chore: Add warnings to users about using credentials from external sources (#1619)

* chore: Update README with warnings about externally source credentials

* chore: Update method javadocs with warning

* chore: Add warnings to all fromStream() calls

* chore: Remove warning from UserCredentials and ServiceAccounJwtAccessCredentials

Author: lqiu96

README.md

@@ -16,6 +16,11 @@ credentials. This artifact depends on the App Engine SDK.
 - [*google-auth-library-oauth2-http*](#google-auth-library-oauth2-http): contains a wide variety of
 credentials as well as utility methods to create them and to get Application Default Credentials
 
+> ⚠️ Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for
+authentication to Google Cloud Platform, you must validate it before providing it to any Google API or library. Providing
+an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more
+information, refer to [documentation](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
+
 **Table of contents:**
 
 

oauth2_http/java/com/google/auth/oauth2/ExternalAccountAuthorizedUserCredentials.java

@@ -127,6 +127,13 @@ private ExternalAccountAuthorizedUserCredentials(Builder builder) {
   /**
    * Returns external account authorized user credentials defined by a JSON file stream.
    *
+   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+   * external source for authentication to Google Cloud Platform, you must validate it before
+   * providing it to any Google API or library. Providing an unvalidated credential configuration to
+   * Google APIs can compromise the security of your systems and data. For more information, refer
+   * to {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   *
    * @param credentialsStream the stream with the credential definition
    * @return the credential defined by the credentialsStream
    * @throws IOException if the credential cannot be created from the stream
@@ -140,6 +147,13 @@ public static ExternalAccountAuthorizedUserCredentials fromStream(InputStream cr
   /**
    * Returns external account authorized user credentials defined by a JSON file stream.
    *
+   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+   * external source for authentication to Google Cloud Platform, you must validate it before
+   * providing it to any Google API or library. Providing an unvalidated credential configuration to
+   * Google APIs can compromise the security of your systems and data. For more information, refer
+   * to {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   *
    * @param credentialsStream the stream with the credential definition
    * @param transportFactory the HTTP transport factory used to create the transport to get access
    *     tokens

oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java

@@ -349,6 +349,13 @@ public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException
    *
    * <p>Returns {@link IdentityPoolCredentials} or {@link AwsCredentials}.
    *
+   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+   * external source for authentication to Google Cloud Platform, you must validate it before
+   * providing it to any Google API or library. Providing an unvalidated credential configuration to
+   * Google APIs can compromise the security of your systems and data. For more information, refer
+   * to {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   *
    * @param credentialsStream the stream with the credential definition
    * @return the credential defined by the credentialsStream
    * @throws IOException if the credential cannot be created from the stream
@@ -363,6 +370,13 @@ public static ExternalAccountCredentials fromStream(InputStream credentialsStrea
    *
    * <p>Returns a {@link IdentityPoolCredentials} or {@link AwsCredentials}.
    *
+   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+   * external source for authentication to Google Cloud Platform, you must validate it before
+   * providing it to any Google API or library. Providing an unvalidated credential configuration to
+   * Google APIs can compromise the security of your systems and data. For more information, refer
+   * to {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   *
    * @param credentialsStream the stream with the credential definition
    * @param transportFactory the HTTP transport factory used to create the transport to get access
    *     tokens

oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java

@@ -158,6 +158,13 @@ public static GoogleCredentials getApplicationDefault(HttpTransportFactory trans
    * <p>The stream can contain a Service Account key file in JSON format from the Google Developers
    * Console or a stored user credential using the format supported by the Cloud SDK.
    *
+   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+   * external source for authentication to Google Cloud Platform, you must validate it before
+   * providing it to any Google API or library. Providing an unvalidated credential configuration to
+   * Google APIs can compromise the security of your systems and data. For more information, refer
+   * to {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   *
    * @param credentialsStream the stream with the credential definition.
    * @return the credential defined by the credentialsStream.
    * @throws IOException if the credential cannot be created from the stream.
@@ -172,6 +179,13 @@ public static GoogleCredentials fromStream(InputStream credentialsStream) throws
    * <p>The stream can contain a Service Account key file in JSON format from the Google Developers
    * Console or a stored user credential using the format supported by the Cloud SDK.
    *
+   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+   * external source for authentication to Google Cloud Platform, you must validate it before
+   * providing it to any Google API or library. Providing an unvalidated credential configuration to
+   * Google APIs can compromise the security of your systems and data. For more information, refer
+   * to {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   *
    * @param credentialsStream the stream with the credential definition.
    * @param transportFactory HTTP transport factory, creates the transport used to get access
    *     tokens.

oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java

@@ -446,6 +446,13 @@ static ServiceAccountCredentials fromPkcs8(
    * Returns credentials defined by a Service Account key file in JSON format from the Google
    * Developers Console.
    *
+   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+   * external source for authentication to Google Cloud Platform, you must validate it before
+   * providing it to any Google API or library. Providing an unvalidated credential configuration to
+   * Google APIs can compromise the security of your systems and data. For more information, refer
+   * to {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   *
    * @param credentialsStream the stream with the credential definition.
    * @return the credential defined by the credentialsStream.
    * @throws IOException if the credential cannot be created from the stream.
@@ -459,6 +466,13 @@ public static ServiceAccountCredentials fromStream(InputStream credentialsStream
    * Returns credentials defined by a Service Account key file in JSON format from the Google
    * Developers Console.
    *
+   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+   * external source for authentication to Google Cloud Platform, you must validate it before
+   * providing it to any Google API or library. Providing an unvalidated credential configuration to
+   * Google APIs can compromise the security of your systems and data. For more information, refer
+   * to {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   *
    * @param credentialsStream the stream with the credential definition.
    * @param transportFactory HTTP transport factory, creates the transport used to get access
    *     tokens.