Merge pull request #864 from googleads/adcForJava

sarahcaseybot · web-flow · commit 8981e50d42c0 · 2025-11-17T11:09:09.000-05:00
Implement application default credentials
diff --git a/ads.properties.sample b/ads.properties.sample
@@ -6,7 +6,7 @@
 # https://developers.google.com/google-ads/api/docs/client-libs/java/quick-start
 #
 # - By default this is searched for in ~/ads.properties.
-#   e.g. GoogleAdsClient.newBuilder().fromPropertiesFile() 
+#   e.g. GoogleAdsClient.newBuilder().fromPropertiesFile()
 #
 # - Can load from an arbitrary path.
 #   e.g. GoogleAdsClient.newBuilder().fromPropertiesFile("some/path")
@@ -16,7 +16,11 @@
 #          .fromPropertiesFile() // optionally load from config file.
 #          .setDeveloperToken("your_token")
 
-# ------------------------------- OAuth ---------------------------------------
+# ------------------------------- OAuth 2.0 ---------------------------------------
+#
+# The following properties are required for OAuth 2.0 and not required for
+# Application Default Credentials. See comments below for Application Default
+# Credentials.
 
 # OAuth client ID
 #
@@ -29,28 +33,41 @@
 
 # OAuth client secret
 #
-# Specifies the client secret that is used for Google's OAuth 2 API. 
+# Specifies the client secret that is used for Google's OAuth 2 API.
 #
 # - Must be the secret associated with the OAuth clientId.
 # - Created and managed via http://console.developers.google.com.
 #api.googleads.clientSecret=
 
 # OAuth refresh token
 #
-# Credential which authorizes access to a Google account. 
+# Credential which authorizes access to a Google account.
 #
 # - See guide for instructions on how to obtain a refresh token.
 #   https://developers.google.com/google-ads/api/docs/oauth/client-library
 # - Provides access to all Google Ads accounts on which the associated Google
 #   account is a user.
-# - Ad account is specified by the customerId in each request. 
+# - Ad account is specified by the customerId in each request.
 #api.googleads.refreshToken=
 
+# ------------------- Application Default Credentials --------------------------
+#
+# Specifies whether to use application default credentials.
+#
+# - If true, the library will attempt to authenticate using application default
+#   credentials.
+# - If false or not specified, the library will use the OAuth credentials
+#   specified above.
+# - See https://developers.google.com/identity/protocols/application-default-credentials
+#   for more information on how to configure ADC.
+#
+#api.googleads.useApplicationDefaultCredentials=false
+
 # -------------------------- Google Ads API -----------------------------------
 
 # Developer token
-# 
-# Specifies the credential used to access the Google Ads API. 
+#
+# Specifies the credential used to access the Google Ads API.
 #
 # - Grants access to the API, not any Google account or Google Ads account.
 # - Associated with a Google Ads manager accoount.
@@ -65,7 +82,7 @@
 # Specifies an ad account which grants access to ad accounts.
 #
 # - Must be specified if your access to an ad account is via a manager account.
-# - May be specified in all requests if your Google user has direct access to 
+# - May be specified in all requests if your Google user has direct access to
 #   the ad account.
 # - Ad account access can be managed via http://ads.google.com and navigating
 #   to Tools & Settings -> Account Access
diff --git a/google-ads/src/main/java/com/google/ads/googleads/lib/GoogleAdsClient.java b/google-ads/src/main/java/com/google/ads/googleads/lib/GoogleAdsClient.java
@@ -217,6 +217,9 @@ public abstract static class Builder {
      */
     private Optional<GoogleCredentials.Builder> credentialsBuilder = Optional.empty();
 
+    /** Specifies whether to use application default credentials. */
+    private boolean useApplicationDefaultCredentials = false;
+
     /** Returns the credentials currently configured. */
     public abstract Credentials getCredentials();
 
@@ -230,61 +233,81 @@ public abstract static class Builder {
      */
     public abstract Builder setCredentials(Credentials credentials);
 
+    public Builder enableApplicationDefaultCredentials() {
+      this.useApplicationDefaultCredentials = true;
+      return this;
+    }
+
     private void setCredentials(Properties properties) throws IOException {
-      // Validates that entries are present for exactly one of installed app/web flow credentials or
-      // service account credentials.
+      boolean useAdc =
+          Boolean.parseBoolean(
+              ConfigPropertyKey.USE_APPLICATION_DEFAULT_CREDENTIALS.getPropertyValue(properties));
+
       boolean hasInstalledAppKeys =
           INSTALLED_APP_OAUTH_KEYS.stream().anyMatch(k -> k.getPropertyValue(properties) != null);
       boolean hasServiceAccountKeys =
           SERVICE_ACCOUNT_OAUTH_KEYS.stream().anyMatch(k -> k.getPropertyValue(properties) != null);
-      if (!(hasInstalledAppKeys || hasServiceAccountKeys)) {
-        // Entries missing for both types of credentials. Skips any further processing so user can
-        // merge this builder if needed.
-        return;
-      }
 
-      if (hasInstalledAppKeys && hasServiceAccountKeys) {
-        // Entries specified for both types of credentials.
-        throw new IllegalArgumentException(
-            String.format(
-                "Entries found in properties for both %s and %s. Please modify properties to either"
-                    + " include entries for %s if using installed application/web flow credentials,"
-                    + " or %s if using service account credentials.",
-                ConfigPropertyKey.SERVICE_ACCOUNT_SECRETS_PATH,
-                ConfigPropertyKey.REFRESH_TOKEN,
-                INSTALLED_APP_OAUTH_KEYS,
-                SERVICE_ACCOUNT_OAUTH_KEYS));
-      }
-
-      if (credentialsBuilder.isPresent()) {
-        if ((credentialsBuilder.get() instanceof UserCredentials.Builder)
-            && hasServiceAccountKeys) {
+      if (useAdc) {
+        if (hasInstalledAppKeys || hasServiceAccountKeys) {
           throw new IllegalArgumentException(
-              "Entries found in properties for service account credentials, "
-                  + "but this builder is already partially configured for installed application/"
-                  + "web flow credentials.");
-        } else if ((credentialsBuilder.get() instanceof ServiceAccountCredentials.Builder)
-            && hasInstalledAppKeys) {
+              "Cannot use application default credentials when other credential types are"
+                  + " specified in the configuration. Please remove other credential keys or set"
+                  + " useApplicationDefaultCredentials to false.");
+        }
+        enableApplicationDefaultCredentials();
+      } else {
+        // Validates that entries are present for exactly one of installed app/web flow credentials
+        // or service account credentials.
+        if (!(hasInstalledAppKeys || hasServiceAccountKeys)) {
+          // Entries missing for all types of credentials. Skips any further processing so user can
+          // merge this builder if needed.
+          return;
+        }
+
+        if (hasInstalledAppKeys && hasServiceAccountKeys) {
+          // Entries specified for both types of credentials.
           throw new IllegalArgumentException(
-              "Entries found in properties for installed application/web flow credentials, but"
-                  + " this builder is already partially configured for service account"
-                  + " credentials.");
+              String.format(
+                  "Entries found in properties for both %s and %s. Please modify properties to either"
+                      + " include entries for %s if using installed application/web flow credentials,"
+                      + " or %s if using service account credentials.",
+                  ConfigPropertyKey.SERVICE_ACCOUNT_SECRETS_PATH,
+                  ConfigPropertyKey.REFRESH_TOKEN,
+                  INSTALLED_APP_OAUTH_KEYS,
+                  SERVICE_ACCOUNT_OAUTH_KEYS));
+        }
+
+        if (credentialsBuilder.isPresent()) {
+          if ((credentialsBuilder.get() instanceof UserCredentials.Builder)
+              && hasServiceAccountKeys) {
+            throw new IllegalArgumentException(
+                "Entries found in properties for service account credentials, "
+                    + "but this builder is already partially configured for installed application/"
+                    + "web flow credentials.");
+          } else if ((credentialsBuilder.get() instanceof ServiceAccountCredentials.Builder)
+              && hasInstalledAppKeys) {
+            throw new IllegalArgumentException(
+                "Entries found in properties for installed application/web flow credentials, but"
+                    + " this builder is already partially configured for service account"
+                    + " credentials.");
+          }
         }
-      }
 
-      // Clears the explicitly set credentials. This ensures that the credentials configured here
-      // will be used, even if the user previously explicitly set credentials. See build() for
-      // details.
-      setCredentials((Credentials) null);
+        // Clears the explicitly set credentials. This ensures that the credentials configured here
+        // will be used, even if the user previously explicitly set credentials. See build() for
+        // details.
+        setCredentials((Credentials) null);
 
-      // Updates the credentials builder using the appropriate set of properties.
-      GoogleCredentials.Builder updatedBuilder;
-      if (hasInstalledAppKeys) {
-        updatedBuilder = configureUserCredentials(properties, credentialsBuilder);
-      } else {
-        updatedBuilder = configureServiceAccountCredentials(properties, credentialsBuilder);
+        // Updates the credentials builder using the appropriate set of properties.
+        GoogleCredentials.Builder updatedBuilder;
+        if (hasInstalledAppKeys) {
+          updatedBuilder = configureUserCredentials(properties, credentialsBuilder);
+        } else {
+          updatedBuilder = configureServiceAccountCredentials(properties, credentialsBuilder);
+        }
+        credentialsBuilder = Optional.of(updatedBuilder);
       }
-      credentialsBuilder = Optional.of(updatedBuilder);
     }
 
     /**
@@ -342,8 +365,7 @@ private GoogleCredentials.Builder configureServiceAccountCredentials(
         builder = (ServiceAccountCredentials.Builder) optionalBuilder.get();
       } else {
         builder =
-            ServiceAccountCredentials.newBuilder()
-                .setScopes(Collections.singleton(GOOGLE_ADS_API_SCOPE));
+            ServiceAccountCredentials.newBuilder().setScopes(Collections.singleton(GOOGLE_ADS_API_SCOPE));
       }
 
       String serviceAccountSecretsPath =
@@ -614,14 +636,23 @@ public GoogleAdsClient build() {
       //   with properties/environment variables that include credential settings. Note that
       //   fromProperties() will set credentials to null in this case.
       // - The user explicitly set credentials via setCredentials(Credentials).
-      if (getCredentials() == null) {
-        if (credentialsBuilder.isPresent()) {
-          // Sets the credentials using the credentials builder.
-          setCredentials(credentialsBuilder.get().build());
-        } else {
-          throw new IllegalStateException("Property \"credentials\" has not been set");
+      if (useApplicationDefaultCredentials) {
+        try {
+          GoogleCredentials credentials =
+              GoogleCredentials.getApplicationDefault().createScoped(Collections.singleton(GOOGLE_ADS_API_SCOPE));
+          setCredentials(credentials);
+        } catch (IOException e) {
+          throw new RuntimeException("Failed to get application default credentials", e);
         }
       } else {
+        if (getCredentials() == null) {
+          if (credentialsBuilder.isPresent()) {
+            // Sets the credentials using the credentials builder.
+            setCredentials(credentialsBuilder.get().build());
+          } else {
+            throw new IllegalStateException("Property \"credentials\" has not been set");
+          }
+        }
         // The last action by the user was to invoke setCredentials(Credentials), so no further
         // action is needed.
       }
@@ -777,7 +808,8 @@ public enum ConfigPropertyKey {
       // Service account keys
       SERVICE_ACCOUNT_SECRETS_PATH("api.googleads.serviceAccountSecretsPath"),
       SERVICE_ACCOUNT_USER("api.googleads.serviceAccountUser"),
-      MAX_INBOUND_MESSAGE_BYTES("api.googleads.maxInboundMessageSize");
+      MAX_INBOUND_MESSAGE_BYTES("api.googleads.maxInboundMessageSize"),
+      USE_APPLICATION_DEFAULT_CREDENTIALS("api.googleads.useApplicationDefaultCredentials");
 
       private final String key;
 
diff --git a/google-ads/src/test/java/com/google/ads/googleads/lib/GoogleAdsClientTest.java b/google-ads/src/test/java/com/google/ads/googleads/lib/GoogleAdsClientTest.java
@@ -403,6 +403,42 @@ public void buildFromProperties_neitherCredentialsPresent_throwsException_atBuil
     assertThat(throwable.getMessage(), Matchers.containsString("credentials"));
   }
 
+  @Test
+  public void build_withEnableApplicationDefaultCredentials_succeeds() {
+    // Note: this test will fail if run in an environment where ADC are not configured.
+    // For tests, this is configured via the build system.
+    GoogleAdsClient client =
+        GoogleAdsClient.newBuilder()
+            .enableApplicationDefaultCredentials()
+            .setDeveloperToken(DEVELOPER_TOKEN)
+            .build();
+    assertNotNull(client.getCredentials());
+  }
+
+  @Test
+  public void buildFromProperties_withUseApplicationDefaultCredentials_succeeds() {
+    // Note: this test will fail if run in an environment where ADC are not configured.
+    // For tests, this is configured via the build system.
+    testProperties.remove(ConfigPropertyKey.CLIENT_ID.getPropertyKey());
+    testProperties.remove(ConfigPropertyKey.CLIENT_SECRET.getPropertyKey());
+    testProperties.remove(ConfigPropertyKey.REFRESH_TOKEN.getPropertyKey());
+    testProperties.setProperty(
+        ConfigPropertyKey.USE_APPLICATION_DEFAULT_CREDENTIALS.getPropertyKey(), "true");
+    GoogleAdsClient client = GoogleAdsClient.newBuilder().fromProperties(testProperties).build();
+    assertNotNull(client.getCredentials());
+  }
+
+  @Test
+  public void buildFromProperties_withUseApplicationDefaultCredentialsAndOtherCredentials_fails() {
+    testProperties.setProperty(
+        ConfigPropertyKey.USE_APPLICATION_DEFAULT_CREDENTIALS.getPropertyKey(), "true");
+    IllegalArgumentException exception =
+        assertThrows(
+            IllegalArgumentException.class,
+            () -> GoogleAdsClient.newBuilder().fromProperties(testProperties));
+    assertThat(exception.getMessage(), Matchers.containsString("other credential types"));
+  }
+
   @Test
   public void buildFromEnvironment_mergeWithProperties_withUserCredentials() throws IOException {
     Map<String, String> environment =
