diff --git a/lib/googleauth.rb b/lib/googleauth.rb
index d82b2ac..65ea0f4 100644
--- a/lib/googleauth.rb
+++ b/lib/googleauth.rb
@@ -61,9 +61,10 @@ END
 def self.determine_creds_class(json_key_io)
 json_key = MultiJson.load(json_key_io.read)
 fail "the json is missing the #{key} field" unless json_key.key?('type')
- svc_account = json_key['type'] == 'service_account'
- return json_key, ServiceAccountCredentials if svc_account
- [json_key, UserRefreshCredentials]
+ type = json_key['type']
+ return json_key, ServiceAccountCredentials if type == 'service_account'
+ return [json_key, UserRefreshCredentials] if type == 'authorized_user'
+ fail "credentials type '#{type}' is not supported"
 end
 end
diff --git a/spec/googleauth/get_application_default_spec.rb b/spec/googleauth/get_application_default_spec.rb
index d6522fa..28ec6cd 100644
--- a/spec/googleauth/get_application_default_spec.rb
+++ b/spec/googleauth/get_application_default_spec.rb
@@ -49,7 +49,7 @@ describe '#get_application_default' do
 ENV['HOME'] = @home unless @home == ENV['HOME']
 end
- shared_examples 'it loads them correctly' do
+ shared_examples 'it cannot load misconfigured credentials' do
 it 'fails if the GOOGLE_APPLICATION_CREDENTIALS path does not exist' do
 Dir.mktmpdir do |dir|
 key_path = File.join(dir, 'does-not-exist')
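Review bot: In `determine_creds_class` (lib/googleauth.rb), the unchanged guard `fail "the json is missing the #{key} field"` interpolates `key`, which is not defined in the visible method; unless a `key` method exists outside the hunk, a credentials file with no `type` field would raise NameError instead of the intended message. Naming the field directly avoids that: `fail "the json is missing the type field" unless json_key.key?('type')`. The new rejection message echoes `type` straight from the file, so `'#{type}'` could become `#{type.inspect}` to keep a non-string or multi-line value from splitting a log line. The two success returns also differ in form (`return json_key, ...` versus `return [json_key, ...]`); one form for both would read more evenly.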
@@ -58,28 +58,6 @@ describe '#get_application_default' do
 end
 end
- it 'succeeds if the GOOGLE_APPLICATION_CREDENTIALS file is valid' do
- Dir.mktmpdir do |dir|
- key_path = File.join(dir, 'my_cert_file')
- FileUtils.mkdir_p(File.dirname(key_path))
- File.write(key_path, cred_json_text)
- ENV[@var_name] = key_path
- expect(Google::Auth.get_application_default(@scope)).to_not be_nil
- end
- end
-
- it 'succeeds with default file without GOOGLE_APPLICATION_CREDENTIALS' do
- ENV.delete(@var_name) unless ENV[@var_name].nil?
- Dir.mktmpdir do |dir|
- key_path = File.join(dir, '.config',
- CredentialsLoader::WELL_KNOWN_PATH)
- FileUtils.mkdir_p(File.dirname(key_path))
- File.write(key_path, cred_json_text)
- ENV['HOME'] = dir
- expect(Google::Auth.get_application_default(@scope)).to_not be_nil
- end
- end
-
 it 'fails without default file or env if not on compute engine' do
 stubs = Faraday::Adapter::Test::Stubs.new do |stub|
 stub.get('/') do |_env|
@@ -101,6 +79,30 @@ describe '#get_application_default' do
 end
 stubs.verify_stubbed_calls
 end
+ end
+
+ shared_examples 'it can successfully load credentials' do
+ it 'succeeds if the GOOGLE_APPLICATION_CREDENTIALS file is valid' do
+ Dir.mktmpdir do |dir|
+ key_path = File.join(dir, 'my_cert_file')
+ FileUtils.mkdir_p(File.dirname(key_path))
+ File.write(key_path, cred_json_text)
+ ENV[@var_name] = key_path
+ expect(Google::Auth.get_application_default(@scope)).to_not be_nil
+ end
+ end
+
+ it 'succeeds with default file without GOOGLE_APPLICATION_CREDENTIALS' do
+ ENV.delete(@var_name) unless ENV[@var_name].nil?
+ Dir.mktmpdir do |dir|
+ key_path = File.join(dir, '.config',
+ CredentialsLoader::WELL_KNOWN_PATH)
+ FileUtils.mkdir_p(File.dirname(key_path))
+ File.write(key_path, cred_json_text)
+ ENV['HOME'] = dir
+ expect(Google::Auth.get_application_default(@scope)).to_not be_nil
+ end
+ end
 it 'succeeds without default file or env if on compute engine' do
 stubs = Faraday::Adapter::Test::Stubs.new do |stub|
@@ -137,7 +139,8 @@ describe '#get_application_default' do
 MultiJson.dump(cred_json)
 end
- it_behaves_like 'it loads them correctly'
+ it_behaves_like 'it can successfully load credentials'
+ it_behaves_like 'it cannot load misconfigured credentials'
 end
 describe 'when credential type is authorized_user' do
@@ -151,6 +154,47 @@ describe '#get_application_default' do
 MultiJson.dump(cred_json)
 end
- it_behaves_like 'it loads them correctly'
+ it_behaves_like 'it can successfully load credentials'
+ it_behaves_like 'it cannot load misconfigured credentials'
+ end
+
+ describe 'when credential type is unknown' do
+ def cred_json_text
+ cred_json = {
+ client_secret: 'privatekey',
+ refresh_token: 'refreshtoken',
+ client_id: 'app.apps.googleusercontent.com',
+ type: 'not_known_type'
+ }
+ MultiJson.dump(cred_json)
+ end
+
+ it 'fails if the GOOGLE_APPLICATION_CREDENTIALS file contains the creds' do
+ Dir.mktmpdir do |dir|
+ key_path = File.join(dir, 'my_cert_file')
+ FileUtils.mkdir_p(File.dirname(key_path))
+ File.write(key_path, cred_json_text)
+ ENV[@var_name] = key_path
+ blk = proc do
+ Google::Auth.get_application_default(@scope)
+ end
+ expect(&blk).to raise_error RuntimeError
+ end
+ end
+
+ it 'fails if the well known file contains the creds' do
+ ENV.delete(@var_name) unless ENV[@var_name].nil?
+ Dir.mktmpdir do |dir|
+ key_path = File.join(dir, '.config',
+ CredentialsLoader::WELL_KNOWN_PATH)
+ FileUtils.mkdir_p(File.dirname(key_path))
+ File.write(key_path, cred_json_text)
+ ENV['HOME'] = dir
+ blk = proc do
+ Google::Auth.get_application_default(@scope)
+ end
+ expect(&blk).to raise_error RuntimeError
+ end
+ end
 end
 end
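Review bot: Both new examples under 'when credential type is unknown' assert only `raise_error RuntimeError`, so they pass for any RuntimeError raised while loading, not specifically the new unsupported-type rejection. If the well-known file were not picked up and the loader failed for some other reason (what it raises in that case is not visible here), the second example could still go green without exercising the new branch. Matching the message pins the behaviour under test: `expect(&blk).to raise_error(RuntimeError, /is not supported/)`. The enclosing `describe '#get_application_default'` block starts outside the hunk.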