Extend support of application default credentials #78

@jennybc

I've not given much attention to application default credentials for this first release. I've used it successfully now (with a service account token), but I've got a few lingering questions and ideas for future refinement/extended support.

Also, parking notes and links here.

Google Cloud Application Default Credentials (ADC) are not credentials. ADC is a strategy to locate Google Cloud Service Account credentials. If the environment variable GOOGLE_APPLICATION_CREDENTIALS is set, ADC will use the filename that the variable points to for service account credentials.

from https://www.jhanley.com/google-cloud-application-default-credentials

That does not fully capture all the locations checked by gargle::credentials_app_default(), but that is the first place it checks.

Official ADC docs: https://cloud.google.com/docs/authentication/production and https://cloud.google.com/sdk/docs/

I put in some minimal docs for gargle::credentials_app_default() via 4256749.

credentials_app_default() looks for a file at a path encapsulated by credentials_app_default_path(). Here's where it looks, in order, where ALL_CAPS indicates env var:

  1. GOOGLE_APPLICATION_CREDENTIALS
  2. CLOUDSDK_CONFIG/application_default_credentials.json
  3. (APPDATA %||% SystemDrive %||% C:)/gcloud/application_default_credentials.json (Windows)
  4. ~/.config/gcloud/application_default_credentials.json (not Windows)

If a file exists at the path returned by credentials_app_default_path(), we parse it as JSON.

It is assumed that it (via info$type) declares itself to be an OAuth or service account token.

If it's OAuth, there's a bit of fiddling with scopes, then a new httr::Token2.0 is instantiated "by hand".

  • Question: how does one even end up with an OAuth2 token stored as this sort of JSON? I'm thinking maybe via the gcloud cli?
  • If I knew exactly how to do this, gargle could offer a way to write existing user tokens this way, as a means of moving a project over to a server. For people who resist service account tokens and insist on user tokens, this would be a nice accommodation.

Question: should I just leave credentials_app_default() as is? Possible tweaks:

  • Use init_oauth2.0() instead of httr::Token2.0$new()? This seems to be a preferred workflow and yet I don't think it's possible, because we want to shove an existing refresh token in there.
  • Is the new gargle::Gargle2.0 subclass of httr::Token2.0 relevant?

If this is a service account token, we call credentials_service_account() and then we're done.
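An added example, not gargle's code, in Python rather than R: it mirrors the lookup order listed above and the type check the post describes. The candidate order and the `%||%` fallback follow this issue; the `authorized_user` and `service_account` type strings are the values the ADC JSON files actually carry; the two sample JSON documents are constructed and contain no real secrets.

```python
import json
import os
import posixpath
from typing import Callable, List, Mapping, Optional

ADC_FILE = "application_default_credentials.json"


def adc_candidate_paths(env: Mapping[str, str], windows: bool) -> List[str]:
    """Candidate ADC file paths, in the order credentials_app_default_path() checks them.

    Paths are joined with "/" like R's file.path(), even in the Windows branch.
    """
    paths: List[str] = []
    if env.get("GOOGLE_APPLICATION_CREDENTIALS"):
        paths.append(env["GOOGLE_APPLICATION_CREDENTIALS"])
    if env.get("CLOUDSDK_CONFIG"):
        paths.append(posixpath.join(env["CLOUDSDK_CONFIG"], ADC_FILE))
    if windows:
        # APPDATA %||% SystemDrive %||% "C:" -- the first non-empty value wins
        base = env.get("APPDATA") or env.get("SystemDrive") or "C:"
        paths.append(posixpath.join(base, "gcloud", ADC_FILE))
    else:
        paths.append(posixpath.join(env.get("HOME", "~"), ".config", "gcloud", ADC_FILE))
    return paths


def resolve_adc_path(env: Mapping[str, str], windows: bool,
                     exists: Callable[[str], bool] = os.path.isfile) -> Optional[str]:
    """First candidate that exists, or None. `exists` is injectable so tests run offline."""
    for path in adc_candidate_paths(env, windows):
        if exists(path):
            return path
    return None


def classify_adc_json(text: str) -> str:
    """Declared credential type: 'authorized_user' (OAuth user token), 'service_account',
    or 'unknown' when the file does not declare a type this code handles."""
    kind = json.loads(text).get("type")
    return kind if kind in ("authorized_user", "service_account") else "unknown"


# Constructed samples, not real credentials: the user-token form that
# `gcloud auth application-default login` writes, and the service-account form.
SAMPLE_USER_JSON = '{"type": "authorized_user", "client_id": "example-client-id", "refresh_token": "REDACTED"}'
SAMPLE_SA_JSON = '{"type": "service_account", "project_id": "example-project", "client_email": "svc@example-project.iam.gserviceaccount.com"}'

if __name__ == "__main__":
    print("ADC file:", resolve_adc_path(os.environ, windows=(os.name == "nt")) or "none found")
    for sample in (SAMPLE_USER_JSON, SAMPLE_SA_JSON):
        print(classify_adc_json(sample))
```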
