diff --git a/src/Credentials/ServiceAccountCredentials.php b/src/Credentials/ServiceAccountCredentials.php index 2b88b1e75..5c651bb71 100644 --- a/src/Credentials/ServiceAccountCredentials.php +++ b/src/Credentials/ServiceAccountCredentials.php @@ -236,7 +236,8 @@ public function fetchAuthToken(callable $httpHandler = null) $idToken = (new Iam($httpHandler, $this->getUniverseDomain()))->generateIdToken( $this->auth->getIssuer(), $this->auth->getAdditionalClaims()['target_audience'], - $jwt + $jwt, + $this->applyTokenEndpointMetrics([], 'it') ); return ['id_token' => $idToken]; } diff --git a/src/Iam.php b/src/Iam.php index a5eaaec65..46bee30d2 100644 --- a/src/Iam.php +++ b/src/Iam.php @@ -118,19 +118,21 @@ public function signBlob($email, $accessToken, $stringToSign, array $delegates = * @param string $clientEmail The service account email. * @param string $targetAudience The audience for the ID token. * @param string $bearerToken The token to authenticate the IAM request. + * @param array $headers [optional] Additional headers to send with the request. * * @return string The signed string, base64-encoded. */ public function generateIdToken( string $clientEmail, string $targetAudience, - string $bearerToken + string $bearerToken, + array $headers = [] ): string { $name = sprintf(self::SERVICE_ACCOUNT_NAME, $clientEmail); $apiRoot = str_replace('UNIVERSE_DOMAIN', $this->universeDomain, self::IAM_API_ROOT_TEMPLATE); $uri = $apiRoot . '/' . sprintf(self::GENERATE_ID_TOKEN_PATH, $name); - $headers = ['Authorization' => 'Bearer ' . $bearerToken]; + $headers['Authorization'] = 'Bearer ' . $bearerToken; $body = [ 'audience' => $targetAudience, diff --git a/tests/Credentials/ServiceAccountCredentialsTest.php b/tests/Credentials/ServiceAccountCredentialsTest.php index 41d0b40e1..63110448e 100644 --- a/tests/Credentials/ServiceAccountCredentialsTest.php +++ b/tests/Credentials/ServiceAccountCredentialsTest.php 
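Review bot: The `'it'` literal passed as the second argument to `applyTokenEndpointMetrics()` is opaque at this call site, and nothing in the hunk says what it selects. Judging by the test in this commit it ends up as `auth-request-type/it` in the `x-goog-api-client` header, so a one-line comment above the call would help: `// 'it': request type reported as auth-request-type/it in x-goog-api-client (presumably "ID token")`. fetchAuthToken() starts and ends outside the hunk, so an explanation elsewhere in the method cannot be ruled out.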
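Review bot: `$headers['Authorization'] = 'Bearer ' . $bearerToken;` replaces only a key spelled exactly `Authorization`, so a caller-supplied `authorization` (or any other casing) survives in the array next to it. HTTP header names are case-insensitive, and if the request is built as a PSR-7 message further down (outside this hunk) the two entries would likely be merged into one header carrying both values, which puts a caller-controlled value beside the bearer token. Dropping case variants before the assignment closes this: `$headers = array_filter($headers, fn ($k) => strcasecmp((string) $k, 'Authorization') !== 0, ARRAY_FILTER_USE_KEY);`. The new `@param array $headers` line could also state that any `Authorization` entry is overridden and narrow the type to `array<string, string>`.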
@@ -330,6 +330,10 @@ public function testShouldUseIamWhenTargetAudienceAndUniverseDomainIsSet() $this->assertArrayHasKey('iss', $jwtParams); $this->assertEquals('test@example.com', $jwtParams['iss']); + // Verify header contains the auth headers + $parts = explode(' ', $request->getHeaderLine('x-goog-api-client')); + $this->assertContains('auth-request-type/it', $parts); + // return expected IAM ID token response return new Psr7\Response(200, [], json_encode(['token' => 'idtoken12345'])); };
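Review bot: The added assertions check only `x-goog-api-client`; nothing in the visible lines verifies that the `Authorization` header still reaches the IAM request now that `generateIdToken()` writes it into a caller-supplied array. Adding `$this->assertStringStartsWith('Bearer ', $request->getHeaderLine('Authorization'));` next to the new lines would pin that. The comment `// Verify header contains the auth headers` would read more precisely as `// Verify the x-goog-api-client metrics header carries the request type`. The handler closure begins outside the hunk, so an earlier assertion on `Authorization` may already exist there.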