From ca4af4f74f63c46df192d657cb7fb9fdc04a1245 Mon Sep 17 00:00:00 2001
From: Daniel Azuma
Date: Thu, 16 Jan 2025 20:53:52 +0000
Subject: [PATCH 1/3] docs: Include note about validating externally-provided credentials
---
 lib/googleauth/credentials.rb | 8 ++++++++
 lib/googleauth/default_credentials.rb | 12 +++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/lib/googleauth/credentials.rb b/lib/googleauth/credentials.rb
index 2eac48c7..1e66fb3c 100644
--- a/lib/googleauth/credentials.rb
+++ b/lib/googleauth/credentials.rb
@@ -26,6 +26,14 @@ module Auth
 # In most cases, it is subclassed by API-specific credential classes that
 # can be instantiated by clients.
 #
+ # **Important:** If you accept a credential configuration (credential
+ # JSON/File/Stream) from an external source for authentication to Google
+ # Cloud Platform, you must validate it before providing it to any Google
+ # API or library. Providing an unvalidated credential configuration to
+ # Google APIs can compromise the security of your systems and data.
+ # For more information, refer to [Validate credential configurations from
+ # external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
+ #
 # ## Options
 #
 # Credentials classes are configured with options that dictate default
diff --git a/lib/googleauth/default_credentials.rb b/lib/googleauth/default_credentials.rb
index db4a0588..40e84e29 100644
--- a/lib/googleauth/default_credentials.rb
+++ b/lib/googleauth/default_credentials.rb
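Review bot: The added **Important** paragraph in the class comment tells callers to validate an externally supplied credential configuration but never says what to check, so a reader who does not follow the link is left without actionable guidance. One more comment line after the link would help, for example `# At a minimum, check the "type" field and any URL or file-path fields against the values you expect.` The linked page is the authority on the exact fields, so that wording should be confirmed against it. The same paragraph is repeated in the default_credentials.rb hunk and in README.md, so the sentence would belong in those copies as well.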
@@ -30,8 +30,18 @@ module Auth
 class DefaultCredentials
 extend CredentialsLoader
- # override CredentialsLoader#make_creds to use the class determined by
+ ##
+ # Override CredentialsLoader#make_creds to use the class determined by
 # loading the json.
+ #
+ # **Important:** If you accept a credential configuration (credential
+ # JSON/File/Stream) from an external source for authentication to Google
+ # Cloud Platform, you must validate it before providing it to any Google
+ # API or library. Providing an unvalidated credential configuration to
+ # Google APIs can compromise the security of your systems and data.
+ # For more information, refer to [Validate credential configurations from
+ # external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
+ #
 def self.make_creds options = {}
 json_key_io = options[:json_key_io]
 if json_key_io
From 67896f225cdc9ba2e37f473ff910391982d48152 Mon Sep 17 00:00:00 2001
From: Daniel Azuma
Date: Thu, 16 Jan 2025 22:14:34 +0000
Subject: [PATCH 2/3] Add note to the readme as well
---
 README.md | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/README.md b/README.md
index 86cdddef..dbb0b77b 100644
--- a/README.md
+++ b/README.md
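Review bot: The new doc block on `self.make_creds` carries the validation warning but does not say which input it applies to. In the visible lines the credential JSON arrives through `options[:json_key_io]`, and the summary line says the credential class is chosen by loading that JSON, so the caller-supplied document decides which credential type is built. A YARD tag would tie the warning to the parameter, e.g. `# @param options [Hash] +:json_key_io+ is the credential JSON stream; treat it as untrusted unless you created it.` The method body continues past the end of the hunk, so whether any check is applied later cannot be told from here.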
@@ -64,6 +64,16 @@ well as a web variant tailored toward Rack-based applications. The authorizers are intended for authorization use cases. For sign-on, see [Google Identity Platform](https://developers.google.com/identity/) +## Important notes + +If you accept a credential configuration (credential JSON/File/Stream) from an +external source for authentication to Google Cloud Platform, you must validate +it before providing it to any Google API or library. Providing an unvalidated +credential configuration to Google APIs can compromise the security of your +systems and data. +For more information, refer to [Validate credential configurations from external +sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials). + ### Example (Web) ```ruby From 48734188221538e439495ec1cf797b6778cb8012 Mon Sep 17 00:00:00 2001 From: Daniel Azuma Date: Wed, 22 Jan 2025 21:36:40 +0000 Subject: [PATCH 3/3] Remove Platform branding of Google Cloud --- README.md | 7 +++---- lib/googleauth/credentials.rb | 10 +++++----- lib/googleauth/default_credentials.rb | 10 +++++----- 3 files changed, 13 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index dbb0b77b..25b06513 100644 --- a/README.md +++ b/README.md 
@@ -67,10 +67,9 @@ see [Google Identity Platform](https://developers.google.com/identity/)
 ## Important notes
 If you accept a credential configuration (credential JSON/File/Stream) from an
-external source for authentication to Google Cloud Platform, you must validate
-it before providing it to any Google API or library. Providing an unvalidated
-credential configuration to Google APIs can compromise the security of your
-systems and data.
+external source for authentication to Google Cloud, you must validate it before
+providing it to any Google API or library. Providing an unvalidated credential
+configuration to Google APIs can compromise the security of your systems and data.
 For more information, refer to [Validate credential configurations from external
 sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
diff --git a/lib/googleauth/credentials.rb b/lib/googleauth/credentials.rb
index 1e66fb3c..bd8687cd 100644
--- a/lib/googleauth/credentials.rb
+++ b/lib/googleauth/credentials.rb
@@ -28,11 +28,11 @@ module Auth
 #
 # **Important:** If you accept a credential configuration (credential
 # JSON/File/Stream) from an external source for authentication to Google
- # Cloud Platform, you must validate it before providing it to any Google
- # API or library. Providing an unvalidated credential configuration to
- # Google APIs can compromise the security of your systems and data.
- # For more information, refer to [Validate credential configurations from
- # external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
+ # Cloud, you must validate it before providing it to any Google API or
+ # library. Providing an unvalidated credential configuration to Google APIs
+ # can compromise the security of your systems and data. For more
+ # information, refer to [Validate credential configurations from external
+ # sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
 #
 # ## Options
 #
diff --git a/lib/googleauth/default_credentials.rb b/lib/googleauth/default_credentials.rb
index 40e84e29..558c2efd 100644
--- a/lib/googleauth/default_credentials.rb
+++ b/lib/googleauth/default_credentials.rb
@@ -36,11 +36,11 @@ class DefaultCredentials
 #
 # **Important:** If you accept a credential configuration (credential
 # JSON/File/Stream) from an external source for authentication to Google
- # Cloud Platform, you must validate it before providing it to any Google
- # API or library. Providing an unvalidated credential configuration to
- # Google APIs can compromise the security of your systems and data.
- # For more information, refer to [Validate credential configurations from
- # external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
+ # Cloud, you must validate it before providing it to any Google API or
+ # library. Providing an unvalidated credential configuration to Google
+ # APIs can compromise the security of your systems and data. For more
+ # information, refer to [Validate credential configurations from external
+ # sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
 #
 def self.make_creds options = {}
 json_key_io = options[:json_key_io]