googleapis · blakeli0 · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026
@@ -57,7 +57,6 @@
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Sets;
 import java.io.IOException;
-import java.net.URI;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
@@ -355,14 +354,7 @@ static GdchCredentials getGdchCredentials(
     } else {
       throw new IllegalArgumentException("Could not infer GDCH api audience from settings");
     }
-
-    URI gdchAudienceUri;
-    try {
-      gdchAudienceUri = URI.create(audienceString);
-    } catch (IllegalArgumentException ex) { // thrown when passing a malformed uri string
-      throw new IllegalArgumentException("The GDC-H API audience string is not a valid URI", ex);
-    }
-    return ((GdchCredentials) credentials).createWithGdchAudience(gdchAudienceUri);
+    return ((GdchCredentials) credentials).createWithGdchAudience(audienceString);
   }
 
   /**

@@ -33,6 +33,7 @@
 import static com.google.common.truth.Truth.assertThat;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertInstanceOf;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNotSame;
 import static org.junit.jupiter.api.Assertions.assertThrows;
@@ -63,7 +64,6 @@
 import com.google.common.collect.ImmutableMap;
 import com.google.common.truth.Truth;
 import java.io.IOException;
-import java.net.URI;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
@@ -890,16 +890,16 @@ void testExecutorSettings() throws Exception {
     assertThat(transportChannel.getExecutor()).isSameInstanceAs(executorProvider.getExecutor());
   }
 
-  private GdchCredentials getMockGdchCredentials() throws IOException {
+  private GdchCredentials getMockGdchCredentials() {
     GdchCredentials creds = Mockito.mock(GdchCredentials.class);
 
     // GdchCredentials builder is mocked to accept a well-formed uri
     GdchCredentials.Builder gdchCredsBuilder = Mockito.mock(GdchCredentials.Builder.class);
-    Mockito.when(gdchCredsBuilder.setGdchAudience(Mockito.any(URI.class)))
+    Mockito.when(gdchCredsBuilder.setGdchAudience(Mockito.anyString()))
         .thenReturn(gdchCredsBuilder);
     Mockito.when(gdchCredsBuilder.build()).thenReturn(creds);
     Mockito.when(creds.toBuilder()).thenReturn(gdchCredsBuilder);
-    Mockito.when(creds.createWithGdchAudience(Mockito.any()))
+    Mockito.when(creds.createWithGdchAudience(Mockito.anyString()))
         .thenAnswer((uri) -> getMockGdchCredentials());
     return creds;
   }
@@ -939,7 +939,7 @@ void testCreateClientContext_withGdchCredentialNoAudienceNoEndpoint() throws IOE
     assertThat(fromProvider).isInstanceOf(GdchCredentials.class);
     assertNotSame(fromContext, fromProvider);
     verify((GdchCredentials) fromProvider, times(1))
-        .createWithGdchAudience(URI.create("test.googleapis.com:443"));
+        .createWithGdchAudience("test.googleapis.com:443");
   }
 
   @Test
@@ -994,8 +994,7 @@ void testCreateClientContext_withGdchCredentialWithoutAudienceWithEndpoint_corre
     assertThat(fromContext).isInstanceOf(GdchCredentials.class);
     assertThat(fromProvider).isInstanceOf(GdchCredentials.class);
     assertNotSame(fromContext, fromProvider);
-    verify((GdchCredentials) fromProvider, times(1))
-        .createWithGdchAudience(URI.create("test-endpoint"));
+    verify((GdchCredentials) fromProvider, times(1)).createWithGdchAudience("test-endpoint");
   }
 
   @Test
@@ -1021,14 +1020,13 @@ void testCreateClientContext_withGdchCredentialAndValidAudience() throws IOExcep
     assertNotNull(fromContext);
     // using an audience should have made the context to recreate the credentials
     assertNotSame(fromContext, fromProvider);
-    verify((GdchCredentials) fromProvider, times(1))
-        .createWithGdchAudience(URI.create("valid-uri"));
-    verify((GdchCredentials) fromProvider, times(0))
-        .createWithGdchAudience(URI.create("test-endpoint"));
+    verify((GdchCredentials) fromProvider, times(1)).createWithGdchAudience("valid-uri");
+    verify((GdchCredentials) fromProvider, times(0)).createWithGdchAudience("test-endpoint");
   }
 
   @Test
-  void testCreateClientContext_withGdchCredentialAndInvalidAudience_throws() throws IOException {
+  void testCreateClientContext_withGdchCredentialAndInvalidAudience_doesNotThrow()
+      throws IOException {
     TransportChannelProvider transportChannelProvider = getFakeTransportChannelProvider();
     Credentials creds = getMockGdchCredentials();
     CredentialsProvider provider = FixedCredentialsProvider.create(creds);
@@ -1044,17 +1042,14 @@ void testCreateClientContext_withGdchCredentialAndInvalidAudience_throws() throw
     clientSettingsBuilder.setCredentialsProvider(provider);
     clientSettingsBuilder.setTransportChannelProvider(transportChannelProvider);
     final ClientSettings withGdchCredentialsAndMalformedApiAudience = clientSettingsBuilder.build();
-    // should throw
-    String exMessage =
-        assertThrows(
-                IllegalArgumentException.class,
-                () -> ClientContext.create(withGdchCredentialsAndMalformedApiAudience))
-            .getMessage();
-    assertThat(exMessage).contains("The GDC-H API audience string is not a valid URI");
+
+    // There is an invalid URI for the GDCH audience, but we do not validate the URI
+    // There are some use cases where there the GDCH audience is not a URI.
+    ClientContext clientContext = ClientContext.create(withGdchCredentialsAndMalformedApiAudience);
+    assertInstanceOf(GdchCredentials.class, clientContext.getCredentials());
 
     Credentials fromProvider = provider.getCredentials();
-    verify((GdchCredentials) fromProvider, times(0))
-        .createWithGdchAudience(URI.create("test-endpoint"));
+    verify((GdchCredentials) fromProvider, times(0)).createWithGdchAudience("test-endpoint");
   }
 
   @Test

@@ -156,7 +156,9 @@ void testCreateClient_withGdchCredentialAndNoAudience_defaultsToEndpointBasedAud
     NullPointerException expectedEx =
         assertThrows(NullPointerException.class, () -> initialCredentials.refresh());
     assertTrue(
-        expectedEx.getMessage().contains("Audience are not configured for GDCH service account"));
+        expectedEx
+            .getMessage()
+            .contains("Audience cannot be null or empty for GDCH service account credentials"));
 
     // However, the credentials prepared in ClientContext should be able to refresh since the
     // audience would be
@@ -201,7 +203,7 @@ void testCreateClient_withGdchCredentialWithValidAudience_usesCredentialWithPass
     assertTrue(
         thrownByClientCreds
             .getMessage()
-            .contains("Audience are not configured for GDCH service account"));
+            .contains("Audience cannot be null or empty for GDCH service account credentials"));
 
     // But the credentials prepared in ClientContext should be able to refresh since the audience
     // would be internally

@@ -18,10 +18,9 @@
 
 import com.google.api.client.http.LowLevelHttpRequest;
 import com.google.api.client.json.JsonFactory;
+import com.google.api.client.json.JsonParser;
 import com.google.api.client.json.gson.GsonFactory;
-import com.google.api.client.json.webtoken.JsonWebSignature;
 import com.google.api.client.testing.http.MockLowLevelHttpRequest;
-import com.google.auth.TestUtils;
 import com.google.auth.oauth2.MockTokenServerTransport;
 import java.io.IOException;
 import java.util.Map;
@@ -39,10 +38,8 @@ public LowLevelHttpRequest buildRequest(String method, String url) throws IOExce
 
   public String getLastAudienceSent() throws IOException {
     String contentString = lastRequest.getContentAsString();
-    Map<String, String> query = TestUtils.parseQuery(contentString);
-    String assertion = query.get("assertion");
-    JsonWebSignature signature = JsonWebSignature.parse(JSON_FACTORY, assertion);
-    String foundTargetAudience = (String) signature.getPayload().get("api_audience");
-    return foundTargetAudience;
+    JsonParser jsonParser = JSON_FACTORY.createJsonParser(contentString);
+    Map<String, Object> json = jsonParser.parseAndClose(Map.class);
+    return (String) json.get("audience");
   }
 }
@@ -3,7 +3,7 @@
   "format_version": "1",
   "project": "project-id",
   "private_key_id": "d84a4fefcf50791d4a90f2d7af17469d6282df9d",
-  "private_key": "-----BEGIN PRIVATE KEY-----\nMIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALX0PQoe1igW12i\nkv1bN/r9lN749y2ijmbc/mFHPyS3hNTyOCjDvBbXYbDhQJzWVUikh4mvGBA07qTj79Xc3yBDfKP2IeyYQIFe0t0\nzkd7R9Zdn98Y2rIQC47aAbDfubtkU1U72t4zL11kHvoa0/RuFZjncvlr42X7be7lYh4p3NAgMBAAECgYASk5wDw\n4Az2ZkmeuN6Fk/y9H+Lcb2pskJIXjrL533vrDWGOC48LrsThMQPv8cxBky8HFSEklPpkfTF95tpD43iVwJRB/Gr\nCtGTw65IfJ4/tI09h6zGc4yqvIo1cHX/LQ+SxKLGyir/dQM925rGt/VojxY5ryJR7GLbCzxPnJm/oQJBANwOCO6\nD2hy1LQYJhXh7O+RLtA/tSnT1xyMQsGT+uUCMiKS2bSKx2wxo9k7h3OegNJIu1q6nZ6AbxDK8H3+d0dUCQQDTrP\nSXagBxzp8PecbaCHjzNRSQE2in81qYnrAFNB4o3DpHyMMY6s5ALLeHKscEWnqP8Ur6X4PvzZecCWU9BKAZAkAut\nLPknAuxSCsUOvUfS1i87ex77Ot+w6POp34pEX+UWb+u5iFn2cQacDTHLV1LtE80L8jVLSbrbrlH43H0DjU5AkEA\ngidhycxS86dxpEljnOMCw8CKoUBd5I880IUahEiUltk7OLJYS/Ts1wbn3kPOVX3wyJs8WBDtBkFrDHW2ezth2QJ\nADj3e1YhMVdjJW5jqwlD/VNddGjgzyunmiZg0uOXsHXbytYmsA545S8KRQFaJKFXYYFo2kOjqOiC1T2cAzMDjCQ\n==\n-----END PRIVATE KEY-----\n",
+  "private_key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIK+G0KyJyJPDK/tyYsF0RyFW+X1GMsWbrlWn8TbLAI0doAoGCCqGSM49\nAwEHoUQDQgAEmGMJNcYyb9IfS4ngfvSf+c0sxOdcRfPNnZajry4bLgs++2VpQn8e\nl27zuFvF8jrM2/XyG5y9heE8YSjfLMy0Rw==\n-----END EC PRIVATE KEY-----\n",
   "name": "service-identity-name",
   "ca_cert_path": "fake-cert-path",
   "token_uri": "https://service-identity.fake-domain/authenticate"

@@ -156,7 +156,9 @@ void testCreateClient_withGdchCredentialAndNoAudience_defaultsToEndpointBasedAud
     NullPointerException expectedEx =
         assertThrows(NullPointerException.class, () -> initialCredentials.refresh());
     assertTrue(
-        expectedEx.getMessage().contains("Audience are not configured for GDCH service account"));
+        expectedEx
+            .getMessage()
+            .contains("Audience cannot be null or empty for GDCH service account credentials"));
 
     // However, the credentials prepared in ClientContext should be able to refresh since the
     // audience would be
@@ -201,7 +203,7 @@ void testCreateClient_withGdchCredentialWithValidAudience_usesCredentialWithPass
     assertTrue(
         thrownByClientCreds
             .getMessage()
-            .contains("Audience are not configured for GDCH service account"));
+            .contains("Audience cannot be null or empty for GDCH service account credentials"));
 
     // But the credentials prepared in ClientContext should be able to refresh since the audience
     // would be internally

@@ -18,6 +18,7 @@
 
 import com.google.api.client.http.LowLevelHttpRequest;
 import com.google.api.client.json.JsonFactory;
+import com.google.api.client.json.JsonParser;
 import com.google.api.client.json.gson.GsonFactory;
 import com.google.api.client.json.webtoken.JsonWebSignature;
 import com.google.api.client.testing.http.MockLowLevelHttpRequest;
@@ -39,10 +40,8 @@ public LowLevelHttpRequest buildRequest(String method, String url) throws IOExce
 
   public String getLastAudienceSent() throws IOException {
     String contentString = lastRequest.getContentAsString();
-    Map<String, String> query = TestUtils.parseQuery(contentString);
-    String assertion = query.get("assertion");
-    JsonWebSignature signature = JsonWebSignature.parse(JSON_FACTORY, assertion);
-    String foundTargetAudience = (String) signature.getPayload().get("api_audience");
-    return foundTargetAudience;
+    JsonParser jsonParser = JSON_FACTORY.createJsonParser(contentString);
+    Map<String, Object> json = jsonParser.parseAndClose(Map.class);
+    return (String) json.get("audience");
   }
 }
@@ -3,7 +3,7 @@
   "format_version": "1",
   "project": "project-id",
   "private_key_id": "d84a4fefcf50791d4a90f2d7af17469d6282df9d",
-  "private_key": "-----BEGIN PRIVATE KEY-----\nMIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALX0PQoe1igW12i\nkv1bN/r9lN749y2ijmbc/mFHPyS3hNTyOCjDvBbXYbDhQJzWVUikh4mvGBA07qTj79Xc3yBDfKP2IeyYQIFe0t0\nzkd7R9Zdn98Y2rIQC47aAbDfubtkU1U72t4zL11kHvoa0/RuFZjncvlr42X7be7lYh4p3NAgMBAAECgYASk5wDw\n4Az2ZkmeuN6Fk/y9H+Lcb2pskJIXjrL533vrDWGOC48LrsThMQPv8cxBky8HFSEklPpkfTF95tpD43iVwJRB/Gr\nCtGTw65IfJ4/tI09h6zGc4yqvIo1cHX/LQ+SxKLGyir/dQM925rGt/VojxY5ryJR7GLbCzxPnJm/oQJBANwOCO6\nD2hy1LQYJhXh7O+RLtA/tSnT1xyMQsGT+uUCMiKS2bSKx2wxo9k7h3OegNJIu1q6nZ6AbxDK8H3+d0dUCQQDTrP\nSXagBxzp8PecbaCHjzNRSQE2in81qYnrAFNB4o3DpHyMMY6s5ALLeHKscEWnqP8Ur6X4PvzZecCWU9BKAZAkAut\nLPknAuxSCsUOvUfS1i87ex77Ot+w6POp34pEX+UWb+u5iFn2cQacDTHLV1LtE80L8jVLSbrbrlH43H0DjU5AkEA\ngidhycxS86dxpEljnOMCw8CKoUBd5I880IUahEiUltk7OLJYS/Ts1wbn3kPOVX3wyJs8WBDtBkFrDHW2ezth2QJ\nADj3e1YhMVdjJW5jqwlD/VNddGjgzyunmiZg0uOXsHXbytYmsA545S8KRQFaJKFXYYFo2kOjqOiC1T2cAzMDjCQ\n==\n-----END PRIVATE KEY-----\n",
+  "private_key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIK+G0KyJyJPDK/tyYsF0RyFW+X1GMsWbrlWn8TbLAI0doAoGCCqGSM49\nAwEHoUQDQgAEmGMJNcYyb9IfS4ngfvSf+c0sxOdcRfPNnZajry4bLgs++2VpQn8e\nl27zuFvF8jrM2/XyG5y9heE8YSjfLMy0Rw==\n-----END EC PRIVATE KEY-----\n",
   "name": "service-identity-name",
   "ca_cert_path": "fake-cert-path",
   "token_uri": "https://service-identity.fake-domain/authenticate"

@@ -33,8 +33,8 @@
 import static com.google.common.truth.Truth.assertThat;
 
 import com.google.api.gax.tracing.CompositeTracerFactory;
-import com.google.api.gax.tracing.OpenTelemetryMetricsFactory;
 import com.google.api.gax.tracing.ObservabilityAttributes;
+import com.google.api.gax.tracing.OpenTelemetryMetricsFactory;
 import com.google.api.gax.tracing.OpenTelemetryTracingFactory;
 import com.google.showcase.v1beta1.EchoClient;
 import com.google.showcase.v1beta1.EchoRequest;
@@ -92,11 +92,13 @@ void tearDown() {
   }
 
   private CompositeTracerFactory createCompositeTracerFactory() {
-    OpenTelemetryTracingFactory openTelemetryTracingFactory = new OpenTelemetryTracingFactory(openTelemetrySdk);
+    OpenTelemetryTracingFactory openTelemetryTracingFactory =
+        new OpenTelemetryTracingFactory(openTelemetrySdk);
     OpenTelemetryMetricsFactory metricsTracerFactory =
         new OpenTelemetryMetricsFactory(openTelemetrySdk);
 
-    return new CompositeTracerFactory(Arrays.asList(openTelemetryTracingFactory, metricsTracerFactory));
+    return new CompositeTracerFactory(
+        Arrays.asList(openTelemetryTracingFactory, metricsTracerFactory));
   }
 
   @Test

@@ -156,7 +156,9 @@ void testCreateClient_withGdchCredentialAndNoAudience_defaultsToEndpointBasedAud
     NullPointerException expectedEx =
         assertThrows(NullPointerException.class, () -> initialCredentials.refresh());
     assertTrue(
-        expectedEx.getMessage().contains("Audience are not configured for GDCH service account"));
+        expectedEx
+            .getMessage()
+            .contains("Audience cannot be null or empty for GDCH service account credentials"));
 
     // However, the credentials prepared in ClientContext should be able to refresh since the
     // audience would be
@@ -201,7 +203,7 @@ void testCreateClient_withGdchCredentialWithValidAudience_usesCredentialWithPass
     assertTrue(
         thrownByClientCreds
             .getMessage()
-            .contains("Audience are not configured for GDCH service account"));
+            .contains("Audience cannot be null or empty for GDCH service account credentials"));
 
     // But the credentials prepared in ClientContext should be able to refresh since the audience
     // would be internally