feat(idtoken): add support for external_account.

Senthil Kumar Karuppiah · Senthil Kumar Karuppiah · commit cff29b91a3ba · 2023-03-13T12:42:14.000-07:00
* Also fix a bug for impersonated_service_account * When creds are passed with WithCredentialsFile(), it doesn't work. * Pass the option when creating the token source. * Fixes PR googleapis#1879
diff --git a/idtoken/idtoken.go b/idtoken/idtoken.go
@@ -34,6 +34,7 @@ const (
 	unknownCredType credentialsType = iota
 	serviceAccount
 	impersonatedServiceAccount
+	external_account
 )
 
 // NewClient creates a HTTP Client that automatically adds an ID token to each
@@ -139,7 +140,7 @@ func tokenSourceFromBytes(ctx context.Context, data []byte, audience string, ds
 			return nil, err
 		}
 		return oauth2.ReuseTokenSource(tok, ts), nil
-	case impersonatedServiceAccount:
+	case impersonatedServiceAccount, external_account:
 		type url struct {
 			ServiceAccountImpersonationURL string `json:"service_account_impersonation_url"`
 		}
@@ -155,7 +156,7 @@ func tokenSourceFromBytes(ctx context.Context, data []byte, audience string, ds
 			TargetPrincipal: account,
 			IncludeEmail:    true,
 		}
-		ts, err := impersonate.IDTokenSource(ctx, config)
+		ts, err := impersonate.IDTokenSource(ctx, config, option.WithCredentialsJSON(data))
 		if err != nil {
 			return nil, err
 		}
@@ -188,6 +189,8 @@ func parseCredType(typeString string) credentialsType {
 		return serviceAccount
 	case "impersonated_service_account":
 		return impersonatedServiceAccount
+	case "external_account":
+		return external_account
 	default:
 		return unknownCredType
 	}

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,7 @@ const (`
`34`	`34`	`unknownCredType credentialsType = iota`
`35`	`35`	`serviceAccount`
`36`	`36`	`impersonatedServiceAccount`
	`37`	`+ external_account`
`37`	`38`	`)`
`38`	`39`
`39`	`40`	`// NewClient creates a HTTP Client that automatically adds an ID token to each`
`@@ -139,7 +140,7 @@ func tokenSourceFromBytes(ctx context.Context, data []byte, audience string, ds`
`139`	`140`	`return nil, err`
`140`	`141`	`}`
`141`	`142`	`return oauth2.ReuseTokenSource(tok, ts), nil`
`142`		`- case impersonatedServiceAccount:`
	`143`	`+ case impersonatedServiceAccount, external_account:`
`143`	`144`	`type url struct {`
`144`	`145`	ServiceAccountImpersonationURL string `json:"service_account_impersonation_url"`
`145`	`146`	`}`
`@@ -155,7 +156,7 @@ func tokenSourceFromBytes(ctx context.Context, data []byte, audience string, ds`
`155`	`156`	`TargetPrincipal: account,`
`156`	`157`	`IncludeEmail: true,`
`157`	`158`	`}`
`158`		`- ts, err := impersonate.IDTokenSource(ctx, config)`
	`159`	`+ ts, err := impersonate.IDTokenSource(ctx, config, option.WithCredentialsJSON(data))`
`159`	`160`	`if err != nil {`
`160`	`161`	`return nil, err`
`161`	`162`	`}`
`@@ -188,6 +189,8 @@ func parseCredType(typeString string) credentialsType {`
`188`	`189`	`return serviceAccount`
`189`	`190`	`case "impersonated_service_account":`
`190`	`191`	`return impersonatedServiceAccount`
	`192`	`+ case "external_account":`
	`193`	`+ return external_account`
`191`	`194`	`default:`
`192`	`195`	`return unknownCredType`
`193`	`196`	`}`