chore: Add warnings to users about using credentials from external sources

README.md

@@ -16,6 +16,11 @@ credentials. This artifact depends on the App Engine SDK.
 - [*google-auth-library-oauth2-http*](#google-auth-library-oauth2-http): contains a wide variety of
 credentials as well as utility methods to create them and to get Application Default Credentials
 
+> ⚠️ Important: If you accept a credential configuration (credential JSON/File/Stream) from an external source for
+authentication to Google Cloud Platform, you must validate it before providing it to any Google API or library. Providing
+an unvalidated credential configuration to Google APIs can compromise the security of your systems and data. For more
+information, refer to [documentation](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
+
 **Table of contents:**
 
 

oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java

@@ -158,6 +158,13 @@ public static GoogleCredentials getApplicationDefault(HttpTransportFactory trans
    * <p>The stream can contain a Service Account key file in JSON format from the Google Developers
    * Console or a stored user credential using the format supported by the Cloud SDK.
    *
+   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+   * external source for authentication to Google Cloud Platform, you must validate it before
+   * providing it to any Google API or library. Providing an unvalidated credential configuration to
+   * Google APIs can compromise the security of your systems and data. For more information, refer
+   * to {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   *
    * @param credentialsStream the stream with the credential definition.
    * @return the credential defined by the credentialsStream.
    * @throws IOException if the credential cannot be created from the stream.

oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java

@@ -154,6 +154,13 @@ public class ServiceAccountCredentials extends GoogleCredentials
    * Returns service account credentials defined by JSON using the format supported by the Google
    * Developers Console.
    *
+   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+   * external source for authentication to Google Cloud Platform, you must validate it before
+   * providing it to any Google API or library. Providing an unvalidated credential configuration to
+   * Google APIs can compromise the security of your systems and data. For more information, refer
+   * to {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   *
    * @param json a map from the JSON representing the credentials.
    * @param transportFactory HTTP transport factory, creates the transport used to get access
    *     tokens.