDE_EMAIL" was set in the "IdTokenProvider.Option", check if the
+      // email was verified.
+      boolean emailVerified = payload.getEmailVerified();
+      System.out.printf("Email verified: %s", emailVerified);
+      return true;
+    }
+    return false;
+  }
+
+}
diff --git a/samples/snippets/src/main/java/IdTokenFromMetadataServer.java b/samples/snippets/src/main/java/IdTokenFromMetadataServer.java
new file mode 100644
index 000000000..3b293c07c
--- /dev/null
+++ b/samples/snippets/src/main/java/IdTokenFromMetadataServer.java
@@ -0,0 +1,110 @@
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
+import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
+import com.google.api.client.http.GenericUrl;
+import com.google.api.client.http.HttpRequest;
+import com.google.api.client.http.HttpResponse;
+import com.google.api.client.http.HttpTransport;
+import com.google.api.client.http.javanet.NetHttpTransport;
+import com.google.api.client.json.gson.GsonFactory;
+import com.google.auth.http.HttpCredentialsAdapter;
+import com.google.auth.oauth2.ComputeEngineCredentials;
+import com.google.auth.oauth2.IdTokenCredentials;
+import com.google.auth.oauth2.IdTokenProvider.Option;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.util.Arrays;
+import java.util.Collections;
+
+public class IdTokenFromMetadataServer {
+
+  public static void main(String[] args)
+      throws IOException, GeneralSecurityException {
+    // TODO(Developer): Replace the below variables before running the code.
+
+    // The service name for which the id token is requested. Service name refers to the
+    // logical identifier of an API service, such as "pubsub.googleapis.com".
+    String targetAudience = "pubsub.googleapis.com";
+
+    getIdTokenFromMetadataServer(targetAudience);
+  }
+
+  // Every VM stores its metadata on a metadata server. You can query for default VM metadata,
+  // such as the VM's host name, instance ID, and service account information programmatically
+  // from within a VM.
+  // Here, we query the service account information from the Metadata server exposed by the
+  // ComputeEngine and use that information to obtain an id token.
+  // Appengine 2nd Generation, Cloud Run or even Kubernetes engine's also expose a
+  // metadata server.
+  // For AppEngine, see: https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata#identifying_which_metadata_endpoint_to_use
+  // For CloudRun container instance, see: https://cloud.google.com/run/docs/container-contract#metadata-server
+  public static void getIdTokenFromMetadataServer(String targetAudience)
+      throws GeneralSecurityException, IOException {
+
+    // Optionally, you can also set scopes in computeEngineCredentials.
+    ComputeEngineCredentials computeEngineCredentials = ComputeEngineCredentials.create();
+
+    IdTokenCredentials idTokenCredentials = IdTokenCredentials.newBuilder()
+        .setIdTokenProvider(computeEngineCredentials)
+        .setTargetAudience(targetAudience)
+        // Setting the id token options.
+        .setOptions(Arrays.asList(Option.FORMAT_FULL, Option.LICENSES_TRUE))
+        .build();
+
+    // Make a http request with the idTokenCredentials to obtain the access token.
+    // stsEndpoint: The Security Token Service exchanges Google or third-party credentials for a
+    // short-lived access token to Google Cloud resources.
+    // https://cloud.google.com/iam/docs/reference/sts/rest
+    String stsEndpoint = "https://sts.googleapis.com/v1/token";
+    makeAuthenticatedRequest(idTokenCredentials, stsEndpoint);
+
+    // Verify the obtained id token. This is done at the receiving end of the OIDC endpoint.
+    boolean isVerified = verifyGoogleIdToken(idTokenCredentials.getAccessToken().getTokenValue(),
+        targetAudience);
+    if (isVerified) {
+      System.out.println("Id token verified.");
+      return;
+    }
+    System.out.println("Unable to verify id token.");
+  }
+
+  // Makes a simple http get call.
+  public static void makeAuthenticatedRequest(IdTokenCredentials idTokenCredentials, String url)
+      throws IOException {
+    GenericUrl genericUrl = new GenericUrl(url);
+    HttpCredentialsAdapter adapter = new HttpCredentialsAdapter(idTokenCredentials);
+    HttpTransport transport = new NetHttpTransport();
+    HttpRequest request = transport.createRequestFactory(adapter).buildGetRequest(genericUrl);
+    request.setThrowExceptionOnExecuteError(false);
+    HttpResponse response = request.execute();
+    System.out.println(response.parseAsString());
+  }
+
+  // Verifies the obtained Google id token.
+  public static boolean verifyGoogleIdToken(String idTokenString, String audience)
+      throws GeneralSecurityException, IOException {
+    // Initialize the Google id token verifier and set the audience.
+    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
+        GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance())
+        .setAudience(Collections.singletonList(audience))
+        .build();
+
+    // Verify the id token.
+    GoogleIdToken idToken = verifier.verify(idTokenString);
+    if (idToken != null) {
+      Payload payload = idToken.getPayload();
+      // Get the user id.
+      String userId = payload.getSubject();
+      System.out.println("User ID: " + userId);
+
+      // Optionally, if "INCLUDE_EMAIL" was set in the "IdTokenProvider.Option", check if the
+      // email was verified.
+      boolean emailVerified = payload.getEmailVerified();
+      System.out.printf("Email verified: %s", emailVerified);
+      return true;
+    }
+    return false;
+  }
+
+}
diff --git a/samples/snippets/src/main/java/IdTokenFromServiceAccount.java b/samples/snippets/src/main/java/IdTokenFromServiceAccount.java
new file mode 100644
index 000000000..9a2726a38
--- /dev/null
+++ b/samples/snippets/src/main/java/IdTokenFromServiceAccount.java
@@ -0,0 +1,128 @@
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
+import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
+import com.google.api.client.json.gson.GsonFactory;
+import com.google.auth.oauth2.IdToken;
+import com.google.auth.oauth2.IdTokenProvider.Option;
+import com.google.auth.oauth2.ServiceAccountCredentials;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+import java.util.concurrent.ExecutionException;
+
+public class IdTokenFromServiceAccount {
+
+  public static void main(String[] args)
+      throws IOException, ExecutionException, InterruptedException, GeneralSecurityException {
+    // TODO(Developer): Replace the below variables before running the code.
+    // Path to the service account json credential file.
+    String jsonCredentialPath = "path-to-json-credential-file";
+
+    // Provide the scopes that you might need to request to access Google APIs,
+    // depending on the level of access you need.
+    // Example: The following scope lets you view and manage Pub/Sub topics and subscriptions.
+    // For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes
+    String scope = "https://www.googleapis.com/auth/pubsub";
+
+    // The service name for which the id token is requested. Service name refers to the
+    // logical identifier of an API service, such as "pubsub.googleapis.com".
+    String targetAudience = "pubsub.googleapis.com";
+
+    getIdTokenFromServiceAccount(jsonCredentialPath, scope, targetAudience);
+  }
+
+  public static void getIdTokenFromServiceAccount(String jsonCredentialPath, String scope,
+      String targetAudience)
+      throws IOException, GeneralSecurityException {
+
+    // Initialize the Service Account Credentials class with the path to the json file.
+    ServiceAccountCredentials serviceAccountCredentials = ServiceAccountCredentials.fromStream(
+        new FileInputStream(jsonCredentialPath));
+    // Restrict the scope of the service account.
+    serviceAccountCredentials = (ServiceAccountCredentials) serviceAccountCredentials.createScoped(
+        Arrays.asList(scope));
+
+    // Obtain the id token by providing the target audience.
+    // tokenOption: Enum of various credential-specific options to apply to the token. Applicable
+    // only for credentials obtained through Compute Engine or Impersonation.
+    List<Option> tokenOption = Arrays.asList();
+    IdToken idToken = serviceAccountCredentials.idTokenWithAudience(
+        targetAudience,
+        tokenOption);
+
+    // Verify the obtained id token. This is done at the receiving end of the OIDC endpoint.
+    boolean isVerified = verifyGoogleIdToken(idToken.getTokenValue(), targetAudience);
+    if (isVerified) {
+      System.out.println("Id token verified.");
+      return;
+    }
+    System.out.println("Unable to verify id token.");
+  }
+
+
+  // Verifies the obtained Google id token.
+  public static boolean verifyGoogleIdToken(String idTokenString, String audience)
+      throws GeneralSecurityException, IOException {
+    // Initialize the Google id token verifier and set the audience.
+    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
+        GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance())
+        .setAudience(Collections.singletonList(audience))
+        .build();
+
+    // Verify the id token.
+    GoogleIdToken idToken = verifier.verify(idTokenString);
+    if (idToken != null) {
+      Payload payload = idToken.getPayload();
+      // Get the user id.
+      String userId = payload.getSubject();
+      System.out.println("User ID: " + userId);
+
+      // Optionally, if "INCLUDE_EMAIL" was set in the "IdTokenProvider.Option", check if the
+      // email was verified.
+      // String email = payload.getEmail();
+      // boolean emailVerified = Boolean.valueOf(payload.getEmailVerified());
+      return true;
+    }
+    return false;
+  }
+
+}
+
+//
+// Iam service =
+//     new Iam.Builder(
+//         GoogleNetHttpTransport.newTrustedTransport(),
+//         GsonFactory.getDefaultInstance(),
+//         new HttpCredentialsAdapter(googleCredentials))
+//         .setApplicationName("service-accounts")
+//         .build();
+//
+// try {
+//   ServiceAccount serviceAccount = new ServiceAccount();
+//   serviceAccount.setDisplayName("serviceaccdummy");
+//   CreateServiceAccountRequest request = new CreateServiceAccountRequest();
+//   request.setAccountId("serviceAccountName");
+//   request.setServiceAccount(serviceAccount);
+//
+//   serviceAccount =
+//       service.projects().serviceAccounts().create("projects/" + projectId, request).execute();
+//
+//   System.out.println("Created service account: " + serviceAccount.getEmail());
+//
+//
+// GenerateIdToken iamCredentials = new IAMCredentials(
+//     GoogleNetHttpTransport.newTrustedTransport(),
+//     GsonFactory.getDefaultInstance(),
+//     new HttpCredentialsAdapter(googleCredentialsProvider)
+// ).projects().serviceAccounts().generateIdToken(String.format("projects/%s/serviceAccounts/%s", projectId, serviceAccount),
+//     new GenerateIdTokenRequest().setAudience("https://www.googleapis.com/auth/cloud-platform"));
+//
+// System.out.println(iamCredentials);
+//
+// } catch (IOException e) {
+//   System.out.println("Unable to create service account: \n" + e.toString());
+// }
diff --git a/samples/snippets/src/main/java/IdTokenFromServiceAccountREST.java b/samples/snippets/src/main/java/IdTokenFromServiceAccountREST.java
new file mode 100644
index 000000000..43de37796
--- /dev/null
+++ b/samples/snippets/src/main/java/IdTokenFromServiceAccountREST.java
@@ -0,0 +1,112 @@
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
+import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
+import com.google.api.client.http.GenericUrl;
+import com.google.api.client.http.HttpRequest;
+import com.google.api.client.http.HttpResponse;
+import com.google.api.client.http.HttpTransport;
+import com.google.api.client.http.javanet.NetHttpTransport;
+import com.google.api.client.json.gson.GsonFactory;
+import com.google.auth.http.HttpCredentialsAdapter;
+import com.google.auth.oauth2.IdTokenCredentials;
+import com.google.auth.oauth2.ServiceAccountCredentials;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.concurrent.ExecutionException;
+
+public class IdTokenFromServiceAccountREST {
+
+  public static void main(String[] args)
+      throws IOException, ExecutionException, InterruptedException, GeneralSecurityException {
+    // TODO(Developer): Replace the below variables before running the code.
+    // Path to the service account json credential file.
+    String jsonCredentialPath = "path-to-json-credential-file";
+
+    // Provide the scopes that you might need to request to access Google APIs,
+    // depending on the level of access you need.
+    // Example: The following scope lets you view and manage Pub/Sub topics and subscriptions.
+    // For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes
+    String scope = "https://www.googleapis.com/auth/pubsub";
+
+    // The service name for which the id token is requested. Service name refers to the
+    // logical identifier of an API service, such as "pubsub.googleapis.com".
+    String targetAudience = "pubsub.googleapis.com";
+
+    getIdTokenFromServiceAccountREST(jsonCredentialPath, scope, targetAudience);
+  }
+
+  public static void getIdTokenFromServiceAccountREST(String jsonCredentialPath, String scope,
+      String targetAudience)
+      throws IOException, ExecutionException, InterruptedException, GeneralSecurityException {
+    // Initialize the Service Account Credentials class with the path to the json file.
+    ServiceAccountCredentials serviceAccountCredentials = ServiceAccountCredentials.fromStream(
+        new FileInputStream(jsonCredentialPath));
+    // Restrict the scope of the service account.
+    serviceAccountCredentials = (ServiceAccountCredentials) serviceAccountCredentials.createScoped(
+        Arrays.asList(scope));
+
+    // Set the service account and target audience.
+    IdTokenCredentials idTokenCredentials = IdTokenCredentials.newBuilder()
+        .setIdTokenProvider(serviceAccountCredentials)
+        .setTargetAudience(targetAudience)
+        .build();
+
+    // Make a http request with the idTokenCredentials to obtain the access token.
+    // stsEndpoint: The Security Token Service exchanges Google or third-party credentials for a
+    // short-lived access token to Google Cloud resources.
+    // https://cloud.google.com/iam/docs/reference/sts/rest
+    String stsEndpoint = "https://sts.googleapis.com/v1/token";
+    makeAuthenticatedRequest(idTokenCredentials, stsEndpoint);
+
+    // Verify the obtained id token. This is done at the receiving end of the OIDC endpoint.
+    boolean isVerified = verifyGoogleIdToken(idTokenCredentials.getAccessToken().getTokenValue(),
+        targetAudience);
+    if (isVerified) {
+      System.out.println("Id token verified.");
+      return;
+    }
+    System.out.println("Unable to verify id token.");
+  }
+
+  // Makes a simple http get call.
+  public static void makeAuthenticatedRequest(IdTokenCredentials idTokenCredentials, String url)
+      throws IOException {
+    GenericUrl genericUrl = new GenericUrl(url);
+    HttpCredentialsAdapter adapter = new HttpCredentialsAdapter(idTokenCredentials);
+    HttpTransport transport = new NetHttpTransport();
+    HttpRequest request = transport.createRequestFactory(adapter).buildGetRequest(genericUrl);
+    request.setThrowExceptionOnExecuteError(false);
+    HttpResponse response = request.execute();
+    System.out.println(response.parseAsString());
+  }
+
+  // Verifies the obtained Google id token.
+  public static boolean verifyGoogleIdToken(String idTokenString, String audience)
+      throws GeneralSecurityException, IOException {
+    // Initialize the Google id token verifier and set the audience.
+    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
+        GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance())
+        .setAudience(Collections.singletonList(audience))
+        .build();
+
+    // Verify the id token.
+    GoogleIdToken idToken = verifier.verify(idTokenString);
+    if (idToken != null) {
+      Payload payload = idToken.getPayload();
+      // Get the user id.
+      String userId = payload.getSubject();
+      System.out.println("User ID: " + userId);
+
+      // Optionally, if "INCLUDE_EMAIL" was set in the "IdTokenProvider.Option", check if the
+      // email was verified.
+      // String email = payload.getEmail();
+      // boolean emailVerified = Boolean.valueOf(payload.getEmailVerified());
+      return true;
+    }
+    return false;
+  }
+}
diff --git a/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java b/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java
new file mode 100644
index 000000000..274ee803c
--- /dev/null
+++ b/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java
@@ -0,0 +1,113 @@
+import com.auth0.jwk.Jwk;
+import com.auth0.jwk.JwkException;
+import com.auth0.jwk.JwkProvider;
+import com.auth0.jwk.UrlJwkProvider;
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.google.auth.oauth2.IdToken;
+import com.google.auth.oauth2.IdTokenProvider.Option;
+import com.google.auth.oauth2.ServiceAccountCredentials;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.security.GeneralSecurityException;
+import java.security.interfaces.RSAPublicKey;
+import java.util.Arrays;
+import java.util.Calendar;
+import java.util.List;
+import java.util.concurrent.ExecutionException;
+
+public class VerifyNonGoogleIdToken {
+
+  public static void main(String[] args)
+      throws IOException, ExecutionException, InterruptedException, GeneralSecurityException, JwkException {
+    // TODO(Developer): Replace the below variables before running the code.
+    // Path to the service account json credential file.
+    String jsonCredentialPath = "path-to-json-credential-file";
+
+    // Provide the scopes that you might need to request to access Google APIs,
+    // depending on the level of access you need.
+    // Example: The following scope lets you view and manage Pub/Sub topics and subscriptions.
+    // For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes
+    String scope = "https://www.googleapis.com/auth/pubsub";
+
+    // The service name for which the id token is requested. Service name refers to the
+    // logical identifier of an API service, such as "pubsub.googleapis.com".
+    String targetAudience = "pubsub.googleapis.com";
+
+    getIdTokenFromServiceAccount(jsonCredentialPath, scope, targetAudience);
+  }
+
+  public static void getIdTokenFromServiceAccount(String jsonCredentialPath, String scope,
+      String targetAudience)
+      throws IOException, GeneralSecurityException, JwkException {
+
+    // Initialize the Service Account Credentials class with the path to the json file.
+    ServiceAccountCredentials serviceAccountCredentials = ServiceAccountCredentials.fromStream(
+        new FileInputStream(jsonCredentialPath));
+    // Restrict the scope of the service account.
+    serviceAccountCredentials = (ServiceAccountCredentials) serviceAccountCredentials.createScoped(
+        Arrays.asList(scope));
+
+    // Obtain the id token by providing the target audience.
+    // tokenOption: Enum of various credential-specific options to apply to the token. Applicable
+    // only for credentials obtained through Compute Engine or Impersonation.
+    List<Option> tokenOption = Arrays.asList();
+    IdToken idToken = serviceAccountCredentials.idTokenWithAudience(
+        targetAudience,
+        tokenOption);
+
+    // Verify the obtained id token. This is done at the receiving end of the OIDC endpoint.
+    //
+    // To verify non-google tokens, get the Json Web Key endpoint (jwk).
+    // OpenID Connect allows the use of a "Discovery document," a JSON document found at a
+    // well-known location containing key-value pairs which provide details about the
+    // OpenID Connect provider's configuration.
+    // For more information on validating the jwt, see: https://developers.google.com/identity/protocols/oauth2/openid-connect#validatinganidtoken
+    //
+    // Here, we validate Google's token using Google's OpenID Connect service (jwkUrl).
+    // For more information on jwk,see: https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets
+    String jwkUrl = "https://www.googleapis.com/oauth2/v3/certs";
+    boolean isVerified = verifyNonGoogleIdToken(idToken.getTokenValue(), targetAudience, jwkUrl);
+    if (isVerified) {
+      System.out.println("Id token verified.");
+      return;
+    }
+    System.out.println("Unable to verify id token.");
+  }
+
+  public static boolean verifyNonGoogleIdToken(String idToken, String targetAudience, String jwkUrl)
+      throws MalformedURLException, JwkException {
+
+    DecodedJWT jwt = JWT.decode(idToken);
+
+    // Check if the token has expired.
+    if (jwt.getExpiresAt().before(Calendar.getInstance().getTime())) {
+      System.out.println("Token already expired..");
+      return false;
+    }
+
+    // Construct the jwkProvider from the provided jwkURL.
+    JwkProvider jwkProvider = new UrlJwkProvider(new URL(jwkUrl));
+    // Get the jwk from the provided key id.
+    Jwk jwk = jwkProvider.get(jwt.getKeyId());
+    // Retrieve the public key and use that to create an instance of the Algorithm.
+    Algorithm algorithm = Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(), null);
+    // Create the verifier with the algorithm and target audience.
+    JWTVerifier jwtVerifier = JWT.require(algorithm).withAudience(targetAudience).build();
+
+    try {
+      // Verify the id token.
+      jwt = jwtVerifier.verify(idToken);
+    } catch (JWTVerificationException e) {
+      System.out.println("Could not verify Signature: " + e.getMessage());
+      return false;
+    }
+    return true;
+  }
+
+}

From bd1bc554a1c1334b8547c72fc5cefb5caaf4b14d Mon Sep 17 00:00:00 2001
From: SitaLakshmi <sita1996@gmail.com>
Date: Wed, 8 Jun 2022 13:35:38 +0530
Subject: [PATCH 02/16] docs(samples): added authexplicit and copyright

---
 .../src/main/java/AuthenticateExplicit.java   | 85 +++++++++++++++++++
 ....java => AuthenticateImplicitWithAdc.java} | 25 +++++-
 .../IdTokenFromImpersonatedCredentials.java   | 16 ++++
 ...dTokenFromImpersonatedCredentialsREST.java | 16 ++++
 .../main/java/IdTokenFromMetadataServer.java  | 16 ++++
 .../main/java/IdTokenFromServiceAccount.java  | 53 ++++--------
 .../java/IdTokenFromServiceAccountREST.java   | 16 ++++
 .../src/main/java/VerifyNonGoogleIdToken.java | 16 ++++
 8 files changed, 206 insertions(+), 37 deletions(-)
 create mode 100644 samples/snippets/src/main/java/AuthenticateExplicit.java
 rename samples/snippets/src/main/java/{ApplicationDefaultCredentialsImplicit.java => AuthenticateImplicitWithAdc.java} (72%)

diff --git a/samples/snippets/src/main/java/AuthenticateExplicit.java b/samples/snippets/src/main/java/AuthenticateExplicit.java
new file mode 100644
index 000000000..942a91a8f
--- /dev/null
+++ b/samples/snippets/src/main/java/AuthenticateExplicit.java
@@ -0,0 +1,85 @@
+/*
+ * Copyright 2022 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import com.google.api.gax.paging.Page;
+import com.google.auth.oauth2.GoogleCredentials;
+import com.google.cloud.storage.Bucket;
+import com.google.cloud.storage.Storage;
+import com.google.cloud.storage.StorageOptions;
+import com.google.common.collect.Lists;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
+public class AuthenticateExplicit {
+
+  public static void main(String[] args) throws IOException, GeneralSecurityException {
+    // TODO(Developer):
+    //  1. Replace the below variable.
+    //  2. Make sure you have the necessary permission to list storage buckets "storage.buckets.list"
+    String projectId = "your-google-cloud-project-id";
+
+    // Path to the service account json credential file.
+    String jsonCredentialPath = "path-to-json-credential-file";
+
+    // Provide the scopes that you might need to request to access Google APIs,
+    // depending on the level of access you need.
+    // Example: The following scope lets you view and manage Pub/Sub topics and subscriptions.
+    // For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes
+    String scope = "https://www.googleapis.com/auth/devstorage.full_control";
+
+    authenticateExplicit(projectId, jsonCredentialPath, scope);
+  }
+
+  // Authenticating using Client libraries can be done in one of the following ways:
+  // 1. Implicit authentication with ADC (Application Default Credentials)
+  // 2. Explicit authentication by specifying the service account
+  // 3. Bring your own (BYO) access token
+  // 4. Using API keys (for libraries that support)
+  //
+  // In this snippet, we demonstrate "Explicit authentication by specifying the service account".
+  public static void authenticateExplicit(String project, String jsonCredentialPath, String scope)
+      throws IOException {
+
+    // This snippet demonstrates how to initialize Cloud Storage and list buckets.
+    // Note that the credentials are explicitly specified when constructing the client.
+    Storage storage = initService(project, jsonCredentialPath, scope);
+
+    System.out.println("Buckets:");
+    Page<Bucket> buckets = storage.list();
+    for (Bucket bucket : buckets.iterateAll()) {
+      System.out.println(bucket.toString());
+    }
+  }
+
+  // Initialize the Storage client by explicitly setting the Service account to use.
+  public static Storage initService(String projectId, String jsonCredentialPath, String scope)
+      throws IOException {
+    // Construct the GoogleCredentials object which accepts the service account json file and
+    // scope as the input parameters.
+    GoogleCredentials credentials = GoogleCredentials
+        .fromStream(new FileInputStream(jsonCredentialPath))
+        .createScoped(Lists.newArrayList(scope));
+
+    // Construct the Storage client.
+    // Note that, here we explicitly specify the service account to use.
+    return StorageOptions.newBuilder()
+        .setCredentials(credentials)
+        .setProjectId(projectId)
+        .build()
+        .getService();
+  }
+}
diff --git a/samples/snippets/src/main/java/ApplicationDefaultCredentialsImplicit.java b/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java
similarity index 72%
rename from samples/snippets/src/main/java/ApplicationDefaultCredentialsImplicit.java
rename to samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java
index 3f411d3dc..b80296221 100644
--- a/samples/snippets/src/main/java/ApplicationDefaultCredentialsImplicit.java
+++ b/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java
@@ -1,8 +1,24 @@
+/*
+ * Copyright 2022 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 import com.google.cloud.compute.v1.Instance;
 import com.google.cloud.compute.v1.InstancesClient;
 import java.io.IOException;
 
-public class ApplicationDefaultCredentialsImplicit {
+public class AuthenticateImplicitWithAdc {
 
   public static void main(String[] args) throws IOException {
     // TODO(Developer):
@@ -14,6 +30,13 @@ public static void main(String[] args) throws IOException {
     authenticateImplicitWithAdc(projectId);
   }
 
+  // Authenticating using Client libraries can be done in one of the following ways:
+  // 1. Implicit authentication with ADC (Application Default Credentials)
+  // 2. Explicit authentication by specifying the service account
+  // 3. Bring your own (BYO) access token
+  // 4. Using API keys (for libraries that support)
+  //
+  // In this snippet, we demonstrate "Implicit authentication with ADC".
   // ADC - Application Default Credentials
   // When interacting with Google Cloud Client libraries, the library can auto-detect the
   // credentials to use, if the "APPLICATION_DEFAULT_CREDENTIALS" is set.
diff --git a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
index 7dedf37c0..18b0d0a26 100644
--- a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
+++ b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
@@ -1,3 +1,19 @@
+/*
+ * Copyright 2022 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
 import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
 import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
diff --git a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentialsREST.java b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentialsREST.java
index 8f3ef3a09..b198da53b 100644
--- a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentialsREST.java
+++ b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentialsREST.java
@@ -1,3 +1,19 @@
+/*
+ * Copyright 2022 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
 import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
 import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
diff --git a/samples/snippets/src/main/java/IdTokenFromMetadataServer.java b/samples/snippets/src/main/java/IdTokenFromMetadataServer.java
index 3b293c07c..1bd2eadec 100644
--- a/samples/snippets/src/main/java/IdTokenFromMetadataServer.java
+++ b/samples/snippets/src/main/java/IdTokenFromMetadataServer.java
@@ -1,3 +1,19 @@
+/*
+ * Copyright 2022 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
 import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
 import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
diff --git a/samples/snippets/src/main/java/IdTokenFromServiceAccount.java b/samples/snippets/src/main/java/IdTokenFromServiceAccount.java
index 9a2726a38..3e8667e17 100644
--- a/samples/snippets/src/main/java/IdTokenFromServiceAccount.java
+++ b/samples/snippets/src/main/java/IdTokenFromServiceAccount.java
@@ -1,3 +1,19 @@
+/*
+ * Copyright 2022 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
 import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
 import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
@@ -90,39 +106,4 @@ public static boolean verifyGoogleIdToken(String idTokenString, String audience)
     return false;
   }
 
-}
-
-//
-// Iam service =
-//     new Iam.Builder(
-//         GoogleNetHttpTransport.newTrustedTransport(),
-//         GsonFactory.getDefaultInstance(),
-//         new HttpCredentialsAdapter(googleCredentials))
-//         .setApplicationName("service-accounts")
-//         .build();
-//
-// try {
-//   ServiceAccount serviceAccount = new ServiceAccount();
-//   serviceAccount.setDisplayName("serviceaccdummy");
-//   CreateServiceAccountRequest request = new CreateServiceAccountRequest();
-//   request.setAccountId("serviceAccountName");
-//   request.setServiceAccount(serviceAccount);
-//
-//   serviceAccount =
-//       service.projects().serviceAccounts().create("projects/" + projectId, request).execute();
-//
-//   System.out.println("Created service account: " + serviceAccount.getEmail());
-//
-//
-// GenerateIdToken iamCredentials = new IAMCredentials(
-//     GoogleNetHttpTransport.newTrustedTransport(),
-//     GsonFactory.getDefaultInstance(),
-//     new HttpCredentialsAdapter(googleCredentialsProvider)
-// ).projects().serviceAccounts().generateIdToken(String.format("projects/%s/serviceAccounts/%s", projectId, serviceAccount),
-//     new GenerateIdTokenRequest().setAudience("https://www.googleapis.com/auth/cloud-platform"));
-//
-// System.out.println(iamCredentials);
-//
-// } catch (IOException e) {
-//   System.out.println("Unable to create service account: \n" + e.toString());
-// }
+}
\ No newline at end of file
diff --git a/samples/snippets/src/main/java/IdTokenFromServiceAccountREST.java b/samples/snippets/src/main/java/IdTokenFromServiceAccountREST.java
index 43de37796..ef27fec05 100644
--- a/samples/snippets/src/main/java/IdTokenFromServiceAccountREST.java
+++ b/samples/snippets/src/main/java/IdTokenFromServiceAccountREST.java
@@ -1,3 +1,19 @@
+/*
+ * Copyright 2022 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
 import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
 import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
diff --git a/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java b/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java
index 274ee803c..fe556b204 100644
--- a/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java
+++ b/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java
@@ -1,3 +1,19 @@
+/*
+ * Copyright 2022 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 import com.auth0.jwk.Jwk;
 import com.auth0.jwk.JwkException;
 import com.auth0.jwk.JwkProvider;

From ece1c561c388943ebc9fce8090ff384281e462dc Mon Sep 17 00:00:00 2001
From: SitaLakshmi <sita1996@gmail.com>
Date: Wed, 8 Jun 2022 13:49:21 +0530
Subject: [PATCH 03/16] docs(samples): add auth with metadata server

---
 ...AuthWithCredentialsFromMetadataServer.java | 77 +++++++++++++++++++
 .../src/main/java/AuthenticateExplicit.java   |  6 +-
 .../java/AuthenticateImplicitWithAdc.java     |  6 +-
 3 files changed, 85 insertions(+), 4 deletions(-)
 create mode 100644 samples/snippets/src/main/java/AuthWithCredentialsFromMetadataServer.java

diff --git a/samples/snippets/src/main/java/AuthWithCredentialsFromMetadataServer.java b/samples/snippets/src/main/java/AuthWithCredentialsFromMetadataServer.java
new file mode 100644
index 000000000..809bc94bc
--- /dev/null
+++ b/samples/snippets/src/main/java/AuthWithCredentialsFromMetadataServer.java
@@ -0,0 +1,77 @@
+/*
+ * Copyright 2022 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import com.google.api.gax.paging.Page;
+import com.google.auth.oauth2.ComputeEngineCredentials;
+import com.google.auth.oauth2.GoogleCredentials;
+import com.google.cloud.storage.Bucket;
+import com.google.cloud.storage.Storage;
+import com.google.cloud.storage.StorageOptions;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
+public class AuthWithCredentialsFromMetadataServer {
+
+  public static void main(String[] args) throws IOException, GeneralSecurityException {
+    // TODO(Developer):
+    //  1. Replace the below variable.
+    //  2. Make sure you have the necessary permission to list storage buckets "storage.buckets.list"
+    String projectId = "your-google-cloud-project-id";
+
+    authWithCredentialsFromMetadataServer(projectId);
+  }
+
+  // Authenticating using Client libraries can be done in one of the following ways:
+  // 1. Implicit authentication with ADC (Application Default Credentials)
+  // 2. Explicit authentication by specifying the service account
+  // 3. Authentication with service account credentials obtained from a metadata server, like,
+  // Compute Engine or App Engine etc.,
+  // 4. Bring your own (BYO) access token
+  // 5. Using API keys (for libraries that support)
+  //
+  // In this snippet, we demonstrate "Authentication with service account credentials
+  // obtained from a metadata server".
+  public static void authWithCredentialsFromMetadataServer(String project) {
+
+    // This snippet demonstrates how to initialize Cloud Storage and list buckets.
+    // Note that the credentials are requested from the ComputeEngine metadata server.
+    Storage storage = initService(project);
+
+    System.out.println("Buckets:");
+    Page<Bucket> buckets = storage.list();
+    for (Bucket bucket : buckets.iterateAll()) {
+      System.out.println(bucket.toString());
+    }
+  }
+
+  // Initialize the Storage client by getting the Service account credentials
+  // from a Metadata server.
+  public static Storage initService(String projectId) {
+    // Explicitly request the service account credentials from the ComputeEngine metadata server.
+    GoogleCredentials credentials = ComputeEngineCredentials.create();
+
+    // Alternately, if executing within AppEngine, you can get credentials as follows:
+    // GoogleCredentials credentials = AppEngineCredentials.getApplicationDefault();
+
+    // Construct the Storage client.
+    // Note that, here we explicitly specify the service account to use.
+    return StorageOptions.newBuilder()
+        .setCredentials(credentials)
+        .setProjectId(projectId)
+        .build()
+        .getService();
+  }
+}
diff --git a/samples/snippets/src/main/java/AuthenticateExplicit.java b/samples/snippets/src/main/java/AuthenticateExplicit.java
index 942a91a8f..b62412c26 100644
--- a/samples/snippets/src/main/java/AuthenticateExplicit.java
+++ b/samples/snippets/src/main/java/AuthenticateExplicit.java
@@ -47,8 +47,10 @@ public static void main(String[] args) throws IOException, GeneralSecurityExcept
   // Authenticating using Client libraries can be done in one of the following ways:
   // 1. Implicit authentication with ADC (Application Default Credentials)
   // 2. Explicit authentication by specifying the service account
-  // 3. Bring your own (BYO) access token
-  // 4. Using API keys (for libraries that support)
+  // 3. Authentication with service account credentials obtained from metadata server, like,
+  // Compute Engine or App Engine etc.,
+  // 4. Bring your own (BYO) access token
+  // 5. Using API keys (for libraries that support)
   //
   // In this snippet, we demonstrate "Explicit authentication by specifying the service account".
   public static void authenticateExplicit(String project, String jsonCredentialPath, String scope)
diff --git a/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java b/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java
index b80296221..18b8d2ee0 100644
--- a/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java
+++ b/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java
@@ -33,8 +33,10 @@ public static void main(String[] args) throws IOException {
   // Authenticating using Client libraries can be done in one of the following ways:
   // 1. Implicit authentication with ADC (Application Default Credentials)
   // 2. Explicit authentication by specifying the service account
-  // 3. Bring your own (BYO) access token
-  // 4. Using API keys (for libraries that support)
+  // 3. Authentication with service account credentials obtained from metadata server, like,
+  // Compute Engine or App Engine etc.,
+  // 4. Bring your own (BYO) access token
+  // 5. Using API keys (for libraries that support)
   //
   // In this snippet, we demonstrate "Implicit authentication with ADC".
   // ADC - Application Default Credentials

From 0c26c338a1c8216af9ed6469214fcf34b613e0dc Mon Sep 17 00:00:00 2001
From: SitaLakshmi <sita1996@gmail.com>
Date: Wed, 8 Jun 2022 14:58:55 +0530
Subject: [PATCH 04/16] docs(samples): minor refactoring and added tests

---
 samples/snippets/pom.xml                      | 101 ++++++++++++++
 ...AuthWithCredentialsFromMetadataServer.java |   3 +-
 .../src/main/java/AuthenticateExplicit.java   |   3 +-
 .../IdTokenFromImpersonatedCredentials.java   |   2 +-
 ...dTokenFromImpersonatedCredentialsREST.java |   4 +-
 .../main/java/IdTokenFromMetadataServer.java  |   4 +-
 .../main/java/IdTokenFromServiceAccount.java  |   2 +-
 .../java/IdTokenFromServiceAccountREST.java   |   4 +-
 .../src/main/java/VerifyNonGoogleIdToken.java |  85 ++++++-----
 .../snippets/src/test/java/SnippetsIT.java    | 132 ++++++++++++++++++
 10 files changed, 292 insertions(+), 48 deletions(-)
 create mode 100644 samples/snippets/pom.xml
 create mode 100644 samples/snippets/src/test/java/SnippetsIT.java

diff --git a/samples/snippets/pom.xml b/samples/snippets/pom.xml
new file mode 100644
index 000000000..a8e3fb44c
--- /dev/null
+++ b/samples/snippets/pom.xml
@@ -0,0 +1,101 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0">
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>com.google.auth.samples</groupId>
+  <artifactId>authsamples</artifactId>
+  <version>1.0.0</version>
+  <name>auth-samples</name>
+
+
+  <!--
+    The parent pom defines common style checks and testing strategies for our samples.
+    Removing or replacing it should not affect the execution of the samples in anyway.
+  -->
+  <parent>
+    <groupId>com.google.cloud.samples</groupId>
+    <artifactId>shared-configuration</artifactId>
+    <version>1.2.0</version>
+  </parent>
+
+  <properties>
+    <maven.compiler.target>1.8</maven.compiler.target>
+    <maven.compiler.source>1.8</maven.compiler.source>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+  </properties>
+
+  <!-- START dependencies -->
+  <!--  Using libraries-bom to manage versions.
+  See https://github.com/GoogleCloudPlatform/cloud-opensource-java/wiki/The-Google-Cloud-Platform-Libraries-BOM -->
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>com.google.cloud</groupId>
+        <artifactId>libraries-bom</artifactId>
+        <version>25.0.0</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
+
+  <dependencies>
+<!--    OAuth dependency-->
+    <dependency>
+      <groupId>com.google.auth</groupId>
+      <artifactId>google-auth-library-oauth2-http</artifactId>
+      <version>1.3.0</version>
+    </dependency>
+
+<!--    IAM dependency-->
+    <dependency>
+      <groupId>com.google.apis</groupId>
+      <artifactId>google-api-services-iam</artifactId>
+      <version>v1-rev20220509-1.32.1</version>
+    </dependency>
+    <dependency>
+      <groupId>com.google.apis</groupId>
+      <artifactId>google-api-services-iamcredentials</artifactId>
+      <version>v1-rev20211203-1.32.1</version>
+    </dependency>
+
+<!--    JWT dependency-->
+    <dependency>
+      <groupId>com.auth0</groupId>
+      <artifactId>java-jwt</artifactId>
+      <version>3.16.0</version>
+    </dependency>
+    <dependency>
+      <groupId>com.auth0</groupId>
+      <artifactId>jwks-rsa</artifactId>
+      <version>0.18.0</version>
+    </dependency>
+
+<!--    GCloud dependency-->
+    <dependency>
+      <artifactId>google-cloud-compute</artifactId>
+      <groupId>com.google.cloud</groupId>
+      <version>1.8.1</version>
+    </dependency>
+    <dependency>
+      <groupId>com.google.cloud</groupId>
+      <artifactId>google-cloud-storage</artifactId>
+    </dependency>
+
+<!--    Test dependencies-->
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>4.13.1</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <artifactId>truth</artifactId>
+      <groupId>com.google.truth</groupId>
+      <scope>test</scope>
+      <version>1.1.3</version>
+    </dependency>
+
+  </dependencies>
+
+</project>
+
diff --git a/samples/snippets/src/main/java/AuthWithCredentialsFromMetadataServer.java b/samples/snippets/src/main/java/AuthWithCredentialsFromMetadataServer.java
index 809bc94bc..e5bf3d1da 100644
--- a/samples/snippets/src/main/java/AuthWithCredentialsFromMetadataServer.java
+++ b/samples/snippets/src/main/java/AuthWithCredentialsFromMetadataServer.java
@@ -55,11 +55,12 @@ public static void authWithCredentialsFromMetadataServer(String project) {
     for (Bucket bucket : buckets.iterateAll()) {
       System.out.println(bucket.toString());
     }
+    System.out.println("Authentication complete.");
   }
 
   // Initialize the Storage client by getting the Service account credentials
   // from a Metadata server.
-  public static Storage initService(String projectId) {
+  private static Storage initService(String projectId) {
     // Explicitly request the service account credentials from the ComputeEngine metadata server.
     GoogleCredentials credentials = ComputeEngineCredentials.create();
 
diff --git a/samples/snippets/src/main/java/AuthenticateExplicit.java b/samples/snippets/src/main/java/AuthenticateExplicit.java
index b62412c26..949034098 100644
--- a/samples/snippets/src/main/java/AuthenticateExplicit.java
+++ b/samples/snippets/src/main/java/AuthenticateExplicit.java
@@ -65,10 +65,11 @@ public static void authenticateExplicit(String project, String jsonCredentialPat
     for (Bucket bucket : buckets.iterateAll()) {
       System.out.println(bucket.toString());
     }
+    System.out.println("Authentication complete.");
   }
 
   // Initialize the Storage client by explicitly setting the Service account to use.
-  public static Storage initService(String projectId, String jsonCredentialPath, String scope)
+  private static Storage initService(String projectId, String jsonCredentialPath, String scope)
       throws IOException {
     // Construct the GoogleCredentials object which accepts the service account json file and
     // scope as the input parameters.
diff --git a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
index 18b0d0a26..9037ecfea 100644
--- a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
+++ b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
@@ -127,7 +127,7 @@ private static IAMCredentials initService(String jsonCredentialPath, String scop
   }
 
   // Verifies the obtained Google id token.
-  public static boolean verifyGoogleIdToken(String idTokenString, String audience)
+  private static boolean verifyGoogleIdToken(String idTokenString, String audience)
       throws GeneralSecurityException, IOException {
     // Initialize the Google id token verifier and set the audience.
     GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
diff --git a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentialsREST.java b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentialsREST.java
index b198da53b..2d42786df 100644
--- a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentialsREST.java
+++ b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentialsREST.java
@@ -122,7 +122,7 @@ public static void getIdTokenFromImpersonatedCredentials(String jsonCredentialPa
   }
 
   // Makes a simple http get call.
-  public static void makeAuthenticatedRequest(IdTokenCredentials idTokenCredentials, String url)
+  private static void makeAuthenticatedRequest(IdTokenCredentials idTokenCredentials, String url)
       throws IOException {
     GenericUrl genericUrl = new GenericUrl(url);
     HttpCredentialsAdapter adapter = new HttpCredentialsAdapter(idTokenCredentials);
@@ -134,7 +134,7 @@ public static void makeAuthenticatedRequest(IdTokenCredentials idTokenCredential
   }
 
   // Verifies the obtained Google id token.
-  public static boolean verifyGoogleIdToken(String idTokenString, String audience)
+  private static boolean verifyGoogleIdToken(String idTokenString, String audience)
       throws GeneralSecurityException, IOException {
     // Initialize the Google id token verifier and set the audience.
     GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
diff --git a/samples/snippets/src/main/java/IdTokenFromMetadataServer.java b/samples/snippets/src/main/java/IdTokenFromMetadataServer.java
index 1bd2eadec..701999922 100644
--- a/samples/snippets/src/main/java/IdTokenFromMetadataServer.java
+++ b/samples/snippets/src/main/java/IdTokenFromMetadataServer.java
@@ -86,7 +86,7 @@ public static void getIdTokenFromMetadataServer(String targetAudience)
   }
 
   // Makes a simple http get call.
-  public static void makeAuthenticatedRequest(IdTokenCredentials idTokenCredentials, String url)
+  private static void makeAuthenticatedRequest(IdTokenCredentials idTokenCredentials, String url)
       throws IOException {
     GenericUrl genericUrl = new GenericUrl(url);
     HttpCredentialsAdapter adapter = new HttpCredentialsAdapter(idTokenCredentials);
@@ -98,7 +98,7 @@ public static void makeAuthenticatedRequest(IdTokenCredentials idTokenCredential
   }
 
   // Verifies the obtained Google id token.
-  public static boolean verifyGoogleIdToken(String idTokenString, String audience)
+  private static boolean verifyGoogleIdToken(String idTokenString, String audience)
       throws GeneralSecurityException, IOException {
     // Initialize the Google id token verifier and set the audience.
     GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
diff --git a/samples/snippets/src/main/java/IdTokenFromServiceAccount.java b/samples/snippets/src/main/java/IdTokenFromServiceAccount.java
index 3e8667e17..faf5d3d87 100644
--- a/samples/snippets/src/main/java/IdTokenFromServiceAccount.java
+++ b/samples/snippets/src/main/java/IdTokenFromServiceAccount.java
@@ -81,7 +81,7 @@ public static void getIdTokenFromServiceAccount(String jsonCredentialPath, Strin
 
 
   // Verifies the obtained Google id token.
-  public static boolean verifyGoogleIdToken(String idTokenString, String audience)
+  private static boolean verifyGoogleIdToken(String idTokenString, String audience)
       throws GeneralSecurityException, IOException {
     // Initialize the Google id token verifier and set the audience.
     GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
diff --git a/samples/snippets/src/main/java/IdTokenFromServiceAccountREST.java b/samples/snippets/src/main/java/IdTokenFromServiceAccountREST.java
index ef27fec05..9e0fa04e4 100644
--- a/samples/snippets/src/main/java/IdTokenFromServiceAccountREST.java
+++ b/samples/snippets/src/main/java/IdTokenFromServiceAccountREST.java
@@ -89,7 +89,7 @@ public static void getIdTokenFromServiceAccountREST(String jsonCredentialPath, S
   }
 
   // Makes a simple http get call.
-  public static void makeAuthenticatedRequest(IdTokenCredentials idTokenCredentials, String url)
+  private static void makeAuthenticatedRequest(IdTokenCredentials idTokenCredentials, String url)
       throws IOException {
     GenericUrl genericUrl = new GenericUrl(url);
     HttpCredentialsAdapter adapter = new HttpCredentialsAdapter(idTokenCredentials);
@@ -101,7 +101,7 @@ public static void makeAuthenticatedRequest(IdTokenCredentials idTokenCredential
   }
 
   // Verifies the obtained Google id token.
-  public static boolean verifyGoogleIdToken(String idTokenString, String audience)
+  private static boolean verifyGoogleIdToken(String idTokenString, String audience)
       throws GeneralSecurityException, IOException {
     // Initialize the Google id token verifier and set the audience.
     GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
diff --git a/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java b/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java
index fe556b204..a7ec3708a 100644
--- a/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java
+++ b/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java
@@ -28,7 +28,6 @@
 import com.google.auth.oauth2.ServiceAccountCredentials;
 import java.io.FileInputStream;
 import java.io.IOException;
-import java.net.MalformedURLException;
 import java.net.URL;
 import java.security.GeneralSecurityException;
 import java.security.interfaces.RSAPublicKey;
@@ -55,30 +54,6 @@ public static void main(String[] args)
     // logical identifier of an API service, such as "pubsub.googleapis.com".
     String targetAudience = "pubsub.googleapis.com";
 
-    getIdTokenFromServiceAccount(jsonCredentialPath, scope, targetAudience);
-  }
-
-  public static void getIdTokenFromServiceAccount(String jsonCredentialPath, String scope,
-      String targetAudience)
-      throws IOException, GeneralSecurityException, JwkException {
-
-    // Initialize the Service Account Credentials class with the path to the json file.
-    ServiceAccountCredentials serviceAccountCredentials = ServiceAccountCredentials.fromStream(
-        new FileInputStream(jsonCredentialPath));
-    // Restrict the scope of the service account.
-    serviceAccountCredentials = (ServiceAccountCredentials) serviceAccountCredentials.createScoped(
-        Arrays.asList(scope));
-
-    // Obtain the id token by providing the target audience.
-    // tokenOption: Enum of various credential-specific options to apply to the token. Applicable
-    // only for credentials obtained through Compute Engine or Impersonation.
-    List<Option> tokenOption = Arrays.asList();
-    IdToken idToken = serviceAccountCredentials.idTokenWithAudience(
-        targetAudience,
-        tokenOption);
-
-    // Verify the obtained id token. This is done at the receiving end of the OIDC endpoint.
-    //
     // To verify non-google tokens, get the Json Web Key endpoint (jwk).
     // OpenID Connect allows the use of a "Discovery document," a JSON document found at a
     // well-known location containing key-value pairs which provide details about the
@@ -88,23 +63,28 @@ public static void getIdTokenFromServiceAccount(String jsonCredentialPath, Strin
     // Here, we validate Google's token using Google's OpenID Connect service (jwkUrl).
     // For more information on jwk,see: https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets
     String jwkUrl = "https://www.googleapis.com/oauth2/v3/certs";
-    boolean isVerified = verifyNonGoogleIdToken(idToken.getTokenValue(), targetAudience, jwkUrl);
-    if (isVerified) {
-      System.out.println("Id token verified.");
-      return;
-    }
-    System.out.println("Unable to verify id token.");
-  }
 
-  public static boolean verifyNonGoogleIdToken(String idToken, String targetAudience, String jwkUrl)
-      throws MalformedURLException, JwkException {
+    verifyNonGoogleIdToken(jsonCredentialPath, targetAudience, scope, jwkUrl);
+  }
 
+  // Verify a non-google id token. Here, we are using the Google's jwk. The procedure is the same
+  // even if the jwk is from a different provider.
+  public static void verifyNonGoogleIdToken(String jsonCredentialPath, String targetAudience,
+      String scope, String jwkUrl)
+      throws IOException, JwkException, GeneralSecurityException {
+    // Create an id token from the given service account.
+    // Since we are using Google's jwk, we are creating an id token from a Google service account.
+    // If a different provider is used, then generate an id token accordingly.
+    String idToken = getIdTokenFromServiceAccount(jsonCredentialPath, scope,
+        targetAudience).getTokenValue();
+
+    // Start verification.
     DecodedJWT jwt = JWT.decode(idToken);
 
     // Check if the token has expired.
     if (jwt.getExpiresAt().before(Calendar.getInstance().getTime())) {
       System.out.println("Token already expired..");
-      return false;
+      return;
     }
 
     // Construct the jwkProvider from the provided jwkURL.
@@ -116,14 +96,43 @@ public static boolean verifyNonGoogleIdToken(String idToken, String targetAudien
     // Create the verifier with the algorithm and target audience.
     JWTVerifier jwtVerifier = JWT.require(algorithm).withAudience(targetAudience).build();
 
+    boolean isVerified = true;
     try {
-      // Verify the id token.
+      // Verify the obtained id token. This is done at the receiving end of the OIDC endpoint.
       jwt = jwtVerifier.verify(idToken);
     } catch (JWTVerificationException e) {
       System.out.println("Could not verify Signature: " + e.getMessage());
-      return false;
+      isVerified = false;
     }
-    return true;
+
+    if (isVerified) {
+      System.out.println("Id token verified.");
+      return;
+    }
+    System.out.println("Unable to verify id token.");
+  }
+
+  // Get an id token from a Google service account.
+  private static IdToken getIdTokenFromServiceAccount(String jsonCredentialPath, String scope,
+      String targetAudience)
+      throws IOException, GeneralSecurityException, JwkException {
+
+    // Initialize the Service Account Credentials class with the path to the json file.
+    ServiceAccountCredentials serviceAccountCredentials = ServiceAccountCredentials.fromStream(
+        new FileInputStream(jsonCredentialPath));
+    // Restrict the scope of the service account.
+    serviceAccountCredentials = (ServiceAccountCredentials) serviceAccountCredentials.createScoped(
+        Arrays.asList(scope));
+
+    // Obtain the id token by providing the target audience.
+    // tokenOption: Enum of various credential-specific options to apply to the token. Applicable
+    // only for credentials obtained through Compute Engine or Impersonation.
+    List<Option> tokenOption = Arrays.asList();
+    IdToken idToken = serviceAccountCredentials.idTokenWithAudience(
+        targetAudience,
+        tokenOption);
+
+    return idToken;
   }
 
 }
diff --git a/samples/snippets/src/test/java/SnippetsIT.java b/samples/snippets/src/test/java/SnippetsIT.java
new file mode 100644
index 000000000..ff6479d39
--- /dev/null
+++ b/samples/snippets/src/test/java/SnippetsIT.java
@@ -0,0 +1,132 @@
+/*
+ * Copyright 2022 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import static com.google.common.truth.Truth.assertThat;
+import static com.google.common.truth.Truth.assertWithMessage;
+
+import com.auth0.jwk.JwkException;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.PrintStream;
+import java.security.GeneralSecurityException;
+import java.util.concurrent.ExecutionException;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.JUnit4;
+
+@RunWith(JUnit4.class)
+public class SnippetsIT {
+
+  private static final String PROJECT_ID = System.getenv("GOOGLE_CLOUD_PROJECT");
+  private static final String CREDENTIALS = System.getenv("GOOGLE_APPLICATION_CREDENTIALS");
+  private ByteArrayOutputStream stdOut;
+
+  // Check if the required environment variables are set.
+  public static void requireEnvVar(String envVarName) {
+    assertWithMessage(String.format("Missing environment variable '%s' ", envVarName))
+        .that(System.getenv(envVarName)).isNotEmpty();
+  }
+
+  @BeforeClass
+  public static void setup() throws IOException {
+    final PrintStream out = System.out;
+    ByteArrayOutputStream stdOut = new ByteArrayOutputStream();
+    System.setOut(new PrintStream(stdOut));
+    requireEnvVar("GOOGLE_APPLICATION_CREDENTIALS");
+    requireEnvVar("GOOGLE_CLOUD_PROJECT");
+
+    stdOut.close();
+    System.setOut(out);
+  }
+
+  @AfterClass
+  public static void cleanup() {
+  }
+
+  @Before
+  public void beforeEach() {
+    stdOut = new ByteArrayOutputStream();
+    System.setOut(new PrintStream(stdOut));
+  }
+
+  @After
+  public void afterEach() {
+    stdOut = null;
+    System.setOut(null);
+  }
+
+  @Test
+  public void testIdTokenFromServiceAccount() throws GeneralSecurityException, IOException {
+    IdTokenFromServiceAccount.getIdTokenFromServiceAccount(
+        CREDENTIALS,
+        "https://www.googleapis.com/auth/pubsub",
+        "pubsub.googleapis.com");
+    assertThat(stdOut.toString()).contains("Id token verified.");
+  }
+
+  @Test
+  public void testIdTokenFromServiceAccountRest()
+      throws GeneralSecurityException, IOException, ExecutionException, InterruptedException {
+    IdTokenFromServiceAccountREST.getIdTokenFromServiceAccountREST(
+        CREDENTIALS,
+        "https://www.googleapis.com/auth/pubsub",
+        "pubsub.googleapis.com");
+    assertThat(stdOut.toString()).contains("Id token verified.");
+  }
+
+  @Test
+  public void testVerifyNonGoogleIdToken()
+      throws GeneralSecurityException, IOException, JwkException {
+    VerifyNonGoogleIdToken.verifyNonGoogleIdToken(
+        CREDENTIALS,
+        "https://www.googleapis.com/auth/pubsub",
+        "pubsub.googleapis.com",
+        "https://www.googleapis.com/oauth2/v3/certs");
+    assertThat(stdOut.toString()).contains("Id token verified.");
+  }
+
+  @Test
+  public void testIdTokenFromMetadataServer() throws GeneralSecurityException, IOException {
+    IdTokenFromMetadataServer.getIdTokenFromMetadataServer("pubsub.googleapis.com");
+    assertThat(stdOut.toString()).contains("Id token verified.");
+  }
+
+  @Test
+  public void testAuthenticateImplicitWithAdc() throws IOException {
+    AuthenticateImplicitWithAdc.authenticateImplicitWithAdc(PROJECT_ID);
+    assertThat(stdOut.toString()).contains("Listing instances complete");
+  }
+
+  @Test
+  public void testAuthenticateExplicit() throws IOException {
+    AuthenticateExplicit.authenticateExplicit(
+        PROJECT_ID,
+        CREDENTIALS,
+        "https://www.googleapis.com/auth/devstorage.full_control");
+    assertThat(stdOut.toString()).contains("Authentication complete.");
+  }
+
+  @Test
+  public void testAuthWithCredentialsFromMetadataServer() {
+    AuthWithCredentialsFromMetadataServer.authWithCredentialsFromMetadataServer(PROJECT_ID);
+    assertThat(stdOut.toString()).contains("Authentication complete.");
+  }
+
+}

From 45449b220588773b03c70fcfc287d92e708972e9 Mon Sep 17 00:00:00 2001
From: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
Date: Wed, 8 Jun 2022 09:37:19 +0000
Subject: [PATCH 05/16] =?UTF-8?q?=F0=9F=A6=89=20Updates=20from=20OwlBot=20?=
 =?UTF-8?q?post-processor?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md
---
 ...AuthWithCredentialsFromMetadataServer.java |  3 +-
 .../src/main/java/AuthenticateExplicit.java   |  9 +--
 .../java/AuthenticateImplicitWithAdc.java     |  3 +-
 .../IdTokenFromImpersonatedCredentials.java   | 57 ++++++++-------
 ...dTokenFromImpersonatedCredentialsREST.java | 69 ++++++++++---------
 .../main/java/IdTokenFromMetadataServer.java  | 36 +++++-----
 .../main/java/IdTokenFromServiceAccount.java  | 29 ++++----
 .../java/IdTokenFromServiceAccountREST.java   | 34 ++++-----
 .../src/main/java/VerifyNonGoogleIdToken.java | 34 ++++-----
 .../snippets/src/test/java/SnippetsIT.java    | 19 ++---
 10 files changed, 150 insertions(+), 143 deletions(-)

diff --git a/samples/snippets/src/main/java/AuthWithCredentialsFromMetadataServer.java b/samples/snippets/src/main/java/AuthWithCredentialsFromMetadataServer.java
index e5bf3d1da..69ea35f43 100644
--- a/samples/snippets/src/main/java/AuthWithCredentialsFromMetadataServer.java
+++ b/samples/snippets/src/main/java/AuthWithCredentialsFromMetadataServer.java
@@ -28,7 +28,8 @@ public class AuthWithCredentialsFromMetadataServer {
   public static void main(String[] args) throws IOException, GeneralSecurityException {
     // TODO(Developer):
     //  1. Replace the below variable.
-    //  2. Make sure you have the necessary permission to list storage buckets "storage.buckets.list"
+    //  2. Make sure you have the necessary permission to list storage buckets
+    // "storage.buckets.list"
     String projectId = "your-google-cloud-project-id";
 
     authWithCredentialsFromMetadataServer(projectId);
diff --git a/samples/snippets/src/main/java/AuthenticateExplicit.java b/samples/snippets/src/main/java/AuthenticateExplicit.java
index 949034098..e687dfe60 100644
--- a/samples/snippets/src/main/java/AuthenticateExplicit.java
+++ b/samples/snippets/src/main/java/AuthenticateExplicit.java
@@ -29,7 +29,8 @@ public class AuthenticateExplicit {
   public static void main(String[] args) throws IOException, GeneralSecurityException {
     // TODO(Developer):
     //  1. Replace the below variable.
-    //  2. Make sure you have the necessary permission to list storage buckets "storage.buckets.list"
+    //  2. Make sure you have the necessary permission to list storage buckets
+    // "storage.buckets.list"
     String projectId = "your-google-cloud-project-id";
 
     // Path to the service account json credential file.
@@ -73,9 +74,9 @@ private static Storage initService(String projectId, String jsonCredentialPath,
       throws IOException {
     // Construct the GoogleCredentials object which accepts the service account json file and
     // scope as the input parameters.
-    GoogleCredentials credentials = GoogleCredentials
-        .fromStream(new FileInputStream(jsonCredentialPath))
-        .createScoped(Lists.newArrayList(scope));
+    GoogleCredentials credentials =
+        GoogleCredentials.fromStream(new FileInputStream(jsonCredentialPath))
+            .createScoped(Lists.newArrayList(scope));
 
     // Construct the Storage client.
     // Note that, here we explicitly specify the service account to use.
diff --git a/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java b/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java
index 18b8d2ee0..fd37abf78 100644
--- a/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java
+++ b/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java
@@ -56,7 +56,8 @@ public static void main(String[] args) throws IOException {
   // Cloud Code, the tool uses the credentials you provided when you logged in,
   // and manages any authorizations required.
   //
-  // For more environments, see: https://cloud.devsite.corp.google.com/docs/authentication/provide-credentials-adc
+  // For more environments, see:
+  // https://cloud.devsite.corp.google.com/docs/authentication/provide-credentials-adc
   //
   // ADC detection is independent of the client library and language and works with all Cloud Client
   // libraries.
diff --git a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
index 9037ecfea..94e31c34c 100644
--- a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
+++ b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
@@ -33,8 +33,7 @@
 
 public class IdTokenFromImpersonatedCredentials {
 
-  public static void main(String[] args)
-      throws IOException, GeneralSecurityException {
+  public static void main(String[] args) throws IOException, GeneralSecurityException {
     // TODO(Developer): Replace the below variables before running the code.
 
     // Your Google Cloud project id.
@@ -54,15 +53,17 @@ public static void main(String[] args)
     String targetAudience = "pubsub.googleapis.com";
 
     // The service account name of the limited-privilege account for whom the credential is created.
-    String impersonatedServiceAccount =
-        "name@project.service.gserviceaccount.com";
+    String impersonatedServiceAccount = "name@project.service.gserviceaccount.com";
 
-    getIdTokenFromImpersonatedCredentials(projectId, jsonCredentialPath, impersonatedServiceAccount,
-        scope, targetAudience);
+    getIdTokenFromImpersonatedCredentials(
+        projectId, jsonCredentialPath, impersonatedServiceAccount, scope, targetAudience);
   }
 
-  public static void getIdTokenFromImpersonatedCredentials(String projectId,
-      String jsonCredentialPath, String impersonatedServiceAccount, String scope,
+  public static void getIdTokenFromImpersonatedCredentials(
+      String projectId,
+      String jsonCredentialPath,
+      String impersonatedServiceAccount,
+      String scope,
       String targetAudience)
       throws GeneralSecurityException, IOException {
 
@@ -87,20 +88,23 @@ public static void getIdTokenFromImpersonatedCredentials(String projectId,
     List<String> delegates = null;
 
     // Set the target audience and Token options.
-    GenerateIdTokenRequest idTokenRequest = new GenerateIdTokenRequest()
-        .setAudience(targetAudience)
-        .setDelegates(delegates)
-        // Setting this will include email in the id token.
-        .setIncludeEmail(Boolean.TRUE);
+    GenerateIdTokenRequest idTokenRequest =
+        new GenerateIdTokenRequest()
+            .setAudience(targetAudience)
+            .setDelegates(delegates)
+            // Setting this will include email in the id token.
+            .setIncludeEmail(Boolean.TRUE);
 
     // Generate the id token for the impersonated service account, using the generateIdToken()
     // from IAMCredentials class.
-    GenerateIdToken idToken = service
-        .projects()
-        .serviceAccounts()
-        .generateIdToken(
-            String.format("projects/%s/serviceAccounts/%s", projectId, impersonatedServiceAccount),
-            idTokenRequest);
+    GenerateIdToken idToken =
+        service
+            .projects()
+            .serviceAccounts()
+            .generateIdToken(
+                String.format(
+                    "projects/%s/serviceAccounts/%s", projectId, impersonatedServiceAccount),
+                idTokenRequest);
 
     // Verify the obtained id token. This is done at the receiving end of the OIDC endpoint.
     boolean isVerified = verifyGoogleIdToken(idToken.getAccessToken(), targetAudience);
@@ -119,9 +123,9 @@ private static IAMCredentials initService(String jsonCredentialPath, String scop
 
     // Initialize the IAMCredentials service.
     return new IAMCredentials.Builder(
-        GoogleNetHttpTransport.newTrustedTransport(),
-        GsonFactory.getDefaultInstance(),
-        new HttpCredentialsAdapter(credential))
+            GoogleNetHttpTransport.newTrustedTransport(),
+            GsonFactory.getDefaultInstance(),
+            new HttpCredentialsAdapter(credential))
         .setApplicationName("service-accounts")
         .build();
   }
@@ -130,10 +134,11 @@ private static IAMCredentials initService(String jsonCredentialPath, String scop
   private static boolean verifyGoogleIdToken(String idTokenString, String audience)
       throws GeneralSecurityException, IOException {
     // Initialize the Google id token verifier and set the audience.
-    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
-        GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance())
-        .setAudience(Collections.singletonList(audience))
-        .build();
+    GoogleIdTokenVerifier verifier =
+        new GoogleIdTokenVerifier.Builder(
+                GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance())
+            .setAudience(Collections.singletonList(audience))
+            .build();
 
     // Verify the id token.
     GoogleIdToken idToken = verifier.verify(idTokenString);
diff --git a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentialsREST.java b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentialsREST.java
index 2d42786df..8ecc301f5 100644
--- a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentialsREST.java
+++ b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentialsREST.java
@@ -38,8 +38,7 @@
 
 public class IdTokenFromImpersonatedCredentialsREST {
 
-  public static void main(String[] args)
-      throws IOException, GeneralSecurityException {
+  public static void main(String[] args) throws IOException, GeneralSecurityException {
     // TODO(Developer): Replace the below variables before running the code.
     // Path to the service account json credential file.
     String jsonCredentialPath = "path-to-json-credential-file";
@@ -55,27 +54,31 @@ public static void main(String[] args)
     String targetAudience = "pubsub.googleapis.com";
 
     // The service account name of the limited-privilege account for whom the credential is created.
-    String impersonatedServiceAccount =
-        "name@project.service.gserviceaccount.com";
+    String impersonatedServiceAccount = "name@project.service.gserviceaccount.com";
 
-    getIdTokenFromImpersonatedCredentials(jsonCredentialPath, impersonatedServiceAccount, scope,
-        targetAudience);
+    getIdTokenFromImpersonatedCredentials(
+        jsonCredentialPath, impersonatedServiceAccount, scope, targetAudience);
   }
 
   // Use a service account (SA1) to impersonate as another service account (SA2) and obtain id token
   // for the impersonated account.
   // To obtain token for SA2, SA1 should have the "roles/iam.serviceAccountTokenCreator" permission
   // on SA2.
-  public static void getIdTokenFromImpersonatedCredentials(String jsonCredentialPath,
-      String impersonatedServiceAccount, String scope,
-      String targetAudience) throws IOException, GeneralSecurityException {
+  public static void getIdTokenFromImpersonatedCredentials(
+      String jsonCredentialPath,
+      String impersonatedServiceAccount,
+      String scope,
+      String targetAudience)
+      throws IOException, GeneralSecurityException {
     // Initialize the Service Account Credentials class with the path to the json file.
     // The caller who issues a request for the short-lived credentials.
-    ServiceAccountCredentials serviceAccountCredentials = ServiceAccountCredentials.fromStream(
-        new FileInputStream(jsonCredentialPath));
+    ServiceAccountCredentials serviceAccountCredentials =
+        ServiceAccountCredentials.fromStream(new FileInputStream(jsonCredentialPath));
     // Restrict the scope of the service account.
-    serviceAccountCredentials = (ServiceAccountCredentials) serviceAccountCredentials.createScoped(
-        Arrays.asList("https://www.googleapis.com/auth/cloud-platform"));
+    serviceAccountCredentials =
+        (ServiceAccountCredentials)
+            serviceAccountCredentials.createScoped(
+                Arrays.asList("https://www.googleapis.com/auth/cloud-platform"));
 
     // delegates: The chained list of delegates required to grant the final accessToken.
     //
@@ -89,20 +92,22 @@ public static void getIdTokenFromImpersonatedCredentials(String jsonCredentialPa
     List<String> delegates = null;
 
     // Create the impersonated credential.
-    ImpersonatedCredentials impersonatedCredentials = ImpersonatedCredentials.create(
-        serviceAccountCredentials,
-        impersonatedServiceAccount,
-        delegates,
-        Arrays.asList(scope),
-        300);
+    ImpersonatedCredentials impersonatedCredentials =
+        ImpersonatedCredentials.create(
+            serviceAccountCredentials,
+            impersonatedServiceAccount,
+            delegates,
+            Arrays.asList(scope),
+            300);
 
     // Set the impersonated credential, target audience and token options.
-    IdTokenCredentials idTokenCredentials = IdTokenCredentials.newBuilder()
-        .setIdTokenProvider(impersonatedCredentials)
-        .setTargetAudience(targetAudience)
-        // Setting this will include email in the id token.
-        .setOptions(Arrays.asList(Option.INCLUDE_EMAIL))
-        .build();
+    IdTokenCredentials idTokenCredentials =
+        IdTokenCredentials.newBuilder()
+            .setIdTokenProvider(impersonatedCredentials)
+            .setTargetAudience(targetAudience)
+            // Setting this will include email in the id token.
+            .setOptions(Arrays.asList(Option.INCLUDE_EMAIL))
+            .build();
 
     // Make a http request with the idTokenCredentials to obtain the access token.
     // stsEndpoint: The Security Token Service exchanges Google or third-party credentials for a
@@ -112,8 +117,8 @@ public static void getIdTokenFromImpersonatedCredentials(String jsonCredentialPa
     makeAuthenticatedRequest(idTokenCredentials, stsEndpoint);
 
     // Verify the obtained id token. This is done at the receiving end of the OIDC endpoint.
-    boolean isVerified = verifyGoogleIdToken(idTokenCredentials.getAccessToken().getTokenValue(),
-        targetAudience);
+    boolean isVerified =
+        verifyGoogleIdToken(idTokenCredentials.getAccessToken().getTokenValue(), targetAudience);
     if (isVerified) {
       System.out.println("Id token verified.");
       return;
@@ -137,10 +142,11 @@ private static void makeAuthenticatedRequest(IdTokenCredentials idTokenCredentia
   private static boolean verifyGoogleIdToken(String idTokenString, String audience)
       throws GeneralSecurityException, IOException {
     // Initialize the Google id token verifier and set the audience.
-    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
-        GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance())
-        .setAudience(Collections.singletonList(audience))
-        .build();
+    GoogleIdTokenVerifier verifier =
+        new GoogleIdTokenVerifier.Builder(
+                GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance())
+            .setAudience(Collections.singletonList(audience))
+            .build();
 
     // Verify the id token.
     GoogleIdToken idToken = verifier.verify(idTokenString);
@@ -158,5 +164,4 @@ private static boolean verifyGoogleIdToken(String idTokenString, String audience
     }
     return false;
   }
-
 }
diff --git a/samples/snippets/src/main/java/IdTokenFromMetadataServer.java b/samples/snippets/src/main/java/IdTokenFromMetadataServer.java
index 701999922..a8a2cad16 100644
--- a/samples/snippets/src/main/java/IdTokenFromMetadataServer.java
+++ b/samples/snippets/src/main/java/IdTokenFromMetadataServer.java
@@ -35,8 +35,7 @@
 
 public class IdTokenFromMetadataServer {
 
-  public static void main(String[] args)
-      throws IOException, GeneralSecurityException {
+  public static void main(String[] args) throws IOException, GeneralSecurityException {
     // TODO(Developer): Replace the below variables before running the code.
 
     // The service name for which the id token is requested. Service name refers to the
@@ -53,20 +52,23 @@ public static void main(String[] args)
   // ComputeEngine and use that information to obtain an id token.
   // Appengine 2nd Generation, Cloud Run or even Kubernetes engine's also expose a
   // metadata server.
-  // For AppEngine, see: https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata#identifying_which_metadata_endpoint_to_use
-  // For CloudRun container instance, see: https://cloud.google.com/run/docs/container-contract#metadata-server
+  // For AppEngine, see:
+  // https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata#identifying_which_metadata_endpoint_to_use
+  // For CloudRun container instance, see:
+  // https://cloud.google.com/run/docs/container-contract#metadata-server
   public static void getIdTokenFromMetadataServer(String targetAudience)
       throws GeneralSecurityException, IOException {
 
     // Optionally, you can also set scopes in computeEngineCredentials.
     ComputeEngineCredentials computeEngineCredentials = ComputeEngineCredentials.create();
 
-    IdTokenCredentials idTokenCredentials = IdTokenCredentials.newBuilder()
-        .setIdTokenProvider(computeEngineCredentials)
-        .setTargetAudience(targetAudience)
-        // Setting the id token options.
-        .setOptions(Arrays.asList(Option.FORMAT_FULL, Option.LICENSES_TRUE))
-        .build();
+    IdTokenCredentials idTokenCredentials =
+        IdTokenCredentials.newBuilder()
+            .setIdTokenProvider(computeEngineCredentials)
+            .setTargetAudience(targetAudience)
+            // Setting the id token options.
+            .setOptions(Arrays.asList(Option.FORMAT_FULL, Option.LICENSES_TRUE))
+            .build();
 
     // Make a http request with the idTokenCredentials to obtain the access token.
     // stsEndpoint: The Security Token Service exchanges Google or third-party credentials for a
@@ -76,8 +78,8 @@ public static void getIdTokenFromMetadataServer(String targetAudience)
     makeAuthenticatedRequest(idTokenCredentials, stsEndpoint);
 
     // Verify the obtained id token. This is done at the receiving end of the OIDC endpoint.
-    boolean isVerified = verifyGoogleIdToken(idTokenCredentials.getAccessToken().getTokenValue(),
-        targetAudience);
+    boolean isVerified =
+        verifyGoogleIdToken(idTokenCredentials.getAccessToken().getTokenValue(), targetAudience);
     if (isVerified) {
       System.out.println("Id token verified.");
       return;
@@ -101,10 +103,11 @@ private static void makeAuthenticatedRequest(IdTokenCredentials idTokenCredentia
   private static boolean verifyGoogleIdToken(String idTokenString, String audience)
       throws GeneralSecurityException, IOException {
     // Initialize the Google id token verifier and set the audience.
-    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
-        GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance())
-        .setAudience(Collections.singletonList(audience))
-        .build();
+    GoogleIdTokenVerifier verifier =
+        new GoogleIdTokenVerifier.Builder(
+                GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance())
+            .setAudience(Collections.singletonList(audience))
+            .build();
 
     // Verify the id token.
     GoogleIdToken idToken = verifier.verify(idTokenString);
@@ -122,5 +125,4 @@ private static boolean verifyGoogleIdToken(String idTokenString, String audience
     }
     return false;
   }
-
 }
diff --git a/samples/snippets/src/main/java/IdTokenFromServiceAccount.java b/samples/snippets/src/main/java/IdTokenFromServiceAccount.java
index faf5d3d87..355ebf02c 100644
--- a/samples/snippets/src/main/java/IdTokenFromServiceAccount.java
+++ b/samples/snippets/src/main/java/IdTokenFromServiceAccount.java
@@ -51,24 +51,22 @@ public static void main(String[] args)
     getIdTokenFromServiceAccount(jsonCredentialPath, scope, targetAudience);
   }
 
-  public static void getIdTokenFromServiceAccount(String jsonCredentialPath, String scope,
-      String targetAudience)
+  public static void getIdTokenFromServiceAccount(
+      String jsonCredentialPath, String scope, String targetAudience)
       throws IOException, GeneralSecurityException {
 
     // Initialize the Service Account Credentials class with the path to the json file.
-    ServiceAccountCredentials serviceAccountCredentials = ServiceAccountCredentials.fromStream(
-        new FileInputStream(jsonCredentialPath));
+    ServiceAccountCredentials serviceAccountCredentials =
+        ServiceAccountCredentials.fromStream(new FileInputStream(jsonCredentialPath));
     // Restrict the scope of the service account.
-    serviceAccountCredentials = (ServiceAccountCredentials) serviceAccountCredentials.createScoped(
-        Arrays.asList(scope));
+    serviceAccountCredentials =
+        (ServiceAccountCredentials) serviceAccountCredentials.createScoped(Arrays.asList(scope));
 
     // Obtain the id token by providing the target audience.
     // tokenOption: Enum of various credential-specific options to apply to the token. Applicable
     // only for credentials obtained through Compute Engine or Impersonation.
     List<Option> tokenOption = Arrays.asList();
-    IdToken idToken = serviceAccountCredentials.idTokenWithAudience(
-        targetAudience,
-        tokenOption);
+    IdToken idToken = serviceAccountCredentials.idTokenWithAudience(targetAudience, tokenOption);
 
     // Verify the obtained id token. This is done at the receiving end of the OIDC endpoint.
     boolean isVerified = verifyGoogleIdToken(idToken.getTokenValue(), targetAudience);
@@ -79,15 +77,15 @@ public static void getIdTokenFromServiceAccount(String jsonCredentialPath, Strin
     System.out.println("Unable to verify id token.");
   }
 
-
   // Verifies the obtained Google id token.
   private static boolean verifyGoogleIdToken(String idTokenString, String audience)
       throws GeneralSecurityException, IOException {
     // Initialize the Google id token verifier and set the audience.
-    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
-        GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance())
-        .setAudience(Collections.singletonList(audience))
-        .build();
+    GoogleIdTokenVerifier verifier =
+        new GoogleIdTokenVerifier.Builder(
+                GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance())
+            .setAudience(Collections.singletonList(audience))
+            .build();
 
     // Verify the id token.
     GoogleIdToken idToken = verifier.verify(idTokenString);
@@ -105,5 +103,4 @@ private static boolean verifyGoogleIdToken(String idTokenString, String audience
     }
     return false;
   }
-
-}
\ No newline at end of file
+}
diff --git a/samples/snippets/src/main/java/IdTokenFromServiceAccountREST.java b/samples/snippets/src/main/java/IdTokenFromServiceAccountREST.java
index 9e0fa04e4..d6519d93e 100644
--- a/samples/snippets/src/main/java/IdTokenFromServiceAccountREST.java
+++ b/samples/snippets/src/main/java/IdTokenFromServiceAccountREST.java
@@ -55,21 +55,22 @@ public static void main(String[] args)
     getIdTokenFromServiceAccountREST(jsonCredentialPath, scope, targetAudience);
   }
 
-  public static void getIdTokenFromServiceAccountREST(String jsonCredentialPath, String scope,
-      String targetAudience)
+  public static void getIdTokenFromServiceAccountREST(
+      String jsonCredentialPath, String scope, String targetAudience)
       throws IOException, ExecutionException, InterruptedException, GeneralSecurityException {
     // Initialize the Service Account Credentials class with the path to the json file.
-    ServiceAccountCredentials serviceAccountCredentials = ServiceAccountCredentials.fromStream(
-        new FileInputStream(jsonCredentialPath));
+    ServiceAccountCredentials serviceAccountCredentials =
+        ServiceAccountCredentials.fromStream(new FileInputStream(jsonCredentialPath));
     // Restrict the scope of the service account.
-    serviceAccountCredentials = (ServiceAccountCredentials) serviceAccountCredentials.createScoped(
-        Arrays.asList(scope));
+    serviceAccountCredentials =
+        (ServiceAccountCredentials) serviceAccountCredentials.createScoped(Arrays.asList(scope));
 
     // Set the service account and target audience.
-    IdTokenCredentials idTokenCredentials = IdTokenCredentials.newBuilder()
-        .setIdTokenProvider(serviceAccountCredentials)
-        .setTargetAudience(targetAudience)
-        .build();
+    IdTokenCredentials idTokenCredentials =
+        IdTokenCredentials.newBuilder()
+            .setIdTokenProvider(serviceAccountCredentials)
+            .setTargetAudience(targetAudience)
+            .build();
 
     // Make a http request with the idTokenCredentials to obtain the access token.
     // stsEndpoint: The Security Token Service exchanges Google or third-party credentials for a
@@ -79,8 +80,8 @@ public static void getIdTokenFromServiceAccountREST(String jsonCredentialPath, S
     makeAuthenticatedRequest(idTokenCredentials, stsEndpoint);
 
     // Verify the obtained id token. This is done at the receiving end of the OIDC endpoint.
-    boolean isVerified = verifyGoogleIdToken(idTokenCredentials.getAccessToken().getTokenValue(),
-        targetAudience);
+    boolean isVerified =
+        verifyGoogleIdToken(idTokenCredentials.getAccessToken().getTokenValue(), targetAudience);
     if (isVerified) {
       System.out.println("Id token verified.");
       return;
@@ -104,10 +105,11 @@ private static void makeAuthenticatedRequest(IdTokenCredentials idTokenCredentia
   private static boolean verifyGoogleIdToken(String idTokenString, String audience)
       throws GeneralSecurityException, IOException {
     // Initialize the Google id token verifier and set the audience.
-    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
-        GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance())
-        .setAudience(Collections.singletonList(audience))
-        .build();
+    GoogleIdTokenVerifier verifier =
+        new GoogleIdTokenVerifier.Builder(
+                GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance())
+            .setAudience(Collections.singletonList(audience))
+            .build();
 
     // Verify the id token.
     GoogleIdToken idToken = verifier.verify(idTokenString);
diff --git a/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java b/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java
index a7ec3708a..5b93066c2 100644
--- a/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java
+++ b/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java
@@ -39,7 +39,8 @@
 public class VerifyNonGoogleIdToken {
 
   public static void main(String[] args)
-      throws IOException, ExecutionException, InterruptedException, GeneralSecurityException, JwkException {
+      throws IOException, ExecutionException, InterruptedException, GeneralSecurityException,
+          JwkException {
     // TODO(Developer): Replace the below variables before running the code.
     // Path to the service account json credential file.
     String jsonCredentialPath = "path-to-json-credential-file";
@@ -58,10 +59,12 @@ public static void main(String[] args)
     // OpenID Connect allows the use of a "Discovery document," a JSON document found at a
     // well-known location containing key-value pairs which provide details about the
     // OpenID Connect provider's configuration.
-    // For more information on validating the jwt, see: https://developers.google.com/identity/protocols/oauth2/openid-connect#validatinganidtoken
+    // For more information on validating the jwt, see:
+    // https://developers.google.com/identity/protocols/oauth2/openid-connect#validatinganidtoken
     //
     // Here, we validate Google's token using Google's OpenID Connect service (jwkUrl).
-    // For more information on jwk,see: https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets
+    // For more information on jwk,see:
+    // https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets
     String jwkUrl = "https://www.googleapis.com/oauth2/v3/certs";
 
     verifyNonGoogleIdToken(jsonCredentialPath, targetAudience, scope, jwkUrl);
@@ -69,14 +72,14 @@ public static void main(String[] args)
 
   // Verify a non-google id token. Here, we are using the Google's jwk. The procedure is the same
   // even if the jwk is from a different provider.
-  public static void verifyNonGoogleIdToken(String jsonCredentialPath, String targetAudience,
-      String scope, String jwkUrl)
+  public static void verifyNonGoogleIdToken(
+      String jsonCredentialPath, String targetAudience, String scope, String jwkUrl)
       throws IOException, JwkException, GeneralSecurityException {
     // Create an id token from the given service account.
     // Since we are using Google's jwk, we are creating an id token from a Google service account.
     // If a different provider is used, then generate an id token accordingly.
-    String idToken = getIdTokenFromServiceAccount(jsonCredentialPath, scope,
-        targetAudience).getTokenValue();
+    String idToken =
+        getIdTokenFromServiceAccount(jsonCredentialPath, scope, targetAudience).getTokenValue();
 
     // Start verification.
     DecodedJWT jwt = JWT.decode(idToken);
@@ -113,26 +116,23 @@ public static void verifyNonGoogleIdToken(String jsonCredentialPath, String targ
   }
 
   // Get an id token from a Google service account.
-  private static IdToken getIdTokenFromServiceAccount(String jsonCredentialPath, String scope,
-      String targetAudience)
+  private static IdToken getIdTokenFromServiceAccount(
+      String jsonCredentialPath, String scope, String targetAudience)
       throws IOException, GeneralSecurityException, JwkException {
 
     // Initialize the Service Account Credentials class with the path to the json file.
-    ServiceAccountCredentials serviceAccountCredentials = ServiceAccountCredentials.fromStream(
-        new FileInputStream(jsonCredentialPath));
+    ServiceAccountCredentials serviceAccountCredentials =
+        ServiceAccountCredentials.fromStream(new FileInputStream(jsonCredentialPath));
     // Restrict the scope of the service account.
-    serviceAccountCredentials = (ServiceAccountCredentials) serviceAccountCredentials.createScoped(
-        Arrays.asList(scope));
+    serviceAccountCredentials =
+        (ServiceAccountCredentials) serviceAccountCredentials.createScoped(Arrays.asList(scope));
 
     // Obtain the id token by providing the target audience.
     // tokenOption: Enum of various credential-specific options to apply to the token. Applicable
     // only for credentials obtained through Compute Engine or Impersonation.
     List<Option> tokenOption = Arrays.asList();
-    IdToken idToken = serviceAccountCredentials.idTokenWithAudience(
-        targetAudience,
-        tokenOption);
+    IdToken idToken = serviceAccountCredentials.idTokenWithAudience(targetAudience, tokenOption);
 
     return idToken;
   }
-
 }
diff --git a/samples/snippets/src/test/java/SnippetsIT.java b/samples/snippets/src/test/java/SnippetsIT.java
index ff6479d39..7a35e7344 100644
--- a/samples/snippets/src/test/java/SnippetsIT.java
+++ b/samples/snippets/src/test/java/SnippetsIT.java
@@ -41,7 +41,8 @@ public class SnippetsIT {
   // Check if the required environment variables are set.
   public static void requireEnvVar(String envVarName) {
     assertWithMessage(String.format("Missing environment variable '%s' ", envVarName))
-        .that(System.getenv(envVarName)).isNotEmpty();
+        .that(System.getenv(envVarName))
+        .isNotEmpty();
   }
 
   @BeforeClass
@@ -57,8 +58,7 @@ public static void setup() throws IOException {
   }
 
   @AfterClass
-  public static void cleanup() {
-  }
+  public static void cleanup() {}
 
   @Before
   public void beforeEach() {
@@ -75,9 +75,7 @@ public void afterEach() {
   @Test
   public void testIdTokenFromServiceAccount() throws GeneralSecurityException, IOException {
     IdTokenFromServiceAccount.getIdTokenFromServiceAccount(
-        CREDENTIALS,
-        "https://www.googleapis.com/auth/pubsub",
-        "pubsub.googleapis.com");
+        CREDENTIALS, "https://www.googleapis.com/auth/pubsub", "pubsub.googleapis.com");
     assertThat(stdOut.toString()).contains("Id token verified.");
   }
 
@@ -85,9 +83,7 @@ public void testIdTokenFromServiceAccount() throws GeneralSecurityException, IOE
   public void testIdTokenFromServiceAccountRest()
       throws GeneralSecurityException, IOException, ExecutionException, InterruptedException {
     IdTokenFromServiceAccountREST.getIdTokenFromServiceAccountREST(
-        CREDENTIALS,
-        "https://www.googleapis.com/auth/pubsub",
-        "pubsub.googleapis.com");
+        CREDENTIALS, "https://www.googleapis.com/auth/pubsub", "pubsub.googleapis.com");
     assertThat(stdOut.toString()).contains("Id token verified.");
   }
 
@@ -117,9 +113,7 @@ public void testAuthenticateImplicitWithAdc() throws IOException {
   @Test
   public void testAuthenticateExplicit() throws IOException {
     AuthenticateExplicit.authenticateExplicit(
-        PROJECT_ID,
-        CREDENTIALS,
-        "https://www.googleapis.com/auth/devstorage.full_control");
+        PROJECT_ID, CREDENTIALS, "https://www.googleapis.com/auth/devstorage.full_control");
     assertThat(stdOut.toString()).contains("Authentication complete.");
   }
 
@@ -128,5 +122,4 @@ public void testAuthWithCredentialsFromMetadataServer() {
     AuthWithCredentialsFromMetadataServer.authWithCredentialsFromMetadataServer(PROJECT_ID);
     assertThat(stdOut.toString()).contains("Authentication complete.");
   }
-
 }

From b2f367ec2cf72eff7f3c86a543300a584361ba38 Mon Sep 17 00:00:00 2001
From: SitaLakshmi <sita1996@gmail.com>
Date: Mon, 18 Jul 2022 15:58:07 +0530
Subject: [PATCH 06/16] refactored acc to review comments

---
 samples/snippets/pom.xml                      |   2 +-
 ...AuthWithCredentialsFromMetadataServer.java |  14 +-
 .../src/main/java/AuthenticateExplicit.java   |  42 ++---
 .../java/AuthenticateImplicitWithAdc.java     |  37 +----
 .../IdTokenFromImpersonatedCredentials.java   | 154 ------------------
 ...dTokenFromImpersonatedCredentials_IAM.java | 105 ++++++++++++
 ...kenFromImpersonatedCredentials_OAuth.java} |  89 +++-------
 .../main/java/IdTokenFromMetadataServer.java  |  93 +++--------
 .../main/java/IdTokenFromServiceAccount.java  |  56 ++-----
 .../java/IdTokenFromServiceAccountREST.java   | 128 ---------------
 .../src/main/java/VerifyGoogleIdToken.java    |  68 ++++++++
 .../src/main/java/VerifyNonGoogleIdToken.java |  54 +-----
 .../snippets/src/test/java/SnippetsIT.java    |  55 +++++--
 13 files changed, 294 insertions(+), 603 deletions(-)
 delete mode 100644 samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
 create mode 100644 samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials_IAM.java
 rename samples/snippets/src/main/java/{IdTokenFromImpersonatedCredentialsREST.java => IdTokenFromImpersonatedCredentials_OAuth.java} (52%)
 delete mode 100644 samples/snippets/src/main/java/IdTokenFromServiceAccountREST.java
 create mode 100644 samples/snippets/src/main/java/VerifyGoogleIdToken.java

diff --git a/samples/snippets/pom.xml b/samples/snippets/pom.xml
index a8e3fb44c..866c37041 100644
--- a/samples/snippets/pom.xml
+++ b/samples/snippets/pom.xml
@@ -8,7 +8,7 @@
 
   <!--
     The parent pom defines common style checks and testing strategies for our samples.
-    Removing or replacing it should not affect the execution of the samples in anyway.
+    Removing or replacing it should not affect the execution of the samples in any way.
   -->
   <parent>
     <groupId>com.google.cloud.samples</groupId>
diff --git a/samples/snippets/src/main/java/AuthWithCredentialsFromMetadataServer.java b/samples/snippets/src/main/java/AuthWithCredentialsFromMetadataServer.java
index e5bf3d1da..f7d1c71de 100644
--- a/samples/snippets/src/main/java/AuthWithCredentialsFromMetadataServer.java
+++ b/samples/snippets/src/main/java/AuthWithCredentialsFromMetadataServer.java
@@ -34,15 +34,7 @@ public static void main(String[] args) throws IOException, GeneralSecurityExcept
     authWithCredentialsFromMetadataServer(projectId);
   }
 
-  // Authenticating using Client libraries can be done in one of the following ways:
-  // 1. Implicit authentication with ADC (Application Default Credentials)
-  // 2. Explicit authentication by specifying the service account
-  // 3. Authentication with service account credentials obtained from a metadata server, like,
-  // Compute Engine or App Engine etc.,
-  // 4. Bring your own (BYO) access token
-  // 5. Using API keys (for libraries that support)
-  //
-  // In this snippet, we demonstrate "Authentication with service account credentials
+  // In this snippet, we demonstrate "Authentication with account credentials
   // obtained from a metadata server".
   public static void authWithCredentialsFromMetadataServer(String project) {
 
@@ -58,10 +50,10 @@ public static void authWithCredentialsFromMetadataServer(String project) {
     System.out.println("Authentication complete.");
   }
 
-  // Initialize the Storage client by getting the Service account credentials
+  // Initialize the Storage client by getting the credentials
   // from a Metadata server.
   private static Storage initService(String projectId) {
-    // Explicitly request the service account credentials from the ComputeEngine metadata server.
+    // Explicitly request the credentials from the ComputeEngine metadata server.
     GoogleCredentials credentials = ComputeEngineCredentials.create();
 
     // Alternately, if executing within AppEngine, you can get credentials as follows:
diff --git a/samples/snippets/src/main/java/AuthenticateExplicit.java b/samples/snippets/src/main/java/AuthenticateExplicit.java
index 949034098..b3a6f5860 100644
--- a/samples/snippets/src/main/java/AuthenticateExplicit.java
+++ b/samples/snippets/src/main/java/AuthenticateExplicit.java
@@ -19,8 +19,6 @@
 import com.google.cloud.storage.Bucket;
 import com.google.cloud.storage.Storage;
 import com.google.cloud.storage.StorageOptions;
-import com.google.common.collect.Lists;
-import java.io.FileInputStream;
 import java.io.IOException;
 import java.security.GeneralSecurityException;
 
@@ -32,33 +30,22 @@ public static void main(String[] args) throws IOException, GeneralSecurityExcept
     //  2. Make sure you have the necessary permission to list storage buckets "storage.buckets.list"
     String projectId = "your-google-cloud-project-id";
 
-    // Path to the service account json credential file.
-    String jsonCredentialPath = "path-to-json-credential-file";
-
     // Provide the scopes that you might need to request to access Google APIs,
     // depending on the level of access you need.
-    // Example: The following scope lets you view and manage Pub/Sub topics and subscriptions.
     // For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes
-    String scope = "https://www.googleapis.com/auth/devstorage.full_control";
+    // The best practice is to use the cloud-wide scope and use IAM to narrow the permissions.
+    // https://cloud.google.com/docs/authentication#authorization_for_services
+    String scope = "https://www.googleapis.com/auth/cloud-platform";
 
-    authenticateExplicit(projectId, jsonCredentialPath, scope);
+    authenticateExplicit(projectId, scope);
   }
 
-  // Authenticating using Client libraries can be done in one of the following ways:
-  // 1. Implicit authentication with ADC (Application Default Credentials)
-  // 2. Explicit authentication by specifying the service account
-  // 3. Authentication with service account credentials obtained from metadata server, like,
-  // Compute Engine or App Engine etc.,
-  // 4. Bring your own (BYO) access token
-  // 5. Using API keys (for libraries that support)
-  //
-  // In this snippet, we demonstrate "Explicit authentication by specifying the service account".
-  public static void authenticateExplicit(String project, String jsonCredentialPath, String scope)
+  // List storage buckets by authenticating with ADC.
+  public static void authenticateExplicit(String project, String scope)
       throws IOException {
 
-    // This snippet demonstrates how to initialize Cloud Storage and list buckets.
-    // Note that the credentials are explicitly specified when constructing the client.
-    Storage storage = initService(project, jsonCredentialPath, scope);
+    // Initialize the storage client.
+    Storage storage = initService(project, scope);
 
     System.out.println("Buckets:");
     Page<Bucket> buckets = storage.list();
@@ -68,17 +55,14 @@ public static void authenticateExplicit(String project, String jsonCredentialPat
     System.out.println("Authentication complete.");
   }
 
-  // Initialize the Storage client by explicitly setting the Service account to use.
-  private static Storage initService(String projectId, String jsonCredentialPath, String scope)
+  // Initialize the Storage client using ADC (Application Default Credentials).
+  private static Storage initService(String projectId, String scope)
       throws IOException {
-    // Construct the GoogleCredentials object which accepts the service account json file and
-    // scope as the input parameters.
-    GoogleCredentials credentials = GoogleCredentials
-        .fromStream(new FileInputStream(jsonCredentialPath))
-        .createScoped(Lists.newArrayList(scope));
+    // Construct the GoogleCredentials object which obtains the default configuration from your
+    // working environment.
+    GoogleCredentials credentials = GoogleCredentials.getApplicationDefault().createScoped(scope);
 
     // Construct the Storage client.
-    // Note that, here we explicitly specify the service account to use.
     return StorageOptions.newBuilder()
         .setCredentials(credentials)
         .setProjectId(projectId)
diff --git a/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java b/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java
index 18b8d2ee0..69b3e60d2 100644
--- a/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java
+++ b/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java
@@ -22,42 +22,16 @@ public class AuthenticateImplicitWithAdc {
 
   public static void main(String[] args) throws IOException {
     // TODO(Developer):
-    //  1. Set the following environment variable before running the code.
-    //  APPLICATION_DEFAULT_CREDENTIALS="path-to-the-service-account-json-credential-file"
-    //  2. Replace the below variable.
+    //  1. Before running this sample, authenticate using ADC as mentioned in:
+    //  https://cloud.google.com/docs/authentication/provide-credentials-adc#how_to_provide_credentials_to_adc
+    //  2. Replace the projectId variable.
     //  3. Make sure you have the necessary permission "compute.instances.list"
     String projectId = "your-google-cloud-project-id";
     authenticateImplicitWithAdc(projectId);
   }
 
-  // Authenticating using Client libraries can be done in one of the following ways:
-  // 1. Implicit authentication with ADC (Application Default Credentials)
-  // 2. Explicit authentication by specifying the service account
-  // 3. Authentication with service account credentials obtained from metadata server, like,
-  // Compute Engine or App Engine etc.,
-  // 4. Bring your own (BYO) access token
-  // 5. Using API keys (for libraries that support)
-  //
-  // In this snippet, we demonstrate "Implicit authentication with ADC".
-  // ADC - Application Default Credentials
   // When interacting with Google Cloud Client libraries, the library can auto-detect the
-  // credentials to use, if the "APPLICATION_DEFAULT_CREDENTIALS" is set.
-  // This APPLICATION_DEFAULT_CREDENTIALS is an environment variable/ configuration.
-  // This configuration can be made available to the code in various ways depending upon where the
-  // code is executed.
-  // Examples:
-  // 1. If running your code in local development environment, just set the following environment
-  // variable:
-  //      APPLICATION_DEFAULT_CREDENTIALS="path-to-the-service-account-json-file"  OR
-  // You can also set the ADC with gcloud if you have the gcloud installed:
-  //      gcloud auth application-default login
-  //
-  // 2. When you use a Google Cloud cloud-based development environment such as Cloud Shell or
-  // Cloud Code, the tool uses the credentials you provided when you logged in,
-  // and manages any authorizations required.
-  //
-  // For more environments, see: https://cloud.devsite.corp.google.com/docs/authentication/provide-credentials-adc
-  //
+  // credentials to use.
   // ADC detection is independent of the client library and language and works with all Cloud Client
   // libraries.
   public static void authenticateImplicitWithAdc(String project) throws IOException {
@@ -65,8 +39,7 @@ public static void authenticateImplicitWithAdc(String project) throws IOExceptio
     String zone = "us-central1-a";
     // This snippet demonstrates how to initialize Cloud Compute Engine and list instances.
     // Note that the credentials are not specified when constructing the client.
-    // Hence, the client library will look for credentials via the
-    // environment variable GOOGLE_APPLICATION_CREDENTIALS.
+    // Hence, the client library will look for credentials using ADC.
     try (InstancesClient instancesClient = InstancesClient.create()) {
       // Set the project and zone to retrieve instances present in the zone.
       System.out.printf("Listing instances from %s in %s:", project, zone);
diff --git a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
deleted file mode 100644
index 9037ecfea..000000000
--- a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
+++ /dev/null
@@ -1,154 +0,0 @@
-/*
- * Copyright 2022 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
-import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
-import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
-import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
-import com.google.api.client.json.gson.GsonFactory;
-import com.google.api.services.iamcredentials.v1.IAMCredentials;
-import com.google.api.services.iamcredentials.v1.IAMCredentials.Projects.ServiceAccounts.GenerateIdToken;
-import com.google.api.services.iamcredentials.v1.model.GenerateIdTokenRequest;
-import com.google.auth.http.HttpCredentialsAdapter;
-import com.google.auth.oauth2.GoogleCredentials;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.security.GeneralSecurityException;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.List;
-
-public class IdTokenFromImpersonatedCredentials {
-
-  public static void main(String[] args)
-      throws IOException, GeneralSecurityException {
-    // TODO(Developer): Replace the below variables before running the code.
-
-    // Your Google Cloud project id.
-    String projectId = "your-google-cloud-project-id";
-
-    // Path to the service account json credential file.
-    String jsonCredentialPath = "path-to-json-credential-file";
-
-    // Provide the scopes that you might need to request to access Google APIs,
-    // depending on the level of access you need.
-    // Example: The following scope lets you view and manage Pub/Sub topics and subscriptions.
-    // For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes
-    String scope = "https://www.googleapis.com/auth/pubsub";
-
-    // The service name for which the id token is requested. Service name refers to the
-    // logical identifier of an API service, such as "pubsub.googleapis.com".
-    String targetAudience = "pubsub.googleapis.com";
-
-    // The service account name of the limited-privilege account for whom the credential is created.
-    String impersonatedServiceAccount =
-        "name@project.service.gserviceaccount.com";
-
-    getIdTokenFromImpersonatedCredentials(projectId, jsonCredentialPath, impersonatedServiceAccount,
-        scope, targetAudience);
-  }
-
-  public static void getIdTokenFromImpersonatedCredentials(String projectId,
-      String jsonCredentialPath, String impersonatedServiceAccount, String scope,
-      String targetAudience)
-      throws GeneralSecurityException, IOException {
-
-    // Initialize the IAMCredentials service with the source credential and scope.
-    IAMCredentials service = null;
-    try {
-      service = initService(jsonCredentialPath, scope);
-    } catch (IOException | GeneralSecurityException e) {
-      System.out.println("Unable to initialize service: \n" + e);
-      return;
-    }
-
-    // delegates: The chained list of delegates required to grant the final accessToken.
-    //
-    // If set, the sequence of identities must have "Service Account Token Creator" capability
-    // granted to the preceding identity.
-    // For example, if set to [serviceAccountB, serviceAccountC], the source credential must have
-    // the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator on
-    // serviceAccountC. Finally, C must have Token Creator on impersonatedServiceAccount.
-    //
-    // If left unset, source credential must have that role on impersonatedServiceAccount.
-    List<String> delegates = null;
-
-    // Set the target audience and Token options.
-    GenerateIdTokenRequest idTokenRequest = new GenerateIdTokenRequest()
-        .setAudience(targetAudience)
-        .setDelegates(delegates)
-        // Setting this will include email in the id token.
-        .setIncludeEmail(Boolean.TRUE);
-
-    // Generate the id token for the impersonated service account, using the generateIdToken()
-    // from IAMCredentials class.
-    GenerateIdToken idToken = service
-        .projects()
-        .serviceAccounts()
-        .generateIdToken(
-            String.format("projects/%s/serviceAccounts/%s", projectId, impersonatedServiceAccount),
-            idTokenRequest);
-
-    // Verify the obtained id token. This is done at the receiving end of the OIDC endpoint.
-    boolean isVerified = verifyGoogleIdToken(idToken.getAccessToken(), targetAudience);
-    if (isVerified) {
-      System.out.println("Id token verified.");
-      return;
-    }
-    System.out.println("Unable to verify id token.");
-  }
-
-  private static IAMCredentials initService(String jsonCredentialPath, String scope)
-      throws GeneralSecurityException, IOException {
-    GoogleCredentials credential =
-        GoogleCredentials.fromStream(new FileInputStream(jsonCredentialPath))
-            .createScoped(Arrays.asList(scope));
-
-    // Initialize the IAMCredentials service.
-    return new IAMCredentials.Builder(
-        GoogleNetHttpTransport.newTrustedTransport(),
-        GsonFactory.getDefaultInstance(),
-        new HttpCredentialsAdapter(credential))
-        .setApplicationName("service-accounts")
-        .build();
-  }
-
-  // Verifies the obtained Google id token.
-  private static boolean verifyGoogleIdToken(String idTokenString, String audience)
-      throws GeneralSecurityException, IOException {
-    // Initialize the Google id token verifier and set the audience.
-    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
-        GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance())
-        .setAudience(Collections.singletonList(audience))
-        .build();
-
-    // Verify the id token.
-    GoogleIdToken idToken = verifier.verify(idTokenString);
-    if (idToken != null) {
-      Payload payload = idToken.getPayload();
-      // Get the user id.
-      String userId = payload.getSubject();
-      System.out.println("User ID: " + userId);
-
-      // Optionally, if "INCLUDE_EMAIL" was set in the "IdTokenProvider.Option", check if the
-      // email was verified.
-      boolean emailVerified = payload.getEmailVerified();
-      System.out.printf("Email verified: %s", emailVerified);
-      return true;
-    }
-    return false;
-  }
-}
diff --git a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials_IAM.java b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials_IAM.java
new file mode 100644
index 000000000..39950181e
--- /dev/null
+++ b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials_IAM.java
@@ -0,0 +1,105 @@
+/*
+ * Copyright 2022 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
+import com.google.api.client.json.gson.GsonFactory;
+import com.google.api.services.iamcredentials.v1.IAMCredentials;
+import com.google.api.services.iamcredentials.v1.IAMCredentials.Projects.ServiceAccounts.GenerateIdToken;
+import com.google.api.services.iamcredentials.v1.model.GenerateIdTokenRequest;
+import com.google.auth.http.HttpCredentialsAdapter;
+import com.google.auth.oauth2.GoogleCredentials;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
+public class IdTokenFromImpersonatedCredentials_IAM {
+
+  public static void main(String[] args)
+      throws IOException, GeneralSecurityException {
+    // TODO(Developer): Replace the below variables before running the code.
+
+    // Your Google Cloud project id.
+    String projectId = "your-google-cloud-project-id";
+
+    // Provide the scopes that you might need to request to access Google APIs,
+    // depending on the level of access you need.
+    // The best practice is to use the cloud-wide scope and use IAM to narrow the permissions.
+    // https://cloud.google.com/docs/authentication#authorization_for_services
+    // For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes
+    String scope = "https://www.googleapis.com/auth/cloud-platform";
+
+    // The service name for which the id token is requested. Service name refers to the
+    // logical identifier of an API service, such as "pubsub.googleapis.com".
+    String targetAudience = "iap.googleapis.com";
+
+    // The service account name of the limited-privilege account for whom the credential is created.
+    String impersonatedServiceAccount =
+        "name@project.service.gserviceaccount.com";
+
+    getIdTokenUsingIAM(projectId, impersonatedServiceAccount, scope, targetAudience);
+  }
+
+  // Use a service account (SA1) to impersonate as another service account (SA2) and obtain id token
+  // for the impersonated account using the IAM library.
+  // To obtain token for SA2, SA1 should have the "roles/iam.serviceAccountTokenCreator" permission
+  // on SA2.
+  public static void getIdTokenUsingIAM(String projectId, String impersonatedServiceAccount,
+      String scope, String targetAudience)
+      throws IOException {
+
+    // Initialize the IAMCredentials service with the source credential and scope.
+    IAMCredentials service = null;
+    try {
+      service = initService(scope);
+    } catch (IOException | GeneralSecurityException e) {
+      System.out.println("Unable to initialize service: \n" + e);
+      return;
+    }
+
+    // Set the target audience and Token options.
+    GenerateIdTokenRequest idTokenRequest = new GenerateIdTokenRequest()
+        .setAudience(targetAudience)
+        // Setting this will include email in the id token.
+        .setIncludeEmail(Boolean.TRUE);
+
+    // Generate the id token for the impersonated service account, using the generateIdToken()
+    // from IAMCredentials class.
+    GenerateIdToken idToken = service
+        .projects()
+        .serviceAccounts()
+        .generateIdToken(
+            String.format("projects/%s/serviceAccounts/%s", projectId, impersonatedServiceAccount),
+            idTokenRequest);
+
+    System.out.printf("Generated ID token: %s", idToken.getAccessToken());
+  }
+
+  // Initialize the IAM service.
+  private static IAMCredentials initService(String scope)
+      throws GeneralSecurityException, IOException {
+    // Construct the GoogleCredentials object which obtains the default configuration from your
+    // working environment.
+    GoogleCredentials credential = GoogleCredentials.getApplicationDefault().createScoped(scope);
+
+    // Initialize the IAMCredentials service.
+    return new IAMCredentials.Builder(
+        GoogleNetHttpTransport.newTrustedTransport(),
+        GsonFactory.getDefaultInstance(),
+        new HttpCredentialsAdapter(credential))
+        .setApplicationName("service-accounts")
+        .build();
+  }
+
+}
diff --git a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentialsREST.java b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials_OAuth.java
similarity index 52%
rename from samples/snippets/src/main/java/IdTokenFromImpersonatedCredentialsREST.java
rename to samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials_OAuth.java
index 2d42786df..3695c26d7 100644
--- a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentialsREST.java
+++ b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials_OAuth.java
@@ -14,68 +14,56 @@
  * limitations under the License.
  */
 
-import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
-import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
-import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
-import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
 import com.google.api.client.http.GenericUrl;
 import com.google.api.client.http.HttpRequest;
 import com.google.api.client.http.HttpResponse;
 import com.google.api.client.http.HttpTransport;
 import com.google.api.client.http.javanet.NetHttpTransport;
-import com.google.api.client.json.gson.GsonFactory;
 import com.google.auth.http.HttpCredentialsAdapter;
+import com.google.auth.oauth2.GoogleCredentials;
 import com.google.auth.oauth2.IdTokenCredentials;
 import com.google.auth.oauth2.IdTokenProvider.Option;
 import com.google.auth.oauth2.ImpersonatedCredentials;
-import com.google.auth.oauth2.ServiceAccountCredentials;
-import java.io.FileInputStream;
 import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.util.Arrays;
-import java.util.Collections;
 import java.util.List;
 
-public class IdTokenFromImpersonatedCredentialsREST {
+public class IdTokenFromImpersonatedCredentials_OAuth {
 
   public static void main(String[] args)
       throws IOException, GeneralSecurityException {
     // TODO(Developer): Replace the below variables before running the code.
-    // Path to the service account json credential file.
-    String jsonCredentialPath = "path-to-json-credential-file";
 
     // Provide the scopes that you might need to request to access Google APIs,
     // depending on the level of access you need.
-    // Example: The following scope lets you view and manage Pub/Sub topics and subscriptions.
+    // The best practice is to use the cloud-wide scope and use IAM to narrow the permissions.
+    // https://cloud.google.com/docs/authentication#authorization_for_services
     // For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes
-    String scope = "https://www.googleapis.com/auth/pubsub";
+    String scope = "https://www.googleapis.com/auth/cloud-platform";
 
     // The service name for which the id token is requested. Service name refers to the
     // logical identifier of an API service, such as "pubsub.googleapis.com".
-    String targetAudience = "pubsub.googleapis.com";
+    String targetAudience = "iap.googleapis.com";
 
     // The service account name of the limited-privilege account for whom the credential is created.
     String impersonatedServiceAccount =
         "name@project.service.gserviceaccount.com";
 
-    getIdTokenFromImpersonatedCredentials(jsonCredentialPath, impersonatedServiceAccount, scope,
-        targetAudience);
+    getIdTokenUsingOAuth2(impersonatedServiceAccount, scope, targetAudience);
   }
 
   // Use a service account (SA1) to impersonate as another service account (SA2) and obtain id token
   // for the impersonated account.
   // To obtain token for SA2, SA1 should have the "roles/iam.serviceAccountTokenCreator" permission
   // on SA2.
-  public static void getIdTokenFromImpersonatedCredentials(String jsonCredentialPath,
-      String impersonatedServiceAccount, String scope,
-      String targetAudience) throws IOException, GeneralSecurityException {
-    // Initialize the Service Account Credentials class with the path to the json file.
-    // The caller who issues a request for the short-lived credentials.
-    ServiceAccountCredentials serviceAccountCredentials = ServiceAccountCredentials.fromStream(
-        new FileInputStream(jsonCredentialPath));
-    // Restrict the scope of the service account.
-    serviceAccountCredentials = (ServiceAccountCredentials) serviceAccountCredentials.createScoped(
-        Arrays.asList("https://www.googleapis.com/auth/cloud-platform"));
+  public static void getIdTokenUsingOAuth2(String impersonatedServiceAccount, String scope,
+      String targetAudience) throws IOException {
+
+    // Construct the GoogleCredentials object which obtains the default configuration from your
+    // working environment.
+    GoogleCredentials googleCredentials = GoogleCredentials.getApplicationDefault()
+        .createScoped(scope);
 
     // delegates: The chained list of delegates required to grant the final accessToken.
     //
@@ -90,7 +78,7 @@ public static void getIdTokenFromImpersonatedCredentials(String jsonCredentialPa
 
     // Create the impersonated credential.
     ImpersonatedCredentials impersonatedCredentials = ImpersonatedCredentials.create(
-        serviceAccountCredentials,
+        googleCredentials,
         impersonatedServiceAccount,
         delegates,
         Arrays.asList(scope),
@@ -104,24 +92,14 @@ public static void getIdTokenFromImpersonatedCredentials(String jsonCredentialPa
         .setOptions(Arrays.asList(Option.INCLUDE_EMAIL))
         .build();
 
-    // Make a http request with the idTokenCredentials to obtain the access token.
-    // stsEndpoint: The Security Token Service exchanges Google or third-party credentials for a
-    // short-lived access token to Google Cloud resources.
-    // https://cloud.google.com/iam/docs/reference/sts/rest
-    String stsEndpoint = "https://sts.googleapis.com/v1/token";
-    makeAuthenticatedRequest(idTokenCredentials, stsEndpoint);
+    // Get the ID token.
+    System.out.printf("ID token: %s", idTokenCredentials.refreshAccessToken().getTokenValue());
 
-    // Verify the obtained id token. This is done at the receiving end of the OIDC endpoint.
-    boolean isVerified = verifyGoogleIdToken(idTokenCredentials.getAccessToken().getTokenValue(),
-        targetAudience);
-    if (isVerified) {
-      System.out.println("Id token verified.");
-      return;
-    }
-    System.out.println("Unable to verify id token.");
+    String url = "url-to-make-authenticated-request";
+    makeAuthenticatedRequest(idTokenCredentials, url);
   }
 
-  // Makes a simple http get call.
+  // Makes a simple HTTP call.
   private static void makeAuthenticatedRequest(IdTokenCredentials idTokenCredentials, String url)
       throws IOException {
     GenericUrl genericUrl = new GenericUrl(url);
@@ -132,31 +110,4 @@ private static void makeAuthenticatedRequest(IdTokenCredentials idTokenCredentia
     HttpResponse response = request.execute();
     System.out.println(response.parseAsString());
   }
-
-  // Verifies the obtained Google id token.
-  private static boolean verifyGoogleIdToken(String idTokenString, String audience)
-      throws GeneralSecurityException, IOException {
-    // Initialize the Google id token verifier and set the audience.
-    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
-        GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance())
-        .setAudience(Collections.singletonList(audience))
-        .build();
-
-    // Verify the id token.
-    GoogleIdToken idToken = verifier.verify(idTokenString);
-    if (idToken != null) {
-      Payload payload = idToken.getPayload();
-      // Get the user id.
-      String userId = payload.getSubject();
-      System.out.println("User ID: " + userId);
-
-      // Optionally, if "INCLUDE_EMAIL" was set in the "IdTokenProvider.Option", check if the
-      // email was verified.
-      boolean emailVerified = payload.getEmailVerified();
-      System.out.printf("Email verified: %s", emailVerified);
-      return true;
-    }
-    return false;
-  }
-
 }
diff --git a/samples/snippets/src/main/java/IdTokenFromMetadataServer.java b/samples/snippets/src/main/java/IdTokenFromMetadataServer.java
index 701999922..05ae8246f 100644
--- a/samples/snippets/src/main/java/IdTokenFromMetadataServer.java
+++ b/samples/snippets/src/main/java/IdTokenFromMetadataServer.java
@@ -14,24 +14,19 @@
  * limitations under the License.
  */
 
-import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
-import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
-import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
-import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
 import com.google.api.client.http.GenericUrl;
 import com.google.api.client.http.HttpRequest;
 import com.google.api.client.http.HttpResponse;
 import com.google.api.client.http.HttpTransport;
 import com.google.api.client.http.javanet.NetHttpTransport;
-import com.google.api.client.json.gson.GsonFactory;
 import com.google.auth.http.HttpCredentialsAdapter;
-import com.google.auth.oauth2.ComputeEngineCredentials;
+import com.google.auth.oauth2.GoogleCredentials;
 import com.google.auth.oauth2.IdTokenCredentials;
+import com.google.auth.oauth2.IdTokenProvider;
 import com.google.auth.oauth2.IdTokenProvider.Option;
 import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.util.Arrays;
-import java.util.Collections;
 
 public class IdTokenFromMetadataServer {
 
@@ -39,53 +34,38 @@ public static void main(String[] args)
       throws IOException, GeneralSecurityException {
     // TODO(Developer): Replace the below variables before running the code.
 
-    // The service name for which the id token is requested. Service name refers to the
-    // logical identifier of an API service, such as "pubsub.googleapis.com".
-    String targetAudience = "pubsub.googleapis.com";
+    // The url or target audience to obtain the ID token for.
+    String url = "http://www.abc.com";
 
-    getIdTokenFromMetadataServer(targetAudience);
+    getIdTokenFromMetadataServer(url);
   }
 
-  // Every VM stores its metadata on a metadata server. You can query for default VM metadata,
-  // such as the VM's host name, instance ID, and service account information programmatically
-  // from within a VM.
-  // Here, we query the service account information from the Metadata server exposed by the
-  // ComputeEngine and use that information to obtain an id token.
-  // Appengine 2nd Generation, Cloud Run or even Kubernetes engine's also expose a
-  // metadata server.
-  // For AppEngine, see: https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata#identifying_which_metadata_endpoint_to_use
-  // For CloudRun container instance, see: https://cloud.google.com/run/docs/container-contract#metadata-server
-  public static void getIdTokenFromMetadataServer(String targetAudience)
-      throws GeneralSecurityException, IOException {
-
-    // Optionally, you can also set scopes in computeEngineCredentials.
-    ComputeEngineCredentials computeEngineCredentials = ComputeEngineCredentials.create();
+  // Use the Google Cloud metadata server in the Cloud Run (or AppEngine or Kubernetes etc.,)
+  // environment to create an identity token and add it to the HTTP request as part of an
+  // Authorization header.
+  public static void getIdTokenFromMetadataServer(String url)
+      throws IOException {
+    // Construct the GoogleCredentials object which obtains the default configuration from your
+    // working environment.
+    // Optionally, you can also set scopes.
+    GoogleCredentials googleCredentials = GoogleCredentials.getApplicationDefault();
 
     IdTokenCredentials idTokenCredentials = IdTokenCredentials.newBuilder()
-        .setIdTokenProvider(computeEngineCredentials)
-        .setTargetAudience(targetAudience)
-        // Setting the id token options.
+        .setIdTokenProvider((IdTokenProvider) googleCredentials)
+        .setTargetAudience(url)
+        // Setting the ID token options.
         .setOptions(Arrays.asList(Option.FORMAT_FULL, Option.LICENSES_TRUE))
         .build();
 
-    // Make a http request with the idTokenCredentials to obtain the access token.
-    // stsEndpoint: The Security Token Service exchanges Google or third-party credentials for a
-    // short-lived access token to Google Cloud resources.
-    // https://cloud.google.com/iam/docs/reference/sts/rest
-    String stsEndpoint = "https://sts.googleapis.com/v1/token";
-    makeAuthenticatedRequest(idTokenCredentials, stsEndpoint);
+    // Get the ID token.
+    System.out.printf("Generated ID token: %s", idTokenCredentials.refreshAccessToken().getTokenValue());
 
-    // Verify the obtained id token. This is done at the receiving end of the OIDC endpoint.
-    boolean isVerified = verifyGoogleIdToken(idTokenCredentials.getAccessToken().getTokenValue(),
-        targetAudience);
-    if (isVerified) {
-      System.out.println("Id token verified.");
-      return;
-    }
-    System.out.println("Unable to verify id token.");
+    // Make an authenticated HTTP request with the idTokenCredentials.
+    makeAuthenticatedRequest(idTokenCredentials, url);
   }
 
-  // Makes a simple http get call.
+  // Create a new HTTP request authenticated by a JSON Web Tokens (JWT)
+  // retrieved from Application Default Credentials.
   private static void makeAuthenticatedRequest(IdTokenCredentials idTokenCredentials, String url)
       throws IOException {
     GenericUrl genericUrl = new GenericUrl(url);
@@ -96,31 +76,4 @@ private static void makeAuthenticatedRequest(IdTokenCredentials idTokenCredentia
     HttpResponse response = request.execute();
     System.out.println(response.parseAsString());
   }
-
-  // Verifies the obtained Google id token.
-  private static boolean verifyGoogleIdToken(String idTokenString, String audience)
-      throws GeneralSecurityException, IOException {
-    // Initialize the Google id token verifier and set the audience.
-    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
-        GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance())
-        .setAudience(Collections.singletonList(audience))
-        .build();
-
-    // Verify the id token.
-    GoogleIdToken idToken = verifier.verify(idTokenString);
-    if (idToken != null) {
-      Payload payload = idToken.getPayload();
-      // Get the user id.
-      String userId = payload.getSubject();
-      System.out.println("User ID: " + userId);
-
-      // Optionally, if "INCLUDE_EMAIL" was set in the "IdTokenProvider.Option", check if the
-      // email was verified.
-      boolean emailVerified = payload.getEmailVerified();
-      System.out.printf("Email verified: %s", emailVerified);
-      return true;
-    }
-    return false;
-  }
-
 }
diff --git a/samples/snippets/src/main/java/IdTokenFromServiceAccount.java b/samples/snippets/src/main/java/IdTokenFromServiceAccount.java
index faf5d3d87..8c451b7d2 100644
--- a/samples/snippets/src/main/java/IdTokenFromServiceAccount.java
+++ b/samples/snippets/src/main/java/IdTokenFromServiceAccount.java
@@ -14,11 +14,6 @@
  * limitations under the License.
  */
 
-import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
-import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
-import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
-import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
-import com.google.api.client.json.gson.GsonFactory;
 import com.google.auth.oauth2.IdToken;
 import com.google.auth.oauth2.IdTokenProvider.Option;
 import com.google.auth.oauth2.ServiceAccountCredentials;
@@ -26,7 +21,6 @@
 import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.util.Arrays;
-import java.util.Collections;
 import java.util.List;
 import java.util.concurrent.ExecutionException;
 
@@ -35,25 +29,27 @@ public class IdTokenFromServiceAccount {
   public static void main(String[] args)
       throws IOException, ExecutionException, InterruptedException, GeneralSecurityException {
     // TODO(Developer): Replace the below variables before running the code.
+    //  Using Service account key is discouraged. Please consider alternate approaches first.
     // Path to the service account json credential file.
     String jsonCredentialPath = "path-to-json-credential-file";
 
     // Provide the scopes that you might need to request to access Google APIs,
     // depending on the level of access you need.
-    // Example: The following scope lets you view and manage Pub/Sub topics and subscriptions.
     // For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes
-    String scope = "https://www.googleapis.com/auth/pubsub";
+    // The best practice is to use the cloud-wide scope and use IAM to narrow the permissions.
+    // https://cloud.google.com/docs/authentication#authorization_for_services
+    String scope = "https://www.googleapis.com/auth/cloud-platform";
 
     // The service name for which the id token is requested. Service name refers to the
     // logical identifier of an API service, such as "pubsub.googleapis.com".
-    String targetAudience = "pubsub.googleapis.com";
+    String targetAudience = "iap.googleapis.com";
 
     getIdTokenFromServiceAccount(jsonCredentialPath, scope, targetAudience);
   }
 
   public static void getIdTokenFromServiceAccount(String jsonCredentialPath, String scope,
       String targetAudience)
-      throws IOException, GeneralSecurityException {
+      throws IOException {
 
     // Initialize the Service Account Credentials class with the path to the json file.
     ServiceAccountCredentials serviceAccountCredentials = ServiceAccountCredentials.fromStream(
@@ -70,40 +66,12 @@ public static void getIdTokenFromServiceAccount(String jsonCredentialPath, Strin
         targetAudience,
         tokenOption);
 
-    // Verify the obtained id token. This is done at the receiving end of the OIDC endpoint.
-    boolean isVerified = verifyGoogleIdToken(idToken.getTokenValue(), targetAudience);
-    if (isVerified) {
-      System.out.println("Id token verified.");
-      return;
-    }
-    System.out.println("Unable to verify id token.");
-  }
-
-
-  // Verifies the obtained Google id token.
-  private static boolean verifyGoogleIdToken(String idTokenString, String audience)
-      throws GeneralSecurityException, IOException {
-    // Initialize the Google id token verifier and set the audience.
-    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
-        GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance())
-        .setAudience(Collections.singletonList(audience))
-        .build();
+    // The following method can also be used to generate the ID token.
+    // IdTokenCredentials idTokenCredentials = IdTokenCredentials.newBuilder()
+    //     .setIdTokenProvider(serviceAccountCredentials)
+    //     .setTargetAudience(targetAudience)
+    //     .build();
 
-    // Verify the id token.
-    GoogleIdToken idToken = verifier.verify(idTokenString);
-    if (idToken != null) {
-      Payload payload = idToken.getPayload();
-      // Get the user id.
-      String userId = payload.getSubject();
-      System.out.println("User ID: " + userId);
-
-      // Optionally, if "INCLUDE_EMAIL" was set in the "IdTokenProvider.Option", check if the
-      // email was verified.
-      // String email = payload.getEmail();
-      // boolean emailVerified = Boolean.valueOf(payload.getEmailVerified());
-      return true;
-    }
-    return false;
+    System.out.printf("Generated ID token %s", idToken.getTokenValue());
   }
-
 }
\ No newline at end of file
diff --git a/samples/snippets/src/main/java/IdTokenFromServiceAccountREST.java b/samples/snippets/src/main/java/IdTokenFromServiceAccountREST.java
deleted file mode 100644
index 9e0fa04e4..000000000
--- a/samples/snippets/src/main/java/IdTokenFromServiceAccountREST.java
+++ /dev/null
@@ -1,128 +0,0 @@
-/*
- * Copyright 2022 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
-import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
-import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
-import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
-import com.google.api.client.http.GenericUrl;
-import com.google.api.client.http.HttpRequest;
-import com.google.api.client.http.HttpResponse;
-import com.google.api.client.http.HttpTransport;
-import com.google.api.client.http.javanet.NetHttpTransport;
-import com.google.api.client.json.gson.GsonFactory;
-import com.google.auth.http.HttpCredentialsAdapter;
-import com.google.auth.oauth2.IdTokenCredentials;
-import com.google.auth.oauth2.ServiceAccountCredentials;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.security.GeneralSecurityException;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.concurrent.ExecutionException;
-
-public class IdTokenFromServiceAccountREST {
-
-  public static void main(String[] args)
-      throws IOException, ExecutionException, InterruptedException, GeneralSecurityException {
-    // TODO(Developer): Replace the below variables before running the code.
-    // Path to the service account json credential file.
-    String jsonCredentialPath = "path-to-json-credential-file";
-
-    // Provide the scopes that you might need to request to access Google APIs,
-    // depending on the level of access you need.
-    // Example: The following scope lets you view and manage Pub/Sub topics and subscriptions.
-    // For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes
-    String scope = "https://www.googleapis.com/auth/pubsub";
-
-    // The service name for which the id token is requested. Service name refers to the
-    // logical identifier of an API service, such as "pubsub.googleapis.com".
-    String targetAudience = "pubsub.googleapis.com";
-
-    getIdTokenFromServiceAccountREST(jsonCredentialPath, scope, targetAudience);
-  }
-
-  public static void getIdTokenFromServiceAccountREST(String jsonCredentialPath, String scope,
-      String targetAudience)
-      throws IOException, ExecutionException, InterruptedException, GeneralSecurityException {
-    // Initialize the Service Account Credentials class with the path to the json file.
-    ServiceAccountCredentials serviceAccountCredentials = ServiceAccountCredentials.fromStream(
-        new FileInputStream(jsonCredentialPath));
-    // Restrict the scope of the service account.
-    serviceAccountCredentials = (ServiceAccountCredentials) serviceAccountCredentials.createScoped(
-        Arrays.asList(scope));
-
-    // Set the service account and target audience.
-    IdTokenCredentials idTokenCredentials = IdTokenCredentials.newBuilder()
-        .setIdTokenProvider(serviceAccountCredentials)
-        .setTargetAudience(targetAudience)
-        .build();
-
-    // Make a http request with the idTokenCredentials to obtain the access token.
-    // stsEndpoint: The Security Token Service exchanges Google or third-party credentials for a
-    // short-lived access token to Google Cloud resources.
-    // https://cloud.google.com/iam/docs/reference/sts/rest
-    String stsEndpoint = "https://sts.googleapis.com/v1/token";
-    makeAuthenticatedRequest(idTokenCredentials, stsEndpoint);
-
-    // Verify the obtained id token. This is done at the receiving end of the OIDC endpoint.
-    boolean isVerified = verifyGoogleIdToken(idTokenCredentials.getAccessToken().getTokenValue(),
-        targetAudience);
-    if (isVerified) {
-      System.out.println("Id token verified.");
-      return;
-    }
-    System.out.println("Unable to verify id token.");
-  }
-
-  // Makes a simple http get call.
-  private static void makeAuthenticatedRequest(IdTokenCredentials idTokenCredentials, String url)
-      throws IOException {
-    GenericUrl genericUrl = new GenericUrl(url);
-    HttpCredentialsAdapter adapter = new HttpCredentialsAdapter(idTokenCredentials);
-    HttpTransport transport = new NetHttpTransport();
-    HttpRequest request = transport.createRequestFactory(adapter).buildGetRequest(genericUrl);
-    request.setThrowExceptionOnExecuteError(false);
-    HttpResponse response = request.execute();
-    System.out.println(response.parseAsString());
-  }
-
-  // Verifies the obtained Google id token.
-  private static boolean verifyGoogleIdToken(String idTokenString, String audience)
-      throws GeneralSecurityException, IOException {
-    // Initialize the Google id token verifier and set the audience.
-    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
-        GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance())
-        .setAudience(Collections.singletonList(audience))
-        .build();
-
-    // Verify the id token.
-    GoogleIdToken idToken = verifier.verify(idTokenString);
-    if (idToken != null) {
-      Payload payload = idToken.getPayload();
-      // Get the user id.
-      String userId = payload.getSubject();
-      System.out.println("User ID: " + userId);
-
-      // Optionally, if "INCLUDE_EMAIL" was set in the "IdTokenProvider.Option", check if the
-      // email was verified.
-      // String email = payload.getEmail();
-      // boolean emailVerified = Boolean.valueOf(payload.getEmailVerified());
-      return true;
-    }
-    return false;
-  }
-}
diff --git a/samples/snippets/src/main/java/VerifyGoogleIdToken.java b/samples/snippets/src/main/java/VerifyGoogleIdToken.java
new file mode 100644
index 000000000..9877ba83b
--- /dev/null
+++ b/samples/snippets/src/main/java/VerifyGoogleIdToken.java
@@ -0,0 +1,68 @@
+/*
+ * Copyright 2022 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import com.auth0.jwk.JwkException;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
+import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
+import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
+import com.google.api.client.json.gson.GsonFactory;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.util.Collections;
+import java.util.concurrent.ExecutionException;
+
+public class VerifyGoogleIdToken {
+
+  public static void main(String[] args)
+      throws IOException, ExecutionException, InterruptedException, GeneralSecurityException, JwkException {
+    // TODO(Developer): Replace the below variables before running the code.
+    // The Google ID token to verify.
+    String idToken = "id-token";
+
+    // The service name for which the id token is requested. Service name refers to the
+    // logical identifier of an API service, such as "pubsub.googleapis.com".
+    String targetAudience = "pubsub.googleapis.com";
+
+    verifyGoogleIdToken(idToken, targetAudience);
+  }
+
+  // Verifies the obtained Google id token. This is done at the receiving end of the OIDC endpoint.
+  public static void verifyGoogleIdToken(String idTokenString, String audience)
+      throws GeneralSecurityException, IOException {
+    // Initialize the Google id token verifier and set the audience.
+    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
+        GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance())
+        .setAudience(Collections.singletonList(audience))
+        .build();
+
+    // Verify the id token.
+    GoogleIdToken idToken = verifier.verify(idTokenString);
+    if (idToken != null) {
+      Payload payload = idToken.getPayload();
+      // Get the user id.
+      String userId = payload.getSubject();
+      System.out.println("User ID: " + userId);
+
+      // Optionally, if "INCLUDE_EMAIL" was set in the "IdTokenProvider.Option", check if the
+      // email was verified.
+      boolean emailVerified = payload.getEmailVerified();
+      System.out.printf("Email verified: %s", emailVerified);
+    }
+    System.out.println("Unable to verify the token!");
+  }
+
+}
diff --git a/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java b/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java
index a7ec3708a..266f54b6d 100644
--- a/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java
+++ b/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java
@@ -23,17 +23,11 @@
 import com.auth0.jwt.algorithms.Algorithm;
 import com.auth0.jwt.exceptions.JWTVerificationException;
 import com.auth0.jwt.interfaces.DecodedJWT;
-import com.google.auth.oauth2.IdToken;
-import com.google.auth.oauth2.IdTokenProvider.Option;
-import com.google.auth.oauth2.ServiceAccountCredentials;
-import java.io.FileInputStream;
 import java.io.IOException;
 import java.net.URL;
 import java.security.GeneralSecurityException;
 import java.security.interfaces.RSAPublicKey;
-import java.util.Arrays;
 import java.util.Calendar;
-import java.util.List;
 import java.util.concurrent.ExecutionException;
 
 public class VerifyNonGoogleIdToken {
@@ -41,14 +35,8 @@ public class VerifyNonGoogleIdToken {
   public static void main(String[] args)
       throws IOException, ExecutionException, InterruptedException, GeneralSecurityException, JwkException {
     // TODO(Developer): Replace the below variables before running the code.
-    // Path to the service account json credential file.
-    String jsonCredentialPath = "path-to-json-credential-file";
-
-    // Provide the scopes that you might need to request to access Google APIs,
-    // depending on the level of access you need.
-    // Example: The following scope lets you view and manage Pub/Sub topics and subscriptions.
-    // For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes
-    String scope = "https://www.googleapis.com/auth/pubsub";
+    // The non-Google ID token to verify.
+    String idToken = "id-token";
 
     // The service name for which the id token is requested. Service name refers to the
     // logical identifier of an API service, such as "pubsub.googleapis.com".
@@ -64,19 +52,14 @@ public static void main(String[] args)
     // For more information on jwk,see: https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets
     String jwkUrl = "https://www.googleapis.com/oauth2/v3/certs";
 
-    verifyNonGoogleIdToken(jsonCredentialPath, targetAudience, scope, jwkUrl);
+    verifyNonGoogleIdToken(idToken, targetAudience, jwkUrl);
   }
 
   // Verify a non-google id token. Here, we are using the Google's jwk. The procedure is the same
   // even if the jwk is from a different provider.
-  public static void verifyNonGoogleIdToken(String jsonCredentialPath, String targetAudience,
-      String scope, String jwkUrl)
-      throws IOException, JwkException, GeneralSecurityException {
-    // Create an id token from the given service account.
-    // Since we are using Google's jwk, we are creating an id token from a Google service account.
-    // If a different provider is used, then generate an id token accordingly.
-    String idToken = getIdTokenFromServiceAccount(jsonCredentialPath, scope,
-        targetAudience).getTokenValue();
+  public static void verifyNonGoogleIdToken(String idToken, String targetAudience,
+      String jwkUrl)
+      throws IOException, JwkException {
 
     // Start verification.
     DecodedJWT jwt = JWT.decode(idToken);
@@ -109,30 +92,7 @@ public static void verifyNonGoogleIdToken(String jsonCredentialPath, String targ
       System.out.println("Id token verified.");
       return;
     }
-    System.out.println("Unable to verify id token.");
-  }
-
-  // Get an id token from a Google service account.
-  private static IdToken getIdTokenFromServiceAccount(String jsonCredentialPath, String scope,
-      String targetAudience)
-      throws IOException, GeneralSecurityException, JwkException {
-
-    // Initialize the Service Account Credentials class with the path to the json file.
-    ServiceAccountCredentials serviceAccountCredentials = ServiceAccountCredentials.fromStream(
-        new FileInputStream(jsonCredentialPath));
-    // Restrict the scope of the service account.
-    serviceAccountCredentials = (ServiceAccountCredentials) serviceAccountCredentials.createScoped(
-        Arrays.asList(scope));
-
-    // Obtain the id token by providing the target audience.
-    // tokenOption: Enum of various credential-specific options to apply to the token. Applicable
-    // only for credentials obtained through Compute Engine or Impersonation.
-    List<Option> tokenOption = Arrays.asList();
-    IdToken idToken = serviceAccountCredentials.idTokenWithAudience(
-        targetAudience,
-        tokenOption);
-
-    return idToken;
+    System.out.println("Unable to verify ID token.");
   }
 
 }
diff --git a/samples/snippets/src/test/java/SnippetsIT.java b/samples/snippets/src/test/java/SnippetsIT.java
index ff6479d39..e544821ce 100644
--- a/samples/snippets/src/test/java/SnippetsIT.java
+++ b/samples/snippets/src/test/java/SnippetsIT.java
@@ -18,11 +18,16 @@
 import static com.google.common.truth.Truth.assertWithMessage;
 
 import com.auth0.jwk.JwkException;
+import com.google.auth.oauth2.IdToken;
+import com.google.auth.oauth2.IdTokenProvider.Option;
+import com.google.auth.oauth2.ServiceAccountCredentials;
 import java.io.ByteArrayOutputStream;
+import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.PrintStream;
 import java.security.GeneralSecurityException;
-import java.util.concurrent.ExecutionException;
+import java.util.Arrays;
+import java.util.List;
 import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Before;
@@ -72,31 +77,46 @@ public void afterEach() {
     System.setOut(null);
   }
 
-  @Test
-  public void testIdTokenFromServiceAccount() throws GeneralSecurityException, IOException {
-    IdTokenFromServiceAccount.getIdTokenFromServiceAccount(
-        CREDENTIALS,
-        "https://www.googleapis.com/auth/pubsub",
-        "pubsub.googleapis.com");
-    assertThat(stdOut.toString()).contains("Id token verified.");
+  // Get an id token from a Google service account.
+  private static String getIdTokenFromServiceAccount(String jsonCredentialPath, String scope,
+      String targetAudience)
+      throws IOException, GeneralSecurityException, JwkException {
+
+    // Initialize the Service Account Credentials class with the path to the json file.
+    ServiceAccountCredentials serviceAccountCredentials = ServiceAccountCredentials.fromStream(
+        new FileInputStream(jsonCredentialPath));
+    // Restrict the scope of the service account.
+    serviceAccountCredentials = (ServiceAccountCredentials) serviceAccountCredentials.createScoped(
+        Arrays.asList(scope));
+
+    // Obtain the id token by providing the target audience.
+    // tokenOption: Enum of various credential-specific options to apply to the token. Applicable
+    // only for credentials obtained through Compute Engine or Impersonation.
+    List<Option> tokenOption = Arrays.asList();
+    IdToken idToken = serviceAccountCredentials.idTokenWithAudience(
+        targetAudience,
+        tokenOption);
+
+    return idToken.getTokenValue();
   }
 
   @Test
-  public void testIdTokenFromServiceAccountRest()
-      throws GeneralSecurityException, IOException, ExecutionException, InterruptedException {
-    IdTokenFromServiceAccountREST.getIdTokenFromServiceAccountREST(
+  public void testIdTokenFromServiceAccount() throws IOException {
+    IdTokenFromServiceAccount.getIdTokenFromServiceAccount(
         CREDENTIALS,
         "https://www.googleapis.com/auth/pubsub",
         "pubsub.googleapis.com");
-    assertThat(stdOut.toString()).contains("Id token verified.");
+    assertThat(stdOut.toString()).contains("Generated ID token");
   }
 
   @Test
   public void testVerifyNonGoogleIdToken()
       throws GeneralSecurityException, IOException, JwkException {
+    String idToken = getIdTokenFromServiceAccount(CREDENTIALS,
+        "https://www.googleapis.com/auth/cloud-platform", "pubsub.googleapis.com");
+
     VerifyNonGoogleIdToken.verifyNonGoogleIdToken(
-        CREDENTIALS,
-        "https://www.googleapis.com/auth/pubsub",
+        idToken,
         "pubsub.googleapis.com",
         "https://www.googleapis.com/oauth2/v3/certs");
     assertThat(stdOut.toString()).contains("Id token verified.");
@@ -104,8 +124,8 @@ public void testVerifyNonGoogleIdToken()
 
   @Test
   public void testIdTokenFromMetadataServer() throws GeneralSecurityException, IOException {
-    IdTokenFromMetadataServer.getIdTokenFromMetadataServer("pubsub.googleapis.com");
-    assertThat(stdOut.toString()).contains("Id token verified.");
+    IdTokenFromMetadataServer.getIdTokenFromMetadataServer("https://www.google.com");
+    assertThat(stdOut.toString()).contains("Generated ID token:");
   }
 
   @Test
@@ -118,8 +138,7 @@ public void testAuthenticateImplicitWithAdc() throws IOException {
   public void testAuthenticateExplicit() throws IOException {
     AuthenticateExplicit.authenticateExplicit(
         PROJECT_ID,
-        CREDENTIALS,
-        "https://www.googleapis.com/auth/devstorage.full_control");
+        "https://www.googleapis.com/auth/cloud-platform");
     assertThat(stdOut.toString()).contains("Authentication complete.");
   }
 

From 3ed6be0c076f470eff51321bf854c3ddbc746d47 Mon Sep 17 00:00:00 2001
From: SitaLakshmi <sita1996@gmail.com>
Date: Sat, 23 Jul 2022 01:47:48 +0530
Subject: [PATCH 07/16] refactored acc to review comments

---
 ...AuthWithCredentialsFromMetadataServer.java |   7 +-
 .../src/main/java/AuthenticateExplicit.java   |  19 ++--
 .../java/AuthenticateImplicitWithAdc.java     |  18 +--
 ...> IdTokenFromImpersonatedCredentials.java} |  33 ++----
 ...dTokenFromImpersonatedCredentials_IAM.java | 105 ------------------
 .../main/java/IdTokenFromMetadataServer.java  |  30 ++---
 .../main/java/IdTokenFromServiceAccount.java  |  34 +++---
 .../src/main/java/VerifyGoogleIdToken.java    |   4 +-
 .../src/main/java/VerifyNonGoogleIdToken.java |   4 +-
 .../snippets/src/test/java/SnippetsIT.java    |   8 +-
 10 files changed, 68 insertions(+), 194 deletions(-)
 rename samples/snippets/src/main/java/{IdTokenFromImpersonatedCredentials_OAuth.java => IdTokenFromImpersonatedCredentials.java} (77%)
 delete mode 100644 samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials_IAM.java

diff --git a/samples/snippets/src/main/java/AuthWithCredentialsFromMetadataServer.java b/samples/snippets/src/main/java/AuthWithCredentialsFromMetadataServer.java
index 9eb740800..0c9781ec4 100644
--- a/samples/snippets/src/main/java/AuthWithCredentialsFromMetadataServer.java
+++ b/samples/snippets/src/main/java/AuthWithCredentialsFromMetadataServer.java
@@ -14,6 +14,8 @@
  * limitations under the License.
  */
 
+// [START auth_cloud_metadata_server]
+
 import com.google.api.gax.paging.Page;
 import com.google.auth.oauth2.ComputeEngineCredentials;
 import com.google.auth.oauth2.GoogleCredentials;
@@ -27,9 +29,9 @@ public class AuthWithCredentialsFromMetadataServer {
 
   public static void main(String[] args) throws IOException, GeneralSecurityException {
     // TODO(Developer):
-    //  1. Replace the below variable.
+    //  1. Replace the project variable below.
     //  2. Make sure you have the necessary permission to list storage buckets
-    // "storage.buckets.list"
+    //  "storage.buckets.list"
     String projectId = "your-google-cloud-project-id";
 
     authWithCredentialsFromMetadataServer(projectId);
@@ -69,3 +71,4 @@ private static Storage initService(String projectId) {
         .getService();
   }
 }
+// [END auth_cloud_metadata_server]
\ No newline at end of file
diff --git a/samples/snippets/src/main/java/AuthenticateExplicit.java b/samples/snippets/src/main/java/AuthenticateExplicit.java
index b3a6f5860..dd88d3091 100644
--- a/samples/snippets/src/main/java/AuthenticateExplicit.java
+++ b/samples/snippets/src/main/java/AuthenticateExplicit.java
@@ -14,6 +14,8 @@
  * limitations under the License.
  */
 
+// [START auth_cloud_explicit_adc]
+
 import com.google.api.gax.paging.Page;
 import com.google.auth.oauth2.GoogleCredentials;
 import com.google.cloud.storage.Bucket;
@@ -26,16 +28,18 @@ public class AuthenticateExplicit {
 
   public static void main(String[] args) throws IOException, GeneralSecurityException {
     // TODO(Developer):
-    //  1. Replace the below variable.
+    //  1. Replace the project variable below.
     //  2. Make sure you have the necessary permission to list storage buckets "storage.buckets.list"
+
     String projectId = "your-google-cloud-project-id";
 
-    // Provide the scopes that you might need to request to access Google APIs,
-    // depending on the level of access you need.
-    // For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes
-    // The best practice is to use the cloud-wide scope and use IAM to narrow the permissions.
-    // https://cloud.google.com/docs/authentication#authorization_for_services
-    String scope = "https://www.googleapis.com/auth/cloud-platform";
+    // If you are authenticating to a Cloud API, you do not need to specify a scope;
+    // use Application Default Credentials as described in
+    // https://cloud.google.com/docs/authentication/external/set-up-adc.
+    // If you need to provide a scope, specify it here.
+    // For more information on scopes to use,
+    // see: https://developers.google.com/identity/protocols/oauth2/scopes
+    String scope = "https://www.googleapis.com/auth/PRODUCT_NAME";
 
     authenticateExplicit(projectId, scope);
   }
@@ -70,3 +74,4 @@ private static Storage initService(String projectId, String scope)
         .getService();
   }
 }
+// [END auth_cloud_explicit_adc]
\ No newline at end of file
diff --git a/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java b/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java
index 69b3e60d2..278cbf7ff 100644
--- a/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java
+++ b/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java
@@ -14,6 +14,8 @@
  * limitations under the License.
  */
 
+// [START auth_cloud_implicit_adc]
+
 import com.google.cloud.compute.v1.Instance;
 import com.google.cloud.compute.v1.InstancesClient;
 import java.io.IOException;
@@ -22,22 +24,23 @@ public class AuthenticateImplicitWithAdc {
 
   public static void main(String[] args) throws IOException {
     // TODO(Developer):
-    //  1. Before running this sample, authenticate using ADC as mentioned in:
-    //  https://cloud.google.com/docs/authentication/provide-credentials-adc#how_to_provide_credentials_to_adc
-    //  2. Replace the projectId variable.
-    //  3. Make sure you have the necessary permission "compute.instances.list"
+    //  1. Before running this sample,
+    //  set up ADC as described in https://cloud.google.com/docs/authentication/external/set-up-adc
+    //  2. Replace the project variable below.
+    //  3. Make sure that the user account or service account that you are using
+    //  has the required permissions. For this sample, you must have "compute.instances.list".
     String projectId = "your-google-cloud-project-id";
     authenticateImplicitWithAdc(projectId);
   }
 
   // When interacting with Google Cloud Client libraries, the library can auto-detect the
   // credentials to use.
-  // ADC detection is independent of the client library and language and works with all Cloud Client
-  // libraries.
   public static void authenticateImplicitWithAdc(String project) throws IOException {
 
     String zone = "us-central1-a";
-    // This snippet demonstrates how to initialize Cloud Compute Engine and list instances.
+    // This snippet demonstrates how to list instances.
+    // *NOTE*: Replace the client created below with the client required for your application.
+    //
     // Note that the credentials are not specified when constructing the client.
     // Hence, the client library will look for credentials using ADC.
     try (InstancesClient instancesClient = InstancesClient.create()) {
@@ -50,3 +53,4 @@ public static void authenticateImplicitWithAdc(String project) throws IOExceptio
     }
   }
 }
+// [END auth_cloud_implicit_adc]
\ No newline at end of file
diff --git a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials_OAuth.java b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
similarity index 77%
rename from samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials_OAuth.java
rename to samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
index 3695c26d7..79323b207 100644
--- a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials_OAuth.java
+++ b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
@@ -14,25 +14,20 @@
  * limitations under the License.
  */
 
-import com.google.api.client.http.GenericUrl;
-import com.google.api.client.http.HttpRequest;
-import com.google.api.client.http.HttpResponse;
-import com.google.api.client.http.HttpTransport;
-import com.google.api.client.http.javanet.NetHttpTransport;
-import com.google.auth.http.HttpCredentialsAdapter;
+// [auth_cloud_idtoken_impersonated_credentials]
+
 import com.google.auth.oauth2.GoogleCredentials;
 import com.google.auth.oauth2.IdTokenCredentials;
 import com.google.auth.oauth2.IdTokenProvider.Option;
 import com.google.auth.oauth2.ImpersonatedCredentials;
 import java.io.IOException;
-import java.security.GeneralSecurityException;
 import java.util.Arrays;
 import java.util.List;
 
-public class IdTokenFromImpersonatedCredentials_OAuth {
+public class IdTokenFromImpersonatedCredentials {
 
   public static void main(String[] args)
-      throws IOException, GeneralSecurityException {
+      throws IOException {
     // TODO(Developer): Replace the below variables before running the code.
 
     // Provide the scopes that you might need to request to access Google APIs,
@@ -62,8 +57,7 @@ public static void getIdTokenUsingOAuth2(String impersonatedServiceAccount, Stri
 
     // Construct the GoogleCredentials object which obtains the default configuration from your
     // working environment.
-    GoogleCredentials googleCredentials = GoogleCredentials.getApplicationDefault()
-        .createScoped(scope);
+    GoogleCredentials googleCredentials = GoogleCredentials.getApplicationDefault();
 
     // delegates: The chained list of delegates required to grant the final accessToken.
     //
@@ -93,21 +87,10 @@ public static void getIdTokenUsingOAuth2(String impersonatedServiceAccount, Stri
         .build();
 
     // Get the ID token.
+    // Once you've obtained the ID token, use it to make an authenticated call
+    // to the target audience.
     System.out.printf("ID token: %s", idTokenCredentials.refreshAccessToken().getTokenValue());
 
-    String url = "url-to-make-authenticated-request";
-    makeAuthenticatedRequest(idTokenCredentials, url);
-  }
-
-  // Makes a simple HTTP call.
-  private static void makeAuthenticatedRequest(IdTokenCredentials idTokenCredentials, String url)
-      throws IOException {
-    GenericUrl genericUrl = new GenericUrl(url);
-    HttpCredentialsAdapter adapter = new HttpCredentialsAdapter(idTokenCredentials);
-    HttpTransport transport = new NetHttpTransport();
-    HttpRequest request = transport.createRequestFactory(adapter).buildGetRequest(genericUrl);
-    request.setThrowExceptionOnExecuteError(false);
-    HttpResponse response = request.execute();
-    System.out.println(response.parseAsString());
   }
 }
+// [auth_cloud_idtoken_impersonated_credentials]
\ No newline at end of file
diff --git a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials_IAM.java b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials_IAM.java
deleted file mode 100644
index 39950181e..000000000
--- a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials_IAM.java
+++ /dev/null
@@ -1,105 +0,0 @@
-/*
- * Copyright 2022 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
-import com.google.api.client.json.gson.GsonFactory;
-import com.google.api.services.iamcredentials.v1.IAMCredentials;
-import com.google.api.services.iamcredentials.v1.IAMCredentials.Projects.ServiceAccounts.GenerateIdToken;
-import com.google.api.services.iamcredentials.v1.model.GenerateIdTokenRequest;
-import com.google.auth.http.HttpCredentialsAdapter;
-import com.google.auth.oauth2.GoogleCredentials;
-import java.io.IOException;
-import java.security.GeneralSecurityException;
-
-public class IdTokenFromImpersonatedCredentials_IAM {
-
-  public static void main(String[] args)
-      throws IOException, GeneralSecurityException {
-    // TODO(Developer): Replace the below variables before running the code.
-
-    // Your Google Cloud project id.
-    String projectId = "your-google-cloud-project-id";
-
-    // Provide the scopes that you might need to request to access Google APIs,
-    // depending on the level of access you need.
-    // The best practice is to use the cloud-wide scope and use IAM to narrow the permissions.
-    // https://cloud.google.com/docs/authentication#authorization_for_services
-    // For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes
-    String scope = "https://www.googleapis.com/auth/cloud-platform";
-
-    // The service name for which the id token is requested. Service name refers to the
-    // logical identifier of an API service, such as "pubsub.googleapis.com".
-    String targetAudience = "iap.googleapis.com";
-
-    // The service account name of the limited-privilege account for whom the credential is created.
-    String impersonatedServiceAccount =
-        "name@project.service.gserviceaccount.com";
-
-    getIdTokenUsingIAM(projectId, impersonatedServiceAccount, scope, targetAudience);
-  }
-
-  // Use a service account (SA1) to impersonate as another service account (SA2) and obtain id token
-  // for the impersonated account using the IAM library.
-  // To obtain token for SA2, SA1 should have the "roles/iam.serviceAccountTokenCreator" permission
-  // on SA2.
-  public static void getIdTokenUsingIAM(String projectId, String impersonatedServiceAccount,
-      String scope, String targetAudience)
-      throws IOException {
-
-    // Initialize the IAMCredentials service with the source credential and scope.
-    IAMCredentials service = null;
-    try {
-      service = initService(scope);
-    } catch (IOException | GeneralSecurityException e) {
-      System.out.println("Unable to initialize service: \n" + e);
-      return;
-    }
-
-    // Set the target audience and Token options.
-    GenerateIdTokenRequest idTokenRequest = new GenerateIdTokenRequest()
-        .setAudience(targetAudience)
-        // Setting this will include email in the id token.
-        .setIncludeEmail(Boolean.TRUE);
-
-    // Generate the id token for the impersonated service account, using the generateIdToken()
-    // from IAMCredentials class.
-    GenerateIdToken idToken = service
-        .projects()
-        .serviceAccounts()
-        .generateIdToken(
-            String.format("projects/%s/serviceAccounts/%s", projectId, impersonatedServiceAccount),
-            idTokenRequest);
-
-    System.out.printf("Generated ID token: %s", idToken.getAccessToken());
-  }
-
-  // Initialize the IAM service.
-  private static IAMCredentials initService(String scope)
-      throws GeneralSecurityException, IOException {
-    // Construct the GoogleCredentials object which obtains the default configuration from your
-    // working environment.
-    GoogleCredentials credential = GoogleCredentials.getApplicationDefault().createScoped(scope);
-
-    // Initialize the IAMCredentials service.
-    return new IAMCredentials.Builder(
-        GoogleNetHttpTransport.newTrustedTransport(),
-        GsonFactory.getDefaultInstance(),
-        new HttpCredentialsAdapter(credential))
-        .setApplicationName("service-accounts")
-        .build();
-  }
-
-}
diff --git a/samples/snippets/src/main/java/IdTokenFromMetadataServer.java b/samples/snippets/src/main/java/IdTokenFromMetadataServer.java
index 05ae8246f..246e1fd7f 100644
--- a/samples/snippets/src/main/java/IdTokenFromMetadataServer.java
+++ b/samples/snippets/src/main/java/IdTokenFromMetadataServer.java
@@ -14,12 +14,8 @@
  * limitations under the License.
  */
 
-import com.google.api.client.http.GenericUrl;
-import com.google.api.client.http.HttpRequest;
-import com.google.api.client.http.HttpResponse;
-import com.google.api.client.http.HttpTransport;
-import com.google.api.client.http.javanet.NetHttpTransport;
-import com.google.auth.http.HttpCredentialsAdapter;
+// [START auth_cloud_idtoken_metadata_server]
+
 import com.google.auth.oauth2.GoogleCredentials;
 import com.google.auth.oauth2.IdTokenCredentials;
 import com.google.auth.oauth2.IdTokenProvider;
@@ -47,7 +43,6 @@ public static void getIdTokenFromMetadataServer(String url)
       throws IOException {
     // Construct the GoogleCredentials object which obtains the default configuration from your
     // working environment.
-    // Optionally, you can also set scopes.
     GoogleCredentials googleCredentials = GoogleCredentials.getApplicationDefault();
 
     IdTokenCredentials idTokenCredentials = IdTokenCredentials.newBuilder()
@@ -58,22 +53,11 @@ public static void getIdTokenFromMetadataServer(String url)
         .build();
 
     // Get the ID token.
-    System.out.printf("Generated ID token: %s", idTokenCredentials.refreshAccessToken().getTokenValue());
-
-    // Make an authenticated HTTP request with the idTokenCredentials.
-    makeAuthenticatedRequest(idTokenCredentials, url);
-  }
+    // Once you've obtained the ID token, use it to make an authenticated call
+    // to the target audience.
+    System.out.printf("Generated ID token: %s",
+        idTokenCredentials.refreshAccessToken().getTokenValue());
 
-  // Create a new HTTP request authenticated by a JSON Web Tokens (JWT)
-  // retrieved from Application Default Credentials.
-  private static void makeAuthenticatedRequest(IdTokenCredentials idTokenCredentials, String url)
-      throws IOException {
-    GenericUrl genericUrl = new GenericUrl(url);
-    HttpCredentialsAdapter adapter = new HttpCredentialsAdapter(idTokenCredentials);
-    HttpTransport transport = new NetHttpTransport();
-    HttpRequest request = transport.createRequestFactory(adapter).buildGetRequest(genericUrl);
-    request.setThrowExceptionOnExecuteError(false);
-    HttpResponse response = request.execute();
-    System.out.println(response.parseAsString());
   }
 }
+// [END auth_cloud_idtoken_metadata_server]
\ No newline at end of file
diff --git a/samples/snippets/src/main/java/IdTokenFromServiceAccount.java b/samples/snippets/src/main/java/IdTokenFromServiceAccount.java
index 8c451b7d2..75907cb6f 100644
--- a/samples/snippets/src/main/java/IdTokenFromServiceAccount.java
+++ b/samples/snippets/src/main/java/IdTokenFromServiceAccount.java
@@ -14,6 +14,8 @@
  * limitations under the License.
  */
 
+// [START auth_cloud_idtoken_service_account]
+
 import com.google.auth.oauth2.IdToken;
 import com.google.auth.oauth2.IdTokenProvider.Option;
 import com.google.auth.oauth2.ServiceAccountCredentials;
@@ -29,34 +31,31 @@ public class IdTokenFromServiceAccount {
   public static void main(String[] args)
       throws IOException, ExecutionException, InterruptedException, GeneralSecurityException {
     // TODO(Developer): Replace the below variables before running the code.
-    //  Using Service account key is discouraged. Please consider alternate approaches first.
+
+    // *NOTE*:
+    // Using service account keys introduces risk; they are long-lived, and can be used by anyone
+    // that obtains the key. Proper rotation and storage reduce this risk but do not eliminate it.
+    // For these reasons, you should consider an alternative approach that
+    // does not use a service account key. Several alternatives to service account keys
+    // are described here:
+    // https://cloud.google.com/docs/authentication/external/set-up-adc
+
     // Path to the service account json credential file.
     String jsonCredentialPath = "path-to-json-credential-file";
 
-    // Provide the scopes that you might need to request to access Google APIs,
-    // depending on the level of access you need.
-    // For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes
-    // The best practice is to use the cloud-wide scope and use IAM to narrow the permissions.
-    // https://cloud.google.com/docs/authentication#authorization_for_services
-    String scope = "https://www.googleapis.com/auth/cloud-platform";
-
-    // The service name for which the id token is requested. Service name refers to the
-    // logical identifier of an API service, such as "pubsub.googleapis.com".
-    String targetAudience = "iap.googleapis.com";
+    // The url or target audience to obtain the ID token for.
+    String targetAudience = "http://www.abc.com";
 
-    getIdTokenFromServiceAccount(jsonCredentialPath, scope, targetAudience);
+    getIdTokenFromServiceAccount(jsonCredentialPath, targetAudience);
   }
 
-  public static void getIdTokenFromServiceAccount(String jsonCredentialPath, String scope,
+  public static void getIdTokenFromServiceAccount(String jsonCredentialPath,
       String targetAudience)
       throws IOException {
 
     // Initialize the Service Account Credentials class with the path to the json file.
     ServiceAccountCredentials serviceAccountCredentials = ServiceAccountCredentials.fromStream(
         new FileInputStream(jsonCredentialPath));
-    // Restrict the scope of the service account.
-    serviceAccountCredentials = (ServiceAccountCredentials) serviceAccountCredentials.createScoped(
-        Arrays.asList(scope));
 
     // Obtain the id token by providing the target audience.
     // tokenOption: Enum of various credential-specific options to apply to the token. Applicable
@@ -74,4 +73,5 @@ public static void getIdTokenFromServiceAccount(String jsonCredentialPath, Strin
 
     System.out.printf("Generated ID token %s", idToken.getTokenValue());
   }
-}
\ No newline at end of file
+}
+// [END auth_cloud_idtoken_service_account]
\ No newline at end of file
diff --git a/samples/snippets/src/main/java/VerifyGoogleIdToken.java b/samples/snippets/src/main/java/VerifyGoogleIdToken.java
index 9877ba83b..d6e7f9e0b 100644
--- a/samples/snippets/src/main/java/VerifyGoogleIdToken.java
+++ b/samples/snippets/src/main/java/VerifyGoogleIdToken.java
@@ -14,6 +14,8 @@
  * limitations under the License.
  */
 
+// [START auth_cloud_verify_google_idtoken]
+
 import com.auth0.jwk.JwkException;
 import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
 import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
@@ -64,5 +66,5 @@ public static void verifyGoogleIdToken(String idTokenString, String audience)
     }
     System.out.println("Unable to verify the token!");
   }
-
 }
+// [END auth_cloud_verify_google_idtoken]
\ No newline at end of file
diff --git a/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java b/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java
index 266f54b6d..3695f2ff7 100644
--- a/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java
+++ b/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java
@@ -14,6 +14,8 @@
  * limitations under the License.
  */
 
+// [START auth_cloud_verify_non_google_idtoken]
+
 import com.auth0.jwk.Jwk;
 import com.auth0.jwk.JwkException;
 import com.auth0.jwk.JwkProvider;
@@ -94,5 +96,5 @@ public static void verifyNonGoogleIdToken(String idToken, String targetAudience,
     }
     System.out.println("Unable to verify ID token.");
   }
-
 }
+// [END auth_cloud_verify_non_google_idtoken]
\ No newline at end of file
diff --git a/samples/snippets/src/test/java/SnippetsIT.java b/samples/snippets/src/test/java/SnippetsIT.java
index e544821ce..dd6d91cb2 100644
--- a/samples/snippets/src/test/java/SnippetsIT.java
+++ b/samples/snippets/src/test/java/SnippetsIT.java
@@ -78,16 +78,13 @@ public void afterEach() {
   }
 
   // Get an id token from a Google service account.
-  private static String getIdTokenFromServiceAccount(String jsonCredentialPath, String scope,
+  private static String getIdTokenFromServiceAccount(String jsonCredentialPath,
       String targetAudience)
       throws IOException, GeneralSecurityException, JwkException {
 
     // Initialize the Service Account Credentials class with the path to the json file.
     ServiceAccountCredentials serviceAccountCredentials = ServiceAccountCredentials.fromStream(
         new FileInputStream(jsonCredentialPath));
-    // Restrict the scope of the service account.
-    serviceAccountCredentials = (ServiceAccountCredentials) serviceAccountCredentials.createScoped(
-        Arrays.asList(scope));
 
     // Obtain the id token by providing the target audience.
     // tokenOption: Enum of various credential-specific options to apply to the token. Applicable
@@ -104,7 +101,6 @@ private static String getIdTokenFromServiceAccount(String jsonCredentialPath, St
   public void testIdTokenFromServiceAccount() throws IOException {
     IdTokenFromServiceAccount.getIdTokenFromServiceAccount(
         CREDENTIALS,
-        "https://www.googleapis.com/auth/pubsub",
         "pubsub.googleapis.com");
     assertThat(stdOut.toString()).contains("Generated ID token");
   }
@@ -113,7 +109,7 @@ public void testIdTokenFromServiceAccount() throws IOException {
   public void testVerifyNonGoogleIdToken()
       throws GeneralSecurityException, IOException, JwkException {
     String idToken = getIdTokenFromServiceAccount(CREDENTIALS,
-        "https://www.googleapis.com/auth/cloud-platform", "pubsub.googleapis.com");
+        "pubsub.googleapis.com");
 
     VerifyNonGoogleIdToken.verifyNonGoogleIdToken(
         idToken,

From 5eb65060328d3b67c388ec49640cfa966ac4c221 Mon Sep 17 00:00:00 2001
From: SitaLakshmi <sita1996@gmail.com>
Date: Fri, 29 Jul 2022 00:17:59 +0530
Subject: [PATCH 08/16] refactored acc to review comments

---
 samples/snippets/pom.xml                      | 14 +---
 ...AuthWithCredentialsFromMetadataServer.java | 74 -------------------
 .../src/main/java/AuthenticateExplicit.java   | 48 ++++++------
 .../java/AuthenticateImplicitWithAdc.java     |  6 +-
 .../IdTokenFromImpersonatedCredentials.java   |  5 +-
 .../main/java/IdTokenFromMetadataServer.java  |  5 +-
 .../main/java/IdTokenFromServiceAccount.java  |  3 +-
 .../snippets/src/test/java/SnippetsIT.java    | 15 +---
 8 files changed, 41 insertions(+), 129 deletions(-)
 delete mode 100644 samples/snippets/src/main/java/AuthWithCredentialsFromMetadataServer.java

diff --git a/samples/snippets/pom.xml b/samples/snippets/pom.xml
index 866c37041..997efc113 100644
--- a/samples/snippets/pom.xml
+++ b/samples/snippets/pom.xml
@@ -48,14 +48,9 @@
 
 <!--    IAM dependency-->
     <dependency>
-      <groupId>com.google.apis</groupId>
-      <artifactId>google-api-services-iam</artifactId>
-      <version>v1-rev20220509-1.32.1</version>
-    </dependency>
-    <dependency>
-      <groupId>com.google.apis</groupId>
-      <artifactId>google-api-services-iamcredentials</artifactId>
-      <version>v1-rev20211203-1.32.1</version>
+      <groupId>com.google.cloud</groupId>
+      <artifactId>google-iam-admin</artifactId>
+      <version>1.2.1</version>
     </dependency>
 
 <!--    JWT dependency-->
@@ -72,9 +67,8 @@
 
 <!--    GCloud dependency-->
     <dependency>
-      <artifactId>google-cloud-compute</artifactId>
       <groupId>com.google.cloud</groupId>
-      <version>1.8.1</version>
+      <artifactId>google-cloud-compute</artifactId>
     </dependency>
     <dependency>
       <groupId>com.google.cloud</groupId>
diff --git a/samples/snippets/src/main/java/AuthWithCredentialsFromMetadataServer.java b/samples/snippets/src/main/java/AuthWithCredentialsFromMetadataServer.java
deleted file mode 100644
index 0c9781ec4..000000000
--- a/samples/snippets/src/main/java/AuthWithCredentialsFromMetadataServer.java
+++ /dev/null
@@ -1,74 +0,0 @@
-/*
- * Copyright 2022 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-// [START auth_cloud_metadata_server]
-
-import com.google.api.gax.paging.Page;
-import com.google.auth.oauth2.ComputeEngineCredentials;
-import com.google.auth.oauth2.GoogleCredentials;
-import com.google.cloud.storage.Bucket;
-import com.google.cloud.storage.Storage;
-import com.google.cloud.storage.StorageOptions;
-import java.io.IOException;
-import java.security.GeneralSecurityException;
-
-public class AuthWithCredentialsFromMetadataServer {
-
-  public static void main(String[] args) throws IOException, GeneralSecurityException {
-    // TODO(Developer):
-    //  1. Replace the project variable below.
-    //  2. Make sure you have the necessary permission to list storage buckets
-    //  "storage.buckets.list"
-    String projectId = "your-google-cloud-project-id";
-
-    authWithCredentialsFromMetadataServer(projectId);
-  }
-
-  // In this snippet, we demonstrate "Authentication with account credentials
-  // obtained from a metadata server".
-  public static void authWithCredentialsFromMetadataServer(String project) {
-
-    // This snippet demonstrates how to initialize Cloud Storage and list buckets.
-    // Note that the credentials are requested from the ComputeEngine metadata server.
-    Storage storage = initService(project);
-
-    System.out.println("Buckets:");
-    Page<Bucket> buckets = storage.list();
-    for (Bucket bucket : buckets.iterateAll()) {
-      System.out.println(bucket.toString());
-    }
-    System.out.println("Authentication complete.");
-  }
-
-  // Initialize the Storage client by getting the credentials
-  // from a Metadata server.
-  private static Storage initService(String projectId) {
-    // Explicitly request the credentials from the ComputeEngine metadata server.
-    GoogleCredentials credentials = ComputeEngineCredentials.create();
-
-    // Alternately, if executing within AppEngine, you can get credentials as follows:
-    // GoogleCredentials credentials = AppEngineCredentials.getApplicationDefault();
-
-    // Construct the Storage client.
-    // Note that, here we explicitly specify the service account to use.
-    return StorageOptions.newBuilder()
-        .setCredentials(credentials)
-        .setProjectId(projectId)
-        .build()
-        .getService();
-  }
-}
-// [END auth_cloud_metadata_server]
\ No newline at end of file
diff --git a/samples/snippets/src/main/java/AuthenticateExplicit.java b/samples/snippets/src/main/java/AuthenticateExplicit.java
index dd88d3091..40f2b50d2 100644
--- a/samples/snippets/src/main/java/AuthenticateExplicit.java
+++ b/samples/snippets/src/main/java/AuthenticateExplicit.java
@@ -33,45 +33,39 @@ public static void main(String[] args) throws IOException, GeneralSecurityExcept
 
     String projectId = "your-google-cloud-project-id";
 
-    // If you are authenticating to a Cloud API, you do not need to specify a scope;
-    // use Application Default Credentials as described in
-    // https://cloud.google.com/docs/authentication/external/set-up-adc.
-    // If you need to provide a scope, specify it here.
-    // For more information on scopes to use,
-    // see: https://developers.google.com/identity/protocols/oauth2/scopes
-    String scope = "https://www.googleapis.com/auth/PRODUCT_NAME";
-
-    authenticateExplicit(projectId, scope);
+    authenticateExplicit(projectId);
   }
 
   // List storage buckets by authenticating with ADC.
-  public static void authenticateExplicit(String project, String scope)
-      throws IOException {
-
-    // Initialize the storage client.
-    Storage storage = initService(project, scope);
-
-    System.out.println("Buckets:");
-    Page<Bucket> buckets = storage.list();
-    for (Bucket bucket : buckets.iterateAll()) {
-      System.out.println(bucket.toString());
-    }
-    System.out.println("Authentication complete.");
-  }
-
-  // Initialize the Storage client using ADC (Application Default Credentials).
-  private static Storage initService(String projectId, String scope)
+  public static void authenticateExplicit(String projectId)
       throws IOException {
     // Construct the GoogleCredentials object which obtains the default configuration from your
     // working environment.
-    GoogleCredentials credentials = GoogleCredentials.getApplicationDefault().createScoped(scope);
+    // GoogleCredentials.getApplicationDefault() will give you ComputeEngineCredentials
+    // if you are on a GCE (or other metadata server supported environments).
+    GoogleCredentials credentials = GoogleCredentials.getApplicationDefault();
+    // If you are authenticating to a Cloud API, you can let the library include the default scope,
+    // https://www.googleapis.com/auth/cloud-platform, because IAM is used to provide fine-grained
+    // permissions for Cloud.
+    // If you need to provide a scope, specify it as follows:
+    // GoogleCredentials credentials = GoogleCredentials.getApplicationDefault()
+    //     .createScoped(scope);
+    // For more information on scopes to use,
+    // see: https://developers.google.com/identity/protocols/oauth2/scopes
 
     // Construct the Storage client.
-    return StorageOptions.newBuilder()
+    Storage storage = StorageOptions.newBuilder()
         .setCredentials(credentials)
         .setProjectId(projectId)
         .build()
         .getService();
+
+    System.out.println("Buckets:");
+    Page<Bucket> buckets = storage.list();
+    for (Bucket bucket : buckets.iterateAll()) {
+      System.out.println(bucket.toString());
+    }
+    System.out.println("Listed all storage buckets.");
   }
 }
 // [END auth_cloud_explicit_adc]
\ No newline at end of file
diff --git a/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java b/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java
index 278cbf7ff..b23f60dad 100644
--- a/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java
+++ b/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java
@@ -40,9 +40,13 @@ public static void authenticateImplicitWithAdc(String project) throws IOExceptio
     String zone = "us-central1-a";
     // This snippet demonstrates how to list instances.
     // *NOTE*: Replace the client created below with the client required for your application.
-    //
     // Note that the credentials are not specified when constructing the client.
     // Hence, the client library will look for credentials using ADC.
+    //
+    // Initialize client that will be used to send requests. This client only needs to be created
+    // once, and can be reused for multiple requests. After completing all of your requests, call
+    // the `instancesClient.close()` method on the client to safely
+    // clean up any remaining background resources.
     try (InstancesClient instancesClient = InstancesClient.create()) {
       // Set the project and zone to retrieve instances present in the zone.
       System.out.printf("Listing instances from %s in %s:", project, zone);
diff --git a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
index 79323b207..1dca800a8 100644
--- a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
+++ b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
@@ -41,7 +41,7 @@ public static void main(String[] args)
     // logical identifier of an API service, such as "pubsub.googleapis.com".
     String targetAudience = "iap.googleapis.com";
 
-    // The service account name of the limited-privilege account for whom the credential is created.
+    // The name of the privilege-bearing service account for whom the credential is created.
     String impersonatedServiceAccount =
         "name@project.service.gserviceaccount.com";
 
@@ -89,7 +89,8 @@ public static void getIdTokenUsingOAuth2(String impersonatedServiceAccount, Stri
     // Get the ID token.
     // Once you've obtained the ID token, use it to make an authenticated call
     // to the target audience.
-    System.out.printf("ID token: %s", idTokenCredentials.refreshAccessToken().getTokenValue());
+    String idToken = idTokenCredentials.refreshAccessToken().getTokenValue();
+    System.out.println("Generated ID token.");
 
   }
 }
diff --git a/samples/snippets/src/main/java/IdTokenFromMetadataServer.java b/samples/snippets/src/main/java/IdTokenFromMetadataServer.java
index 246e1fd7f..99b047c65 100644
--- a/samples/snippets/src/main/java/IdTokenFromMetadataServer.java
+++ b/samples/snippets/src/main/java/IdTokenFromMetadataServer.java
@@ -55,9 +55,8 @@ public static void getIdTokenFromMetadataServer(String url)
     // Get the ID token.
     // Once you've obtained the ID token, use it to make an authenticated call
     // to the target audience.
-    System.out.printf("Generated ID token: %s",
-        idTokenCredentials.refreshAccessToken().getTokenValue());
-
+    String idToken = idTokenCredentials.refreshAccessToken().getTokenValue();
+    System.out.println("Generated ID token.");
   }
 }
 // [END auth_cloud_idtoken_metadata_server]
\ No newline at end of file
diff --git a/samples/snippets/src/main/java/IdTokenFromServiceAccount.java b/samples/snippets/src/main/java/IdTokenFromServiceAccount.java
index 75907cb6f..0e8bb723f 100644
--- a/samples/snippets/src/main/java/IdTokenFromServiceAccount.java
+++ b/samples/snippets/src/main/java/IdTokenFromServiceAccount.java
@@ -71,7 +71,8 @@ public static void getIdTokenFromServiceAccount(String jsonCredentialPath,
     //     .setTargetAudience(targetAudience)
     //     .build();
 
-    System.out.printf("Generated ID token %s", idToken.getTokenValue());
+    String token = idToken.getTokenValue();
+    System.out.println("Generated ID token.");
   }
 }
 // [END auth_cloud_idtoken_service_account]
\ No newline at end of file
diff --git a/samples/snippets/src/test/java/SnippetsIT.java b/samples/snippets/src/test/java/SnippetsIT.java
index dd6d91cb2..31b66a2a6 100644
--- a/samples/snippets/src/test/java/SnippetsIT.java
+++ b/samples/snippets/src/test/java/SnippetsIT.java
@@ -102,7 +102,7 @@ public void testIdTokenFromServiceAccount() throws IOException {
     IdTokenFromServiceAccount.getIdTokenFromServiceAccount(
         CREDENTIALS,
         "pubsub.googleapis.com");
-    assertThat(stdOut.toString()).contains("Generated ID token");
+    assertThat(stdOut.toString()).contains("Generated ID token.");
   }
 
   @Test
@@ -121,7 +121,7 @@ public void testVerifyNonGoogleIdToken()
   @Test
   public void testIdTokenFromMetadataServer() throws GeneralSecurityException, IOException {
     IdTokenFromMetadataServer.getIdTokenFromMetadataServer("https://www.google.com");
-    assertThat(stdOut.toString()).contains("Generated ID token:");
+    assertThat(stdOut.toString()).contains("Generated ID token.");
   }
 
   @Test
@@ -133,15 +133,8 @@ public void testAuthenticateImplicitWithAdc() throws IOException {
   @Test
   public void testAuthenticateExplicit() throws IOException {
     AuthenticateExplicit.authenticateExplicit(
-        PROJECT_ID,
-        "https://www.googleapis.com/auth/cloud-platform");
-    assertThat(stdOut.toString()).contains("Authentication complete.");
-  }
-
-  @Test
-  public void testAuthWithCredentialsFromMetadataServer() {
-    AuthWithCredentialsFromMetadataServer.authWithCredentialsFromMetadataServer(PROJECT_ID);
-    assertThat(stdOut.toString()).contains("Authentication complete.");
+        PROJECT_ID);
+    assertThat(stdOut.toString()).contains("Listed all storage buckets.");
   }
 
 }

From 7c6863482d833538efde1b9693a1b904bab3f083 Mon Sep 17 00:00:00 2001
From: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
Date: Thu, 28 Jul 2022 18:50:33 +0000
Subject: [PATCH 09/16] =?UTF-8?q?=F0=9F=A6=89=20Updates=20from=20OwlBot=20?=
 =?UTF-8?q?post-processor?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md
---
 .../src/main/java/AuthenticateExplicit.java   | 19 +++++-----
 .../java/AuthenticateImplicitWithAdc.java     |  2 +-
 .../IdTokenFromImpersonatedCredentials.java   | 35 ++++++++-----------
 .../main/java/IdTokenFromMetadataServer.java  | 21 ++++++-----
 .../main/java/IdTokenFromServiceAccount.java  | 13 +++----
 .../src/main/java/VerifyGoogleIdToken.java    | 14 ++++----
 .../src/main/java/VerifyNonGoogleIdToken.java | 14 ++++----
 .../snippets/src/test/java/SnippetsIT.java    | 33 +++++++----------
 8 files changed, 69 insertions(+), 82 deletions(-)

diff --git a/samples/snippets/src/main/java/AuthenticateExplicit.java b/samples/snippets/src/main/java/AuthenticateExplicit.java
index 40f2b50d2..ccd189db9 100644
--- a/samples/snippets/src/main/java/AuthenticateExplicit.java
+++ b/samples/snippets/src/main/java/AuthenticateExplicit.java
@@ -29,7 +29,8 @@ public class AuthenticateExplicit {
   public static void main(String[] args) throws IOException, GeneralSecurityException {
     // TODO(Developer):
     //  1. Replace the project variable below.
-    //  2. Make sure you have the necessary permission to list storage buckets "storage.buckets.list"
+    //  2. Make sure you have the necessary permission to list storage buckets
+    // "storage.buckets.list"
 
     String projectId = "your-google-cloud-project-id";
 
@@ -37,8 +38,7 @@ public static void main(String[] args) throws IOException, GeneralSecurityExcept
   }
 
   // List storage buckets by authenticating with ADC.
-  public static void authenticateExplicit(String projectId)
-      throws IOException {
+  public static void authenticateExplicit(String projectId) throws IOException {
     // Construct the GoogleCredentials object which obtains the default configuration from your
     // working environment.
     // GoogleCredentials.getApplicationDefault() will give you ComputeEngineCredentials
@@ -54,11 +54,12 @@ public static void authenticateExplicit(String projectId)
     // see: https://developers.google.com/identity/protocols/oauth2/scopes
 
     // Construct the Storage client.
-    Storage storage = StorageOptions.newBuilder()
-        .setCredentials(credentials)
-        .setProjectId(projectId)
-        .build()
-        .getService();
+    Storage storage =
+        StorageOptions.newBuilder()
+            .setCredentials(credentials)
+            .setProjectId(projectId)
+            .build()
+            .getService();
 
     System.out.println("Buckets:");
     Page<Bucket> buckets = storage.list();
@@ -68,4 +69,4 @@ public static void authenticateExplicit(String projectId)
     System.out.println("Listed all storage buckets.");
   }
 }
-// [END auth_cloud_explicit_adc]
\ No newline at end of file
+// [END auth_cloud_explicit_adc]
diff --git a/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java b/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java
index b23f60dad..9b69429ef 100644
--- a/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java
+++ b/samples/snippets/src/main/java/AuthenticateImplicitWithAdc.java
@@ -57,4 +57,4 @@ public static void authenticateImplicitWithAdc(String project) throws IOExceptio
     }
   }
 }
-// [END auth_cloud_implicit_adc]
\ No newline at end of file
+// [END auth_cloud_implicit_adc]
diff --git a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
index 1dca800a8..61fcbac4e 100644
--- a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
+++ b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
@@ -26,8 +26,7 @@
 
 public class IdTokenFromImpersonatedCredentials {
 
-  public static void main(String[] args)
-      throws IOException {
+  public static void main(String[] args) throws IOException {
     // TODO(Developer): Replace the below variables before running the code.
 
     // Provide the scopes that you might need to request to access Google APIs,
@@ -42,8 +41,7 @@ public static void main(String[] args)
     String targetAudience = "iap.googleapis.com";
 
     // The name of the privilege-bearing service account for whom the credential is created.
-    String impersonatedServiceAccount =
-        "name@project.service.gserviceaccount.com";
+    String impersonatedServiceAccount = "name@project.service.gserviceaccount.com";
 
     getIdTokenUsingOAuth2(impersonatedServiceAccount, scope, targetAudience);
   }
@@ -52,8 +50,8 @@ public static void main(String[] args)
   // for the impersonated account.
   // To obtain token for SA2, SA1 should have the "roles/iam.serviceAccountTokenCreator" permission
   // on SA2.
-  public static void getIdTokenUsingOAuth2(String impersonatedServiceAccount, String scope,
-      String targetAudience) throws IOException {
+  public static void getIdTokenUsingOAuth2(
+      String impersonatedServiceAccount, String scope, String targetAudience) throws IOException {
 
     // Construct the GoogleCredentials object which obtains the default configuration from your
     // working environment.
@@ -71,27 +69,24 @@ public static void getIdTokenUsingOAuth2(String impersonatedServiceAccount, Stri
     List<String> delegates = null;
 
     // Create the impersonated credential.
-    ImpersonatedCredentials impersonatedCredentials = ImpersonatedCredentials.create(
-        googleCredentials,
-        impersonatedServiceAccount,
-        delegates,
-        Arrays.asList(scope),
-        300);
+    ImpersonatedCredentials impersonatedCredentials =
+        ImpersonatedCredentials.create(
+            googleCredentials, impersonatedServiceAccount, delegates, Arrays.asList(scope), 300);
 
     // Set the impersonated credential, target audience and token options.
-    IdTokenCredentials idTokenCredentials = IdTokenCredentials.newBuilder()
-        .setIdTokenProvider(impersonatedCredentials)
-        .setTargetAudience(targetAudience)
-        // Setting this will include email in the id token.
-        .setOptions(Arrays.asList(Option.INCLUDE_EMAIL))
-        .build();
+    IdTokenCredentials idTokenCredentials =
+        IdTokenCredentials.newBuilder()
+            .setIdTokenProvider(impersonatedCredentials)
+            .setTargetAudience(targetAudience)
+            // Setting this will include email in the id token.
+            .setOptions(Arrays.asList(Option.INCLUDE_EMAIL))
+            .build();
 
     // Get the ID token.
     // Once you've obtained the ID token, use it to make an authenticated call
     // to the target audience.
     String idToken = idTokenCredentials.refreshAccessToken().getTokenValue();
     System.out.println("Generated ID token.");
-
   }
 }
-// [auth_cloud_idtoken_impersonated_credentials]
\ No newline at end of file
+// [auth_cloud_idtoken_impersonated_credentials]
diff --git a/samples/snippets/src/main/java/IdTokenFromMetadataServer.java b/samples/snippets/src/main/java/IdTokenFromMetadataServer.java
index 99b047c65..3358ccdbe 100644
--- a/samples/snippets/src/main/java/IdTokenFromMetadataServer.java
+++ b/samples/snippets/src/main/java/IdTokenFromMetadataServer.java
@@ -26,8 +26,7 @@
 
 public class IdTokenFromMetadataServer {
 
-  public static void main(String[] args)
-      throws IOException, GeneralSecurityException {
+  public static void main(String[] args) throws IOException, GeneralSecurityException {
     // TODO(Developer): Replace the below variables before running the code.
 
     // The url or target audience to obtain the ID token for.
@@ -39,18 +38,18 @@ public static void main(String[] args)
   // Use the Google Cloud metadata server in the Cloud Run (or AppEngine or Kubernetes etc.,)
   // environment to create an identity token and add it to the HTTP request as part of an
   // Authorization header.
-  public static void getIdTokenFromMetadataServer(String url)
-      throws IOException {
+  public static void getIdTokenFromMetadataServer(String url) throws IOException {
     // Construct the GoogleCredentials object which obtains the default configuration from your
     // working environment.
     GoogleCredentials googleCredentials = GoogleCredentials.getApplicationDefault();
 
-    IdTokenCredentials idTokenCredentials = IdTokenCredentials.newBuilder()
-        .setIdTokenProvider((IdTokenProvider) googleCredentials)
-        .setTargetAudience(url)
-        // Setting the ID token options.
-        .setOptions(Arrays.asList(Option.FORMAT_FULL, Option.LICENSES_TRUE))
-        .build();
+    IdTokenCredentials idTokenCredentials =
+        IdTokenCredentials.newBuilder()
+            .setIdTokenProvider((IdTokenProvider) googleCredentials)
+            .setTargetAudience(url)
+            // Setting the ID token options.
+            .setOptions(Arrays.asList(Option.FORMAT_FULL, Option.LICENSES_TRUE))
+            .build();
 
     // Get the ID token.
     // Once you've obtained the ID token, use it to make an authenticated call
@@ -59,4 +58,4 @@ public static void getIdTokenFromMetadataServer(String url)
     System.out.println("Generated ID token.");
   }
 }
-// [END auth_cloud_idtoken_metadata_server]
\ No newline at end of file
+// [END auth_cloud_idtoken_metadata_server]
diff --git a/samples/snippets/src/main/java/IdTokenFromServiceAccount.java b/samples/snippets/src/main/java/IdTokenFromServiceAccount.java
index 0e8bb723f..232288805 100644
--- a/samples/snippets/src/main/java/IdTokenFromServiceAccount.java
+++ b/samples/snippets/src/main/java/IdTokenFromServiceAccount.java
@@ -49,21 +49,18 @@ public static void main(String[] args)
     getIdTokenFromServiceAccount(jsonCredentialPath, targetAudience);
   }
 
-  public static void getIdTokenFromServiceAccount(String jsonCredentialPath,
-      String targetAudience)
+  public static void getIdTokenFromServiceAccount(String jsonCredentialPath, String targetAudience)
       throws IOException {
 
     // Initialize the Service Account Credentials class with the path to the json file.
-    ServiceAccountCredentials serviceAccountCredentials = ServiceAccountCredentials.fromStream(
-        new FileInputStream(jsonCredentialPath));
+    ServiceAccountCredentials serviceAccountCredentials =
+        ServiceAccountCredentials.fromStream(new FileInputStream(jsonCredentialPath));
 
     // Obtain the id token by providing the target audience.
     // tokenOption: Enum of various credential-specific options to apply to the token. Applicable
     // only for credentials obtained through Compute Engine or Impersonation.
     List<Option> tokenOption = Arrays.asList();
-    IdToken idToken = serviceAccountCredentials.idTokenWithAudience(
-        targetAudience,
-        tokenOption);
+    IdToken idToken = serviceAccountCredentials.idTokenWithAudience(targetAudience, tokenOption);
 
     // The following method can also be used to generate the ID token.
     // IdTokenCredentials idTokenCredentials = IdTokenCredentials.newBuilder()
@@ -75,4 +72,4 @@ public static void getIdTokenFromServiceAccount(String jsonCredentialPath,
     System.out.println("Generated ID token.");
   }
 }
-// [END auth_cloud_idtoken_service_account]
\ No newline at end of file
+// [END auth_cloud_idtoken_service_account]
diff --git a/samples/snippets/src/main/java/VerifyGoogleIdToken.java b/samples/snippets/src/main/java/VerifyGoogleIdToken.java
index d6e7f9e0b..b71b94f71 100644
--- a/samples/snippets/src/main/java/VerifyGoogleIdToken.java
+++ b/samples/snippets/src/main/java/VerifyGoogleIdToken.java
@@ -30,7 +30,8 @@
 public class VerifyGoogleIdToken {
 
   public static void main(String[] args)
-      throws IOException, ExecutionException, InterruptedException, GeneralSecurityException, JwkException {
+      throws IOException, ExecutionException, InterruptedException, GeneralSecurityException,
+          JwkException {
     // TODO(Developer): Replace the below variables before running the code.
     // The Google ID token to verify.
     String idToken = "id-token";
@@ -46,10 +47,11 @@ public static void main(String[] args)
   public static void verifyGoogleIdToken(String idTokenString, String audience)
       throws GeneralSecurityException, IOException {
     // Initialize the Google id token verifier and set the audience.
-    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
-        GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance())
-        .setAudience(Collections.singletonList(audience))
-        .build();
+    GoogleIdTokenVerifier verifier =
+        new GoogleIdTokenVerifier.Builder(
+                GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance())
+            .setAudience(Collections.singletonList(audience))
+            .build();
 
     // Verify the id token.
     GoogleIdToken idToken = verifier.verify(idTokenString);
@@ -67,4 +69,4 @@ public static void verifyGoogleIdToken(String idTokenString, String audience)
     System.out.println("Unable to verify the token!");
   }
 }
-// [END auth_cloud_verify_google_idtoken]
\ No newline at end of file
+// [END auth_cloud_verify_google_idtoken]
diff --git a/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java b/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java
index 3695f2ff7..2cf88f027 100644
--- a/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java
+++ b/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java
@@ -35,7 +35,8 @@
 public class VerifyNonGoogleIdToken {
 
   public static void main(String[] args)
-      throws IOException, ExecutionException, InterruptedException, GeneralSecurityException, JwkException {
+      throws IOException, ExecutionException, InterruptedException, GeneralSecurityException,
+          JwkException {
     // TODO(Developer): Replace the below variables before running the code.
     // The non-Google ID token to verify.
     String idToken = "id-token";
@@ -48,10 +49,12 @@ public static void main(String[] args)
     // OpenID Connect allows the use of a "Discovery document," a JSON document found at a
     // well-known location containing key-value pairs which provide details about the
     // OpenID Connect provider's configuration.
-    // For more information on validating the jwt, see: https://developers.google.com/identity/protocols/oauth2/openid-connect#validatinganidtoken
+    // For more information on validating the jwt, see:
+    // https://developers.google.com/identity/protocols/oauth2/openid-connect#validatinganidtoken
     //
     // Here, we validate Google's token using Google's OpenID Connect service (jwkUrl).
-    // For more information on jwk,see: https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets
+    // For more information on jwk,see:
+    // https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets
     String jwkUrl = "https://www.googleapis.com/oauth2/v3/certs";
 
     verifyNonGoogleIdToken(idToken, targetAudience, jwkUrl);
@@ -59,8 +62,7 @@ public static void main(String[] args)
 
   // Verify a non-google id token. Here, we are using the Google's jwk. The procedure is the same
   // even if the jwk is from a different provider.
-  public static void verifyNonGoogleIdToken(String idToken, String targetAudience,
-      String jwkUrl)
+  public static void verifyNonGoogleIdToken(String idToken, String targetAudience, String jwkUrl)
       throws IOException, JwkException {
 
     // Start verification.
@@ -97,4 +99,4 @@ public static void verifyNonGoogleIdToken(String idToken, String targetAudience,
     System.out.println("Unable to verify ID token.");
   }
 }
-// [END auth_cloud_verify_non_google_idtoken]
\ No newline at end of file
+// [END auth_cloud_verify_non_google_idtoken]
diff --git a/samples/snippets/src/test/java/SnippetsIT.java b/samples/snippets/src/test/java/SnippetsIT.java
index 31b66a2a6..f6182ee4f 100644
--- a/samples/snippets/src/test/java/SnippetsIT.java
+++ b/samples/snippets/src/test/java/SnippetsIT.java
@@ -46,7 +46,8 @@ public class SnippetsIT {
   // Check if the required environment variables are set.
   public static void requireEnvVar(String envVarName) {
     assertWithMessage(String.format("Missing environment variable '%s' ", envVarName))
-        .that(System.getenv(envVarName)).isNotEmpty();
+        .that(System.getenv(envVarName))
+        .isNotEmpty();
   }
 
   @BeforeClass
@@ -62,8 +63,7 @@ public static void setup() throws IOException {
   }
 
   @AfterClass
-  public static void cleanup() {
-  }
+  public static void cleanup() {}
 
   @Before
   public void beforeEach() {
@@ -78,43 +78,36 @@ public void afterEach() {
   }
 
   // Get an id token from a Google service account.
-  private static String getIdTokenFromServiceAccount(String jsonCredentialPath,
-      String targetAudience)
+  private static String getIdTokenFromServiceAccount(
+      String jsonCredentialPath, String targetAudience)
       throws IOException, GeneralSecurityException, JwkException {
 
     // Initialize the Service Account Credentials class with the path to the json file.
-    ServiceAccountCredentials serviceAccountCredentials = ServiceAccountCredentials.fromStream(
-        new FileInputStream(jsonCredentialPath));
+    ServiceAccountCredentials serviceAccountCredentials =
+        ServiceAccountCredentials.fromStream(new FileInputStream(jsonCredentialPath));
 
     // Obtain the id token by providing the target audience.
     // tokenOption: Enum of various credential-specific options to apply to the token. Applicable
     // only for credentials obtained through Compute Engine or Impersonation.
     List<Option> tokenOption = Arrays.asList();
-    IdToken idToken = serviceAccountCredentials.idTokenWithAudience(
-        targetAudience,
-        tokenOption);
+    IdToken idToken = serviceAccountCredentials.idTokenWithAudience(targetAudience, tokenOption);
 
     return idToken.getTokenValue();
   }
 
   @Test
   public void testIdTokenFromServiceAccount() throws IOException {
-    IdTokenFromServiceAccount.getIdTokenFromServiceAccount(
-        CREDENTIALS,
-        "pubsub.googleapis.com");
+    IdTokenFromServiceAccount.getIdTokenFromServiceAccount(CREDENTIALS, "pubsub.googleapis.com");
     assertThat(stdOut.toString()).contains("Generated ID token.");
   }
 
   @Test
   public void testVerifyNonGoogleIdToken()
       throws GeneralSecurityException, IOException, JwkException {
-    String idToken = getIdTokenFromServiceAccount(CREDENTIALS,
-        "pubsub.googleapis.com");
+    String idToken = getIdTokenFromServiceAccount(CREDENTIALS, "pubsub.googleapis.com");
 
     VerifyNonGoogleIdToken.verifyNonGoogleIdToken(
-        idToken,
-        "pubsub.googleapis.com",
-        "https://www.googleapis.com/oauth2/v3/certs");
+        idToken, "pubsub.googleapis.com", "https://www.googleapis.com/oauth2/v3/certs");
     assertThat(stdOut.toString()).contains("Id token verified.");
   }
 
@@ -132,9 +125,7 @@ public void testAuthenticateImplicitWithAdc() throws IOException {
 
   @Test
   public void testAuthenticateExplicit() throws IOException {
-    AuthenticateExplicit.authenticateExplicit(
-        PROJECT_ID);
+    AuthenticateExplicit.authenticateExplicit(PROJECT_ID);
     assertThat(stdOut.toString()).contains("Listed all storage buckets.");
   }
-
 }

From 1baeebed5764b78fcc6f2bd9e7f2366a5282e6d4 Mon Sep 17 00:00:00 2001
From: SitaLakshmi <sita1996@gmail.com>
Date: Fri, 29 Jul 2022 00:43:42 +0530
Subject: [PATCH 10/16] minor comment update

---
 .../main/java/IdTokenFromImpersonatedCredentials.java | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
index 1dca800a8..6efa8d3d9 100644
--- a/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
+++ b/samples/snippets/src/main/java/IdTokenFromImpersonatedCredentials.java
@@ -60,14 +60,9 @@ public static void getIdTokenUsingOAuth2(String impersonatedServiceAccount, Stri
     GoogleCredentials googleCredentials = GoogleCredentials.getApplicationDefault();
 
     // delegates: The chained list of delegates required to grant the final accessToken.
-    //
-    // If set, the sequence of identities must have "Service Account Token Creator" capability
-    // granted to the preceding identity.
-    // For example, if set to [serviceAccountB, serviceAccountC], the source credential must have
-    // the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator on
-    // serviceAccountC. Finally, C must have Token Creator on impersonatedServiceAccount.
-    //
-    // If left unset, source credential must have that role on impersonatedServiceAccount.
+    // For more information, see:
+    // https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#sa-credentials-permissions
+    // Delegate is NOT USED here.
     List<String> delegates = null;
 
     // Create the impersonated credential.

From 680cfdd7d29ee2e00583c3a7852ef543ac4d5632 Mon Sep 17 00:00:00 2001
From: SitaLakshmi <sita1996@gmail.com>
Date: Sat, 30 Jul 2022 00:44:03 +0530
Subject: [PATCH 11/16] modified google id token verification and removed third
 party dependency

---
 .../src/main/java/VerifyGoogleIdToken.java    |  64 ++++++-----
 .../src/main/java/VerifyNonGoogleIdToken.java | 102 ------------------
 .../snippets/src/test/java/SnippetsIT.java    |  16 ++-
 3 files changed, 42 insertions(+), 140 deletions(-)
 delete mode 100644 samples/snippets/src/main/java/VerifyNonGoogleIdToken.java

diff --git a/samples/snippets/src/main/java/VerifyGoogleIdToken.java b/samples/snippets/src/main/java/VerifyGoogleIdToken.java
index b71b94f71..7f8766aa8 100644
--- a/samples/snippets/src/main/java/VerifyGoogleIdToken.java
+++ b/samples/snippets/src/main/java/VerifyGoogleIdToken.java
@@ -16,22 +16,12 @@
 
 // [START auth_cloud_verify_google_idtoken]
 
-import com.auth0.jwk.JwkException;
-import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
-import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
-import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
-import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
-import com.google.api.client.json.gson.GsonFactory;
-import java.io.IOException;
-import java.security.GeneralSecurityException;
-import java.util.Collections;
-import java.util.concurrent.ExecutionException;
+import com.google.api.client.json.webtoken.JsonWebToken;
+import com.google.auth.oauth2.TokenVerifier;
 
 public class VerifyGoogleIdToken {
 
-  public static void main(String[] args)
-      throws IOException, ExecutionException, InterruptedException, GeneralSecurityException,
-          JwkException {
+  public static void main(String[] args) {
     // TODO(Developer): Replace the below variables before running the code.
     // The Google ID token to verify.
     String idToken = "id-token";
@@ -40,33 +30,49 @@ public static void main(String[] args)
     // logical identifier of an API service, such as "pubsub.googleapis.com".
     String targetAudience = "pubsub.googleapis.com";
 
-    verifyGoogleIdToken(idToken, targetAudience);
+    // To verify id tokens, get the Json Web Key endpoint (jwk).
+    // OpenID Connect allows the use of a "Discovery document," a JSON document found at a
+    // well-known location containing key-value pairs which provide details about the
+    // OpenID Connect provider's configuration.
+    // For more information on validating the jwt, see:
+    // https://developers.google.com/identity/protocols/oauth2/openid-connect#validatinganidtoken
+    //
+    // Here, we validate Google's token using Google's OpenID Connect service (jwkUrl).
+    // For more information on jwk,see:
+    // https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets
+    String jwkUrl = "https://www.googleapis.com/oauth2/v3/certs";
+
+    verifyGoogleIdToken(idToken, targetAudience, jwkUrl);
   }
 
   // Verifies the obtained Google id token. This is done at the receiving end of the OIDC endpoint.
-  public static void verifyGoogleIdToken(String idTokenString, String audience)
-      throws GeneralSecurityException, IOException {
-    // Initialize the Google id token verifier and set the audience.
-    GoogleIdTokenVerifier verifier =
-        new GoogleIdTokenVerifier.Builder(
-                GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance())
-            .setAudience(Collections.singletonList(audience))
+  public static void verifyGoogleIdToken(String idToken, String audience, String jwkUrl) {
+    // Initialize the Token verifier and set the audience.
+    TokenVerifier tokenVerifier =
+        TokenVerifier.newBuilder()
+            .setAudience(audience)
+            .setIssuer(jwkUrl)
             .build();
 
-    // Verify the id token.
-    GoogleIdToken idToken = verifier.verify(idTokenString);
-    if (idToken != null) {
-      Payload payload = idToken.getPayload();
+    try {
+      // Verify the token.
+      JsonWebToken jsonWebToken = tokenVerifier.verify(idToken);
+
+      // Verify that the token contains subject and email claims.
+      JsonWebToken.Payload payload = jsonWebToken.getPayload();
       // Get the user id.
       String userId = payload.getSubject();
       System.out.println("User ID: " + userId);
 
-      // Optionally, if "INCLUDE_EMAIL" was set in the "IdTokenProvider.Option", check if the
+      // Optionally, if "INCLUDE_EMAIL" was set in the token options, check if the
       // email was verified.
-      boolean emailVerified = payload.getEmailVerified();
-      System.out.printf("Email verified: %s", emailVerified);
+      if (payload.get("email") != null) {
+        System.out.printf("Email verified: %s", payload.get("email"));
+      }
+    } catch (TokenVerifier.VerificationException e) {
+      System.out.printf("Unable to verify the token: %s", e.getMessage());
     }
-    System.out.println("Unable to verify the token!");
   }
+
 }
 // [END auth_cloud_verify_google_idtoken]
diff --git a/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java b/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java
deleted file mode 100644
index 2cf88f027..000000000
--- a/samples/snippets/src/main/java/VerifyNonGoogleIdToken.java
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- * Copyright 2022 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-// [START auth_cloud_verify_non_google_idtoken]
-
-import com.auth0.jwk.Jwk;
-import com.auth0.jwk.JwkException;
-import com.auth0.jwk.JwkProvider;
-import com.auth0.jwk.UrlJwkProvider;
-import com.auth0.jwt.JWT;
-import com.auth0.jwt.JWTVerifier;
-import com.auth0.jwt.algorithms.Algorithm;
-import com.auth0.jwt.exceptions.JWTVerificationException;
-import com.auth0.jwt.interfaces.DecodedJWT;
-import java.io.IOException;
-import java.net.URL;
-import java.security.GeneralSecurityException;
-import java.security.interfaces.RSAPublicKey;
-import java.util.Calendar;
-import java.util.concurrent.ExecutionException;
-
-public class VerifyNonGoogleIdToken {
-
-  public static void main(String[] args)
-      throws IOException, ExecutionException, InterruptedException, GeneralSecurityException,
-          JwkException {
-    // TODO(Developer): Replace the below variables before running the code.
-    // The non-Google ID token to verify.
-    String idToken = "id-token";
-
-    // The service name for which the id token is requested. Service name refers to the
-    // logical identifier of an API service, such as "pubsub.googleapis.com".
-    String targetAudience = "pubsub.googleapis.com";
-
-    // To verify non-google tokens, get the Json Web Key endpoint (jwk).
-    // OpenID Connect allows the use of a "Discovery document," a JSON document found at a
-    // well-known location containing key-value pairs which provide details about the
-    // OpenID Connect provider's configuration.
-    // For more information on validating the jwt, see:
-    // https://developers.google.com/identity/protocols/oauth2/openid-connect#validatinganidtoken
-    //
-    // Here, we validate Google's token using Google's OpenID Connect service (jwkUrl).
-    // For more information on jwk,see:
-    // https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets
-    String jwkUrl = "https://www.googleapis.com/oauth2/v3/certs";
-
-    verifyNonGoogleIdToken(idToken, targetAudience, jwkUrl);
-  }
-
-  // Verify a non-google id token. Here, we are using the Google's jwk. The procedure is the same
-  // even if the jwk is from a different provider.
-  public static void verifyNonGoogleIdToken(String idToken, String targetAudience, String jwkUrl)
-      throws IOException, JwkException {
-
-    // Start verification.
-    DecodedJWT jwt = JWT.decode(idToken);
-
-    // Check if the token has expired.
-    if (jwt.getExpiresAt().before(Calendar.getInstance().getTime())) {
-      System.out.println("Token already expired..");
-      return;
-    }
-
-    // Construct the jwkProvider from the provided jwkURL.
-    JwkProvider jwkProvider = new UrlJwkProvider(new URL(jwkUrl));
-    // Get the jwk from the provided key id.
-    Jwk jwk = jwkProvider.get(jwt.getKeyId());
-    // Retrieve the public key and use that to create an instance of the Algorithm.
-    Algorithm algorithm = Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(), null);
-    // Create the verifier with the algorithm and target audience.
-    JWTVerifier jwtVerifier = JWT.require(algorithm).withAudience(targetAudience).build();
-
-    boolean isVerified = true;
-    try {
-      // Verify the obtained id token. This is done at the receiving end of the OIDC endpoint.
-      jwt = jwtVerifier.verify(idToken);
-    } catch (JWTVerificationException e) {
-      System.out.println("Could not verify Signature: " + e.getMessage());
-      isVerified = false;
-    }
-
-    if (isVerified) {
-      System.out.println("Id token verified.");
-      return;
-    }
-    System.out.println("Unable to verify ID token.");
-  }
-}
-// [END auth_cloud_verify_non_google_idtoken]
diff --git a/samples/snippets/src/test/java/SnippetsIT.java b/samples/snippets/src/test/java/SnippetsIT.java
index f6182ee4f..6c5540051 100644
--- a/samples/snippets/src/test/java/SnippetsIT.java
+++ b/samples/snippets/src/test/java/SnippetsIT.java
@@ -17,7 +17,6 @@
 import static com.google.common.truth.Truth.assertThat;
 import static com.google.common.truth.Truth.assertWithMessage;
 
-import com.auth0.jwk.JwkException;
 import com.google.auth.oauth2.IdToken;
 import com.google.auth.oauth2.IdTokenProvider.Option;
 import com.google.auth.oauth2.ServiceAccountCredentials;
@@ -80,7 +79,7 @@ public void afterEach() {
   // Get an id token from a Google service account.
   private static String getIdTokenFromServiceAccount(
       String jsonCredentialPath, String targetAudience)
-      throws IOException, GeneralSecurityException, JwkException {
+      throws IOException {
 
     // Initialize the Service Account Credentials class with the path to the json file.
     ServiceAccountCredentials serviceAccountCredentials =
@@ -97,18 +96,17 @@ private static String getIdTokenFromServiceAccount(
 
   @Test
   public void testIdTokenFromServiceAccount() throws IOException {
-    IdTokenFromServiceAccount.getIdTokenFromServiceAccount(CREDENTIALS, "pubsub.googleapis.com");
+    IdTokenFromServiceAccount.getIdTokenFromServiceAccount(CREDENTIALS, "iap.googleapis.com");
     assertThat(stdOut.toString()).contains("Generated ID token.");
   }
 
   @Test
-  public void testVerifyNonGoogleIdToken()
-      throws GeneralSecurityException, IOException, JwkException {
-    String idToken = getIdTokenFromServiceAccount(CREDENTIALS, "pubsub.googleapis.com");
+  public void testVerifyGoogleIdToken()
+      throws IOException {
+    String idToken = getIdTokenFromServiceAccount(CREDENTIALS, "iap.googleapis.com");
 
-    VerifyNonGoogleIdToken.verifyNonGoogleIdToken(
-        idToken, "pubsub.googleapis.com", "https://www.googleapis.com/oauth2/v3/certs");
-    assertThat(stdOut.toString()).contains("Id token verified.");
+    VerifyGoogleIdToken.verifyGoogleIdToken(idToken, "iap.googleapis.com",
+        "https://www.googleapis.com/oauth2/v3/certs");
   }
 
   @Test

From a9432909a6a23f99257695a306fe25d935f9654d Mon Sep 17 00:00:00 2001
From: SitaLakshmi <sita1996@gmail.com>
Date: Sat, 30 Jul 2022 00:45:02 +0530
Subject: [PATCH 12/16] removed third party deps from pom

---
 samples/snippets/pom.xml | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/samples/snippets/pom.xml b/samples/snippets/pom.xml
index 997efc113..d0ff21c82 100644
--- a/samples/snippets/pom.xml
+++ b/samples/snippets/pom.xml
@@ -53,18 +53,6 @@
       <version>1.2.1</version>
     </dependency>
 
-<!--    JWT dependency-->
-    <dependency>
-      <groupId>com.auth0</groupId>
-      <artifactId>java-jwt</artifactId>
-      <version>3.16.0</version>
-    </dependency>
-    <dependency>
-      <groupId>com.auth0</groupId>
-      <artifactId>jwks-rsa</artifactId>
-      <version>0.18.0</version>
-    </dependency>
-
 <!--    GCloud dependency-->
     <dependency>
       <groupId>com.google.cloud</groupId>

From d7d6257cdd37125034ab321480c0cfd7988cfc9c Mon Sep 17 00:00:00 2001
From: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
Date: Fri, 29 Jul 2022 19:16:31 +0000
Subject: [PATCH 13/16] =?UTF-8?q?=F0=9F=A6=89=20Updates=20from=20OwlBot=20?=
 =?UTF-8?q?post-processor?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md
---
 .../snippets/src/main/java/VerifyGoogleIdToken.java    |  6 +-----
 samples/snippets/src/test/java/SnippetsIT.java         | 10 ++++------
 2 files changed, 5 insertions(+), 11 deletions(-)

diff --git a/samples/snippets/src/main/java/VerifyGoogleIdToken.java b/samples/snippets/src/main/java/VerifyGoogleIdToken.java
index 7f8766aa8..503e0b6b6 100644
--- a/samples/snippets/src/main/java/VerifyGoogleIdToken.java
+++ b/samples/snippets/src/main/java/VerifyGoogleIdToken.java
@@ -49,10 +49,7 @@ public static void main(String[] args) {
   public static void verifyGoogleIdToken(String idToken, String audience, String jwkUrl) {
     // Initialize the Token verifier and set the audience.
     TokenVerifier tokenVerifier =
-        TokenVerifier.newBuilder()
-            .setAudience(audience)
-            .setIssuer(jwkUrl)
-            .build();
+        TokenVerifier.newBuilder().setAudience(audience).setIssuer(jwkUrl).build();
 
     try {
       // Verify the token.
@@ -73,6 +70,5 @@ public static void verifyGoogleIdToken(String idToken, String audience, String j
       System.out.printf("Unable to verify the token: %s", e.getMessage());
     }
   }
-
 }
 // [END auth_cloud_verify_google_idtoken]
diff --git a/samples/snippets/src/test/java/SnippetsIT.java b/samples/snippets/src/test/java/SnippetsIT.java
index 6c5540051..ec7a718ce 100644
--- a/samples/snippets/src/test/java/SnippetsIT.java
+++ b/samples/snippets/src/test/java/SnippetsIT.java
@@ -78,8 +78,7 @@ public void afterEach() {
 
   // Get an id token from a Google service account.
   private static String getIdTokenFromServiceAccount(
-      String jsonCredentialPath, String targetAudience)
-      throws IOException {
+      String jsonCredentialPath, String targetAudience) throws IOException {
 
     // Initialize the Service Account Credentials class with the path to the json file.
     ServiceAccountCredentials serviceAccountCredentials =
@@ -101,12 +100,11 @@ public void testIdTokenFromServiceAccount() throws IOException {
   }
 
   @Test
-  public void testVerifyGoogleIdToken()
-      throws IOException {
+  public void testVerifyGoogleIdToken() throws IOException {
     String idToken = getIdTokenFromServiceAccount(CREDENTIALS, "iap.googleapis.com");
 
-    VerifyGoogleIdToken.verifyGoogleIdToken(idToken, "iap.googleapis.com",
-        "https://www.googleapis.com/oauth2/v3/certs");
+    VerifyGoogleIdToken.verifyGoogleIdToken(
+        idToken, "iap.googleapis.com", "https://www.googleapis.com/oauth2/v3/certs");
   }
 
   @Test

From b910be5ff75ac6a52fca8f3bcc4ecc99e91a3161 Mon Sep 17 00:00:00 2001
From: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
Date: Fri, 29 Jul 2022 19:17:22 +0000
Subject: [PATCH 14/16] =?UTF-8?q?=F0=9F=A6=89=20Updates=20from=20OwlBot=20?=
 =?UTF-8?q?post-processor?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md
---
 .../snippets/src/main/java/VerifyGoogleIdToken.java    |  6 +-----
 samples/snippets/src/test/java/SnippetsIT.java         | 10 ++++------
 2 files changed, 5 insertions(+), 11 deletions(-)

diff --git a/samples/snippets/src/main/java/VerifyGoogleIdToken.java b/samples/snippets/src/main/java/VerifyGoogleIdToken.java
index 7f8766aa8..503e0b6b6 100644
--- a/samples/snippets/src/main/java/VerifyGoogleIdToken.java
+++ b/samples/snippets/src/main/java/VerifyGoogleIdToken.java
@@ -49,10 +49,7 @@ public static void main(String[] args) {
   public static void verifyGoogleIdToken(String idToken, String audience, String jwkUrl) {
     // Initialize the Token verifier and set the audience.
     TokenVerifier tokenVerifier =
-        TokenVerifier.newBuilder()
-            .setAudience(audience)
-            .setIssuer(jwkUrl)
-            .build();
+        TokenVerifier.newBuilder().setAudience(audience).setIssuer(jwkUrl).build();
 
     try {
       // Verify the token.
@@ -73,6 +70,5 @@ public static void verifyGoogleIdToken(String idToken, String audience, String j
       System.out.printf("Unable to verify the token: %s", e.getMessage());
     }
   }
-
 }
 // [END auth_cloud_verify_google_idtoken]
diff --git a/samples/snippets/src/test/java/SnippetsIT.java b/samples/snippets/src/test/java/SnippetsIT.java
index 6c5540051..ec7a718ce 100644
--- a/samples/snippets/src/test/java/SnippetsIT.java
+++ b/samples/snippets/src/test/java/SnippetsIT.java
@@ -78,8 +78,7 @@ public void afterEach() {
 
   // Get an id token from a Google service account.
   private static String getIdTokenFromServiceAccount(
-      String jsonCredentialPath, String targetAudience)
-      throws IOException {
+      String jsonCredentialPath, String targetAudience) throws IOException {
 
     // Initialize the Service Account Credentials class with the path to the json file.
     ServiceAccountCredentials serviceAccountCredentials =
@@ -101,12 +100,11 @@ public void testIdTokenFromServiceAccount() throws IOException {
   }
 
   @Test
-  public void testVerifyGoogleIdToken()
-      throws IOException {
+  public void testVerifyGoogleIdToken() throws IOException {
     String idToken = getIdTokenFromServiceAccount(CREDENTIALS, "iap.googleapis.com");
 
-    VerifyGoogleIdToken.verifyGoogleIdToken(idToken, "iap.googleapis.com",
-        "https://www.googleapis.com/oauth2/v3/certs");
+    VerifyGoogleIdToken.verifyGoogleIdToken(
+        idToken, "iap.googleapis.com", "https://www.googleapis.com/oauth2/v3/certs");
   }
 
   @Test

From 591d0e6e5bf649f1ad5fe9b298d20963b71eaa02 Mon Sep 17 00:00:00 2001
From: SitaLakshmi <sita1996@gmail.com>
Date: Thu, 4 Aug 2022 22:03:17 +0530
Subject: [PATCH 15/16] included comment about verifying Google ID tokens

---
 samples/snippets/src/main/java/VerifyGoogleIdToken.java | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/samples/snippets/src/main/java/VerifyGoogleIdToken.java b/samples/snippets/src/main/java/VerifyGoogleIdToken.java
index 7f8766aa8..37b7b6533 100644
--- a/samples/snippets/src/main/java/VerifyGoogleIdToken.java
+++ b/samples/snippets/src/main/java/VerifyGoogleIdToken.java
@@ -46,11 +46,15 @@ public static void main(String[] args) {
   }
 
   // Verifies the obtained Google id token. This is done at the receiving end of the OIDC endpoint.
+  // The most common use case for verifying the ID token is when you are protecting
+  // your own APIs with IAP. Google services already verify credentials as a platform,
+  // so verifying ID tokens before making Google API calls is usually unnecessary.
   public static void verifyGoogleIdToken(String idToken, String audience, String jwkUrl) {
     // Initialize the Token verifier and set the audience.
     TokenVerifier tokenVerifier =
         TokenVerifier.newBuilder()
             .setAudience(audience)
+            // Optional, when verifying a Google ID token, the jwk url is set by default.
             .setIssuer(jwkUrl)
             .build();
 

From 54013b5fdbdf2352103c8887b4f942f9bfc96d72 Mon Sep 17 00:00:00 2001
From: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
Date: Thu, 4 Aug 2022 16:36:56 +0000
Subject: [PATCH 16/16] =?UTF-8?q?=F0=9F=A6=89=20Updates=20from=20OwlBot=20?=
 =?UTF-8?q?post-processor?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md
---
 samples/snippets/src/main/java/VerifyGoogleIdToken.java | 1 -
 1 file changed, 1 deletion(-)

diff --git a/samples/snippets/src/main/java/VerifyGoogleIdToken.java b/samples/snippets/src/main/java/VerifyGoogleIdToken.java
index 37b7b6533..cce6c5aa8 100644
--- a/samples/snippets/src/main/java/VerifyGoogleIdToken.java
+++ b/samples/snippets/src/main/java/VerifyGoogleIdToken.java
@@ -77,6 +77,5 @@ public static void verifyGoogleIdToken(String idToken, String audience, String j
       System.out.printf("Unable to verify the token: %s", e.getMessage());
     }
   }
-
 }
 // [END auth_cloud_verify_google_idtoken]