From 76e5c981a50fd139f1e0437e9d9f37ed848e8adc Mon Sep 17 00:00:00 2001
From: Senthil Kumar Karuppiah
Date: Wed, 8 Mar 2023 13:31:12 -0800
Subject: [PATCH] Add support for external_account.

* Also fix a bug for impersonated_service_account
* When creds are passed with WithCredentialsFile(), it doesn't work.
* Pass the option when creating the token source.
---
 idtoken/idtoken.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/idtoken/idtoken.go b/idtoken/idtoken.go
index b7a82e92bf0..46fa6894741 100644
--- a/idtoken/idtoken.go
+++ b/idtoken/idtoken.go
@@ -34,6 +34,7 @@ const (
 unknownCredType credentialsType = iota
 serviceAccount
 impersonatedServiceAccount
+ external_account
 )
 
 // NewClient creates a HTTP Client that automatically adds an ID token to each
@@ -139,7 +140,7 @@ func tokenSourceFromBytes(ctx context.Context, data []byte, audience string, ds
 return nil, err
 }
 return oauth2.ReuseTokenSource(tok, ts), nil
- case impersonatedServiceAccount:
+ case impersonatedServiceAccount, external_account:
 type url struct {
 ServiceAccountImpersonationURL string `json:"service_account_impersonation_url"`
 }
@@ -155,7 +156,7 @@ func tokenSourceFromBytes(ctx context.Context, data []byte, audience string, ds
 TargetPrincipal: account,
 IncludeEmail: true,
 }
- ts, err := impersonate.IDTokenSource(ctx, config)
+ ts, err := impersonate.IDTokenSource(ctx, config, option.WithCredentialsJSON(data))
 if err != nil {
 return nil, err
 }
@@ -188,6 +189,8 @@ func parseCredType(typeString string) credentialsType {
 return serviceAccount
 case "impersonated_service_account":
 return impersonatedServiceAccount
+ case "external_account":
+ return external_account
 default:
 return unknownCredType
 }
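Review bot: The new constant `external_account` in the const block (first hunk, `@@ -34,6 +34,7 @@`) breaks the MixedCaps naming that its siblings `serviceAccount` and `impersonatedServiceAccount` follow, and lint checks will flag the underscore. Rename it to `externalAccount` here and at its two other uses: `case impersonatedServiceAccount, externalAccount:` in tokenSourceFromBytes and `return externalAccount` in parseCredType. The const block opens above the hunk, so only its tail is visible.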
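Review bot: In the second hunk (`@@ -139,7 +140,7 @@`), `case impersonatedServiceAccount, external_account:` sends external_account files down a path that reads only `service_account_impersonation_url`, but that field is optional in an external_account configuration and is absent when federation is used without impersonation. The lines between this hunk and the next are not shown, so whether an empty URL is rejected cannot be confirmed from here; if it is not, the derived `TargetPrincipal` would be meaningless and the failure would surface later as an opaque API error. I would reject an empty value before the config is built and record why, e.g. `// external_account configs may omit service_account_impersonation_url; fail early with a clear error`. Because the target principal is taken from the credential file, the file also decides which service account the ID token is minted for, which the function's doc comment should state.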
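Review bot: The added `option.WithCredentialsJSON(data)` in the third hunk (`@@ -155,7 +156,7 @@`) hands the whole credential file to the auth library. For the newly accepted external_account type, that library follows the file's `credential_source` (a file, URL or executable) and `token_url`, so a configuration supplied by an untrusted party can steer where the process reads and sends credentials. Nothing visible in the diff validates those fields, and tokenSourceFromBytes continues outside the hunk. At minimum the trust assumption should be recorded above the call, e.g. `// data must come from a trusted source: for external_account it controls credential_source and token_url`, and repeated in the package documentation for callers that accept credential files from elsewhere.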
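Review bot: The `case "external_account":` mapping added to parseCredType in the last hunk (`@@ -188,6 +189,8 @@`) arrives without a test; the diffstat lists only idtoken/idtoken.go. A table-driven test feeding parseCredType each known type string plus an unknown one would pin the new branch and the `default` fallback to `unknownCredType`. The same change also alters the impersonated_service_account path, which the commit message describes as a bug fix, so a regression test for credentials supplied through the option would be worth adding alongside.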