fix(auth): Fix UserCredentials serialization clientSecret leak (#13465)

lsirac · web-flow · commit 2d9d01cdff84 · 2026-06-16T09:53:38.000-07:00
This PR fixes a critical security issue where the plaintext clientSecret
of UserCredentials was being leaked and written to disk under the key
quota_project, instead of the actual quotaProjectId under
quota_project_id.
diff --git a/google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java b/google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java
@@ -328,7 +328,7 @@ private InputStream getUserCredentialsStream() throws IOException {
       json.put("client_secret", clientSecret);
     }
     if (quotaProjectId != null) {
-      json.put("quota_project", clientSecret);
+      json.put("quota_project_id", quotaProjectId);
     }
     json.setFactory(JSON_FACTORY);
     String text = json.toPrettyString();
diff --git a/google-auth-library-java/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java b/google-auth-library-java/oauth2_http/javatests/com/google/auth/oauth2/UserCredentialsTest.java
@@ -635,6 +635,7 @@ void saveAndRestoreUserCredential_saveAndRestored_doesNotThrow() throws IOExcept
             .setClientId(CLIENT_ID)
             .setClientSecret(CLIENT_SECRET)
             .setRefreshToken(REFRESH_TOKEN)
+            .setQuotaProjectId(QUOTA_PROJECT)
             .build();
 
     File file = File.createTempFile("GOOGLE_APPLICATION_CREDENTIALS", null, null);
@@ -649,6 +650,7 @@ void saveAndRestoreUserCredential_saveAndRestored_doesNotThrow() throws IOExcept
       assertEquals(userCredentials.getClientId(), restoredCredentials.getClientId());
       assertEquals(userCredentials.getClientSecret(), restoredCredentials.getClientSecret());
       assertEquals(userCredentials.getRefreshToken(), restoredCredentials.getRefreshToken());
+      assertEquals(userCredentials.getQuotaProjectId(), restoredCredentials.getQuotaProjectId());
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -328,7 +328,7 @@ private InputStream getUserCredentialsStream() throws IOException {`
`328`	`328`	`json.put("client_secret", clientSecret);`
`329`	`329`	`}`
`330`	`330`	`if (quotaProjectId != null) {`
`331`		`- json.put("quota_project", clientSecret);`
	`331`	`+ json.put("quota_project_id", quotaProjectId);`
`332`	`332`	`}`
`333`	`333`	`json.setFactory(JSON_FACTORY);`
`334`	`334`	`String text = json.toPrettyString();`
Original file line number	Diff line number	Diff line change
`@@ -635,6 +635,7 @@ void saveAndRestoreUserCredential_saveAndRestored_doesNotThrow() throws IOExcept`
`635`	`635`	`.setClientId(CLIENT_ID)`
`636`	`636`	`.setClientSecret(CLIENT_SECRET)`
`637`	`637`	`.setRefreshToken(REFRESH_TOKEN)`
	`638`	`+ .setQuotaProjectId(QUOTA_PROJECT)`
`638`	`639`	`.build();`
`639`	`640`
`640`	`641`	`File file = File.createTempFile("GOOGLE_APPLICATION_CREDENTIALS", null, null);`
`@@ -649,6 +650,7 @@ void saveAndRestoreUserCredential_saveAndRestored_doesNotThrow() throws IOExcept`
`649`	`650`	`assertEquals(userCredentials.getClientId(), restoredCredentials.getClientId());`
`650`	`651`	`assertEquals(userCredentials.getClientSecret(), restoredCredentials.getClientSecret());`
`651`	`652`	`assertEquals(userCredentials.getRefreshToken(), restoredCredentials.getRefreshToken());`
	`653`	`+ assertEquals(userCredentials.getQuotaProjectId(), restoredCredentials.getQuotaProjectId());`
`652`	`654`	`}`
`653`	`655`	`}`
`654`	`656`