From 475bc742d2302d6d2abcc2d7d14d9c636a6657b9 Mon Sep 17 00:00:00 2001
From: Brent Shaffer <betterbrent@google.com>
Date: Tue, 5 Nov 2024 10:54:16 -0800
Subject: [PATCH] add token endpoint metric

---
 src/Credentials/ServiceAccountCredentials.php       | 3 ++-
 src/Iam.php                                         | 6 ++++--
 tests/Credentials/ServiceAccountCredentialsTest.php | 4 ++++
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/Credentials/ServiceAccountCredentials.php b/src/Credentials/ServiceAccountCredentials.php
index 2b88b1e75..5c651bb71 100644
--- a/src/Credentials/ServiceAccountCredentials.php
+++ b/src/Credentials/ServiceAccountCredentials.php
@@ -236,7 +236,8 @@ public function fetchAuthToken(callable $httpHandler = null)
             $idToken = (new Iam($httpHandler, $this->getUniverseDomain()))->generateIdToken(
                 $this->auth->getIssuer(),
                 $this->auth->getAdditionalClaims()['target_audience'],
-                $jwt
+                $jwt,
+                $this->applyTokenEndpointMetrics([], 'it')
             );
             return ['id_token' => $idToken];
         }
diff --git a/src/Iam.php b/src/Iam.php
index a5eaaec65..46bee30d2 100644
--- a/src/Iam.php
+++ b/src/Iam.php
@@ -118,19 +118,21 @@ public function signBlob($email, $accessToken, $stringToSign, array $delegates =
      * @param string $clientEmail The service account email.
      * @param string $targetAudience The audience for the ID token.
      * @param string $bearerToken The token to authenticate the IAM request.
+     * @param array<string, string> $headers [optional] Additional headers to send with the request.
      *
      * @return string The signed string, base64-encoded.
      */
     public function generateIdToken(
         string $clientEmail,
         string $targetAudience,
-        string $bearerToken
+        string $bearerToken,
+        array $headers = []
     ): string {
         $name = sprintf(self::SERVICE_ACCOUNT_NAME, $clientEmail);
         $apiRoot = str_replace('UNIVERSE_DOMAIN', $this->universeDomain, self::IAM_API_ROOT_TEMPLATE);
         $uri = $apiRoot . '/' . sprintf(self::GENERATE_ID_TOKEN_PATH, $name);
 
-        $headers = ['Authorization' => 'Bearer ' . $bearerToken];
+        $headers['Authorization'] = 'Bearer ' . $bearerToken;
 
         $body = [
             'audience' => $targetAudience,
diff --git a/tests/Credentials/ServiceAccountCredentialsTest.php b/tests/Credentials/ServiceAccountCredentialsTest.php
index 41d0b40e1..63110448e 100644
--- a/tests/Credentials/ServiceAccountCredentialsTest.php
+++ b/tests/Credentials/ServiceAccountCredentialsTest.php
@@ -330,6 +330,10 @@ public function testShouldUseIamWhenTargetAudienceAndUniverseDomainIsSet()
             $this->assertArrayHasKey('iss', $jwtParams);
             $this->assertEquals('test@example.com', $jwtParams['iss']);
 
+            // Verify header contains the auth headers
+            $parts = explode(' ', $request->getHeaderLine('x-goog-api-client'));
+            $this->assertContains('auth-request-type/it', $parts);
+
             // return expected IAM ID token response
             return new Psr7\Response(200, [], json_encode(['token' => 'idtoken12345']));
         };