google: base account credential support

google/google.go

@@ -9,6 +9,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"golang.org/x/oauth2/google/internal/externalaccount"
 	"net/url"
 	"strings"
 	"time"
@@ -93,6 +94,7 @@ func JWTConfigFromJSON(jsonKey []byte, scope ...string) (*jwt.Config, error) {
 const (
 	serviceAccountKey  = "service_account"
 	userCredentialsKey = "authorized_user"
+	externalAccountKey = "external_account"
 )
 
 // credentialsFile is the unmarshalled representation of a credentials file.
@@ -111,6 +113,16 @@ type credentialsFile struct {
 	ClientSecret string `json:"client_secret"`
 	ClientID     string `json:"client_id"`
 	RefreshToken string `json:"refresh_token"`
+
+	// External Account fields
+	Audience string `json:"audience"`
+	SubjectTokenType string `json:"subject_token_type"`
+	TokenURLExternal string `json:"token_url"`
+	TokenInfoURL string `json:"token_info_url"`
+	ServiceAccountImpersonationURL string `json:"service_account_impersonation_url"`
+	CredentialSource externalaccount.CredentialSource `json:"credential_source"`
+	QuotaProjectID string `json:"quota_project_id"`
+
 }
 
 func (f *credentialsFile) jwtConfig(scopes []string) *jwt.Config {
@@ -141,6 +153,20 @@ func (f *credentialsFile) tokenSource(ctx context.Context, scopes []string) (oau
 		}
 		tok := &oauth2.Token{RefreshToken: f.RefreshToken}
 		return cfg.TokenSource(ctx, tok), nil
+	case externalAccountKey:
+		cfg := &externalaccount.Config{
+			Audience:	f.Audience,
+			SubjectTokenType: f.SubjectTokenType,
+			TokenURL: f.TokenURLExternal,
+			TokenInfoURL: f.TokenInfoURL,
+			ServiceAccountImpersonationURL: f.ServiceAccountImpersonationURL,
+			ClientSecret: f.ClientSecret,
+			ClientID: f.ClientID,
+			CredentialSource: f.CredentialSource,
+			QuotaProjectID: f.QuotaProjectID,
+			Scopes: scopes,
+		}
+		return cfg.TokenSource(ctx), nil
 	case "":
 		return nil, errors.New("missing 'type' field in credentials")
 	default: