Replace deprecated GoogleCredential with new auth lib (#129)

Replace deprecated GoogleCredential with new lib This PR also introduced a CredentialsBundle class to carry HttpTransport and JsonFactory object which are needed by most of the GCP library to instantiate client.
2025-07-03 09:43:30 +02:00 · 2019-07-02 10:29:51 -04:00 · 2019-07-02 10:29:51 -04:00 · 34a28e871e
commit 34a28e871e
parent dae8923bd1
29 changed files with 822 additions and 684 deletions
--- a/core/src/main/java/google/registry/beam/invoicing/InvoicingPipeline.java
+++ b/core/src/main/java/google/registry/beam/invoicing/InvoicingPipeline.java
@ -14,13 +14,13 @@

 package google.registry.beam.invoicing;

-import com.google.auth.oauth2.GoogleCredentials;
 import google.registry.beam.invoicing.BillingEvent.InvoiceGroupingKey;
 import google.registry.beam.invoicing.BillingEvent.InvoiceGroupingKey.InvoiceGroupingKeyCoder;
+import google.registry.config.CredentialModule.LocalCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.reporting.billing.BillingModule;
 import google.registry.reporting.billing.GenerateInvoicesAction;
-import google.registry.tools.AuthModule.LocalOAuth2Credentials;
+import google.registry.util.GoogleCredentialsBundle;
 import java.io.Serializable;
 import javax.inject.Inject;
 import org.apache.beam.runners.dataflow.DataflowRunner;
@ -81,8 +81,8 @@ public class InvoicingPipeline implements Serializable {
  @Config("invoiceFilePrefix")
  String invoiceFilePrefix;

-  @Inject @LocalOAuth2Credentials
-  GoogleCredentials credentials;
+  @Inject @LocalCredential
+  GoogleCredentialsBundle credentialsBundle;

  @Inject
  InvoicingPipeline() {}
@ -105,7 +105,7 @@ public class InvoicingPipeline implements Serializable {
  public void deploy() {
    // We can't store options as a member variable due to serialization concerns.
    InvoicingPipelineOptions options = PipelineOptionsFactory.as(InvoicingPipelineOptions.class);
-    options.setGcpCredential(credentials);
+    options.setGcpCredential(credentialsBundle.getGoogleCredentials());
    options.setProject(projectId);
    options.setRunner(DataflowRunner.class);
    // This causes p.run() to stage the pipeline as a template on GCS, as opposed to running it.
--- a/core/src/main/java/google/registry/bigquery/BigqueryModule.java
+++ b/core/src/main/java/google/registry/bigquery/BigqueryModule.java
@ -14,7 +14,6 @@

 package google.registry.bigquery;

-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.bigquery.Bigquery;
 import com.google.api.services.bigquery.model.TableFieldSchema;
 import com.google.common.collect.ImmutableList;
@ -23,24 +22,29 @@ import dagger.Provides;
 import dagger.multibindings.Multibinds;
 import google.registry.config.CredentialModule.DefaultCredential;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.util.GoogleCredentialsBundle;
 import java.util.Map;

 /** Dagger module for Google {@link Bigquery} connection objects. */
@Module
 public abstract class BigqueryModule {

-  /** Provides a map of BigQuery table names to field names. */
-  @Multibinds
-  abstract Map<String, ImmutableList<TableFieldSchema>> bigquerySchemas();
+  // No subclasses.
+  private BigqueryModule() {}

  @Provides
  static Bigquery provideBigquery(
-      @DefaultCredential GoogleCredential credential, @Config("projectId") String projectId) {
-    return new Bigquery.Builder(credential.getTransport(), credential.getJsonFactory(), credential)
+      @DefaultCredential GoogleCredentialsBundle credentialsBundle,
+      @Config("projectId") String projectId) {
+    return new Bigquery.Builder(
+            credentialsBundle.getHttpTransport(),
+            credentialsBundle.getJsonFactory(),
+            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(projectId)
        .build();
  }

-  // No subclasses.
-  private BigqueryModule() {}
+  /** Provides a map of BigQuery table names to field names. */
+  @Multibinds
+  abstract Map<String, ImmutableList<TableFieldSchema>> bigquerySchemas();
 }
--- a/core/src/main/java/google/registry/config/CredentialModule.java
+++ b/core/src/main/java/google/registry/config/CredentialModule.java
@ -16,32 +16,28 @@ package google.registry.config;

 import static java.nio.charset.StandardCharsets.UTF_8;

-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
-import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
-import com.google.api.client.googleapis.util.Utils;
+import com.google.auth.oauth2.GoogleCredentials;
 import com.google.common.collect.ImmutableList;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.keyring.api.KeyModule.Key;
+import google.registry.util.GoogleCredentialsBundle;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.io.UncheckedIOException;
 import java.lang.annotation.Documented;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
-import java.security.GeneralSecurityException;
 import javax.inject.Qualifier;
 import javax.inject.Singleton;

-/**
- * Dagger module that provides all {@link GoogleCredential GoogleCredentials} used in the
- * application.
- */
+/** Dagger module that provides all {@link GoogleCredentials} used in the application. */
@Module
 public abstract class CredentialModule {

  /**
-   * Provides the default {@link GoogleCredential} from the Google Cloud runtime.
+   * Provides the default {@link GoogleCredentialsBundle} from the Google Cloud runtime.
   *
   * <p>The credential returned depends on the runtime environment:
   *
@ -58,22 +54,22 @@ public abstract class CredentialModule {
  @DefaultCredential
  @Provides
  @Singleton
-  public static GoogleCredential provideDefaultCredential(
+  public static GoogleCredentialsBundle provideDefaultCredential(
      @Config("defaultCredentialOauthScopes") ImmutableList<String> requiredScopes) {
-    GoogleCredential credential;
+    GoogleCredentials credential;
    try {
-      credential = GoogleCredential.getApplicationDefault();
+      credential = GoogleCredentials.getApplicationDefault();
    } catch (IOException e) {
      throw new RuntimeException(e);
    }
    if (credential.createScopedRequired()) {
-      return credential.createScoped(requiredScopes);
+      credential = credential.createScoped(requiredScopes);
    }
-    return credential;
+    return GoogleCredentialsBundle.create(credential);
  }

  /**
-   * Provides a {@link GoogleCredential} from the service account's JSON key file.
+   * Provides a {@link GoogleCredentialsBundle} from the service account's JSON key file.
   *
   * <p>On App Engine, a thread created using Java's built-in API needs this credential when it
   * calls App Engine API. The Google Sheets API also needs this credential.
@ -81,28 +77,24 @@ public abstract class CredentialModule {
  @JsonCredential
  @Provides
  @Singleton
-  public static GoogleCredential provideJsonCredential(
+  public static GoogleCredentialsBundle provideJsonCredential(
      @Config("defaultCredentialOauthScopes") ImmutableList<String> requiredScopes,
      @Key("jsonCredential") String jsonCredential) {
-    GoogleCredential credential;
+    GoogleCredentials credential;
    try {
      credential =
-          GoogleCredential.fromStream(
-              new ByteArrayInputStream(jsonCredential.getBytes(UTF_8)),
-              // We cannot use UrlFetchTransport as that uses App Engine API.
-              GoogleNetHttpTransport.newTrustedTransport(),
-              Utils.getDefaultJsonFactory());
-    } catch (IOException | GeneralSecurityException e) {
-      throw new RuntimeException(e);
+          GoogleCredentials.fromStream(new ByteArrayInputStream(jsonCredential.getBytes(UTF_8)));
+    } catch (IOException e) {
+      throw new UncheckedIOException(e);
    }
    if (credential.createScopedRequired()) {
      credential = credential.createScoped(requiredScopes);
    }
-    return credential;
+    return GoogleCredentialsBundle.create(credential);
  }

  /**
-   * Provides a {@link GoogleCredential} with delegated admin access for a G Suite domain.
+   * Provides a {@link GoogleCredentialsBundle} with delegated admin access for a G Suite domain.
   *
   * <p>The G Suite domain must grant delegated admin access to the registry service account with
   * all scopes in {@code requiredScopes}, including ones not related to G Suite.
@ -110,18 +102,14 @@ public abstract class CredentialModule {
  @DelegatedCredential
  @Provides
  @Singleton
-  public static GoogleCredential provideDelegatedCredential(
+  public static GoogleCredentialsBundle provideDelegatedCredential(
      @Config("delegatedCredentialOauthScopes") ImmutableList<String> requiredScopes,
-      @JsonCredential GoogleCredential googleCredential,
+      @JsonCredential GoogleCredentialsBundle credentialsBundle,
      @Config("gSuiteAdminAccountEmailAddress") String gSuiteAdminAccountEmailAddress) {
-    return new GoogleCredential.Builder()
-        .setTransport(Utils.getDefaultTransport())
-        .setJsonFactory(Utils.getDefaultJsonFactory())
-        .setServiceAccountId(googleCredential.getServiceAccountId())
-        .setServiceAccountPrivateKey(googleCredential.getServiceAccountPrivateKey())
-        .setServiceAccountScopes(requiredScopes)
-        .setServiceAccountUser(gSuiteAdminAccountEmailAddress)
-        .build();
+    return GoogleCredentialsBundle.create(credentialsBundle
+        .getGoogleCredentials()
+        .createDelegated(gSuiteAdminAccountEmailAddress)
+        .createScoped(requiredScopes));
  }

  /** Dagger qualifier for the Application Default Credential. */
--- a/core/src/main/java/google/registry/dns/writer/clouddns/CloudDnsWriterModule.java
+++ b/core/src/main/java/google/registry/dns/writer/clouddns/CloudDnsWriterModule.java
@ -14,7 +14,6 @@

 package google.registry.dns.writer.clouddns;

-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.dns.Dns;
 import com.google.common.util.concurrent.RateLimiter;
 import dagger.Binds;
@ -26,6 +25,7 @@ import dagger.multibindings.StringKey;
 import google.registry.config.CredentialModule.DefaultCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.dns.writer.DnsWriter;
+import google.registry.util.GoogleCredentialsBundle;
 import java.util.Optional;
 import javax.inject.Named;

@ -35,12 +35,15 @@ public abstract class CloudDnsWriterModule {

  @Provides
  static Dns provideDns(
-      @DefaultCredential GoogleCredential credential,
+      @DefaultCredential GoogleCredentialsBundle credentialsBundle,
      @Config("projectId") String projectId,
      @Config("cloudDnsRootUrl") Optional<String> rootUrl,
      @Config("cloudDnsServicePath") Optional<String> servicePath) {
    Dns.Builder builder =
-        new Dns.Builder(credential.getTransport(), credential.getJsonFactory(), credential)
+        new Dns.Builder(
+                credentialsBundle.getHttpTransport(),
+                credentialsBundle.getJsonFactory(),
+                credentialsBundle.getHttpRequestInitializer())
            .setApplicationName(projectId);

    rootUrl.ifPresent(builder::setRootUrl);
--- a/core/src/main/java/google/registry/export/DriveModule.java
+++ b/core/src/main/java/google/registry/export/DriveModule.java
@ -14,7 +14,6 @@

 package google.registry.export;

-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.drive.Drive;
 import dagger.Component;
 import dagger.Module;
@ -24,6 +23,7 @@ import google.registry.config.CredentialModule.DefaultCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.config.RegistryConfig.ConfigModule;
 import google.registry.storage.drive.DriveConnection;
+import google.registry.util.GoogleCredentialsBundle;
 import javax.inject.Singleton;

 /** Dagger module for Google {@link Drive} service connection objects. */
@ -32,8 +32,13 @@ public final class DriveModule {

  @Provides
  static Drive provideDrive(
-      @DefaultCredential GoogleCredential credential, @Config("projectId") String projectId) {
-    return new Drive.Builder(credential.getTransport(), credential.getJsonFactory(), credential)
+      @DefaultCredential GoogleCredentialsBundle credentialsBundle,
+      @Config("projectId") String projectId) {
+
+    return new Drive.Builder(
+            credentialsBundle.getHttpTransport(),
+            credentialsBundle.getJsonFactory(),
+            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(projectId)
        .build();
  }
--- a/core/src/main/java/google/registry/export/datastore/DatastoreAdminModule.java
+++ b/core/src/main/java/google/registry/export/datastore/DatastoreAdminModule.java
@ -14,11 +14,11 @@

 package google.registry.export.datastore;

-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.CredentialModule;
 import google.registry.config.RegistryConfig;
+import google.registry.util.GoogleCredentialsBundle;
 import javax.inject.Singleton;

 /** Dagger module that configures provision of {@link DatastoreAdmin}. */
@ -28,10 +28,12 @@ public abstract class DatastoreAdminModule {
  @Singleton
  @Provides
  static DatastoreAdmin provideDatastoreAdmin(
-      @CredentialModule.DefaultCredential GoogleCredential credential,
+      @CredentialModule.DefaultCredential GoogleCredentialsBundle credentialsBundle,
      @RegistryConfig.Config("projectId") String projectId) {
    return new DatastoreAdmin.Builder(
-            credential.getTransport(), credential.getJsonFactory(), credential)
+            credentialsBundle.getHttpTransport(),
+            credentialsBundle.getJsonFactory(),
+            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(projectId)
        .setProjectId(projectId)
        .build();
--- a/core/src/main/java/google/registry/export/sheet/SheetsServiceModule.java
+++ b/core/src/main/java/google/registry/export/sheet/SheetsServiceModule.java
@ -14,12 +14,12 @@

 package google.registry.export.sheet;

-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.sheets.v4.Sheets;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.CredentialModule.JsonCredential;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.util.GoogleCredentialsBundle;

 /** Dagger module for {@link Sheets}. */
@Module
@ -27,8 +27,12 @@ public final class SheetsServiceModule {

  @Provides
  static Sheets provideSheets(
-      @JsonCredential GoogleCredential credential, @Config("projectId") String projectId) {
-    return new Sheets.Builder(credential.getTransport(), credential.getJsonFactory(), credential)
+      @JsonCredential GoogleCredentialsBundle credentialsBundle,
+      @Config("projectId") String projectId) {
+    return new Sheets.Builder(
+            credentialsBundle.getHttpTransport(),
+            credentialsBundle.getJsonFactory(),
+            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(projectId)
        .build();
  }
--- a/core/src/main/java/google/registry/groups/DirectoryModule.java
+++ b/core/src/main/java/google/registry/groups/DirectoryModule.java
@ -14,12 +14,12 @@

 package google.registry.groups;

-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.admin.directory.Directory;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.CredentialModule.DelegatedCredential;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.util.GoogleCredentialsBundle;

 /** Dagger module for the Google {@link Directory} service. */
@Module
@ -27,8 +27,12 @@ public final class DirectoryModule {

  @Provides
  static Directory provideDirectory(
-      @DelegatedCredential GoogleCredential credential, @Config("projectId") String projectId) {
-    return new Directory.Builder(credential.getTransport(), credential.getJsonFactory(), credential)
+      @DelegatedCredential GoogleCredentialsBundle credentialsBundle,
+      @Config("projectId") String projectId) {
+    return new Directory.Builder(
+            credentialsBundle.getHttpTransport(),
+            credentialsBundle.getJsonFactory(),
+            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(projectId)
        .build();
  }
--- a/core/src/main/java/google/registry/groups/GroupssettingsModule.java
+++ b/core/src/main/java/google/registry/groups/GroupssettingsModule.java
@ -14,12 +14,12 @@

 package google.registry.groups;

-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.groupssettings.Groupssettings;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.CredentialModule.DelegatedCredential;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.util.GoogleCredentialsBundle;

 /** Dagger module for the Google {@link Groupssettings} service. */
@Module
@ -27,9 +27,12 @@ public final class GroupssettingsModule {

  @Provides
  static Groupssettings provideDirectory(
-      @DelegatedCredential GoogleCredential credential, @Config("projectId") String projectId) {
+      @DelegatedCredential GoogleCredentialsBundle credentialsBundle,
+      @Config("projectId") String projectId) {
    return new Groupssettings.Builder(
-            credential.getTransport(), credential.getJsonFactory(), credential)
+            credentialsBundle.getHttpTransport(),
+            credentialsBundle.getJsonFactory(),
+            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(projectId)
        .build();
  }
--- a/core/src/main/java/google/registry/keyring/kms/KmsModule.java
+++ b/core/src/main/java/google/registry/keyring/kms/KmsModule.java
@ -14,7 +14,6 @@

 package google.registry.keyring.kms;

-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.cloudkms.v1.CloudKMS;
 import dagger.Binds;
 import dagger.Module;
@ -24,6 +23,7 @@ import dagger.multibindings.StringKey;
 import google.registry.config.CredentialModule.DefaultCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.keyring.api.Keyring;
+import google.registry.util.GoogleCredentialsBundle;

 /** Dagger module for Cloud KMS. */
@Module
@ -31,20 +31,23 @@ public abstract class KmsModule {

  public static final String NAME = "KMS";

-  @Binds
-  @IntoMap
-  @StringKey(NAME)
-  abstract Keyring provideKeyring(KmsKeyring keyring);
-
  @Provides
  static CloudKMS provideKms(
-      @DefaultCredential GoogleCredential credential,
+      @DefaultCredential GoogleCredentialsBundle credentialsBundle,
      @Config("cloudKmsProjectId") String projectId) {
-    return new CloudKMS.Builder(credential.getTransport(), credential.getJsonFactory(), credential)
+    return new CloudKMS.Builder(
+            credentialsBundle.getHttpTransport(),
+            credentialsBundle.getJsonFactory(),
+            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(projectId)
        .build();
  }

+  @Binds
+  @IntoMap
+  @StringKey(NAME)
+  abstract Keyring provideKeyring(KmsKeyring keyring);
+
  @Binds
  abstract KmsConnection provideKmsConnection(KmsConnectionImpl kmsConnectionImpl);
 }
--- a/core/src/main/java/google/registry/monitoring/whitebox/StackdriverModule.java
+++ b/core/src/main/java/google/registry/monitoring/whitebox/StackdriverModule.java
@ -14,7 +14,6 @@

 package google.registry.monitoring.whitebox;

-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.monitoring.v3.Monitoring;
 import com.google.api.services.monitoring.v3.model.MonitoredResource;
 import com.google.appengine.api.modules.ModulesService;
@ -27,6 +26,7 @@ import dagger.Module;
 import dagger.Provides;
 import google.registry.config.CredentialModule.JsonCredential;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.util.GoogleCredentialsBundle;
 import org.joda.time.Duration;

 /** Dagger module for Google Stackdriver service connection objects. */
@ -39,9 +39,12 @@ public final class StackdriverModule {

  @Provides
  static Monitoring provideMonitoring(
-      @JsonCredential GoogleCredential credential, @Config("projectId") String projectId) {
+      @JsonCredential GoogleCredentialsBundle credentialsBundle,
+      @Config("projectId") String projectId) {
    return new Monitoring.Builder(
-            credential.getTransport(), credential.getJsonFactory(), credential)
+            credentialsBundle.getHttpTransport(),
+            credentialsBundle.getJsonFactory(),
+            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(projectId)
        .build();
  }
--- a/core/src/main/java/google/registry/reporting/ReportingModule.java
+++ b/core/src/main/java/google/registry/reporting/ReportingModule.java
@ -17,7 +17,6 @@ package google.registry.reporting;
 import static google.registry.request.RequestParameters.extractOptionalParameter;
 import static google.registry.request.RequestParameters.extractRequiredParameter;

-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.services.dataflow.Dataflow;
 import dagger.Module;
 import dagger.Provides;
@ -25,6 +24,7 @@ import google.registry.config.CredentialModule.DefaultCredential;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.request.HttpException.BadRequestException;
 import google.registry.request.Parameter;
+import google.registry.util.GoogleCredentialsBundle;
 import google.registry.util.Clock;
 import java.util.Optional;
 import javax.servlet.http.HttpServletRequest;
@ -118,8 +118,12 @@ public class ReportingModule {
  /** Constructs a {@link Dataflow} API client with default settings. */
  @Provides
  static Dataflow provideDataflow(
-      @DefaultCredential GoogleCredential credential, @Config("projectId") String projectId) {
-    return new Dataflow.Builder(credential.getTransport(), credential.getJsonFactory(), credential)
+      @DefaultCredential GoogleCredentialsBundle credentialsBundle,
+      @Config("projectId") String projectId) {
+    return new Dataflow.Builder(
+            credentialsBundle.getHttpTransport(),
+            credentialsBundle.getJsonFactory(),
+            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(String.format("%s billing", projectId))
        .build();
  }
--- a/core/src/main/java/google/registry/tools/AppEngineAdminApiModule.java
+++ b/core/src/main/java/google/registry/tools/AppEngineAdminApiModule.java
@ -14,13 +14,12 @@

 package google.registry.tools;

-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
-import com.google.api.client.googleapis.util.Utils;
 import com.google.api.services.appengine.v1.Appengine;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.CredentialModule.LocalCredential;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.util.GoogleCredentialsBundle;
 import javax.inject.Singleton;

 /** Module providing the instance of {@link Appengine} to access App Engine Admin Api. */
@ -30,9 +29,12 @@ public abstract class AppEngineAdminApiModule {
  @Provides
  @Singleton
  public static Appengine provideAppengine(
-      @LocalCredential GoogleCredential credential, @Config("projectId") String projectId) {
+      @LocalCredential GoogleCredentialsBundle credentialsBundle,
+      @Config("projectId") String projectId) {
    return new Appengine.Builder(
-            Utils.getDefaultTransport(), Utils.getDefaultJsonFactory(), credential)
+            credentialsBundle.getHttpTransport(),
+            credentialsBundle.getJsonFactory(),
+            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(projectId)
        .build();
  }
--- a/core/src/main/java/google/registry/tools/AuthModule.java
+++ b/core/src/main/java/google/registry/tools/AuthModule.java
@ -20,7 +20,6 @@ import com.google.api.client.auth.oauth2.Credential;
 import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;
 import com.google.api.client.googleapis.auth.oauth2.GoogleClientSecrets;
 import com.google.api.client.googleapis.auth.oauth2.GoogleClientSecrets.Details;
-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.client.http.javanet.NetHttpTransport;
 import com.google.api.client.json.JsonFactory;
 import com.google.api.client.util.store.AbstractDataStoreFactory;
@ -39,10 +38,10 @@ import google.registry.config.CredentialModule.DefaultCredential;
 import google.registry.config.CredentialModule.LocalCredential;
 import google.registry.config.CredentialModule.LocalCredentialJson;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.util.GoogleCredentialsBundle;
 import java.io.ByteArrayInputStream;
 import java.io.File;
 import java.io.IOException;
-import java.io.UncheckedIOException;
 import java.lang.annotation.Documented;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
@ -60,14 +59,6 @@ public class AuthModule {
  private static final File DATA_STORE_DIR =
      new File(System.getProperty("user.home"), ".config/nomulus/credentials");

-  @Module
-  abstract static class LocalCredentialModule {
-    @Binds
-    @DefaultCredential
-    abstract GoogleCredential provideLocalCredentialAsDefaultCredential(
-        @LocalCredential GoogleCredential credential);
-  }
-
  @Provides
  @StoredCredential
  static Credential provideCredential(
@ -86,38 +77,21 @@ public class AuthModule {

  @Provides
  @LocalCredential
-  public static GoogleCredential provideLocalCredential(
+  public static GoogleCredentialsBundle provideLocalCredential(
      @LocalCredentialJson String credentialJson,
      @Config("localCredentialOauthScopes") ImmutableList<String> scopes) {
    try {
-      GoogleCredential credential =
-          GoogleCredential.fromStream(new ByteArrayInputStream(credentialJson.getBytes(UTF_8)));
+      GoogleCredentials credential =
+          GoogleCredentials.fromStream(new ByteArrayInputStream(credentialJson.getBytes(UTF_8)));
      if (credential.createScopedRequired()) {
        credential = credential.createScoped(scopes);
      }
-      return credential;
+      return GoogleCredentialsBundle.create(credential);
    } catch (IOException e) {
      throw new RuntimeException(e);
    }
  }

-  @Provides
-  @LocalOAuth2Credentials
-  public static GoogleCredentials provideLocalOAuth2Credentials(
-      @LocalCredentialJson String credentialJson,
-      @Config("localCredentialOauthScopes") ImmutableList<String> scopes) {
-    try {
-      GoogleCredentials credentials =
-          GoogleCredentials.fromStream(new ByteArrayInputStream(credentialJson.getBytes(UTF_8)));
-      if (credentials.createScopedRequired()) {
-        credentials = credentials.createScoped(scopes);
-      }
-      return credentials;
-    } catch (IOException e) {
-      throw new UncheckedIOException(e);
-    }
-  }
-
  @Provides
  public static GoogleAuthorizationCodeFlow provideAuthorizationCodeFlow(
      JsonFactory jsonFactory,
@ -198,16 +172,11 @@ public class AuthModule {
    }
  }

-  /** Raised when we need a user login. */
-  static class LoginRequiredException extends RuntimeException {
-    LoginRequiredException() {}
-  }
-
  /**
   * Dagger qualifier for the {@link Credential} constructed from the data stored on disk.
   *
   * <p>This {@link Credential} should not be used in another module, hence the private qualifier.
-   * It's only use is to build a {@link GoogleCredential}, which is used in injection sites
+   * It's only use is to build a {@link GoogleCredentials}, which is used in injection sites
   * elsewhere.
   */
  @Qualifier
@ -227,9 +196,16 @@ public class AuthModule {
  @Retention(RetentionPolicy.RUNTIME)
  @interface OAuthClientId {}

-  /** Dagger qualifier for the local OAuth2 Credentials. */
-  @Qualifier
-  @Documented
-  @Retention(RetentionPolicy.RUNTIME)
-  public @interface LocalOAuth2Credentials {}
+  @Module
+  abstract static class LocalCredentialModule {
+    @Binds
+    @DefaultCredential
+    abstract GoogleCredentialsBundle provideLocalCredentialAsDefaultCredential(
+        @LocalCredential GoogleCredentialsBundle credential);
+  }
+
+  /** Raised when we need a user login. */
+  static class LoginRequiredException extends RuntimeException {
+    LoginRequiredException() {}
+  }
 }
--- a/core/src/main/java/google/registry/tools/RequestFactoryModule.java
+++ b/core/src/main/java/google/registry/tools/RequestFactoryModule.java
@ -14,13 +14,13 @@

 package google.registry.tools;

-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.client.http.HttpRequestFactory;
 import com.google.api.client.http.javanet.NetHttpTransport;
 import dagger.Module;
 import dagger.Provides;
 import google.registry.config.CredentialModule.DefaultCredential;
 import google.registry.config.RegistryConfig;
+import google.registry.util.GoogleCredentialsBundle;

 /**
 * Module for providing the HttpRequestFactory.
@ -35,7 +35,7 @@ class RequestFactoryModule {

  @Provides
  static HttpRequestFactory provideHttpRequestFactory(
-      @DefaultCredential GoogleCredential credential) {
+      @DefaultCredential GoogleCredentialsBundle credentialsBundle) {
    if (RegistryConfig.areServersLocal()) {
      return new NetHttpTransport()
          .createRequestFactory(
@ -47,11 +47,12 @@ class RequestFactoryModule {
      return new NetHttpTransport()
          .createRequestFactory(
              request -> {
-                credential.initialize(request);
+                credentialsBundle.getHttpRequestInitializer().initialize(request);
                // GAE request times out after 10 min, so here we set the timeout to 10 min. This is
                // needed to support some nomulus commands like updating premium lists that take
                // a lot of time to complete.
-                // See https://developers.google.com/api-client-library/java/google-api-java-client/errors
+                // See
+                // https://developers.google.com/api-client-library/java/google-api-java-client/errors
                request.setConnectTimeout(REQUEST_TIMEOUT_MS);
                request.setReadTimeout(REQUEST_TIMEOUT_MS);
              });
--- a/core/src/test/java/google/registry/export/datastore/DatastoreAdminTest.java
+++ b/core/src/test/java/google/registry/export/datastore/DatastoreAdminTest.java
@ -17,17 +17,17 @@ package google.registry.export.datastore;
 import static com.google.common.truth.Truth.assertThat;
 import static com.google.common.truth.Truth8.assertThat;

-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.client.http.GenericUrl;
 import com.google.api.client.http.HttpRequest;
-import com.google.api.client.http.HttpTransport;
-import com.google.api.client.http.javanet.NetHttpTransport;
-import com.google.api.client.json.jackson2.JacksonFactory;
+import com.google.auth.oauth2.AccessToken;
+import com.google.auth.oauth2.GoogleCredentials;
 import com.google.common.collect.ImmutableList;
 import google.registry.testing.TestDataHelper;
+import google.registry.util.GoogleCredentialsBundle;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
+import java.util.Date;
 import java.util.Optional;
 import org.junit.Before;
 import org.junit.Rule;
@ -48,27 +48,44 @@ public class DatastoreAdminTest {

  @Rule public final MockitoRule mocks = MockitoJUnit.rule();

-  private HttpTransport httpTransport;
-  private GoogleCredential googleCredential;
  private DatastoreAdmin datastoreAdmin;

+  private static HttpRequest simulateSendRequest(HttpRequest httpRequest) {
+    try {
+      httpRequest.setUrl(new GenericUrl("https://localhost:65537")).execute();
+    } catch (Exception expected) {
+    }
+    return httpRequest;
+  }
+
+  private static Optional<String> getAccessToken(HttpRequest httpRequest) {
+    return httpRequest.getHeaders().getAuthorizationAsList().stream()
+        .filter(header -> header.startsWith(AUTH_HEADER_PREFIX))
+        .map(header -> header.substring(AUTH_HEADER_PREFIX.length()))
+        .findAny();
+  }
+
+  private static Optional<String> getRequestContent(HttpRequest httpRequest) throws IOException {
+    if (httpRequest.getContent() == null) {
+      return Optional.empty();
+    }
+    ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+    httpRequest.getContent().writeTo(outputStream);
+    outputStream.close();
+    return Optional.of(outputStream.toString(StandardCharsets.UTF_8.name()));
+  }
+
  @Before
  public void setup() {
-    httpTransport = new NetHttpTransport();
-    googleCredential =
-        new GoogleCredential.Builder()
-            .setTransport(httpTransport)
-            .setJsonFactory(JacksonFactory.getDefaultInstance())
-            .setClock(() -> 0)
-            .build();
-    googleCredential.setAccessToken(ACCESS_TOKEN);
-    googleCredential.setExpiresInSeconds(1_000L);
-
+    Date oneHourLater = new Date(System.currentTimeMillis() + 3_600_000);
+    GoogleCredentials googleCredentials = GoogleCredentials
+        .create(new AccessToken(ACCESS_TOKEN, oneHourLater));
+    GoogleCredentialsBundle credentialsBundle = GoogleCredentialsBundle.create(googleCredentials);
    datastoreAdmin =
        new DatastoreAdmin.Builder(
-                googleCredential.getTransport(),
-                googleCredential.getJsonFactory(),
-                googleCredential)
+                credentialsBundle.getHttpTransport(),
+                credentialsBundle.getJsonFactory(),
+                credentialsBundle.getHttpRequestInitializer())
            .setApplicationName("MyApplication")
            .setProjectId("MyCloudProject")
            .build();
@ -151,29 +168,4 @@ public class DatastoreAdminTest {
    simulateSendRequest(httpRequest);
    assertThat(getAccessToken(httpRequest)).hasValue(ACCESS_TOKEN);
  }
-
-  private static HttpRequest simulateSendRequest(HttpRequest httpRequest) {
-    try {
-      httpRequest.setUrl(new GenericUrl("https://localhost:65537")).execute();
-    } catch (Exception expected) {
-    }
-    return httpRequest;
-  }
-
-  private static Optional<String> getAccessToken(HttpRequest httpRequest) {
-    return httpRequest.getHeaders().getAuthorizationAsList().stream()
-        .filter(header -> header.startsWith(AUTH_HEADER_PREFIX))
-        .map(header -> header.substring(AUTH_HEADER_PREFIX.length()))
-        .findAny();
-  }
-
-  private static Optional<String> getRequestContent(HttpRequest httpRequest) throws IOException {
-    if (httpRequest.getContent() == null) {
-      return Optional.empty();
-    }
-    ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
-    httpRequest.getContent().writeTo(outputStream);
-    outputStream.close();
-    return Optional.of(outputStream.toString(StandardCharsets.UTF_8.name()));
-  }
 }
--- a/core/src/test/java/google/registry/tools/RequestFactoryModuleTest.java
+++ b/core/src/test/java/google/registry/tools/RequestFactoryModuleTest.java
@ -16,34 +16,40 @@ package google.registry.tools;

 import static com.google.common.truth.Truth.assertThat;
 import static google.registry.tools.RequestFactoryModule.REQUEST_TIMEOUT_MS;
-import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoMoreInteractions;
 import static org.mockito.Mockito.verifyZeroInteractions;
+import static org.mockito.Mockito.when;

-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
 import com.google.api.client.http.GenericUrl;
 import com.google.api.client.http.HttpRequest;
 import com.google.api.client.http.HttpRequestFactory;
 import com.google.api.client.http.HttpRequestInitializer;
 import google.registry.config.RegistryConfig;
 import google.registry.testing.SystemPropertyRule;
+import google.registry.util.GoogleCredentialsBundle;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnit;
+import org.mockito.junit.MockitoRule;

@RunWith(JUnit4.class)
 public class RequestFactoryModuleTest {

-  private final GoogleCredential googleCredential = mock(GoogleCredential.class);
-
+  @Rule public final MockitoRule mockitoRule = MockitoJUnit.rule();
  @Rule public final SystemPropertyRule systemPropertyRule = new SystemPropertyRule();

+  @Mock public GoogleCredentialsBundle credentialsBundle;
+  @Mock public HttpRequestInitializer httpRequestInitializer;
+
  @Before
  public void setUp() {
    RegistryToolEnvironment.UNITTEST.setup(systemPropertyRule);
+    when(credentialsBundle.getHttpRequestInitializer()).thenReturn(httpRequestInitializer);
  }

  @Test
@ -52,12 +58,13 @@ public class RequestFactoryModuleTest {
    boolean origIsLocal = RegistryConfig.CONFIG_SETTINGS.get().appEngine.isLocal;
    RegistryConfig.CONFIG_SETTINGS.get().appEngine.isLocal = true;
    try {
-      HttpRequestFactory factory = RequestFactoryModule.provideHttpRequestFactory(googleCredential);
+      HttpRequestFactory factory =
+          RequestFactoryModule.provideHttpRequestFactory(credentialsBundle);
      HttpRequestInitializer initializer = factory.getInitializer();
      assertThat(initializer).isNotNull();
      HttpRequest request = factory.buildGetRequest(new GenericUrl("http://localhost"));
      initializer.initialize(request);
-      verifyZeroInteractions(googleCredential);
+      verifyZeroInteractions(httpRequestInitializer);
    } finally {
      RegistryConfig.CONFIG_SETTINGS.get().appEngine.isLocal = origIsLocal;
    }
@ -69,15 +76,16 @@ public class RequestFactoryModuleTest {
    boolean origIsLocal = RegistryConfig.CONFIG_SETTINGS.get().appEngine.isLocal;
    RegistryConfig.CONFIG_SETTINGS.get().appEngine.isLocal = false;
    try {
-      HttpRequestFactory factory = RequestFactoryModule.provideHttpRequestFactory(googleCredential);
+      HttpRequestFactory factory =
+          RequestFactoryModule.provideHttpRequestFactory(credentialsBundle);
      HttpRequestInitializer initializer = factory.getInitializer();
      assertThat(initializer).isNotNull();
      // HttpRequestFactory#buildGetRequest() calls initialize() once.
      HttpRequest request = factory.buildGetRequest(new GenericUrl("http://localhost"));
-      verify(googleCredential).initialize(request);
+      verify(httpRequestInitializer).initialize(request);
      assertThat(request.getConnectTimeout()).isEqualTo(REQUEST_TIMEOUT_MS);
      assertThat(request.getReadTimeout()).isEqualTo(REQUEST_TIMEOUT_MS);
-      verifyNoMoreInteractions(googleCredential);
+      verifyNoMoreInteractions(httpRequestInitializer);
    } finally {
      RegistryConfig.CONFIG_SETTINGS.get().appEngine.isLocal = origIsLocal;
    }
--- a/package-lock.json
+++ b/package-lock.json
--- a/proxy/build.gradle
+++ b/proxy/build.gradle
@ -12,6 +12,8 @@ dependencies {
  compile deps['com.google.apis:google-api-services-cloudkms']
  compile deps['com.google.apis:google-api-services-monitoring']
  compile deps['com.google.apis:google-api-services-storage']
+  compile deps['com.google.auth:google-auth-library-credentials']
+  compile deps['com.google.auth:google-auth-library-oauth2-http']
  compile deps['com.google.auto.value:auto-value-annotations']
  compile deps['com.google.code.findbugs:jsr305']
  compile deps['com.google.code.gson:gson']
--- a/proxy/gradle/dependency-locks/compile.lockfile
+++ b/proxy/gradle/dependency-locks/compile.lockfile
@ -2,13 +2,15 @@
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
 com.beust:jcommander:1.60
-com.fasterxml.jackson.core:jackson-core:2.9.6
+com.fasterxml.jackson.core:jackson-core:2.9.9
 com.google.api-client:google-api-client:1.29.2
 com.google.apis:google-api-services-cloudkms:v1-rev12-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-storage:v1-rev150-1.22.0
 com.google.appengine:appengine-api-1.0-sdk:1.9.48
 com.google.appengine:appengine-testing:1.9.58
+com.google.auth:google-auth-library-credentials:0.16.1
+com.google.auth:google-auth-library-oauth2-http:0.16.1
 com.google.auto.value:auto-value-annotations:1.6.3
 com.google.auto.value:auto-value:1.6.3
 com.google.code.findbugs:jsr305:3.0.2
@ -19,17 +21,17 @@ com.google.flogger:flogger:0.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:27.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.http-client:google-http-client-jackson2:1.29.2
-com.google.http-client:google-http-client:1.29.2
-com.google.j2objc:j2objc-annotations:1.1
+com.google.http-client:google-http-client-jackson2:1.30.1
+com.google.http-client:google-http-client:1.30.1
+com.google.j2objc:j2objc-annotations:1.3
 com.google.monitoring-client:metrics:1.0.4
 com.google.monitoring-client:stackdriver:1.0.4
 com.google.oauth-client:google-oauth-client:1.29.2
 com.google.re2j:re2j:1.1
 com.ibm.icu:icu4j:57.1
-commons-codec:commons-codec:1.10
+commons-codec:commons-codec:1.11
 commons-logging:commons-logging:1.2
-io.grpc:grpc-context:1.18.0
+io.grpc:grpc-context:1.19.0
 io.netty:netty-buffer:4.1.31.Final
 io.netty:netty-codec-http:4.1.31.Final
 io.netty:netty-codec:4.1.31.Final
@ -37,15 +39,15 @@ io.netty:netty-common:4.1.31.Final
 io.netty:netty-handler:4.1.31.Final
 io.netty:netty-resolver:4.1.31.Final
 io.netty:netty-transport:4.1.31.Final
-io.opencensus:opencensus-api:0.19.2
-io.opencensus:opencensus-contrib-http-util:0.19.2
+io.opencensus:opencensus-api:0.21.0
+io.opencensus:opencensus-contrib-http-util:0.21.0
 javax.activation:activation:1.1
 javax.inject:javax.inject:1
 javax.mail:mail:1.4
 javax.xml.bind:jaxb-api:2.3.0
 joda-time:joda-time:2.9.2
-org.apache.httpcomponents:httpclient:4.5.5
-org.apache.httpcomponents:httpcore:4.4.9
+org.apache.httpcomponents:httpclient:4.5.8
+org.apache.httpcomponents:httpcore:4.4.11
 org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.5.2
--- a/proxy/gradle/dependency-locks/compileClasspath.lockfile
+++ b/proxy/gradle/dependency-locks/compileClasspath.lockfile
@ -2,13 +2,15 @@
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
 com.beust:jcommander:1.60
-com.fasterxml.jackson.core:jackson-core:2.9.6
+com.fasterxml.jackson.core:jackson-core:2.9.9
 com.google.api-client:google-api-client:1.29.2
 com.google.apis:google-api-services-cloudkms:v1-rev12-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-storage:v1-rev150-1.22.0
 com.google.appengine:appengine-api-1.0-sdk:1.9.48
 com.google.appengine:appengine-testing:1.9.58
+com.google.auth:google-auth-library-credentials:0.16.1
+com.google.auth:google-auth-library-oauth2-http:0.16.1
 com.google.auto.value:auto-value-annotations:1.6.3
 com.google.auto.value:auto-value:1.6.3
 com.google.code.findbugs:jsr305:3.0.2
@ -19,17 +21,17 @@ com.google.flogger:flogger:0.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:27.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.http-client:google-http-client-jackson2:1.29.2
-com.google.http-client:google-http-client:1.29.2
-com.google.j2objc:j2objc-annotations:1.1
+com.google.http-client:google-http-client-jackson2:1.30.1
+com.google.http-client:google-http-client:1.30.1
+com.google.j2objc:j2objc-annotations:1.3
 com.google.monitoring-client:metrics:1.0.4
 com.google.monitoring-client:stackdriver:1.0.4
 com.google.oauth-client:google-oauth-client:1.29.2
 com.google.re2j:re2j:1.1
 com.ibm.icu:icu4j:57.1
-commons-codec:commons-codec:1.10
+commons-codec:commons-codec:1.11
 commons-logging:commons-logging:1.2
-io.grpc:grpc-context:1.18.0
+io.grpc:grpc-context:1.19.0
 io.netty:netty-buffer:4.1.31.Final
 io.netty:netty-codec-http:4.1.31.Final
 io.netty:netty-codec:4.1.31.Final
@ -37,15 +39,15 @@ io.netty:netty-common:4.1.31.Final
 io.netty:netty-handler:4.1.31.Final
 io.netty:netty-resolver:4.1.31.Final
 io.netty:netty-transport:4.1.31.Final
-io.opencensus:opencensus-api:0.19.2
-io.opencensus:opencensus-contrib-http-util:0.19.2
+io.opencensus:opencensus-api:0.21.0
+io.opencensus:opencensus-contrib-http-util:0.21.0
 javax.activation:activation:1.1
 javax.inject:javax.inject:1
 javax.mail:mail:1.4
 javax.xml.bind:jaxb-api:2.3.0
 joda-time:joda-time:2.9.2
-org.apache.httpcomponents:httpclient:4.5.5
-org.apache.httpcomponents:httpcore:4.4.9
+org.apache.httpcomponents:httpclient:4.5.8
+org.apache.httpcomponents:httpcore:4.4.11
 org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.5.2
--- a/proxy/gradle/dependency-locks/runtimeClasspath.lockfile
+++ b/proxy/gradle/dependency-locks/runtimeClasspath.lockfile
@ -2,13 +2,15 @@
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
 com.beust:jcommander:1.60
-com.fasterxml.jackson.core:jackson-core:2.9.6
+com.fasterxml.jackson.core:jackson-core:2.9.9
 com.google.api-client:google-api-client:1.29.2
 com.google.apis:google-api-services-cloudkms:v1-rev12-1.22.0
 com.google.apis:google-api-services-monitoring:v3-rev426-1.23.0
 com.google.apis:google-api-services-storage:v1-rev150-1.22.0
 com.google.appengine:appengine-api-1.0-sdk:1.9.48
 com.google.appengine:appengine-testing:1.9.58
+com.google.auth:google-auth-library-credentials:0.16.1
+com.google.auth:google-auth-library-oauth2-http:0.16.1
 com.google.auto.value:auto-value-annotations:1.6.3
 com.google.auto.value:auto-value:1.6.3
 com.google.code.findbugs:jsr305:3.0.2
@ -20,17 +22,17 @@ com.google.flogger:flogger:0.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:27.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.http-client:google-http-client-jackson2:1.29.2
-com.google.http-client:google-http-client:1.29.2
-com.google.j2objc:j2objc-annotations:1.1
+com.google.http-client:google-http-client-jackson2:1.30.1
+com.google.http-client:google-http-client:1.30.1
+com.google.j2objc:j2objc-annotations:1.3
 com.google.monitoring-client:metrics:1.0.4
 com.google.monitoring-client:stackdriver:1.0.4
 com.google.oauth-client:google-oauth-client:1.29.2
 com.google.re2j:re2j:1.1
 com.ibm.icu:icu4j:57.1
-commons-codec:commons-codec:1.10
+commons-codec:commons-codec:1.11
 commons-logging:commons-logging:1.2
-io.grpc:grpc-context:1.18.0
+io.grpc:grpc-context:1.19.0
 io.netty:netty-buffer:4.1.31.Final
 io.netty:netty-codec-http:4.1.31.Final
 io.netty:netty-codec:4.1.31.Final
@ -39,15 +41,15 @@ io.netty:netty-handler:4.1.31.Final
 io.netty:netty-resolver:4.1.31.Final
 io.netty:netty-tcnative-boringssl-static:2.0.22.Final
 io.netty:netty-transport:4.1.31.Final
-io.opencensus:opencensus-api:0.19.2
-io.opencensus:opencensus-contrib-http-util:0.19.2
+io.opencensus:opencensus-api:0.21.0
+io.opencensus:opencensus-contrib-http-util:0.21.0
 javax.activation:activation:1.1
 javax.inject:javax.inject:1
 javax.mail:mail:1.4
 javax.xml.bind:jaxb-api:2.3.0
 joda-time:joda-time:2.9.2
-org.apache.httpcomponents:httpclient:4.5.5
-org.apache.httpcomponents:httpcore:4.4.9
+org.apache.httpcomponents:httpclient:4.5.8
+org.apache.httpcomponents:httpcore:4.4.11
 org.bouncycastle:bcpkix-jdk15on:1.61
 org.bouncycastle:bcprov-jdk15on:1.61
 org.checkerframework:checker-qual:2.5.2
--- a/proxy/src/main/java/google/registry/proxy/MetricsModule.java
+++ b/proxy/src/main/java/google/registry/proxy/MetricsModule.java
@ -14,8 +14,6 @@

 package google.registry.proxy;

-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
-import com.google.api.client.googleapis.util.Utils;
 import com.google.api.services.monitoring.v3.Monitoring;
 import com.google.api.services.monitoring.v3.model.MonitoredResource;
 import com.google.common.collect.ImmutableMap;
@ -29,6 +27,7 @@ import dagger.Module;
 import dagger.Provides;
 import google.registry.proxy.ProxyConfig.Environment;
 import google.registry.proxy.metric.MetricParameters;
+import google.registry.util.GoogleCredentialsBundle;
 import javax.inject.Singleton;

 /** Module that provides necessary bindings to instantiate a {@link MetricReporter} */
@ -39,9 +38,12 @@ public class MetricsModule {

  @Singleton
  @Provides
-  static Monitoring provideMonitoring(GoogleCredential credential, ProxyConfig config) {
+  static Monitoring provideMonitoring(GoogleCredentialsBundle credentialsBundle,
+      ProxyConfig config) {
    return new Monitoring.Builder(
-            Utils.getDefaultTransport(), Utils.getDefaultJsonFactory(), credential)
+            credentialsBundle.getHttpTransport(),
+            credentialsBundle.getJsonFactory(),
+            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(config.projectId)
        .build();
  }
--- a/proxy/src/main/java/google/registry/proxy/ProxyModule.java
+++ b/proxy/src/main/java/google/registry/proxy/ProxyModule.java
@ -20,11 +20,11 @@ import static google.registry.proxy.ProxyConfig.getProxyConfig;
 import com.beust.jcommander.JCommander;
 import com.beust.jcommander.Parameter;
 import com.beust.jcommander.ParameterException;
-import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
-import com.google.api.client.googleapis.util.Utils;
 import com.google.api.services.cloudkms.v1.CloudKMS;
 import com.google.api.services.cloudkms.v1.model.DecryptRequest;
 import com.google.api.services.storage.Storage;
+import com.google.auth.oauth2.AccessToken;
+import com.google.auth.oauth2.GoogleCredentials;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Maps;
 import com.google.common.flogger.LoggerConfig;
@ -41,6 +41,7 @@ import google.registry.proxy.WebWhoisProtocolsModule.HttpsWhoisProtocol;
 import google.registry.proxy.WhoisProtocolModule.WhoisProtocol;
 import google.registry.proxy.handler.ProxyProtocolHandler;
 import google.registry.util.Clock;
+import google.registry.util.GoogleCredentialsBundle;
 import google.registry.util.SystemClock;
 import io.netty.handler.logging.LogLevel;
 import io.netty.handler.logging.LoggingHandler;
@ -50,6 +51,7 @@ import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.util.Arrays;
 import java.util.Base64;
+import java.util.Date;
 import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.ExecutorService;
@ -209,13 +211,13 @@ public class ProxyModule {

  @Singleton
  @Provides
-  static GoogleCredential provideCredential(ProxyConfig config) {
+  static GoogleCredentialsBundle provideCredential(ProxyConfig config) {
    try {
-      GoogleCredential credential = GoogleCredential.getApplicationDefault();
-      if (credential.createScopedRequired()) {
-        credential = credential.createScoped(config.gcpScopes);
+      GoogleCredentials credentials = GoogleCredentials.getApplicationDefault();
+      if (credentials.createScopedRequired()) {
+        credentials = credentials.createScoped(config.gcpScopes);
      }
-      return credential;
+      return GoogleCredentialsBundle.create(credentials);
    } catch (IOException e) {
      throw new RuntimeException("Unable to obtain OAuth2 credential.", e);
    }
@ -226,36 +228,45 @@ public class ProxyModule {
  @Provides
  @Named("accessToken")
  static Supplier<String> provideAccessTokenSupplier(
-      GoogleCredential credential, ProxyConfig config) {
+      GoogleCredentialsBundle credentialsBundle, ProxyConfig config) {
    return () -> {
+      GoogleCredentials credentials = credentialsBundle.getGoogleCredentials();
+      AccessToken accessToken = credentials.getAccessToken();
+      Date nextExpirationTime =
+          new Date(
+              System.currentTimeMillis() + config.accessTokenRefreshBeforeExpirationSeconds * 1000);
      // If we never obtained an access token, the expiration time is null.
-      if (credential.getExpiresInSeconds() == null
+      if (accessToken == null
          // If we have an access token, make sure to refresh it ahead of time.
-          || credential.getExpiresInSeconds() < config.accessTokenRefreshBeforeExpirationSeconds) {
+          || accessToken.getExpirationTime().before(nextExpirationTime)) {
        try {
-          credential.refreshToken();
+          credentials.refresh();
        } catch (IOException e) {
          throw new RuntimeException("Cannot refresh access token.", e);
        }
      }
-      return credential.getAccessToken();
+      return credentials.getAccessToken().getTokenValue();
    };
  }

  @Singleton
  @Provides
-  static CloudKMS provideCloudKms(GoogleCredential credential, ProxyConfig config) {
+  static CloudKMS provideCloudKms(GoogleCredentialsBundle credentialsBundle, ProxyConfig config) {
    return new CloudKMS.Builder(
-            Utils.getDefaultTransport(), Utils.getDefaultJsonFactory(), credential)
+            credentialsBundle.getHttpTransport(),
+            credentialsBundle.getJsonFactory(),
+            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(config.projectId)
        .build();
  }

  @Singleton
  @Provides
-  static Storage provideStorage(GoogleCredential credential, ProxyConfig config) {
+  static Storage provideStorage(GoogleCredentialsBundle credentialsBundle, ProxyConfig config) {
    return new Storage.Builder(
-            Utils.getDefaultTransport(), Utils.getDefaultJsonFactory(), credential)
+            credentialsBundle.getHttpTransport(),
+            credentialsBundle.getJsonFactory(),
+            credentialsBundle.getHttpRequestInitializer())
        .setApplicationName(config.projectId)
        .build();
  }
--- a/util/build.gradle
+++ b/util/build.gradle
@ -2,8 +2,11 @@ apply plugin: 'java'

 dependencies {
  def deps = rootProject.dependencyMap
+  compile deps['com.google.api-client:google-api-client']
  compile deps['com.google.appengine:appengine-api-1.0-sdk']
  compile deps['com.google.appengine:appengine-testing']
+  compile deps['com.google.auth:google-auth-library-credentials']
+  compile deps['com.google.auth:google-auth-library-oauth2-http']
  compile deps['com.google.auto.value:auto-value-annotations']
  compile deps['com.google.code.findbugs:jsr305']
  compile deps['com.google.dagger:dagger']
--- a/util/gradle/dependency-locks/compile.lockfile
+++ b/util/gradle/dependency-locks/compile.lockfile
@ -1,8 +1,12 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
+com.fasterxml.jackson.core:jackson-core:2.9.9
+com.google.api-client:google-api-client:1.29.2
 com.google.appengine:appengine-api-1.0-sdk:1.9.48
 com.google.appengine:appengine-testing:1.9.58
+com.google.auth:google-auth-library-credentials:0.16.1
+com.google.auth:google-auth-library-oauth2-http:0.16.1
 com.google.auto.value:auto-value-annotations:1.6.3
 com.google.code.findbugs:jsr305:3.0.2
 com.google.dagger:dagger:2.21
@ -11,14 +15,24 @@ com.google.flogger:flogger:0.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:27.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.j2objc:j2objc-annotations:1.1
+com.google.http-client:google-http-client-jackson2:1.30.1
+com.google.http-client:google-http-client:1.30.1
+com.google.j2objc:j2objc-annotations:1.3
+com.google.oauth-client:google-oauth-client:1.29.2
 com.google.re2j:re2j:1.1
 com.ibm.icu:icu4j:57.1
+commons-codec:commons-codec:1.11
+commons-logging:commons-logging:1.2
+io.grpc:grpc-context:1.19.0
+io.opencensus:opencensus-api:0.21.0
+io.opencensus:opencensus-contrib-http-util:0.21.0
 javax.activation:activation:1.1
 javax.inject:javax.inject:1
 javax.mail:mail:1.4
 javax.xml.bind:jaxb-api:2.3.0
 joda-time:joda-time:2.9.2
+org.apache.httpcomponents:httpclient:4.5.8
+org.apache.httpcomponents:httpcore:4.4.11
 org.checkerframework:checker-qual:2.5.2
 org.codehaus.mojo:animal-sniffer-annotations:1.17
 org.yaml:snakeyaml:1.17
--- a/util/gradle/dependency-locks/compileClasspath.lockfile
+++ b/util/gradle/dependency-locks/compileClasspath.lockfile
@ -1,8 +1,12 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
+com.fasterxml.jackson.core:jackson-core:2.9.9
+com.google.api-client:google-api-client:1.29.2
 com.google.appengine:appengine-api-1.0-sdk:1.9.48
 com.google.appengine:appengine-testing:1.9.58
+com.google.auth:google-auth-library-credentials:0.16.1
+com.google.auth:google-auth-library-oauth2-http:0.16.1
 com.google.auto.value:auto-value-annotations:1.6.3
 com.google.code.findbugs:jsr305:3.0.2
 com.google.dagger:dagger:2.21
@ -11,14 +15,24 @@ com.google.flogger:flogger:0.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:27.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.j2objc:j2objc-annotations:1.1
+com.google.http-client:google-http-client-jackson2:1.30.1
+com.google.http-client:google-http-client:1.30.1
+com.google.j2objc:j2objc-annotations:1.3
+com.google.oauth-client:google-oauth-client:1.29.2
 com.google.re2j:re2j:1.1
 com.ibm.icu:icu4j:57.1
+commons-codec:commons-codec:1.11
+commons-logging:commons-logging:1.2
+io.grpc:grpc-context:1.19.0
+io.opencensus:opencensus-api:0.21.0
+io.opencensus:opencensus-contrib-http-util:0.21.0
 javax.activation:activation:1.1
 javax.inject:javax.inject:1
 javax.mail:mail:1.4
 javax.xml.bind:jaxb-api:2.3.0
 joda-time:joda-time:2.9.2
+org.apache.httpcomponents:httpclient:4.5.8
+org.apache.httpcomponents:httpcore:4.4.11
 org.checkerframework:checker-qual:2.5.2
 org.codehaus.mojo:animal-sniffer-annotations:1.17
 org.yaml:snakeyaml:1.17
--- a/util/gradle/dependency-locks/runtimeClasspath.lockfile
+++ b/util/gradle/dependency-locks/runtimeClasspath.lockfile
@ -1,8 +1,12 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
+com.fasterxml.jackson.core:jackson-core:2.9.9
+com.google.api-client:google-api-client:1.29.2
 com.google.appengine:appengine-api-1.0-sdk:1.9.48
 com.google.appengine:appengine-testing:1.9.58
+com.google.auth:google-auth-library-credentials:0.16.1
+com.google.auth:google-auth-library-oauth2-http:0.16.1
 com.google.auto.value:auto-value-annotations:1.6.3
 com.google.auto.value:auto-value:1.6.3
 com.google.code.findbugs:jsr305:3.0.2
@ -12,14 +16,24 @@ com.google.flogger:flogger:0.1
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:27.1-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.j2objc:j2objc-annotations:1.1
+com.google.http-client:google-http-client-jackson2:1.30.1
+com.google.http-client:google-http-client:1.30.1
+com.google.j2objc:j2objc-annotations:1.3
+com.google.oauth-client:google-oauth-client:1.29.2
 com.google.re2j:re2j:1.1
 com.ibm.icu:icu4j:57.1
+commons-codec:commons-codec:1.11
+commons-logging:commons-logging:1.2
+io.grpc:grpc-context:1.19.0
+io.opencensus:opencensus-api:0.21.0
+io.opencensus:opencensus-contrib-http-util:0.21.0
 javax.activation:activation:1.1
 javax.inject:javax.inject:1
 javax.mail:mail:1.4
 javax.xml.bind:jaxb-api:2.3.0
 joda-time:joda-time:2.9.2
+org.apache.httpcomponents:httpclient:4.5.8
+org.apache.httpcomponents:httpcore:4.4.11
 org.checkerframework:checker-qual:2.5.2
 org.codehaus.mojo:animal-sniffer-annotations:1.17
 org.yaml:snakeyaml:1.17
--- a/util/src/main/java/google/registry/util/GoogleCredentialsBundle.java
+++ b/util/src/main/java/google/registry/util/GoogleCredentialsBundle.java
@ -0,0 +1,70 @@
+// Copyright 2019 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.util;
+
+import static com.google.common.base.Preconditions.checkNotNull;
+
+import com.google.api.client.googleapis.util.Utils;
+import com.google.api.client.http.HttpRequestInitializer;
+import com.google.api.client.http.HttpTransport;
+import com.google.api.client.json.JsonFactory;
+import com.google.auth.http.HttpCredentialsAdapter;
+import com.google.auth.oauth2.GoogleCredentials;
+
+/**
+ * Helper class to provide {@link HttpTransport}, {@link JsonFactory} and {@link
+ * HttpRequestInitializer} for a given {@link GoogleCredentials}. These classes are normally needed
+ * for creating the instance of a GCP client.
+ */
+public class GoogleCredentialsBundle {
+
+  private GoogleCredentials googleCredentials;
+  private HttpTransport httpTransport;
+  private JsonFactory jsonFactory;
+  private HttpRequestInitializer httpRequestInitializer;
+
+  private GoogleCredentialsBundle(GoogleCredentials googleCredentials) {
+    checkNotNull(googleCredentials);
+    this.googleCredentials = googleCredentials;
+    this.httpTransport = Utils.getDefaultTransport();
+    this.jsonFactory = Utils.getDefaultJsonFactory();
+    this.httpRequestInitializer = new HttpCredentialsAdapter(googleCredentials);
+  }
+
+  /** Creates a {@link GoogleCredentialsBundle} instance from given {@link GoogleCredentials}. */
+  public static GoogleCredentialsBundle create(GoogleCredentials credentials) {
+    return new GoogleCredentialsBundle(credentials);
+  }
+
+  /** Returns the same {@link GoogleCredentials} used to create this object. */
+  public GoogleCredentials getGoogleCredentials() {
+    return googleCredentials;
+  }
+
+  /** Returns the instance of {@link HttpTransport}. */
+  public HttpTransport getHttpTransport() {
+    return httpTransport;
+  }
+
+  /** Returns the instance of {@link JsonFactory}. */
+  public JsonFactory getJsonFactory() {
+    return jsonFactory;
+  }
+
+  /** Returns the instance of {@link HttpRequestInitializer}. */
+  public HttpRequestInitializer getHttpRequestInitializer() {
+    return httpRequestInitializer;
+  }
+}