feat: enable self-signed JWTs by default in ServiceOptions (#13338)

This should improve efficiency/reliability by avoiding OAuth token
exchange - see https://google.aip.dev/auth/4111.

BigQueryOptions (b/523372553) and StorageOptions (b/523372960) are
disabled by default for now.

Author: whowes

java-bigquery/google-cloud-bigquery/src/main/java/com/google/cloud/bigquery/BigQueryOptions.java

@@ -77,7 +77,9 @@ public static class Builder extends ServiceOptions.Builder<BigQuery, BigQueryOpt
     private Tracer openTelemetryTracer;
     private ResultRetryAlgorithm<?> resultRetryAlgorithm;
 
-    private Builder() {}
+    private Builder() {
+      setUseJwtAccessWithScope(false);
+    }
 
     private Builder(BigQueryOptions options) {
       super(options);

java-bigquery/google-cloud-bigquery/src/test/java/com/google/cloud/bigquery/BigQueryOptionsTest.java

@@ -92,4 +92,11 @@ void dataFormatOptionsSetterHasPrecedence() {
 
     assertTrue(options.getDataFormatOptions().useInt64Timestamp());
   }
+
+  @Test
+  void testUseJwtAccessWithScope_defaultsToFalse() {
+    BigQueryOptions options = BigQueryOptions.newBuilder().setProjectId("project-id").build();
+
+    assertFalse(options.getUseJwtAccessWithScope());
+  }
 }

java-storage/google-cloud-storage/src/main/java/com/google/cloud/storage/StorageOptions.java

@@ -112,7 +112,9 @@ public DefaultStorageRpcFactory() {
   public abstract static class Builder
       extends ServiceOptions.Builder<Storage, StorageOptions, Builder> {
 
-    Builder() {}
+    Builder() {
+      setUseJwtAccessWithScope(false);
+    }
 
     Builder(StorageOptions options) {
       super(options);

java-storage/google-cloud-storage/src/test/java/com/google/cloud/storage/StorageOptionsBuilderTest.java

@@ -69,6 +69,15 @@ public void grpc() throws Exception {
         () -> assertThat(rebuilt.hashCode()).isEqualTo(base.hashCode()));
   }
 
+  @Test
+  public void useJwtAccessWithScope_defaultsToFalse() {
+    HttpStorageOptions httpOptions = HttpStorageOptions.http().build();
+    GrpcStorageOptions grpcOptions = GrpcStorageOptions.grpc().build();
+
+    assertThat(httpOptions.getUseJwtAccessWithScope()).isFalse();
+    assertThat(grpcOptions.getUseJwtAccessWithScope()).isFalse();
+  }
+
   private static class MyStorageRetryStrategy implements StorageRetryStrategy {
 
     @Override

sdk-platform-java/java-core/google-cloud-core/src/main/java/com/google/cloud/ServiceOptions.java

@@ -106,6 +106,7 @@ public abstract class ServiceOptions<
   private final TransportOptions transportOptions;
   private final HeaderProvider headerProvider;
   private final String quotaProjectId;
+  private final boolean useJwtAccessWithScope;
 
   private transient ServiceRpcFactory<OptionsT> serviceRpcFactory;
   private transient ServiceFactory<ServiceT, OptionsT> serviceFactory;
@@ -140,6 +141,7 @@ public abstract static class Builder<
     private HeaderProvider headerProvider;
     private String clientLibToken = ServiceOptions.getGoogApiClientLibName();
     private String quotaProjectId;
+    private boolean useJwtAccessWithScope = true;
 
     private ApiTracerFactory apiTracerFactory;
 
@@ -159,6 +161,7 @@ protected Builder(ServiceOptions<ServiceT, OptionsT> options) {
       transportOptions = options.transportOptions;
       clientLibToken = options.clientLibToken;
       quotaProjectId = options.quotaProjectId;
+      useJwtAccessWithScope = options.useJwtAccessWithScope;
       apiTracerFactory = options.apiTracerFactory;
     }
 
@@ -313,6 +316,18 @@ public B setQuotaProjectId(String quotaProjectId) {
       return self();
     }
 
+    /**
+     * Sets the configuration determining whether self-signed JWT with scopes are used for service
+     * account credentials.
+     *
+     * @param useJwtAccessWithScope whether to use self-signed JWT with scopes
+     * @return the builder
+     */
+    public B setUseJwtAccessWithScope(final boolean useJwtAccessWithScope) {
+      this.useJwtAccessWithScope = useJwtAccessWithScope;
+      return self();
+    }
+
     /**
      * Sets the {@link ApiTracerFactory}. It will be used to create an {@link ApiTracer} that is
      * annotated throughout the lifecycle of an RPC operation.
@@ -365,6 +380,7 @@ protected ServiceOptions(
         builder.quotaProjectId != null
             ? builder.quotaProjectId
             : getValueFromCredentialsFile(getCredentialsPath(), "quota_project_id");
+    useJwtAccessWithScope = builder.useJwtAccessWithScope;
     apiTracerFactory = builder.apiTracerFactory;
   }
 
@@ -650,6 +666,11 @@ public Credentials getScopedCredentials() {
         && ((GoogleCredentials) credentials).createScopedRequired()) {
       credentialsToReturn = ((GoogleCredentials) credentials).createScoped(getScopes());
     }
+    if (credentialsToReturn instanceof ServiceAccountCredentials) {
+      credentialsToReturn =
+          ((ServiceAccountCredentials) credentialsToReturn)
+              .createWithUseJwtAccessWithScope(getUseJwtAccessWithScope());
+    }
     return credentialsToReturn;
   }
 
@@ -823,6 +844,15 @@ public String getQuotaProjectId() {
     return quotaProjectId;
   }
 
+  /**
+   * Returns true when self-signed JWT with scopes are used for service account credentials.
+   *
+   * @return true when self-signed JWT with scopes are used
+   */
+  public boolean getUseJwtAccessWithScope() {
+    return useJwtAccessWithScope;
+  }
+
   /**
    * Returns the resolved host for the Service to connect to Google Cloud
    *

sdk-platform-java/java-core/google-cloud-core/src/test/java/com/google/cloud/ServiceOptionsTest.java

@@ -630,6 +630,46 @@ void testIsValidUniverseDomain_userUniverseDomainConfig_nonGDUCredentials() thro
     assertThat(options.hasValidUniverseDomain()).isTrue();
   }
 
+  @Test
+  void testGetScopedCredentials_useJwtAccessWithScope_enablesByDefault() {
+    TestServiceOptions options =
+        TestServiceOptions.newBuilder()
+            .setProjectId("project-id")
+            .setCredentials(credentials)
+            .build();
+    com.google.auth.Credentials scoped = options.getScopedCredentials();
+    assertThat(scoped).isInstanceOf(ServiceAccountCredentials.class);
+    assertThat(((ServiceAccountCredentials) scoped).getUseJwtAccessWithScope()).isTrue();
+  }
+
+  @Test
+  void testGetScopedCredentials_useJwtAccessWithScope_canBeDisabled() {
+    TestServiceOptions options =
+        new TestServiceOptions.Builder()
+            .setProjectId("project-id")
+            .setCredentials(credentials)
+            .setUseJwtAccessWithScope(false)
+            .build();
+    com.google.auth.Credentials scoped = options.getScopedCredentials();
+    assertThat(scoped).isInstanceOf(ServiceAccountCredentials.class);
+    assertThat(((ServiceAccountCredentials) scoped).getUseJwtAccessWithScope()).isFalse();
+  }
+
+  @Test
+  void testGetScopedCredentials_useJwtAccessWithScope_overridesCredentials() {
+    ServiceAccountCredentials trueCredentials =
+        ((ServiceAccountCredentials) credentials).createWithUseJwtAccessWithScope(true);
+    TestServiceOptions options =
+        new TestServiceOptions.Builder()
+            .setProjectId("project-id")
+            .setCredentials(trueCredentials)
+            .setUseJwtAccessWithScope(false)
+            .build();
+    com.google.auth.Credentials scoped = options.getScopedCredentials();
+    assertThat(scoped).isInstanceOf(ServiceAccountCredentials.class);
+    assertThat(((ServiceAccountCredentials) scoped).getUseJwtAccessWithScope()).isFalse();
+  }
+
   private HttpResponse createHttpResponseWithHeader(final Multimap<String, String> headers)
       throws Exception {
     HttpTransport mockHttpTransport =