Merge branch 'main' into add-universe-domain-phase2

.github/workflows/docs.yml

@@ -13,7 +13,7 @@ jobs:
         runs-on: ubuntu-latest
         steps:
         - name: Checkout
-          uses: actions/checkout@v3
+          uses: actions/checkout@v4
         - run: git fetch --depth=1 origin +refs/tags/*:refs/tags/*
         - name: Setup PHP
           uses: shivammathur/setup-php@v2

.github/workflows/release.yml

@@ -0,0 +1,33 @@
+name: Release Pre-Check
+on:
+  pull_request:
+  workflow_dispatch:
+permissions:
+  contents: read
+jobs:
+  release-suite:
+    runs-on: ubuntu-latest
+    name: Run googleapis/google-cloud-php tests against latest version
+    if: github.event.pull_request.user.login == 'release-please[bot]'
+    steps:
+    - uses: actions/checkout@v4
+    - name: Clone googleapis/google-cloud-php
+      uses: actions/checkout@master
+      with:
+        repository: googleapis/google-cloud-php
+        path: google-cloud-php
+    - name: Setup PHP
+      uses: shivammathur/setup-php@v2
+      with:
+        php-version: '8.1'
+        extensions: grpc
+    - name: Configure google/auth to dev-main
+      run: |
+        cd google-cloud-php
+        composer install -q -d dev
+        dev/google-cloud update-deps google/auth 'dev-main as 1.200.0' --add=dev
+    - name: Run google/cloud package tests
+      run: |
+        cd google-cloud-php
+        bash .github/run-package-tests.sh
+

.github/workflows/tests.yml

@@ -14,7 +14,7 @@ jobs:
                 php: [ "7.4", "8.0", "8.1", "8.2" ]
         name: PHP ${{matrix.php }} Unit Test
         steps:
-            - uses: actions/checkout@v3
+            - uses: actions/checkout@v4
             - name: Setup PHP
               uses: shivammathur/setup-php@v2
               with:
@@ -31,7 +31,7 @@ jobs:
         runs-on: ubuntu-latest
         name: Test Prefer Lowest
         steps:
-            - uses: actions/checkout@v3
+            - uses: actions/checkout@v4
             - name: Setup PHP
               uses: shivammathur/setup-php@v2
               with:
@@ -49,7 +49,7 @@ jobs:
       runs-on: ubuntu-latest
       name: PHP Style Check
       steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup PHP
         uses: shivammathur/setup-php@v2
         with:
@@ -64,7 +64,7 @@ jobs:
       runs-on: ubuntu-latest
       name: PHPStan Static Analysis
       steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup PHP
         uses: shivammathur/setup-php@v2
         with:

CHANGELOG.md

@@ -2,6 +2,17 @@
 
  * [feat]: add support for Firebase v6.0 (#391)
 
+## [1.33.0](https://github.com/googleapis/google-auth-library-php/compare/v1.32.1...v1.33.0) (2023-11-29)
+
+
+### Features
+
+* Add and implement universe domain interface ([#477](https://github.com/googleapis/google-auth-library-php/issues/477)) ([35781ed](https://github.com/googleapis/google-auth-library-php/commit/35781ed573aa9d831d38452eefbac790559dfb97))
+
+### Miscellaneous
+
+* Refactor `AuthTokenMiddleware` ([#492](https://github.com/googleapis/google-auth-library-php/pull/492))
+
 ## [1.32.1](https://github.com/googleapis/google-auth-library-php/compare/v1.32.0...v1.32.1) (2023-10-17)
 
 

README.md

@@ -257,6 +257,18 @@ print_r((string) $response->getBody());
 
 [iap-proxy-header]: https://cloud.google.com/iap/docs/authentication-howto#authenticating_from_proxy-authorization_header
 
+#### External credentials (Workload identity federation)
+
+Using workload identity federation, your application can access Google Cloud resources from Amazon Web Services (AWS),
+Microsoft Azure or any identity provider that supports OpenID Connect (OIDC).
+
+Traditionally, applications running outside Google Cloud have used service account keys to access Google Cloud
+resources. Using identity federation, you can allow your workload to impersonate a service account. This lets you access
+Google Cloud resources directly, eliminating the maintenance and security burden associated with service account keys.
+
+Follow the detailed instructions on how to
+[Configure Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds).
+
 #### Verifying JWTs
 
 If you are [using Google ID tokens to authenticate users][google-id-tokens], use

VERSION

@@ -0,0 +1 @@
+1.33.0

tests/Credentials/ServiceAccountCredentialsTest.php

@@ -307,6 +307,29 @@ public function testShouldBeIdTokenWhenTargetAudienceIsSet()
         $this->assertEquals(1, $timesCalled);
     }
 
+    public function testShouldBeOAuthRequestWhenSubIsSet()
+    {
+        $testJson = $this->createTestJson();
+        $sub = 'sub12345';
+        $timesCalled = 0;
+        $httpHandler = function ($request) use (&$timesCalled, $sub) {
+            $timesCalled++;
+            parse_str($request->getBody(), $post);
+            $this->assertArrayHasKey('assertion', $post);
+            list($header, $payload, $sig) = explode('.', $post['assertion']);
+            $jwtParams = json_decode(base64_decode($payload), true);
+            $this->assertArrayHasKey('sub', $jwtParams);
+            $this->assertEquals($sub, $jwtParams['sub']);
+
+            return new Psr7\Response(200, [], Utils::streamFor(json_encode([
+                'access_token' => 'token123'
+            ])));
+        };
+        $sa = new ServiceAccountCredentials(null, $testJson, $sub);
+        $this->assertEquals('token123', $sa->fetchAuthToken($httpHandler)['access_token']);
+        $this->assertEquals(1, $timesCalled);
+    }
+
     public function testSettingBothScopeAndTargetAudienceThrowsException()
     {
         $this->expectException(InvalidArgumentException::class);