googleapis
diff --git a/‎oauth2_http/java/com/google/auth/oauth2/AppEngineCredentials.java‎
Lines changed: 25 additions & 5 deletions b/‎oauth2_http/java/com/google/auth/oauth2/AppEngineCredentials.java‎
Lines changed: 25 additions & 5 deletions
diff --git a/‎oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java‎
Lines changed: 19 additions & 4 deletions b/‎oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java‎
Lines changed: 19 additions & 4 deletions
diff --git a/‎oauth2_http/java/com/google/auth/oauth2/DefaultCredentialsProvider.java‎
Lines changed: 2 additions & 1 deletion b/‎oauth2_http/java/com/google/auth/oauth2/DefaultCredentialsProvider.java‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java‎
Lines changed: 14 additions & 0 deletions b/‎oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java‎
Lines changed: 14 additions & 0 deletions
@@ -79,18 +79,32 @@ class AppEngineCredentials extends GoogleCredentials implements ServiceAccountSi
   private transient Method getSignature;
   private transient String account;
 
-  AppEngineCredentials(Collection<String> scopes) throws IOException {
-    this.scopes = scopes == null ? ImmutableSet.<String>of() : ImmutableList.copyOf(scopes);
+  AppEngineCredentials(Collection<String> scopes, Collection<String> defaultScopes)
+      throws IOException {
+    // Use defaultScopes only when scopes don't exist.
+    if (scopes == null || scopes.isEmpty()) {
+      this.scopes =
+          defaultScopes == null ? ImmutableList.<String>of() : ImmutableList.copyOf(defaultScopes);
+    } else {
+      this.scopes = ImmutableList.copyOf(scopes);
+    }
     this.scopesRequired = this.scopes.isEmpty();
     init();
   }
 
-  AppEngineCredentials(Collection<String> scopes, AppEngineCredentials unscoped) {
+  AppEngineCredentials(
+      Collection<String> scopes, Collection<String> defaultScopes, AppEngineCredentials unscoped) {
     this.appIdentityService = unscoped.appIdentityService;
     this.getAccessToken = unscoped.getAccessToken;
     this.getAccessTokenResult = unscoped.getAccessTokenResult;
     this.getExpirationTime = unscoped.getExpirationTime;
-    this.scopes = scopes == null ? ImmutableSet.<String>of() : ImmutableList.copyOf(scopes);
+    // Use defaultScopes only when scopes don't exist.
+    if (scopes == null || scopes.isEmpty()) {
+      this.scopes =
+          defaultScopes == null ? ImmutableSet.<String>of() : ImmutableList.copyOf(defaultScopes);
+    } else {
+      this.scopes = ImmutableList.copyOf(scopes);
+    }
     this.scopesRequired = this.scopes.isEmpty();
   }
 
@@ -145,7 +159,13 @@ public boolean createScopedRequired() {
 
   @Override
   public GoogleCredentials createScoped(Collection<String> scopes) {
-    return new AppEngineCredentials(scopes, this);
+    return new AppEngineCredentials(scopes, null, this);
+  }
+
+  @Override
+  public GoogleCredentials createScoped(
+      Collection<String> scopes, Collection<String> defaultScopes) {
+    return new AppEngineCredentials(scopes, defaultScopes, this);
   }
 
   @Override
 
@@ -109,14 +109,22 @@ public class ComputeEngineCredentials extends GoogleCredentials
    * @param transportFactory HTTP transport factory, creates the transport used to get access
    *     tokens.
    * @param scopes scope strings for the APIs to be called. May be null or an empty collection.
+   * @param defaultScopes default scope strings for the APIs to be called. May be null or an empty
+   *     collection. Default scopes are ignored if scopes are provided.
    */
   private ComputeEngineCredentials(
-      HttpTransportFactory transportFactory, Collection<String> scopes) {
+      HttpTransportFactory transportFactory,
+      Collection<String> scopes,
+      Collection<String> defaultScopes) {
     this.transportFactory =
         firstNonNull(
             transportFactory,
             getFromServiceLoader(HttpTransportFactory.class, OAuth2Utils.HTTP_TRANSPORT_FACTORY));
     this.transportFactoryClassName = this.transportFactory.getClass().getName();
+    // Use defaultScopes only when scopes don't exist.
+    if (scopes == null || scopes.isEmpty()) {
+      scopes = defaultScopes;
+    }
     if (scopes == null) {
       this.scopes = ImmutableSet.<String>of();
     } else {
@@ -129,7 +137,14 @@ private ComputeEngineCredentials(
   /** Clones the compute engine account with the specified scopes. */
   @Override
   public GoogleCredentials createScoped(Collection<String> newScopes) {
-    return new ComputeEngineCredentials(this.transportFactory, newScopes);
+    return new ComputeEngineCredentials(this.transportFactory, newScopes, null);
+  }
+
+  /** Clones the compute engine account with the specified scopes. */
+  @Override
+  public GoogleCredentials createScoped(
+      Collection<String> newScopes, Collection<String> newDefaultScopes) {
+    return new ComputeEngineCredentials(this.transportFactory, newScopes, newDefaultScopes);
   }
 
   /**
@@ -138,7 +153,7 @@ public GoogleCredentials createScoped(Collection<String> newScopes) {
    * @return new ComputeEngineCredentials
    */
   public static ComputeEngineCredentials create() {
-    return new ComputeEngineCredentials(null, null);
+    return new ComputeEngineCredentials(null, null, null);
   }
 
   public final Collection<String> getScopes() {
@@ -465,7 +480,7 @@ public Collection<String> getScopes() {
     }
 
     public ComputeEngineCredentials build() {
-      return new ComputeEngineCredentials(transportFactory, scopes);
+      return new ComputeEngineCredentials(transportFactory, scopes, null);
     }
   }
 }
@@ -301,7 +301,8 @@ private GoogleCredentials tryGetAppEngineCredential() throws IOException {
     if (!onAppEngine) {
       return null;
     }
-    return new AppEngineCredentials(Collections.<String>emptyList());
+    return new AppEngineCredentials(
+        Collections.<String>emptyList(), Collections.<String>emptyList());
   }
 
   private final GoogleCredentials tryGetComputeCredentials(HttpTransportFactory transportFactory) {
 
@@ -235,6 +235,20 @@ public GoogleCredentials createScoped(Collection<String> scopes) {
     return this;
   }
 
+  /**
+   * If the credentials support scopes, creates a copy of the the identity with the specified scopes
+   * and default scopes; otherwise, returns the same instance. This is mainly used by client
+   * libraries.
+   *
+   * @param scopes Collection of scopes to request.
+   * @param defaultScopes Collection of default scopes to request.
+   * @return GoogleCredentials with requested scopes.
+   */
+  public GoogleCredentials createScoped(
+      Collection<String> scopes, Collection<String> defaultScopes) {
+    return this;
+  }
+
   /**
    * If the credentials support scopes, creates a copy of the the identity with the specified
    * scopes; otherwise, returns the same instance.
Original file line number	Diff line number	Diff line change
`@@ -301,7 +301,8 @@ private GoogleCredentials tryGetAppEngineCredential() throws IOException {`
`301`	`301`	`if (!onAppEngine) {`
`302`	`302`	`return null;`
`303`	`303`	`}`
`304`		`- return new AppEngineCredentials(Collections.<String>emptyList());`
	`304`	`+ return new AppEngineCredentials(`
	`305`	`+ Collections.<String>emptyList(), Collections.<String>emptyList());`
`305`	`306`	`}`
`306`	`307`
`307`	`308`	`private final GoogleCredentials tryGetComputeCredentials(HttpTransportFactory transportFactory) {`