Restructured service account impersonation flow.

Change-Id: I17c0283f053711f44abaf5620f2642eea08aca62

google/internal/externalaccount/basecredentials.go

@@ -31,11 +31,26 @@ type Config struct {
 
 // TokenSource Returns an external account TokenSource struct. This is to be called by package google to construct a google.Credentials.
 func (c *Config) TokenSource(ctx context.Context) oauth2.TokenSource {
+	if c.ServiceAccountImpersonationURL == "" {
+		ts := tokenSource{
+			ctx:  ctx,
+			conf: c,
+		}
+		return oauth2.ReuseTokenSource(nil, ts)
+	}
+	imp := impersonateTokenSource{
+		ctx:    ctx,
+		url:    c.ServiceAccountImpersonationURL,
+		scopes: c.Scopes,
+	}
 	ts := tokenSource{
 		ctx:  ctx,
 		conf: c,
 	}
-	return oauth2.ReuseTokenSource(nil, ts)
+	ts.conf.ServiceAccountImpersonationURL = ""
+	ts.conf.Scopes = []string{"https://www.googleapis.com/auth/cloud-platform"}
+	imp.ts = oauth2.ReuseTokenSource(nil, ts)
+	return oauth2.ReuseTokenSource(nil, imp)
 }
 
 // Subject token file types.
@@ -89,14 +104,6 @@ type tokenSource struct {
 func (ts tokenSource) Token() (*oauth2.Token, error) {
 	conf := ts.conf
 
-	if conf.ServiceAccountImpersonationURL != "" {
-		token, err := ts.impersonate()
-		if err != nil {
-			return nil, err
-		}
-		return token, err
-	}
-
 	credSource := conf.parse(ts.ctx)
 	if credSource == nil {
 		return nil, fmt.Errorf("oauth2/google: unable to parse credential source")