fix: add useEmailAzp claim for id token iam flow (#1270)

Author: arithmetic1728

packages/google-auth/google/oauth2/_client.py

@@ -331,7 +331,7 @@ def call_iam_generate_id_token_endpoint(request, signer_email, audience, access_
     Returns:
         Tuple[str, datetime]: The ID token and expiration.
     """
-    body = {"audience": audience, "includeEmail": "true"}
+    body = {"audience": audience, "includeEmail": "true", "useEmailAzp": "true"}
 
     response_data = _token_endpoint_request(
         request,

packages/google-auth/google/oauth2/service_account.py

@@ -743,10 +743,9 @@ def _refresh_with_iam_endpoint(self, request):
         request to IAM generateIdToken endpoint. The request body is:
             {
                 "audience": self._target_audience,
-                "includeEmail": "true"
+                "includeEmail": "true",
+                "useEmailAzp": "true",
             }
-        TODO: add "set_azp_to_email": "true" once it's ready from server side.
-        https://github.com/googleapis/google-auth-library-python/issues/1263
 
         If the request is succesfully, it will return {"token":"the ID token"},
         and we can extract the ID token and compute its expiry.

packages/google-auth/system_tests/secrets.tar.enc

@@ -326,6 +326,7 @@ def test_call_iam_generate_id_token_endpoint():
     response_body = json.loads(request.call_args[1]["body"])
     assert response_body["audience"] == "fake_audience"
     assert response_body["includeEmail"] == "true"
+    assert response_body["useEmailAzp"] == "true"
 
     # Check result
     assert token == id_token