googleapis · bshaffer · Sep 16, 2025 · Aug 26, 2025 · Sep 11, 2025
@@ -171,8 +171,10 @@ $jsonKey = ['key' => 'value'];
 // define the scopes for your API call
 $scopes = ['https://www.googleapis.com/auth/drive.readonly'];
 
-// Load credentials
-$creds = CredentialsLoader::makeCredentials($scopes, $jsonKey);
+// Load credentials from JSON containing service account credentials.
+// For other credentials types, create those classes explicitly using the
+// "type" field in the JSON key.
+$creds = new ServiceAccountCredentials($scopes, $jsonKey),
 
 // optional caching
 // $creds = new FetchAuthTokenCache($creds, $cacheConfig, $cache);

@@ -118,7 +118,13 @@ public function __construct(
                 // an ID token, the narrowest scope we can request is `iam`.
                 $scope = self::IAM_SCOPE;
             }
-            $jsonKey['source_credentials'] = CredentialsLoader::makeCredentials($scope, $jsonKey['source_credentials']);
+            $jsonKey['source_credentials'] = match ($jsonKey['source_credentials']['type'] ?? null) {
+                // Do not pass $defaultScope to ServiceAccountCredentials
+                'service_account' => new ServiceAccountCredentials($scope, $jsonKey['source_credentials']),
+                'authorized_user' => new UserRefreshCredentials($scope, $jsonKey['source_credentials']),
+                'external_account' => new ExternalAccountCredentials($scope, $jsonKey['source_credentials']),
+                default => throw new \InvalidArgumentException('invalid value in the type field'),
+            };
         }
 
         $this->targetScope = $scope ?? [];

@@ -120,19 +120,38 @@ public static function fromWellKnownFile()
     /**
      * Create a new Credentials instance.
      *
-     * **Important**: If you accept a credential configuration (credential JSON/File/Stream) from an
-     * external source for authentication to Google Cloud Platform, you must validate it before
-     * providing it to any Google API or library. Providing an unvalidated credential configuration to
-     * Google APIs can compromise the security of your systems and data. For more information
-     * {@see https://cloud.google.com/docs/authentication/external/externally-sourced-credentials}
+     * @deprecated This method is being deprecated because of a potential security risk.
      *
-     * @param string|string[] $scope the scope of the access request, expressed
-     *        either as an Array or as a space-delimited String.
-     * @param array<mixed> $jsonKey the JSON credentials.
-     * @param string|string[] $defaultScope The default scope to use if no
-     *   user-defined scopes exist, expressed either as an Array or as a
-     *   space-delimited string.
+     * This method does not validate the credential configuration. The security
+     * risk occurs when a credential configuration is accepted from a source
+     * that is not under your control and used without validation on your side.
      *
+     * If you know that you will be loading credential configurations of a
+     * specific type, it is recommended to use a credential-type-specific
+     * method.
+     * This will ensure that an unexpected credential type with potential for
+     * malicious intent is not loaded unintentionally. You might still have to do
+     * validation for certain credential types. Please follow the recommendation
+     * for that method. For example, if you want to load only service accounts,
+     * you can create the {@see ServiceAccountCredentials} explicitly:
+     *
+     * ```
+     * use Google\Auth\Credentials\ServiceAccountCredentials;
+     * $creds = new ServiceAccountCredentials($scopes, $json);
+     * ```
+     *
+     * If you are loading your credential configuration from an untrusted source and have
+     * not mitigated the risks (e.g. by validating the configuration yourself), make
+     * these changes as soon as possible to prevent security risks to your environment.
+     *
+     * Regardless of the method used, it is always your responsibility to validate
+     * configurations received from external sources.
+     *
+     * @see https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
+     *
+     * @param string|string[] $scope
+     * @param array<mixed> $jsonKey
+     * @param string|string[] $defaultScope
      * @return ServiceAccountCredentials|UserRefreshCredentials|ImpersonatedServiceAccountCredentials|ExternalAccountCredentials
      */
     public static function makeCredentials(