Cannot get id_token when using impersonated service account:

[liufuyang]

func main() {
	ctx := context.Background()
	defaultTokenSource, _ := google.DefaultTokenSource(
		ctx,
		"https://www.googleapis.com/auth/cloud-platform",
	)
	token, err := defaultTokenSource.Token()
	idToken, ok := token.Extra("id_token").(string)
	if !ok {
		fmt.Println("No id_token")
	}
	fmt.Println(err)
	fmt.Println(idToken)
}

With a simple piece of code above, if a normal google user authentication is used, one could get
refresh token and also the id_token, seem from the debug screenshot:

But when an impersonated service account is used (by setting the key.json via setting GOOGLE_APPLICATION_CREDENTIALS, and the json key is got by running gcloud --impersonate-service-account xxxsa@xxx.iam.gserviceaccount.com auth application-default login), there is no refresh token got and also no raw and no id_token (a JWT token) on it

Resulting in the code above prints no id_token and no JWT token can be retrieved.

Is this expected behaviour? Thanks.

[seankhliao]

I believe the appropriate place is with googleapis/google-api-go-client#873

[liufuyang]

@seankhliao May I ask how is this package related to the googleapis/google-api-go-client#1792 change?