Replace deprecated GoogleCredential with new auth lib (#129)

Replace deprecated GoogleCredential with new lib This PR also introduced a CredentialsBundle class to carry HttpTransport and JsonFactory object which are needed by most of the GCP library to instantiate client.
2025-07-04 02:03:24 +02:00 · 2019-07-02 10:29:51 -04:00 · 2019-07-02 10:29:51 -04:00 · 34a28e871e
commit 34a28e871e
parent dae8923bd1
29 changed files with 822 additions and 684 deletions
--- a/core/src/main/java/google/registry/beam/invoicing/InvoicingPipeline.java
+++ b/core/src/main/java/google/registry/beam/invoicing/InvoicingPipeline.java
@ -14,13 +14,13 @@
 package google.registry.beam.invoicing;
 import com.google.auth.oauth2.GoogleCredentials;
 import google.registry.beam.invoicing.BillingEvent.InvoiceGroupingKey;
 import google.registry.beam.invoicing.BillingEvent.InvoiceGroupingKey.InvoiceGroupingKeyCoder;
 import google.registry.config.CredentialModule.LocalCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.reporting.billing.BillingModule;
 import google.registry.reporting.billing.GenerateInvoicesAction;
-import google.registry.tools.AuthModule.LocalOAuth2Credentials;
+import google.registry.util.GoogleCredentialsBundle;
 import java.io.Serializable;
 import javax.inject.Inject;
 import org.apache.beam.runners.dataflow.DataflowRunner;
@ -81,8 +81,8 @@ public class InvoicingPipeline implements Serializable {
  @Config("invoiceFilePrefix")
  String invoiceFilePrefix;
-  @Inject @LocalOAuth2Credentials
+  @Inject @LocalCredential
-  GoogleCredentials credentials;
+  GoogleCredentialsBundle credentialsBundle;
  @Inject
  InvoicingPipeline() {}
@ -105,7 +105,7 @@ public class InvoicingPipeline implements Serializable {
  public void deploy() {
    // We can't store options as a member variable due to serialization concerns.
    InvoicingPipelineOptions options = PipelineOptionsFactory.as(InvoicingPipelineOptions.class);
-    options.setGcpCredential(credentials);
+    options.setGcpCredential(credentialsBundle.getGoogleCredentials());
    options.setProject(projectId);
    options.setRunner(DataflowRunner.class);
    // This causes p.run() to stage the pipeline as a template on GCS, as opposed to running it.
--- a/core/src/main/java/google/registry/bigquery/BigqueryModule.java
+++ b/core/src/main/java/google/registry/bigquery/BigqueryModule.java
@ -14,7 +14,6 @@
 package google.registry.bigquery;
 import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.bigquery.Bigquery;
 import com.google.api.services.bigquery.model.TableFieldSchema;
 import com.google.common.collect.ImmutableList;
@ -23,24 +22,29 @@ import dagger.Provides;
 import dagger.multibindings.Multibinds;
 import google.registry.config.CredentialModule.DefaultCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.util.GoogleCredentialsBundle;
 import java.util.Map;
 /** Dagger module for Google {@link Bigquery} connection objects. */
@Module
 public abstract class BigqueryModule {
-  /** Provides a map of BigQuery table names to field names. */
+  // No subclasses.
-  @Multibinds
+  private BigqueryModule() {}
  abstract Map<String, ImmutableList<TableFieldSchema>> bigquerySchemas();
  @Provides
  static Bigquery provideBigquery(
-      @DefaultCredential GoogleCredential credential, @Config("projectId") String projectId) {
+      @DefaultCredential GoogleCredentialsBundle credentialsBundle,
-    return new Bigquery.Builder(credential.getTransport(), credential.getJsonFactory(), credential)
+      @Config("projectId") String projectId) {
    return new Bigquery.Builder(
            credentialsBundle.getHttpTransport(),
            credentialsBundle.getJsonFactory(),
            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(projectId)
        .build();
  }
-  // No subclasses.
+  /** Provides a map of BigQuery table names to field names. */
-  private BigqueryModule() {}
+  @Multibinds
  abstract Map<String, ImmutableList<TableFieldSchema>> bigquerySchemas();
 }
--- a/core/src/main/java/google/registry/config/CredentialModule.java
+++ b/core/src/main/java/google/registry/config/CredentialModule.java
@ -16,32 +16,28 @@ package google.registry.config;
 import static java.nio.charset.StandardCharsets.UTF_8;
-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
+import com.google.auth.oauth2.GoogleCredentials;
 import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
 import com.google.api.client.googleapis.util.Utils;
 import com.google.common.collect.ImmutableList;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.keyring.api.KeyModule.Key;
 import google.registry.util.GoogleCredentialsBundle;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.UncheckedIOException;
 import java.lang.annotation.Documented;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.security.GeneralSecurityException;
 import javax.inject.Qualifier;
 import javax.inject.Singleton;
-/**
+/** Dagger module that provides all {@link GoogleCredentials} used in the application. */
 * Dagger module that provides all {@link GoogleCredential GoogleCredentials} used in the
 * application.
 */
@Module
 public abstract class CredentialModule {
  /**
-   * Provides the default {@link GoogleCredential} from the Google Cloud runtime.
+   * Provides the default {@link GoogleCredentialsBundle} from the Google Cloud runtime.
   *
   * <p>The credential returned depends on the runtime environment:
   *
@ -58,22 +54,22 @@ public abstract class CredentialModule {
  @DefaultCredential
  @Provides
  @Singleton
-  public static GoogleCredential provideDefaultCredential(
+  public static GoogleCredentialsBundle provideDefaultCredential(
      @Config("defaultCredentialOauthScopes") ImmutableList<String> requiredScopes) {
-    GoogleCredential credential;
+    GoogleCredentials credential;
    try {
-      credential = GoogleCredential.getApplicationDefault();
+      credential = GoogleCredentials.getApplicationDefault();
    } catch (IOException e) {
      throw new RuntimeException(e);
    }
    if (credential.createScopedRequired()) {
-      return credential.createScoped(requiredScopes);
+      credential = credential.createScoped(requiredScopes);
    }
-    return credential;
+    return GoogleCredentialsBundle.create(credential);
  }
  /**
-   * Provides a {@link GoogleCredential} from the service account's JSON key file.
+   * Provides a {@link GoogleCredentialsBundle} from the service account's JSON key file.
   *
   * <p>On App Engine, a thread created using Java's built-in API needs this credential when it
   * calls App Engine API. The Google Sheets API also needs this credential.
@ -81,28 +77,24 @@ public abstract class CredentialModule {
  @JsonCredential
  @Provides
  @Singleton
-  public static GoogleCredential provideJsonCredential(
+  public static GoogleCredentialsBundle provideJsonCredential(
      @Config("defaultCredentialOauthScopes") ImmutableList<String> requiredScopes,
      @Key("jsonCredential") String jsonCredential) {
-    GoogleCredential credential;
+    GoogleCredentials credential;
    try {
      credential =
-          GoogleCredential.fromStream(
+          GoogleCredentials.fromStream(new ByteArrayInputStream(jsonCredential.getBytes(UTF_8)));
-              new ByteArrayInputStream(jsonCredential.getBytes(UTF_8)),
+    } catch (IOException e) {
-              // We cannot use UrlFetchTransport as that uses App Engine API.
+      throw new UncheckedIOException(e);
              GoogleNetHttpTransport.newTrustedTransport(),
              Utils.getDefaultJsonFactory());
    } catch (IOException | GeneralSecurityException e) {
      throw new RuntimeException(e);
    }
    if (credential.createScopedRequired()) {
      credential = credential.createScoped(requiredScopes);
    }
-    return credential;
+    return GoogleCredentialsBundle.create(credential);
  }
  /**
-   * Provides a {@link GoogleCredential} with delegated admin access for a G Suite domain.
+   * Provides a {@link GoogleCredentialsBundle} with delegated admin access for a G Suite domain.
   *
   * <p>The G Suite domain must grant delegated admin access to the registry service account with
   * all scopes in {@code requiredScopes}, including ones not related to G Suite.
@ -110,18 +102,14 @@ public abstract class CredentialModule {
  @DelegatedCredential
  @Provides
  @Singleton
-  public static GoogleCredential provideDelegatedCredential(
+  public static GoogleCredentialsBundle provideDelegatedCredential(
      @Config("delegatedCredentialOauthScopes") ImmutableList<String> requiredScopes,
-      @JsonCredential GoogleCredential googleCredential,
+      @JsonCredential GoogleCredentialsBundle credentialsBundle,
      @Config("gSuiteAdminAccountEmailAddress") String gSuiteAdminAccountEmailAddress) {
-    return new GoogleCredential.Builder()
+    return GoogleCredentialsBundle.create(credentialsBundle
-        .setTransport(Utils.getDefaultTransport())
+        .getGoogleCredentials()
-        .setJsonFactory(Utils.getDefaultJsonFactory())
+        .createDelegated(gSuiteAdminAccountEmailAddress)
-        .setServiceAccountId(googleCredential.getServiceAccountId())
+        .createScoped(requiredScopes));
        .setServiceAccountPrivateKey(googleCredential.getServiceAccountPrivateKey())
        .setServiceAccountScopes(requiredScopes)
        .setServiceAccountUser(gSuiteAdminAccountEmailAddress)
        .build();
  }
  /** Dagger qualifier for the Application Default Credential. */
--- a/core/src/main/java/google/registry/dns/writer/clouddns/CloudDnsWriterModule.java
+++ b/core/src/main/java/google/registry/dns/writer/clouddns/CloudDnsWriterModule.java
@ -14,7 +14,6 @@
 package google.registry.dns.writer.clouddns;
 import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.dns.Dns;
 import com.google.common.util.concurrent.RateLimiter;
 import dagger.Binds;
@ -26,6 +25,7 @@ import dagger.multibindings.StringKey;
 import google.registry.config.CredentialModule.DefaultCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.dns.writer.DnsWriter;
 import google.registry.util.GoogleCredentialsBundle;
 import java.util.Optional;
 import javax.inject.Named;
@ -35,12 +35,15 @@ public abstract class CloudDnsWriterModule {
  @Provides
  static Dns provideDns(
-      @DefaultCredential GoogleCredential credential,
+      @DefaultCredential GoogleCredentialsBundle credentialsBundle,
      @Config("projectId") String projectId,
      @Config("cloudDnsRootUrl") Optional<String> rootUrl,
      @Config("cloudDnsServicePath") Optional<String> servicePath) {
    Dns.Builder builder =
-        new Dns.Builder(credential.getTransport(), credential.getJsonFactory(), credential)
+        new Dns.Builder(
                credentialsBundle.getHttpTransport(),
                credentialsBundle.getJsonFactory(),
                credentialsBundle.getHttpRequestInitializer())
            .setApplicationName(projectId);
    rootUrl.ifPresent(builder::setRootUrl);
--- a/core/src/main/java/google/registry/export/DriveModule.java
+++ b/core/src/main/java/google/registry/export/DriveModule.java
@ -14,7 +14,6 @@
 package google.registry.export;
 import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.drive.Drive;
 import dagger.Component;
 import dagger.Module;
@ -24,6 +23,7 @@ import google.registry.config.CredentialModule.DefaultCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.config.RegistryConfig.ConfigModule;
 import google.registry.storage.drive.DriveConnection;
 import google.registry.util.GoogleCredentialsBundle;
 import javax.inject.Singleton;
 /** Dagger module for Google {@link Drive} service connection objects. */
@ -32,8 +32,13 @@ public final class DriveModule {
  @Provides
  static Drive provideDrive(
-      @DefaultCredential GoogleCredential credential, @Config("projectId") String projectId) {
+      @DefaultCredential GoogleCredentialsBundle credentialsBundle,
-    return new Drive.Builder(credential.getTransport(), credential.getJsonFactory(), credential)
+      @Config("projectId") String projectId) {
    return new Drive.Builder(
            credentialsBundle.getHttpTransport(),
            credentialsBundle.getJsonFactory(),
            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(projectId)
        .build();
  }
--- a/core/src/main/java/google/registry/export/datastore/DatastoreAdminModule.java
+++ b/core/src/main/java/google/registry/export/datastore/DatastoreAdminModule.java
@ -14,11 +14,11 @@
 package google.registry.export.datastore;
 import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.CredentialModule;
 import google.registry.config.RegistryConfig;
 import google.registry.util.GoogleCredentialsBundle;
 import javax.inject.Singleton;
 /** Dagger module that configures provision of {@link DatastoreAdmin}. */
@ -28,10 +28,12 @@ public abstract class DatastoreAdminModule {
  @Singleton
  @Provides
  static DatastoreAdmin provideDatastoreAdmin(
-      @CredentialModule.DefaultCredential GoogleCredential credential,
+      @CredentialModule.DefaultCredential GoogleCredentialsBundle credentialsBundle,
      @RegistryConfig.Config("projectId") String projectId) {
    return new DatastoreAdmin.Builder(
-            credential.getTransport(), credential.getJsonFactory(), credential)
+            credentialsBundle.getHttpTransport(),
            credentialsBundle.getJsonFactory(),
            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(projectId)
        .setProjectId(projectId)
        .build();
--- a/core/src/main/java/google/registry/export/sheet/SheetsServiceModule.java
+++ b/core/src/main/java/google/registry/export/sheet/SheetsServiceModule.java
@ -14,12 +14,12 @@
 package google.registry.export.sheet;
 import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.sheets.v4.Sheets;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.CredentialModule.JsonCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.util.GoogleCredentialsBundle;
 /** Dagger module for {@link Sheets}. */
@Module
@ -27,8 +27,12 @@ public final class SheetsServiceModule {
  @Provides
  static Sheets provideSheets(
-      @JsonCredential GoogleCredential credential, @Config("projectId") String projectId) {
+      @JsonCredential GoogleCredentialsBundle credentialsBundle,
-    return new Sheets.Builder(credential.getTransport(), credential.getJsonFactory(), credential)
+      @Config("projectId") String projectId) {
    return new Sheets.Builder(
            credentialsBundle.getHttpTransport(),
            credentialsBundle.getJsonFactory(),
            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(projectId)
        .build();
  }
--- a/core/src/main/java/google/registry/groups/DirectoryModule.java
+++ b/core/src/main/java/google/registry/groups/DirectoryModule.java
@ -14,12 +14,12 @@
 package google.registry.groups;
 import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.admin.directory.Directory;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.CredentialModule.DelegatedCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.util.GoogleCredentialsBundle;
 /** Dagger module for the Google {@link Directory} service. */
@Module
@ -27,8 +27,12 @@ public final class DirectoryModule {
  @Provides
  static Directory provideDirectory(
-      @DelegatedCredential GoogleCredential credential, @Config("projectId") String projectId) {
+      @DelegatedCredential GoogleCredentialsBundle credentialsBundle,
-    return new Directory.Builder(credential.getTransport(), credential.getJsonFactory(), credential)
+      @Config("projectId") String projectId) {
    return new Directory.Builder(
            credentialsBundle.getHttpTransport(),
            credentialsBundle.getJsonFactory(),
            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(projectId)
        .build();
  }
--- a/core/src/main/java/google/registry/groups/GroupssettingsModule.java
+++ b/core/src/main/java/google/registry/groups/GroupssettingsModule.java
@ -14,12 +14,12 @@
 package google.registry.groups;
 import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.groupssettings.Groupssettings;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.CredentialModule.DelegatedCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.util.GoogleCredentialsBundle;
 /** Dagger module for the Google {@link Groupssettings} service. */
@Module
@ -27,9 +27,12 @@ public final class GroupssettingsModule {
  @Provides
  static Groupssettings provideDirectory(
-      @DelegatedCredential GoogleCredential credential, @Config("projectId") String projectId) {
+      @DelegatedCredential GoogleCredentialsBundle credentialsBundle,
      @Config("projectId") String projectId) {
    return new Groupssettings.Builder(
-            credential.getTransport(), credential.getJsonFactory(), credential)
+            credentialsBundle.getHttpTransport(),
            credentialsBundle.getJsonFactory(),
            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(projectId)
        .build();
  }
--- a/core/src/main/java/google/registry/keyring/kms/KmsModule.java
+++ b/core/src/main/java/google/registry/keyring/kms/KmsModule.java
@ -14,7 +14,6 @@
 package google.registry.keyring.kms;
 import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.cloudkms.v1.CloudKMS;
 import dagger.Binds;
 import dagger.Module;
@ -24,6 +23,7 @@ import dagger.multibindings.StringKey;
 import google.registry.config.CredentialModule.DefaultCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.keyring.api.Keyring;
 import google.registry.util.GoogleCredentialsBundle;
 /** Dagger module for Cloud KMS. */
@Module
@ -31,20 +31,23 @@ public abstract class KmsModule {
  public static final String NAME = "KMS";
  @Binds
  @IntoMap
  @StringKey(NAME)
  abstract Keyring provideKeyring(KmsKeyring keyring);
  @Provides
  static CloudKMS provideKms(
-      @DefaultCredential GoogleCredential credential,
+      @DefaultCredential GoogleCredentialsBundle credentialsBundle,
      @Config("cloudKmsProjectId") String projectId) {
-    return new CloudKMS.Builder(credential.getTransport(), credential.getJsonFactory(), credential)
+    return new CloudKMS.Builder(
            credentialsBundle.getHttpTransport(),
            credentialsBundle.getJsonFactory(),
            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(projectId)
        .build();
  }
  @Binds
  @IntoMap
  @StringKey(NAME)
  abstract Keyring provideKeyring(KmsKeyring keyring);
  @Binds
  abstract KmsConnection provideKmsConnection(KmsConnectionImpl kmsConnectionImpl);
 }
--- a/core/src/main/java/google/registry/monitoring/whitebox/StackdriverModule.java
+++ b/core/src/main/java/google/registry/monitoring/whitebox/StackdriverModule.java
@ -14,7 +14,6 @@
 package google.registry.monitoring.whitebox;
 import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.monitoring.v3.Monitoring;
 import com.google.api.services.monitoring.v3.model.MonitoredResource;
 import com.google.appengine.api.modules.ModulesService;
@ -27,6 +26,7 @@ import dagger.Module;
 import dagger.Provides;
 import google.registry.config.CredentialModule.JsonCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.util.GoogleCredentialsBundle;
 import org.joda.time.Duration;
 /** Dagger module for Google Stackdriver service connection objects. */
@ -39,9 +39,12 @@ public final class StackdriverModule {
  @Provides
  static Monitoring provideMonitoring(
-      @JsonCredential GoogleCredential credential, @Config("projectId") String projectId) {
+      @JsonCredential GoogleCredentialsBundle credentialsBundle,
      @Config("projectId") String projectId) {
    return new Monitoring.Builder(
-            credential.getTransport(), credential.getJsonFactory(), credential)
+            credentialsBundle.getHttpTransport(),
            credentialsBundle.getJsonFactory(),
            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(projectId)
        .build();
  }
--- a/core/src/main/java/google/registry/reporting/ReportingModule.java
+++ b/core/src/main/java/google/registry/reporting/ReportingModule.java
@ -17,7 +17,6 @@ package google.registry.reporting;
 import static google.registry.request.RequestParameters.extractOptionalParameter;
 import static google.registry.request.RequestParameters.extractRequiredParameter;
 import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.dataflow.Dataflow;
 import dagger.Module;
 import dagger.Provides;
@ -25,6 +24,7 @@ import google.registry.config.CredentialModule.DefaultCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.request.HttpException.BadRequestException;
 import google.registry.request.Parameter;
 import google.registry.util.GoogleCredentialsBundle;
 import google.registry.util.Clock;
 import java.util.Optional;
 import javax.servlet.http.HttpServletRequest;
@ -118,8 +118,12 @@ public class ReportingModule {
  /** Constructs a {@link Dataflow} API client with default settings. */
  @Provides
  static Dataflow provideDataflow(
-      @DefaultCredential GoogleCredential credential, @Config("projectId") String projectId) {
+      @DefaultCredential GoogleCredentialsBundle credentialsBundle,
-    return new Dataflow.Builder(credential.getTransport(), credential.getJsonFactory(), credential)
+      @Config("projectId") String projectId) {
    return new Dataflow.Builder(
            credentialsBundle.getHttpTransport(),
            credentialsBundle.getJsonFactory(),
            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(String.format("%s billing", projectId))
        .build();
  }
--- a/core/src/main/java/google/registry/tools/AppEngineAdminApiModule.java
+++ b/core/src/main/java/google/registry/tools/AppEngineAdminApiModule.java
@ -14,13 +14,12 @@
 package google.registry.tools;
 import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.client.googleapis.util.Utils;
 import com.google.api.services.appengine.v1.Appengine;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.CredentialModule.LocalCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.util.GoogleCredentialsBundle;
 import javax.inject.Singleton;
 /** Module providing the instance of {@link Appengine} to access App Engine Admin Api. */
@ -30,9 +29,12 @@ public abstract class AppEngineAdminApiModule {
  @Provides
  @Singleton
  public static Appengine provideAppengine(
-      @LocalCredential GoogleCredential credential, @Config("projectId") String projectId) {
+      @LocalCredential GoogleCredentialsBundle credentialsBundle,
      @Config("projectId") String projectId) {
    return new Appengine.Builder(
-            Utils.getDefaultTransport(), Utils.getDefaultJsonFactory(), credential)
+            credentialsBundle.getHttpTransport(),
            credentialsBundle.getJsonFactory(),
            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(projectId)
        .build();
  }
--- a/core/src/main/java/google/registry/tools/AuthModule.java
+++ b/core/src/main/java/google/registry/tools/AuthModule.java
@ -20,7 +20,6 @@ import com.google.api.client.auth.oauth2.Credential;
 import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;
 import com.google.api.client.googleapis.auth.oauth2.GoogleClientSecrets;
 import com.google.api.client.googleapis.auth.oauth2.GoogleClientSecrets.Details;
 import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.client.http.javanet.NetHttpTransport;
 import com.google.api.client.json.JsonFactory;
 import com.google.api.client.util.store.AbstractDataStoreFactory;
@ -39,10 +38,10 @@ import google.registry.config.CredentialModule.DefaultCredential;
 import google.registry.config.CredentialModule.LocalCredential;
 import google.registry.config.CredentialModule.LocalCredentialJson;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.util.GoogleCredentialsBundle;
 import java.io.ByteArrayInputStream;
 import java.io.File;
 import java.io.IOException;
 import java.io.UncheckedIOException;
 import java.lang.annotation.Documented;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
@ -60,14 +59,6 @@ public class AuthModule {
  private static final File DATA_STORE_DIR =
      new File(System.getProperty("user.home"), ".config/nomulus/credentials");
  @Module
  abstract static class LocalCredentialModule {
    @Binds
    @DefaultCredential
    abstract GoogleCredential provideLocalCredentialAsDefaultCredential(
        @LocalCredential GoogleCredential credential);
  }
  @Provides
  @StoredCredential
  static Credential provideCredential(
@ -86,38 +77,21 @@ public class AuthModule {
  @Provides
  @LocalCredential
-  public static GoogleCredential provideLocalCredential(
+  public static GoogleCredentialsBundle provideLocalCredential(
      @LocalCredentialJson String credentialJson,
      @Config("localCredentialOauthScopes") ImmutableList<String> scopes) {
    try {
-      GoogleCredential credential =
+      GoogleCredentials credential =
-          GoogleCredential.fromStream(new ByteArrayInputStream(credentialJson.getBytes(UTF_8)));
+          GoogleCredentials.fromStream(new ByteArrayInputStream(credentialJson.getBytes(UTF_8)));
      if (credential.createScopedRequired()) {
        credential = credential.createScoped(scopes);
      }
-      return credential;
+      return GoogleCredentialsBundle.create(credential);
    } catch (IOException e) {
      throw new RuntimeException(e);
    }
  }
  @Provides
  @LocalOAuth2Credentials
  public static GoogleCredentials provideLocalOAuth2Credentials(
      @LocalCredentialJson String credentialJson,
      @Config("localCredentialOauthScopes") ImmutableList<String> scopes) {
    try {
      GoogleCredentials credentials =
          GoogleCredentials.fromStream(new ByteArrayInputStream(credentialJson.getBytes(UTF_8)));
      if (credentials.createScopedRequired()) {
        credentials = credentials.createScoped(scopes);
      }
      return credentials;
    } catch (IOException e) {
      throw new UncheckedIOException(e);
    }
  }
  @Provides
  public static GoogleAuthorizationCodeFlow provideAuthorizationCodeFlow(
      JsonFactory jsonFactory,
@ -198,16 +172,11 @@ public class AuthModule {
    }
  }
  /** Raised when we need a user login. */
  static class LoginRequiredException extends RuntimeException {
    LoginRequiredException() {}
  }
  /**
   * Dagger qualifier for the {@link Credential} constructed from the data stored on disk.
   *
   * <p>This {@link Credential} should not be used in another module, hence the private qualifier.
-   * It's only use is to build a {@link GoogleCredential}, which is used in injection sites
+   * It's only use is to build a {@link GoogleCredentials}, which is used in injection sites
   * elsewhere.
   */
  @Qualifier
@ -227,9 +196,16 @@ public class AuthModule {
  @Retention(RetentionPolicy.RUNTIME)
  @interface OAuthClientId {}
-  /** Dagger qualifier for the local OAuth2 Credentials. */
+  @Module
-  @Qualifier
+  abstract static class LocalCredentialModule {
-  @Documented
+    @Binds
-  @Retention(RetentionPolicy.RUNTIME)
+    @DefaultCredential
-  public @interface LocalOAuth2Credentials {}
+    abstract GoogleCredentialsBundle provideLocalCredentialAsDefaultCredential(
        @LocalCredential GoogleCredentialsBundle credential);
  }
  /** Raised when we need a user login. */
  static class LoginRequiredException extends RuntimeException {
    LoginRequiredException() {}
  }
 }
--- a/core/src/main/java/google/registry/tools/RequestFactoryModule.java
+++ b/core/src/main/java/google/registry/tools/RequestFactoryModule.java
@ -14,13 +14,13 @@
 package google.registry.tools;
 import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.client.http.HttpRequestFactory;
 import com.google.api.client.http.javanet.NetHttpTransport;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.CredentialModule.DefaultCredential;
 import google.registry.config.RegistryConfig;
 import google.registry.util.GoogleCredentialsBundle;
 /**
 * Module for providing the HttpRequestFactory.
@ -35,7 +35,7 @@ class RequestFactoryModule {
  @Provides
  static HttpRequestFactory provideHttpRequestFactory(
-      @DefaultCredential GoogleCredential credential) {
+      @DefaultCredential GoogleCredentialsBundle credentialsBundle) {
    if (RegistryConfig.areServersLocal()) {
      return new NetHttpTransport()
          .createRequestFactory(
@ -47,11 +47,12 @@ class RequestFactoryModule {
      return new NetHttpTransport()
          .createRequestFactory(
              request -> {
-                credential.initialize(request);
+                credentialsBundle.getHttpRequestInitializer().initialize(request);
                // GAE request times out after 10 min, so here we set the timeout to 10 min. This is
                // needed to support some nomulus commands like updating premium lists that take
                // a lot of time to complete.
-                // See https://developers.google.com/api-client-library/java/google-api-java-client/errors
+                // See
                // https://developers.google.com/api-client-library/java/google-api-java-client/errors
                request.setConnectTimeout(REQUEST_TIMEOUT_MS);
                request.setReadTimeout(REQUEST_TIMEOUT_MS);
              });
--- a/core/src/test/java/google/registry/export/datastore/DatastoreAdminTest.java
+++ b/core/src/test/java/google/registry/export/datastore/DatastoreAdminTest.java
@ -17,17 +17,17 @@ package google.registry.export.datastore;
 import static com.google.common.truth.Truth.assertThat;
 import static com.google.common.truth.Truth8.assertThat;
 import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.client.http.GenericUrl;
 import com.google.api.client.http.HttpRequest;
-import com.google.api.client.http.HttpTransport;
+import com.google.auth.oauth2.AccessToken;
-import com.google.api.client.http.javanet.NetHttpTransport;
+import com.google.auth.oauth2.GoogleCredentials;
 import com.google.api.client.json.jackson2.JacksonFactory;
 import com.google.common.collect.ImmutableList;
 import google.registry.testing.TestDataHelper;
 import google.registry.util.GoogleCredentialsBundle;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.util.Date;
 import java.util.Optional;
 import org.junit.Before;
 import org.junit.Rule;
@ -48,27 +48,44 @@ public class DatastoreAdminTest {
  @Rule public final MockitoRule mocks = MockitoJUnit.rule();
  private HttpTransport httpTransport;
  private GoogleCredential googleCredential;
  private DatastoreAdmin datastoreAdmin;
  private static HttpRequest simulateSendRequest(HttpRequest httpRequest) {
    try {
      httpRequest.setUrl(new GenericUrl("https://localhost:65537")).execute();
    } catch (Exception expected) {
    }
    return httpRequest;
  }
  private static Optional<String> getAccessToken(HttpRequest httpRequest) {
    return httpRequest.getHeaders().getAuthorizationAsList().stream()
        .filter(header -> header.startsWith(AUTH_HEADER_PREFIX))
        .map(header -> header.substring(AUTH_HEADER_PREFIX.length()))
        .findAny();
  }
  private static Optional<String> getRequestContent(HttpRequest httpRequest) throws IOException {
    if (httpRequest.getContent() == null) {
      return Optional.empty();
    }
    ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
    httpRequest.getContent().writeTo(outputStream);
    outputStream.close();
    return Optional.of(outputStream.toString(StandardCharsets.UTF_8.name()));
  }
  @Before
  public void setup() {
-    httpTransport = new NetHttpTransport();
+    Date oneHourLater = new Date(System.currentTimeMillis() + 3_600_000);
-    googleCredential =
+    GoogleCredentials googleCredentials = GoogleCredentials
-        new GoogleCredential.Builder()
+        .create(new AccessToken(ACCESS_TOKEN, oneHourLater));
-            .setTransport(httpTransport)
+    GoogleCredentialsBundle credentialsBundle = GoogleCredentialsBundle.create(googleCredentials);
            .setJsonFactory(JacksonFactory.getDefaultInstance())
            .setClock(() -> 0)
            .build();
    googleCredential.setAccessToken(ACCESS_TOKEN);
    googleCredential.setExpiresInSeconds(1_000L);
    datastoreAdmin =
        new DatastoreAdmin.Builder(
-                googleCredential.getTransport(),
+                credentialsBundle.getHttpTransport(),
-                googleCredential.getJsonFactory(),
+                credentialsBundle.getJsonFactory(),
-                googleCredential)
+                credentialsBundle.getHttpRequestInitializer())
            .setApplicationName("MyApplication")
            .setProjectId("MyCloudProject")
            .build();
@ -151,29 +168,4 @@ public class DatastoreAdminTest {
    simulateSendRequest(httpRequest);
    assertThat(getAccessToken(httpRequest)).hasValue(ACCESS_TOKEN);
  }
  private static HttpRequest simulateSendRequest(HttpRequest httpRequest) {
    try {
      httpRequest.setUrl(new GenericUrl("https://localhost:65537")).execute();
    } catch (Exception expected) {
    }
    return httpRequest;
  }
  private static Optional<String> getAccessToken(HttpRequest httpRequest) {
    return httpRequest.getHeaders().getAuthorizationAsList().stream()
        .filter(header -> header.startsWith(AUTH_HEADER_PREFIX))
        .map(header -> header.substring(AUTH_HEADER_PREFIX.length()))
        .findAny();
  }
  private static Optional<String> getRequestContent(HttpRequest httpRequest) throws IOException {
    if (httpRequest.getContent() == null) {
      return Optional.empty();
    }
    ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
    httpRequest.getContent().writeTo(outputStream);
    outputStream.close();
    return Optional.of(outputStream.toString(StandardCharsets.UTF_8.name()));
  }
 }
--- a/core/src/test/java/google/registry/tools/RequestFactoryModuleTest.java
+++ b/core/src/test/java/google/registry/tools/RequestFactoryModuleTest.java
@ -16,34 +16,40 @@ package google.registry.tools;
 import static com.google.common.truth.Truth.assertThat;
 import static google.registry.tools.RequestFactoryModule.REQUEST_TIMEOUT_MS;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoMoreInteractions;
 import static org.mockito.Mockito.verifyZeroInteractions;
 import static org.mockito.Mockito.when;
 import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.client.http.GenericUrl;
 import com.google.api.client.http.HttpRequest;
 import com.google.api.client.http.HttpRequestFactory;
 import com.google.api.client.http.HttpRequestInitializer;
 import google.registry.config.RegistryConfig;
 import google.registry.testing.SystemPropertyRule;
 import google.registry.util.GoogleCredentialsBundle;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
 import org.mockito.Mock;
 import org.mockito.junit.MockitoJUnit;
 import org.mockito.junit.MockitoRule;
@RunWith(JUnit4.class)
 public class RequestFactoryModuleTest {
-  private final GoogleCredential googleCredential = mock(GoogleCredential.class);
+  @Rule public final MockitoRule mockitoRule = MockitoJUnit.rule();
  @Rule public final SystemPropertyRule systemPropertyRule = new SystemPropertyRule();
  @Mock public GoogleCredentialsBundle credentialsBundle;
  @Mock public HttpRequestInitializer httpRequestInitializer;
  @Before
  public void setUp() {
    RegistryToolEnvironment.UNITTEST.setup(systemPropertyRule);
    when(credentialsBundle.getHttpRequestInitializer()).thenReturn(httpRequestInitializer);
  }
  @Test
@ -52,12 +58,13 @@ public class RequestFactoryModuleTest {
    boolean origIsLocal = RegistryConfig.CONFIG_SETTINGS.get().appEngine.isLocal;
    RegistryConfig.CONFIG_SETTINGS.get().appEngine.isLocal = true;
    try {
-      HttpRequestFactory factory = RequestFactoryModule.provideHttpRequestFactory(googleCredential);
+      HttpRequestFactory factory =
          RequestFactoryModule.provideHttpRequestFactory(credentialsBundle);
      HttpRequestInitializer initializer = factory.getInitializer();
      assertThat(initializer).isNotNull();
      HttpRequest request = factory.buildGetRequest(new GenericUrl("http://localhost"));
      initializer.initialize(request);
-      verifyZeroInteractions(googleCredential);
+      verifyZeroInteractions(httpRequestInitializer);
    } finally {
      RegistryConfig.CONFIG_SETTINGS.get().appEngine.isLocal = origIsLocal;
    }
@ -69,15 +76,16 @@ public class RequestFactoryModuleTest {
    boolean origIsLocal = RegistryConfig.CONFIG_SETTINGS.get().appEngine.isLocal;
    RegistryConfig.CONFIG_SETTINGS.get().appEngine.isLocal = false;
    try {
-      HttpRequestFactory factory = RequestFactoryModule.provideHttpRequestFactory(googleCredential);
+      HttpRequestFactory factory =
          RequestFactoryModule.provideHttpRequestFactory(credentialsBundle);
      HttpRequestInitializer initializer = factory.getInitializer();
      assertThat(initializer).isNotNull();
      // HttpRequestFactory#buildGetRequest() calls initialize() once.
      HttpRequest request = factory.buildGetRequest(new GenericUrl("http://localhost"));
-      verify(googleCredential).initialize(request);
+      verify(httpRequestInitializer).initialize(request);
      assertThat(request.getConnectTimeout()).isEqualTo(REQUEST_TIMEOUT_MS);
      assertThat(request.getReadTimeout()).isEqualTo(REQUEST_TIMEOUT_MS);
-      verifyNoMoreInteractions(googleCredential);
+      verifyNoMoreInteractions(httpRequestInitializer);
    } finally {
      RegistryConfig.CONFIG_SETTINGS.get().appEngine.isLocal = origIsLocal;
    }
--- a/package-lock.json
+++ b/package-lock.json
--- a/proxy/build.gradle
+++ b/proxy/build.gradle
@ -12,6 +12,8 @@ dependencies {
  compile deps['com.google.apis:google-api-services-cloudkms']
  compile deps['com.google.apis:google-api-services-monitoring']
  compile deps['com.google.apis:google-api-services-storage']
  compile deps['com.google.auth:google-auth-library-credentials']
  compile deps['com.google.auth:google-auth-library-oauth2-http']
  compile deps['com.google.auto.value:auto-value-annotations']
  compile deps['com.google.code.findbugs:jsr305']
  compile deps['com.google.code.gson:gson']
--- a/proxy/gradle/dependency-locks/compile.lockfile
+++ b/proxy/gradle/dependency-locks/compile.lockfile
@ -2,13 +2,15 @@
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
 com.beust:jcommander:1.60
-com.fasterxml.jackson.core:jackson-core:2.9.6
+com.fasterxml.jackson.core:jackson-core:2.9.9
 com.google.api-client:google-api-client:1.29.2
 com.google.apis:google-api-services-cloudkms:v1-rev12-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-storage:v1-rev150-1.22.0
 com.google.appengine:appengine-api-1.0-sdk:1.9.48
 com.google.appengine:appengine-testing:1.9.58
 com.google.auth:google-auth-library-credentials:0.16.1
 com.google.auth:google-auth-library-oauth2-http:0.16.1
 com.google.auto.value:auto-value-annotations:1.6.3
 com.google.auto.value:auto-value:1.6.3
 com.google.code.findbugs:jsr305:3.0.2
@ -19,17 +21,17 @@ com.google.flogger:flogger:0.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:27.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.http-client:google-http-client-jackson2:1.29.2
+com.google.http-client:google-http-client-jackson2:1.30.1
-com.google.http-client:google-http-client:1.29.2
+com.google.http-client:google-http-client:1.30.1
-com.google.j2objc:j2objc-annotations:1.1
+com.google.j2objc:j2objc-annotations:1.3
 com.google.monitoring-client:metrics:1.0.4
 com.google.monitoring-client:stackdriver:1.0.4
 com.google.oauth-client:google-oauth-client:1.29.2
 com.google.re2j:re2j:1.1
 com.ibm.icu:icu4j:57.1
-commons-codec:commons-codec:1.10
+commons-codec:commons-codec:1.11
 commons-logging:commons-logging:1.2
-io.grpc:grpc-context:1.18.0
+io.grpc:grpc-context:1.19.0
 io.netty:netty-buffer:4.1.31.Final
 io.netty:netty-codec-http:4.1.31.Final
 io.netty:netty-codec:4.1.31.Final
@ -37,15 +39,15 @@ io.netty:netty-common:4.1.31.Final
 io.netty:netty-handler:4.1.31.Final
 io.netty:netty-resolver:4.1.31.Final
 io.netty:netty-transport:4.1.31.Final
-io.opencensus:opencensus-api:0.19.2
+io.opencensus:opencensus-api:0.21.0
-io.opencensus:opencensus-contrib-http-util:0.19.2
+io.opencensus:opencensus-contrib-http-util:0.21.0
 javax.activation:activation:1.1
 javax.inject:javax.inject:1
 javax.mail:mail:1.4
 javax.xml.bind:jaxb-api:2.3.0
 joda-time:joda-time:2.9.2
-org.apache.httpcomponents:httpclient:4.5.5
+org.apache.httpcomponents:httpclient:4.5.8
-org.apache.httpcomponents:httpcore:4.4.9
+org.apache.httpcomponents:httpcore:4.4.11
 org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.5.2
--- a/proxy/gradle/dependency-locks/compileClasspath.lockfile
+++ b/proxy/gradle/dependency-locks/compileClasspath.lockfile
@ -2,13 +2,15 @@
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
 com.beust:jcommander:1.60
-com.fasterxml.jackson.core:jackson-core:2.9.6
+com.fasterxml.jackson.core:jackson-core:2.9.9
 com.google.api-client:google-api-client:1.29.2
 com.google.apis:google-api-services-cloudkms:v1-rev12-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-storage:v1-rev150-1.22.0
 com.google.appengine:appengine-api-1.0-sdk:1.9.48
 com.google.appengine:appengine-testing:1.9.58
 com.google.auth:google-auth-library-credentials:0.16.1
 com.google.auth:google-auth-library-oauth2-http:0.16.1
 com.google.auto.value:auto-value-annotations:1.6.3
 com.google.auto.value:auto-value:1.6.3
 com.google.code.findbugs:jsr305:3.0.2
@ -19,17 +21,17 @@ com.google.flogger:flogger:0.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:27.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.http-client:google-http-client-jackson2:1.29.2
+com.google.http-client:google-http-client-jackson2:1.30.1
-com.google.http-client:google-http-client:1.29.2
+com.google.http-client:google-http-client:1.30.1
-com.google.j2objc:j2objc-annotations:1.1
+com.google.j2objc:j2objc-annotations:1.3
 com.google.monitoring-client:metrics:1.0.4
 com.google.monitoring-client:stackdriver:1.0.4
 com.google.oauth-client:google-oauth-client:1.29.2
 com.google.re2j:re2j:1.1
 com.ibm.icu:icu4j:57.1
-commons-codec:commons-codec:1.10
+commons-codec:commons-codec:1.11
 commons-logging:commons-logging:1.2
-io.grpc:grpc-context:1.18.0
+io.grpc:grpc-context:1.19.0
 io.netty:netty-buffer:4.1.31.Final
 io.netty:netty-codec-http:4.1.31.Final
 io.netty:netty-codec:4.1.31.Final
@ -37,15 +39,15 @@ io.netty:netty-common:4.1.31.Final
 io.netty:netty-handler:4.1.31.Final
 io.netty:netty-resolver:4.1.31.Final
 io.netty:netty-transport:4.1.31.Final
-io.opencensus:opencensus-api:0.19.2
+io.opencensus:opencensus-api:0.21.0
-io.opencensus:opencensus-contrib-http-util:0.19.2
+io.opencensus:opencensus-contrib-http-util:0.21.0
 javax.activation:activation:1.1
 javax.inject:javax.inject:1
 javax.mail:mail:1.4
 javax.xml.bind:jaxb-api:2.3.0
 joda-time:joda-time:2.9.2
-org.apache.httpcomponents:httpclient:4.5.5
+org.apache.httpcomponents:httpclient:4.5.8
-org.apache.httpcomponents:httpcore:4.4.9
+org.apache.httpcomponents:httpcore:4.4.11
 org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.5.2
--- a/proxy/gradle/dependency-locks/runtimeClasspath.lockfile
+++ b/proxy/gradle/dependency-locks/runtimeClasspath.lockfile
@ -2,13 +2,15 @@
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
 com.beust:jcommander:1.60
-com.fasterxml.jackson.core:jackson-core:2.9.6
+com.fasterxml.jackson.core:jackson-core:2.9.9
 com.google.api-client:google-api-client:1.29.2
 com.google.apis:google-api-services-cloudkms:v1-rev12-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-storage:v1-rev150-1.22.0
 com.google.appengine:appengine-api-1.0-sdk:1.9.48
 com.google.appengine:appengine-testing:1.9.58
 com.google.auth:google-auth-library-credentials:0.16.1
 com.google.auth:google-auth-library-oauth2-http:0.16.1
 com.google.auto.value:auto-value-annotations:1.6.3
 com.google.auto.value:auto-value:1.6.3
 com.google.code.findbugs:jsr305:3.0.2
@ -20,17 +22,17 @@ com.google.flogger:flogger:0.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:27.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.http-client:google-http-client-jackson2:1.29.2
+com.google.http-client:google-http-client-jackson2:1.30.1
-com.google.http-client:google-http-client:1.29.2
+com.google.http-client:google-http-client:1.30.1
-com.google.j2objc:j2objc-annotations:1.1
+com.google.j2objc:j2objc-annotations:1.3
 com.google.monitoring-client:metrics:1.0.4
 com.google.monitoring-client:stackdriver:1.0.4
 com.google.oauth-client:google-oauth-client:1.29.2
 com.google.re2j:re2j:1.1
 com.ibm.icu:icu4j:57.1
-commons-codec:commons-codec:1.10
+commons-codec:commons-codec:1.11
 commons-logging:commons-logging:1.2
-io.grpc:grpc-context:1.18.0
+io.grpc:grpc-context:1.19.0
 io.netty:netty-buffer:4.1.31.Final
 io.netty:netty-codec-http:4.1.31.Final
 io.netty:netty-codec:4.1.31.Final
@ -39,15 +41,15 @@ io.netty:netty-handler:4.1.31.Final
 io.netty:netty-resolver:4.1.31.Final
 io.netty:netty-tcnative-boringssl-static:2.0.22.Final
 io.netty:netty-transport:4.1.31.Final
-io.opencensus:opencensus-api:0.19.2
+io.opencensus:opencensus-api:0.21.0
-io.opencensus:opencensus-contrib-http-util:0.19.2
+io.opencensus:opencensus-contrib-http-util:0.21.0
 javax.activation:activation:1.1
 javax.inject:javax.inject:1
 javax.mail:mail:1.4
 javax.xml.bind:jaxb-api:2.3.0
 joda-time:joda-time:2.9.2
-org.apache.httpcomponents:httpclient:4.5.5
+org.apache.httpcomponents:httpclient:4.5.8
-org.apache.httpcomponents:httpcore:4.4.9
+org.apache.httpcomponents:httpcore:4.4.11
 org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.5.2
--- a/proxy/src/main/java/google/registry/proxy/MetricsModule.java
+++ b/proxy/src/main/java/google/registry/proxy/MetricsModule.java
@ -14,8 +14,6 @@
 package google.registry.proxy;
 import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.client.googleapis.util.Utils;
 import com.google.api.services.monitoring.v3.Monitoring;
 import com.google.api.services.monitoring.v3.model.MonitoredResource;
 import com.google.common.collect.ImmutableMap;
@ -29,6 +27,7 @@ import dagger.Module;
 import dagger.Provides;
 import google.registry.proxy.ProxyConfig.Environment;
 import google.registry.proxy.metric.MetricParameters;
 import google.registry.util.GoogleCredentialsBundle;
 import javax.inject.Singleton;
 /** Module that provides necessary bindings to instantiate a {@link MetricReporter} */
@ -39,9 +38,12 @@ public class MetricsModule {
  @Singleton
  @Provides
-  static Monitoring provideMonitoring(GoogleCredential credential, ProxyConfig config) {
+  static Monitoring provideMonitoring(GoogleCredentialsBundle credentialsBundle,
      ProxyConfig config) {
    return new Monitoring.Builder(
-            Utils.getDefaultTransport(), Utils.getDefaultJsonFactory(), credential)
+            credentialsBundle.getHttpTransport(),
            credentialsBundle.getJsonFactory(),
            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(config.projectId)
        .build();
  }
--- a/proxy/src/main/java/google/registry/proxy/ProxyModule.java
+++ b/proxy/src/main/java/google/registry/proxy/ProxyModule.java
@ -20,11 +20,11 @@ import static google.registry.proxy.ProxyConfig.getProxyConfig;
 import com.beust.jcommander.JCommander;
 import com.beust.jcommander.Parameter;
 import com.beust.jcommander.ParameterException;
 import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.client.googleapis.util.Utils;
 import com.google.api.services.cloudkms.v1.CloudKMS;
 import com.google.api.services.cloudkms.v1.model.DecryptRequest;
 import com.google.api.services.storage.Storage;
 import com.google.auth.oauth2.AccessToken;
 import com.google.auth.oauth2.GoogleCredentials;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Maps;
 import com.google.common.flogger.LoggerConfig;
@ -41,6 +41,7 @@ import google.registry.proxy.WebWhoisProtocolsModule.HttpsWhoisProtocol;
 import google.registry.proxy.WhoisProtocolModule.WhoisProtocol;
 import google.registry.proxy.handler.ProxyProtocolHandler;
 import google.registry.util.Clock;
 import google.registry.util.GoogleCredentialsBundle;
 import google.registry.util.SystemClock;
 import io.netty.handler.logging.LogLevel;
 import io.netty.handler.logging.LoggingHandler;
@ -50,6 +51,7 @@ import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.util.Arrays;
 import java.util.Base64;
 import java.util.Date;
 import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.ExecutorService;
@ -209,13 +211,13 @@ public class ProxyModule {
  @Singleton
  @Provides
-  static GoogleCredential provideCredential(ProxyConfig config) {
+  static GoogleCredentialsBundle provideCredential(ProxyConfig config) {
    try {
-      GoogleCredential credential = GoogleCredential.getApplicationDefault();
+      GoogleCredentials credentials = GoogleCredentials.getApplicationDefault();
-      if (credential.createScopedRequired()) {
+      if (credentials.createScopedRequired()) {
-        credential = credential.createScoped(config.gcpScopes);
+        credentials = credentials.createScoped(config.gcpScopes);
      }
-      return credential;
+      return GoogleCredentialsBundle.create(credentials);
    } catch (IOException e) {
      throw new RuntimeException("Unable to obtain OAuth2 credential.", e);
    }
@ -226,36 +228,45 @@ public class ProxyModule {
  @Provides
  @Named("accessToken")
  static Supplier<String> provideAccessTokenSupplier(
-      GoogleCredential credential, ProxyConfig config) {
+      GoogleCredentialsBundle credentialsBundle, ProxyConfig config) {
    return () -> {
      GoogleCredentials credentials = credentialsBundle.getGoogleCredentials();
      AccessToken accessToken = credentials.getAccessToken();
      Date nextExpirationTime =
          new Date(
              System.currentTimeMillis() + config.accessTokenRefreshBeforeExpirationSeconds * 1000);
      // If we never obtained an access token, the expiration time is null.
-      if (credential.getExpiresInSeconds() == null
+      if (accessToken == null
          // If we have an access token, make sure to refresh it ahead of time.
-          || credential.getExpiresInSeconds() < config.accessTokenRefreshBeforeExpirationSeconds) {
+          || accessToken.getExpirationTime().before(nextExpirationTime)) {
        try {
-          credential.refreshToken();
+          credentials.refresh();
        } catch (IOException e) {
          throw new RuntimeException("Cannot refresh access token.", e);
        }
      }
-      return credential.getAccessToken();
+      return credentials.getAccessToken().getTokenValue();
    };
  }
  @Singleton
  @Provides
-  static CloudKMS provideCloudKms(GoogleCredential credential, ProxyConfig config) {
+  static CloudKMS provideCloudKms(GoogleCredentialsBundle credentialsBundle, ProxyConfig config) {
    return new CloudKMS.Builder(
-            Utils.getDefaultTransport(), Utils.getDefaultJsonFactory(), credential)
+            credentialsBundle.getHttpTransport(),
            credentialsBundle.getJsonFactory(),
            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(config.projectId)
        .build();
  }
  @Singleton
  @Provides
-  static Storage provideStorage(GoogleCredential credential, ProxyConfig config) {
+  static Storage provideStorage(GoogleCredentialsBundle credentialsBundle, ProxyConfig config) {
    return new Storage.Builder(
-            Utils.getDefaultTransport(), Utils.getDefaultJsonFactory(), credential)
+            credentialsBundle.getHttpTransport(),
            credentialsBundle.getJsonFactory(),
            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(config.projectId)
        .build();
  }
@ -337,14 +348,14 @@ public class ProxyModule {
  @Singleton
  @Component(
      modules = {
-        ProxyModule.class,
+          ProxyModule.class,
-        CertificateModule.class,
+          CertificateModule.class,
-        HttpsRelayProtocolModule.class,
+          HttpsRelayProtocolModule.class,
-        WhoisProtocolModule.class,
+          WhoisProtocolModule.class,
-        WebWhoisProtocolsModule.class,
+          WebWhoisProtocolsModule.class,
-        EppProtocolModule.class,
+          EppProtocolModule.class,
-        HealthCheckProtocolModule.class,
+          HealthCheckProtocolModule.class,
-        MetricsModule.class
+          MetricsModule.class
      })
  interface ProxyComponent {
--- a/util/build.gradle
+++ b/util/build.gradle
@ -2,8 +2,11 @@ apply plugin: 'java'
 dependencies {
  def deps = rootProject.dependencyMap
  compile deps['com.google.api-client:google-api-client']
  compile deps['com.google.appengine:appengine-api-1.0-sdk']
  compile deps['com.google.appengine:appengine-testing']
  compile deps['com.google.auth:google-auth-library-credentials']
  compile deps['com.google.auth:google-auth-library-oauth2-http']
  compile deps['com.google.auto.value:auto-value-annotations']
  compile deps['com.google.code.findbugs:jsr305']
  compile deps['com.google.dagger:dagger']
--- a/util/gradle/dependency-locks/compile.lockfile
+++ b/util/gradle/dependency-locks/compile.lockfile
@ -1,8 +1,12 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
 com.fasterxml.jackson.core:jackson-core:2.9.9
 com.google.api-client:google-api-client:1.29.2
 com.google.appengine:appengine-api-1.0-sdk:1.9.48
 com.google.appengine:appengine-testing:1.9.58
 com.google.auth:google-auth-library-credentials:0.16.1
 com.google.auth:google-auth-library-oauth2-http:0.16.1
 com.google.auto.value:auto-value-annotations:1.6.3
 com.google.code.findbugs:jsr305:3.0.2
 com.google.dagger:dagger:2.21
@ -11,14 +15,24 @@ com.google.flogger:flogger:0.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:27.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.j2objc:j2objc-annotations:1.1
+com.google.http-client:google-http-client-jackson2:1.30.1
 com.google.http-client:google-http-client:1.30.1
 com.google.j2objc:j2objc-annotations:1.3
 com.google.oauth-client:google-oauth-client:1.29.2
 com.google.re2j:re2j:1.1
 com.ibm.icu:icu4j:57.1
 commons-codec:commons-codec:1.11
 commons-logging:commons-logging:1.2
 io.grpc:grpc-context:1.19.0
 io.opencensus:opencensus-api:0.21.0
 io.opencensus:opencensus-contrib-http-util:0.21.0
 javax.activation:activation:1.1
 javax.inject:javax.inject:1
 javax.mail:mail:1.4
 javax.xml.bind:jaxb-api:2.3.0
 joda-time:joda-time:2.9.2
 org.apache.httpcomponents:httpclient:4.5.8
 org.apache.httpcomponents:httpcore:4.4.11
 org.checkerframework:checker-qual:2.5.2
 org.codehaus.mojo:animal-sniffer-annotations:1.17
 org.yaml:snakeyaml:1.17
--- a/util/gradle/dependency-locks/compileClasspath.lockfile
+++ b/util/gradle/dependency-locks/compileClasspath.lockfile
@ -1,8 +1,12 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
 com.fasterxml.jackson.core:jackson-core:2.9.9
 com.google.api-client:google-api-client:1.29.2
 com.google.appengine:appengine-api-1.0-sdk:1.9.48
 com.google.appengine:appengine-testing:1.9.58
 com.google.auth:google-auth-library-credentials:0.16.1
 com.google.auth:google-auth-library-oauth2-http:0.16.1
 com.google.auto.value:auto-value-annotations:1.6.3
 com.google.code.findbugs:jsr305:3.0.2
 com.google.dagger:dagger:2.21
@ -11,14 +15,24 @@ com.google.flogger:flogger:0.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:27.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.j2objc:j2objc-annotations:1.1
+com.google.http-client:google-http-client-jackson2:1.30.1
 com.google.http-client:google-http-client:1.30.1
 com.google.j2objc:j2objc-annotations:1.3
 com.google.oauth-client:google-oauth-client:1.29.2
 com.google.re2j:re2j:1.1
 com.ibm.icu:icu4j:57.1
 commons-codec:commons-codec:1.11
 commons-logging:commons-logging:1.2
 io.grpc:grpc-context:1.19.0
 io.opencensus:opencensus-api:0.21.0
 io.opencensus:opencensus-contrib-http-util:0.21.0
 javax.activation:activation:1.1
 javax.inject:javax.inject:1
 javax.mail:mail:1.4
 javax.xml.bind:jaxb-api:2.3.0
 joda-time:joda-time:2.9.2
 org.apache.httpcomponents:httpclient:4.5.8
 org.apache.httpcomponents:httpcore:4.4.11
 org.checkerframework:checker-qual:2.5.2
 org.codehaus.mojo:animal-sniffer-annotations:1.17
 org.yaml:snakeyaml:1.17
--- a/util/gradle/dependency-locks/runtimeClasspath.lockfile
+++ b/util/gradle/dependency-locks/runtimeClasspath.lockfile
@ -1,8 +1,12 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
 com.fasterxml.jackson.core:jackson-core:2.9.9
 com.google.api-client:google-api-client:1.29.2
 com.google.appengine:appengine-api-1.0-sdk:1.9.48
 com.google.appengine:appengine-testing:1.9.58
 com.google.auth:google-auth-library-credentials:0.16.1
 com.google.auth:google-auth-library-oauth2-http:0.16.1
 com.google.auto.value:auto-value-annotations:1.6.3
 com.google.auto.value:auto-value:1.6.3
 com.google.code.findbugs:jsr305:3.0.2
@ -12,14 +16,24 @@ com.google.flogger:flogger:0.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:27.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.j2objc:j2objc-annotations:1.1
+com.google.http-client:google-http-client-jackson2:1.30.1
 com.google.http-client:google-http-client:1.30.1
 com.google.j2objc:j2objc-annotations:1.3
 com.google.oauth-client:google-oauth-client:1.29.2
 com.google.re2j:re2j:1.1
 com.ibm.icu:icu4j:57.1
 commons-codec:commons-codec:1.11
 commons-logging:commons-logging:1.2
 io.grpc:grpc-context:1.19.0
 io.opencensus:opencensus-api:0.21.0
 io.opencensus:opencensus-contrib-http-util:0.21.0
 javax.activation:activation:1.1
 javax.inject:javax.inject:1
 javax.mail:mail:1.4
 javax.xml.bind:jaxb-api:2.3.0
 joda-time:joda-time:2.9.2
 org.apache.httpcomponents:httpclient:4.5.8
 org.apache.httpcomponents:httpcore:4.4.11
 org.checkerframework:checker-qual:2.5.2
 org.codehaus.mojo:animal-sniffer-annotations:1.17
 org.yaml:snakeyaml:1.17
--- a/util/src/main/java/google/registry/util/GoogleCredentialsBundle.java
+++ b/util/src/main/java/google/registry/util/GoogleCredentialsBundle.java
@ -0,0 +1,70 @@
 // Copyright 2019 The Nomulus Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package google.registry.util;
 import static com.google.common.base.Preconditions.checkNotNull;
 import com.google.api.client.googleapis.util.Utils;
 import com.google.api.client.http.HttpRequestInitializer;
 import com.google.api.client.http.HttpTransport;
 import com.google.api.client.json.JsonFactory;
 import com.google.auth.http.HttpCredentialsAdapter;
 import com.google.auth.oauth2.GoogleCredentials;
 /**
 * Helper class to provide {@link HttpTransport}, {@link JsonFactory} and {@link
 * HttpRequestInitializer} for a given {@link GoogleCredentials}. These classes are normally needed
 * for creating the instance of a GCP client.
 */
 public class GoogleCredentialsBundle {
  private GoogleCredentials googleCredentials;
  private HttpTransport httpTransport;
  private JsonFactory jsonFactory;
  private HttpRequestInitializer httpRequestInitializer;
  private GoogleCredentialsBundle(GoogleCredentials googleCredentials) {
    checkNotNull(googleCredentials);
    this.googleCredentials = googleCredentials;
    this.httpTransport = Utils.getDefaultTransport();
    this.jsonFactory = Utils.getDefaultJsonFactory();
    this.httpRequestInitializer = new HttpCredentialsAdapter(googleCredentials);
  }
  /** Creates a {@link GoogleCredentialsBundle} instance from given {@link GoogleCredentials}. */
  public static GoogleCredentialsBundle create(GoogleCredentials credentials) {
    return new GoogleCredentialsBundle(credentials);
  }
  /** Returns the same {@link GoogleCredentials} used to create this object. */
  public GoogleCredentials getGoogleCredentials() {
    return googleCredentials;
  }
  /** Returns the instance of {@link HttpTransport}. */
  public HttpTransport getHttpTransport() {
    return httpTransport;
  }
  /** Returns the instance of {@link JsonFactory}. */
  public JsonFactory getJsonFactory() {
    return jsonFactory;
  }
  /** Returns the instance of {@link HttpRequestInitializer}. */
  public HttpRequestInitializer getHttpRequestInitializer() {
    return httpRequestInitializer;
  }
 }