From e3b6176f8b520035c9baacbd5b2c895c41d73679 Mon Sep 17 00:00:00 2001
From: mpeddada1 <mpeddada@google.com>
Date: Tue, 27 May 2025 01:37:41 +0000
Subject: [PATCH 1/3] feat: add logic to set universe domain to sa jwt
 credentials

---
 gapic-generator-java-pom-parent/pom.xml                         | 2 +-
 .../java/com/google/api/gax/core/GoogleCredentialsProvider.java | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/gapic-generator-java-pom-parent/pom.xml b/gapic-generator-java-pom-parent/pom.xml
index 1eb329e157..716a2eb10f 100644
--- a/gapic-generator-java-pom-parent/pom.xml
+++ b/gapic-generator-java-pom-parent/pom.xml
@@ -27,7 +27,7 @@
         consistent across modules in this repository -->
     <javax.annotation-api.version>1.3.2</javax.annotation-api.version>
     <grpc.version>1.70.0</grpc.version>
-    <google.auth.version>1.35.0</google.auth.version>
+    <google.auth.version>1.35.1-SNAPSHOT</google.auth.version>
     <google.http-client.version>1.47.0</google.http-client.version>
     <gson.version>2.12.1</gson.version>
     <guava.version>33.4.0-jre</guava.version>
diff --git a/gax-java/gax/src/main/java/com/google/api/gax/core/GoogleCredentialsProvider.java b/gax-java/gax/src/main/java/com/google/api/gax/core/GoogleCredentialsProvider.java
index 56642ecdee..9ad627876c 100644
--- a/gax-java/gax/src/main/java/com/google/api/gax/core/GoogleCredentialsProvider.java
+++ b/gax-java/gax/src/main/java/com/google/api/gax/core/GoogleCredentialsProvider.java
@@ -88,6 +88,7 @@ public Credentials getCredentials() throws IOException {
           .setPrivateKey(serviceAccount.getPrivateKey())
           .setPrivateKeyId(serviceAccount.getPrivateKeyId())
           .setQuotaProjectId(serviceAccount.getQuotaProjectId())
+          .setUniverseDomain(serviceAccount.getUniverseDomain())
           .build();
     }
 

From 7ed18f275b158e0b591883ef3eb5b7a1eb82330c Mon Sep 17 00:00:00 2001
From: mpeddada1 <mpeddada@google.com>
Date: Fri, 30 May 2025 00:21:42 +0000
Subject: [PATCH 2/3] add testing

---
 .../core/GoogleCredentialsProviderTest.java   | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/gax-java/gax/src/test/java/com/google/api/gax/core/GoogleCredentialsProviderTest.java b/gax-java/gax/src/test/java/com/google/api/gax/core/GoogleCredentialsProviderTest.java
index 9b6ad8f63b..195c29b97f 100644
--- a/gax-java/gax/src/test/java/com/google/api/gax/core/GoogleCredentialsProviderTest.java
+++ b/gax-java/gax/src/test/java/com/google/api/gax/core/GoogleCredentialsProviderTest.java
@@ -68,6 +68,29 @@ void serviceAccountReplacedWithJwtTokens() throws Exception {
     assertThat(jwtCreds.getClientEmail()).isEqualTo(serviceAccountCredentials.getClientEmail());
     assertThat(jwtCreds.getPrivateKeyId()).isEqualTo(serviceAccountCredentials.getPrivateKeyId());
     assertThat(jwtCreds.getPrivateKey()).isEqualTo(serviceAccountCredentials.getPrivateKey());
+    assertThat(jwtCreds.getUniverseDomain()).isEqualTo(Credentials.GOOGLE_DEFAULT_UNIVERSE);
+  }
+
+  @Test
+  void serviceAccountReplacedWithJwtTokens_customUniverseDomain() throws Exception {
+    ServiceAccountCredentials serviceAccountCredentials =
+        CreateServiceAccountCredentials().toBuilder().setUniverseDomain("example.com").build();
+
+    GoogleCredentialsProvider provider =
+        GoogleCredentialsProvider.newBuilder()
+            .setScopesToApply(ImmutableList.of("scope1", "scope2"))
+            .setJwtEnabledScopes(ImmutableList.of("scope1"))
+            .setOAuth2Credentials(serviceAccountCredentials)
+            .build();
+
+    Credentials credentials = provider.getCredentials();
+    assertThat(credentials).isInstanceOf(ServiceAccountJwtAccessCredentials.class);
+    ServiceAccountJwtAccessCredentials jwtCreds = (ServiceAccountJwtAccessCredentials) credentials;
+    assertThat(jwtCreds.getClientId()).isEqualTo(serviceAccountCredentials.getClientId());
+    assertThat(jwtCreds.getClientEmail()).isEqualTo(serviceAccountCredentials.getClientEmail());
+    assertThat(jwtCreds.getPrivateKeyId()).isEqualTo(serviceAccountCredentials.getPrivateKeyId());
+    assertThat(jwtCreds.getPrivateKey()).isEqualTo(serviceAccountCredentials.getPrivateKey());
+    assertThat(jwtCreds.getUniverseDomain()).isEqualTo("example.com");
   }
 
   @Test
@@ -94,6 +117,8 @@ void noJwtWithoutScopeMatch() throws Exception {
     assertThat(serviceAccountCredentials2.getPrivateKey())
         .isEqualTo(serviceAccountCredentials.getPrivateKey());
     assertThat(serviceAccountCredentials2.getScopes()).containsExactly("scope1", "scope2");
+    assertThat(serviceAccountCredentials2.getUniverseDomain())
+        .isEqualTo(Credentials.GOOGLE_DEFAULT_UNIVERSE);
   }
 
   @Test
@@ -120,5 +145,7 @@ void useJwtAccessWithScope() throws Exception {
     assertThat(serviceAccountCredentials2.getPrivateKey())
         .isEqualTo(serviceAccountCredentials.getPrivateKey());
     assertTrue(serviceAccountCredentials2.getUseJwtAccessWithScope());
+    assertThat(serviceAccountCredentials2.getUniverseDomain())
+        .isEqualTo(Credentials.GOOGLE_DEFAULT_UNIVERSE);
   }
 }

From b849850d8a810814fa33f2c50e1eb670f11e4457 Mon Sep 17 00:00:00 2001
From: mpeddada1 <mpeddada@google.com>
Date: Fri, 30 May 2025 00:35:30 +0000
Subject: [PATCH 3/3] additional verification for empty domain

---
 .../core/GoogleCredentialsProviderTest.java   | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/gax-java/gax/src/test/java/com/google/api/gax/core/GoogleCredentialsProviderTest.java b/gax-java/gax/src/test/java/com/google/api/gax/core/GoogleCredentialsProviderTest.java
index 195c29b97f..927e4a118b 100644
--- a/gax-java/gax/src/test/java/com/google/api/gax/core/GoogleCredentialsProviderTest.java
+++ b/gax-java/gax/src/test/java/com/google/api/gax/core/GoogleCredentialsProviderTest.java
@@ -71,6 +71,28 @@ void serviceAccountReplacedWithJwtTokens() throws Exception {
     assertThat(jwtCreds.getUniverseDomain()).isEqualTo(Credentials.GOOGLE_DEFAULT_UNIVERSE);
   }
 
+  @Test
+  void serviceAccountReplacedWithJwtTokens_setEmptyDomain() throws Exception {
+    ServiceAccountCredentials serviceAccountCredentials =
+        CreateServiceAccountCredentials().toBuilder().setUniverseDomain("").build();
+
+    GoogleCredentialsProvider provider =
+        GoogleCredentialsProvider.newBuilder()
+            .setScopesToApply(ImmutableList.of("scope1", "scope2"))
+            .setJwtEnabledScopes(ImmutableList.of("scope1"))
+            .setOAuth2Credentials(serviceAccountCredentials)
+            .build();
+
+    Credentials credentials = provider.getCredentials();
+    assertThat(credentials).isInstanceOf(ServiceAccountJwtAccessCredentials.class);
+    ServiceAccountJwtAccessCredentials jwtCreds = (ServiceAccountJwtAccessCredentials) credentials;
+    assertThat(jwtCreds.getClientId()).isEqualTo(serviceAccountCredentials.getClientId());
+    assertThat(jwtCreds.getClientEmail()).isEqualTo(serviceAccountCredentials.getClientEmail());
+    assertThat(jwtCreds.getPrivateKeyId()).isEqualTo(serviceAccountCredentials.getPrivateKeyId());
+    assertThat(jwtCreds.getPrivateKey()).isEqualTo(serviceAccountCredentials.getPrivateKey());
+    assertThat(jwtCreds.getUniverseDomain()).isEqualTo(Credentials.GOOGLE_DEFAULT_UNIVERSE);
+  }
+
   @Test
   void serviceAccountReplacedWithJwtTokens_customUniverseDomain() throws Exception {
     ServiceAccountCredentials serviceAccountCredentials =