Hi @patkasper - apologies for it taking a long time to comment on this.

I brought up credentials storage in a weekly meeting and it looks like folks are generally opposed to the idea of this library handling credentials storage. It may be convenient to store credentials in memory or in a file, but it isn't great from a security perspective.

There was interest in adding a method like to_json to make it easier to convert a credentials object back into JSON. Could you perhaps rework this PR to add just that method?

I've removed the storage interface and I've kept the to_json method in google.oauth2's Credentials. Please let me know what you think.

I'm happy to add the storage interface + automated loading/storing to google-auth-oauthlib, should I go ahead with that?

Thanks.

👋 Hi @patkasper. Would you mind resolving the merge conflicts here?

@patkasper Would you be able to run the code formatter?

pip install nox
nox -s blacken

If nox gives you trouble for any reason you can also do:

pip install black
black google tests

@michaelawyu If you're around next week could you help see this PR over the finish line? Since Patrick is an external contributor the CI does not trigger automatically. You'll have to add the label kokoro:force-run. Thank you!

@patkasper @busunkim96 I noticed this evening that I cannot round-trip a credential using "to_json" to serialize the object, and then reload.

I hit this when deserializing my credential and attempting to use it with a Dialogflow client; in that case, I received:

google.api_core.exceptions.PermissionDenied: 403 Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the dialogflow.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/. If you are getting this error with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-User-Project' header, please check https://cloud.google.com/apis/docs/system-parameters.

The hint here was the "billing quota"; when I compared the dict representations of the original and serialized-then-serialized clone of the original object, I saw that the "_quota_project_id" attribute was missing on the clone. Sure enough, after I added this in manually, my credential works.

Was the "quota_project_id" attribute intentionally excluded from the contents of the json blob, on serialization? If not, I am happy to work up a PR to include that attribute in the serialization (it is a kwarg of the initializaer of the Credentials class, so very easy to round-trip).

One other minor note; the serialized-then-serialized clone of the original credential cannot itself be serialized with to_json if the expiry kwarg is naively set to the expiry string from the serialization dict. This happened to me when I tried to naively deserialize by just "**" unpackinging the dictionary contents into the kwargs of the initializer. Then this line fails because self.expiry is a string, not a datetime. This should be pretty easy to fix with a isinstance or try-catch, and I am happy to provide a PR here as well.

What are your thoughts on these issues?