5 files changed, 95 insertions, 2 deletions

diff --git a/include/grpc++/credentials.h b/include/grpc++/credentials.h
index 7a40cd199d..0eaaefcbca 100644
--- a/include/grpc++/credentials.h
+++ b/include/grpc++/credentials.h
@@ -120,6 +120,12 @@ std::shared_ptr<Credentials> JWTCredentials(const grpc::string& json_key,
 std::shared_ptr<Credentials> RefreshTokenCredentials(
     const grpc::string& json_refresh_token);
 
+// Builds access token credentials.
+// access_token is an oauth2 access token that was fetched using an out of band
+// mechanism.
+std::shared_ptr<Credentials> AccessTokenCredentials(
+    const grpc::string& access_token);
+
 // Builds IAM credentials.
 std::shared_ptr<Credentials> IAMCredentials(
     const grpc::string& authorization_token,
diff --git a/include/grpc/grpc_security.h b/include/grpc/grpc_security.h
index 7a6aa66670..1f91e65278 100644
--- a/include/grpc/grpc_security.h
+++ b/include/grpc/grpc_security.h
@@ -126,13 +126,18 @@ grpc_credentials *grpc_jwt_credentials_create(const char *json_key,
 grpc_credentials *grpc_refresh_token_credentials_create(
     const char *json_refresh_token);
 
-/* Creates a fake transport security credentials object for testing. */
-grpc_credentials *grpc_fake_transport_security_credentials_create(void);
+/* Creates an Oauth2 Access Token credentials with an access token that was
+   aquired by an out of band mechanism. */
+grpc_credentials *grpc_access_token_credentials_create(
+    const char *access_token);
 
 /* Creates an IAM credentials object. */
 grpc_credentials *grpc_iam_credentials_create(const char *authorization_token,
                                               const char *authority_selector);
 
+/* Creates a fake transport security credentials object for testing. */
+grpc_credentials *grpc_fake_transport_security_credentials_create(void);
+
 /* --- Secure channel creation. --- */
 
 /* The caller of the secure_channel_create functions may override the target
diff --git a/src/core/security/credentials.c b/src/core/security/credentials.c
index cf663faf2d..2f2f17c315 100644
--- a/src/core/security/credentials.c
+++ b/src/core/security/credentials.c
@@ -876,6 +876,59 @@ grpc_credentials *grpc_fake_oauth2_credentials_create(
   return &c->base;
 }
 
+/* -- Oauth2 Access Token credentials. -- */
+
+typedef struct {
+  grpc_credentials base;
+  grpc_credentials_md_store *access_token_md;
+} grpc_access_token_credentials;
+
+static void access_token_destroy(grpc_credentials *creds) {
+  grpc_access_token_credentials *c = (grpc_access_token_credentials *)creds;
+  grpc_credentials_md_store_unref(c->access_token_md);
+  gpr_free(c);
+}
+
+static int access_token_has_request_metadata(const grpc_credentials *creds) {
+  return 1;
+}
+
+static int access_token_has_request_metadata_only(
+    const grpc_credentials *creds) {
+  return 1;
+}
+
+static void access_token_get_request_metadata(grpc_credentials *creds,
+                                             grpc_pollset *pollset,
+                                             const char *service_url,
+                                             grpc_credentials_metadata_cb cb,
+                                             void *user_data) {
+  grpc_access_token_credentials *c = (grpc_access_token_credentials *)creds;
+  cb(user_data, c->access_token_md->entries, 1, GRPC_CREDENTIALS_OK);
+}
+
+static grpc_credentials_vtable access_token_vtable = {
+    access_token_destroy, access_token_has_request_metadata,
+    access_token_has_request_metadata_only, access_token_get_request_metadata,
+    NULL};
+
+grpc_credentials *grpc_access_token_credentials_create(
+    const char *access_token) {
+  grpc_access_token_credentials *c =
+      gpr_malloc(sizeof(grpc_access_token_credentials));
+  char *token_md_value;
+  memset(c, 0, sizeof(grpc_access_token_credentials));
+  c->base.type = GRPC_CREDENTIALS_TYPE_OAUTH2;
+  c->base.vtable = &access_token_vtable;
+  gpr_ref_init(&c->base.refcount, 1);
+  c->access_token_md = grpc_credentials_md_store_create(1);
+  gpr_asprintf(&token_md_value, "Bearer %s", access_token);
+  grpc_credentials_md_store_add_cstrings(
+      c->access_token_md, GRPC_AUTHORIZATION_METADATA_KEY, token_md_value);
+  gpr_free(token_md_value);
+  return &c->base;
+}
+
 /* -- Fake transport security credentials. -- */
 
 static void fake_transport_security_credentials_destroy(
diff --git a/src/cpp/client/secure_credentials.cc b/src/cpp/client/secure_credentials.cc
index b5134b3140..4d200908fb 100644
--- a/src/cpp/client/secure_credentials.cc
+++ b/src/cpp/client/secure_credentials.cc
@@ -117,6 +117,13 @@ std::shared_ptr<Credentials> RefreshTokenCredentials(
       grpc_refresh_token_credentials_create(json_refresh_token.c_str()));
 }
 
+// Builds access token credentials.
+std::shared_ptr<Credentials> AccessTokenCredentials(
+    const grpc::string& access_token) {
+  return WrapCredentials(
+      grpc_access_token_credentials_create(access_token.c_str()));
+}
+
 // Builds IAM credentials.
 std::shared_ptr<Credentials> IAMCredentials(
     const grpc::string& authorization_token,
diff --git a/test/core/security/credentials_test.c b/test/core/security/credentials_test.c
index 4253be6b07..e8bb730849 100644
--- a/test/core/security/credentials_test.c
+++ b/test/core/security/credentials_test.c
@@ -331,6 +331,27 @@ static void test_iam_creds(void) {
                                         check_iam_metadata, creds);
 }
 
+static void check_access_token_metadata(void *user_data,
+                                        grpc_credentials_md *md_elems,
+                                        size_t num_md,
+                                        grpc_credentials_status status) {
+  grpc_credentials *c = (grpc_credentials *)user_data;
+  expected_md emd[] = {{GRPC_AUTHORIZATION_METADATA_KEY, "Bearer blah"}};
+  GPR_ASSERT(status == GRPC_CREDENTIALS_OK);
+  GPR_ASSERT(num_md == 1);
+  check_metadata(emd, md_elems, num_md);
+  grpc_credentials_unref(c);
+}
+
+static void test_access_token_creds(void) {
+  grpc_credentials *creds = grpc_access_token_credentials_create("blah");
+  GPR_ASSERT(grpc_credentials_has_request_metadata(creds));
+  GPR_ASSERT(grpc_credentials_has_request_metadata_only(creds));
+  GPR_ASSERT(strcmp(creds->type, GRPC_CREDENTIALS_TYPE_OAUTH2) == 0);
+  grpc_credentials_get_request_metadata(creds, NULL, test_service_url,
+                                        check_access_token_metadata, creds);
+}
+
 static void check_ssl_oauth2_composite_metadata(
     void *user_data, grpc_credentials_md *md_elems, size_t num_md,
     grpc_credentials_status status) {
@@ -863,6 +884,7 @@ int main(int argc, char **argv) {
   test_oauth2_token_fetcher_creds_parsing_missing_token_type();
   test_oauth2_token_fetcher_creds_parsing_missing_token_lifetime();
   test_iam_creds();
+  test_access_token_creds();
   test_ssl_oauth2_composite_creds();
   test_ssl_oauth2_iam_composite_creds();
   test_compute_engine_creds_success();