chore: Add warnings to all fromStream() calls

oauth2_http/java/com/google/auth/oauth2/ExternalAccountAuthorizedUserCredentials.java

@@ -127,6 +127,13 @@ private ExternalAccountAuthorizedUserCredentials(Builder builder) {
   /**
    * Returns external account authorized user credentials defined by a JSON file stream.
    *
+   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+   * external source for authentication to Google Cloud Platform, you must validate it before
+   * providing it to any Google API or library. Providing an unvalidated credential configuration to
+   * Google APIs can compromise the security of your systems and data. For more information, refer
+   * to {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   *
    * @param credentialsStream the stream with the credential definition
    * @return the credential defined by the credentialsStream
    * @throws IOException if the credential cannot be created from the stream
@@ -140,6 +147,13 @@ public static ExternalAccountAuthorizedUserCredentials fromStream(InputStream cr
   /**
    * Returns external account authorized user credentials defined by a JSON file stream.
    *
+   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+   * external source for authentication to Google Cloud Platform, you must validate it before
+   * providing it to any Google API or library. Providing an unvalidated credential configuration to
+   * Google APIs can compromise the security of your systems and data. For more information, refer
+   * to {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   *
    * @param credentialsStream the stream with the credential definition
    * @param transportFactory the HTTP transport factory used to create the transport to get access
    *     tokens

oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java

@@ -349,6 +349,13 @@ public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException
    *
    * <p>Returns {@link IdentityPoolCredentials} or {@link AwsCredentials}.
    *
+   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+   * external source for authentication to Google Cloud Platform, you must validate it before
+   * providing it to any Google API or library. Providing an unvalidated credential configuration to
+   * Google APIs can compromise the security of your systems and data. For more information, refer
+   * to {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   *
    * @param credentialsStream the stream with the credential definition
    * @return the credential defined by the credentialsStream
    * @throws IOException if the credential cannot be created from the stream
@@ -363,6 +370,13 @@ public static ExternalAccountCredentials fromStream(InputStream credentialsStrea
    *
    * <p>Returns a {@link IdentityPoolCredentials} or {@link AwsCredentials}.
    *
+   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+   * external source for authentication to Google Cloud Platform, you must validate it before
+   * providing it to any Google API or library. Providing an unvalidated credential configuration to
+   * Google APIs can compromise the security of your systems and data. For more information, refer
+   * to {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   *
    * @param credentialsStream the stream with the credential definition
    * @param transportFactory the HTTP transport factory used to create the transport to get access
    *     tokens

oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java

@@ -179,6 +179,13 @@ public static GoogleCredentials fromStream(InputStream credentialsStream) throws
    * <p>The stream can contain a Service Account key file in JSON format from the Google Developers
    * Console or a stored user credential using the format supported by the Cloud SDK.
    *
+   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+   * external source for authentication to Google Cloud Platform, you must validate it before
+   * providing it to any Google API or library. Providing an unvalidated credential configuration to
+   * Google APIs can compromise the security of your systems and data. For more information, refer
+   * to {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   *
    * @param credentialsStream the stream with the credential definition.
    * @param transportFactory HTTP transport factory, creates the transport used to get access
    *     tokens.

oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java

@@ -154,13 +154,6 @@ public class ServiceAccountCredentials extends GoogleCredentials
    * Returns service account credentials defined by JSON using the format supported by the Google
    * Developers Console.
    *
-   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
-   * external source for authentication to Google Cloud Platform, you must validate it before
-   * providing it to any Google API or library. Providing an unvalidated credential configuration to
-   * Google APIs can compromise the security of your systems and data. For more information, refer
-   * to {@link <a
-   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
-   *
    * @param json a map from the JSON representing the credentials.
    * @param transportFactory HTTP transport factory, creates the transport used to get access
    *     tokens.
@@ -453,6 +446,13 @@ static ServiceAccountCredentials fromPkcs8(
    * Returns credentials defined by a Service Account key file in JSON format from the Google
    * Developers Console.
    *
+   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+   * external source for authentication to Google Cloud Platform, you must validate it before
+   * providing it to any Google API or library. Providing an unvalidated credential configuration to
+   * Google APIs can compromise the security of your systems and data. For more information, refer
+   * to {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   *
    * @param credentialsStream the stream with the credential definition.
    * @return the credential defined by the credentialsStream.
    * @throws IOException if the credential cannot be created from the stream.
@@ -466,6 +466,13 @@ public static ServiceAccountCredentials fromStream(InputStream credentialsStream
    * Returns credentials defined by a Service Account key file in JSON format from the Google
    * Developers Console.
    *
+   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+   * external source for authentication to Google Cloud Platform, you must validate it before
+   * providing it to any Google API or library. Providing an unvalidated credential configuration to
+   * Google APIs can compromise the security of your systems and data. For more information, refer
+   * to {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   *
    * @param credentialsStream the stream with the credential definition.
    * @param transportFactory HTTP transport factory, creates the transport used to get access
    *     tokens.

oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java

@@ -227,6 +227,13 @@ static ServiceAccountJwtAccessCredentials fromPkcs8(
    * Returns credentials defined by a Service Account key file in JSON format from the Google
    * Developers Console.
    *
+   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+   * external source for authentication to Google Cloud Platform, you must validate it before
+   * providing it to any Google API or library. Providing an unvalidated credential configuration to
+   * Google APIs can compromise the security of your systems and data. For more information, refer
+   * to {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   *
    * @param credentialsStream the stream with the credential definition.
    * @return the credential defined by the credentialsStream.
    * @throws IOException if the credential cannot be created from the stream.
@@ -240,6 +247,13 @@ public static ServiceAccountJwtAccessCredentials fromStream(InputStream credenti
    * Returns credentials defined by a Service Account key file in JSON format from the Google
    * Developers Console.
    *
+   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+   * external source for authentication to Google Cloud Platform, you must validate it before
+   * providing it to any Google API or library. Providing an unvalidated credential configuration to
+   * Google APIs can compromise the security of your systems and data. For more information, refer
+   * to {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   *
    * @param credentialsStream the stream with the credential definition.
    * @param defaultAudience Audience to use if not provided by transport. May be null.
    * @return the credential defined by the credentialsStream.

oauth2_http/java/com/google/auth/oauth2/UserCredentials.java

@@ -138,6 +138,13 @@ static UserCredentials fromJson(Map<String, Object> json, HttpTransportFactory t
   /**
    * Returns credentials defined by a JSON file stream using the format supported by the Cloud SDK.
    *
+   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+   * external source for authentication to Google Cloud Platform, you must validate it before
+   * providing it to any Google API or library. Providing an unvalidated credential configuration to
+   * Google APIs can compromise the security of your systems and data. For more information, refer
+   * to {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   *
    * @param credentialsStream the stream with the credential definition.
    * @return the credential defined by the credentialsStream.
    * @throws IOException if the credential cannot be created from the stream.
@@ -149,6 +156,13 @@ public static UserCredentials fromStream(InputStream credentialsStream) throws I
   /**
    * Returns credentials defined by a JSON file stream using the format supported by the Cloud SDK.
    *
+   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+   * external source for authentication to Google Cloud Platform, you must validate it before
+   * providing it to any Google API or library. Providing an unvalidated credential configuration to
+   * Google APIs can compromise the security of your systems and data. For more information, refer
+   * to {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   *
    * @param credentialsStream the stream with the credential definition.
    * @param transportFactory HTTP transport factory, creates the transport used to get access
    *     tokens.