From 828f50f9c6e2a0c34340660f76fe6e4b2a5f6a0e Mon Sep 17 00:00:00 2001 From: Wes Tarle Date: Mon, 15 Jun 2026 12:46:30 +0000 Subject: [PATCH] test(auth): Assert IOException on custom universe domain with delegation This commit adds a test case to ServiceAccountCredentialsTest to verify that configuring a custom Universe Domain along with Domain-Wide Delegation safely throws the expected IOException. Domain-wide delegation is not supported outside of the default Google universe. This brings the Java library's test suite into alignment with the expected auth specification. Other Google Cloud client libraries like Go, Node.js, and Python natively assert that this configuration combination throws a validation error during credential initialization or token generation. --- .../auth/oauth2/ServiceAccountCredentialsTest.java | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/google-auth-library-java/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java b/google-auth-library-java/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java index ed26a0af3c6f..3c772801d789 100644 --- a/google-auth-library-java/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java +++ b/google-auth-library-java/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java @@ -1762,6 +1762,16 @@ void createScopes_existingAccessTokenInvalidated() throws IOException { assertNull(newAccessToken); } + @Test + void getRequestMetadata_withUniverseAndDelegation_throws() { + ServiceAccountCredentials credentials = + createDefaultBuilderWithKey(OAuth2Utils.privateKeyFromPkcs8(PRIVATE_KEY_PKCS8)) + .setUniverseDomain("example.com") + .setServiceAccountUser("user@example.com") + .build(); + assertThrows(IOException.class, () -> credentials.getRequestMetadata(CALL_URI)); + } + private void verifyJwtAccess(Map> metadata, String expectedScopeClaim) throws IOException { assertNotNull(metadata);