google/externalaccount: add support for workforce pool credentials

Workforce pools (external account credentials for non-Google users) are
organization-level resources which means that issued workforce pool tokens
will not have any client project ID on token exchange as currently designed.

"To use a Google API, the client must identify the application to the server.
If the API requires authentication, the client must also identify the principal
running the application."

The application here is the client project. The token will identify the user
principal but not the application. This will result in APIs rejecting requests
authenticated with these tokens.

Note that passing a x-goog-user-project override header on API request is
still not sufficient. The token is still expected to have a client project.

As a result, we have extended the spec to support an additional
workforce_pool_user_project for these credentials (workforce pools) which will
be passed when exchanging an external token for a Google Access token. After the
exchange, the issued access token will use the supplied project as the client
project. The underlying principal must still have
IAM permission to use the project for billing/quota.

This field is not needed for flows with basic client authentication (e.g. client
ID is supplied). The client ID is sufficient to determine the client project and
any additionally supplied workforce_pool_user_project value will be ignored.

Note that this feature is not usable yet publicly.

Change-Id: I8311d7783e4048c260cbb68e90d3565df864d7e0
GitHub-Last-Rev: a6dc5ebc95207b4cf04a0f3df45e745b24cd76c4
GitHub-Pull-Request: golang/oauth2#520
Reviewed-by: Cody Oss <>
Reviewed-by: Bassam Ojeil <>
Trust: Cody Oss <>
Trust: Tyler Bui-Palsulich <>
Run-TryBot: Cody Oss <>
TryBot-Result: Go Bot <>
3 files changed
tree: 10ade54caa048207311d70bc498e29faca3f4d0b
  1. amazon/
  2. authhandler/
  3. bitbucket/
  4. cern/
  5. clientcredentials/
  6. endpoints/
  7. facebook/
  8. fitbit/
  9. foursquare/
  10. github/
  11. gitlab/
  12. google/
  13. heroku/
  14. hipchat/
  15. instagram/
  16. internal/
  17. jira/
  18. jws/
  19. jwt/
  20. kakao/
  21. linkedin/
  22. mailchimp/
  23. mailru/
  24. mediamath/
  25. microsoft/
  26. nokiahealth/
  27. odnoklassniki/
  28. paypal/
  29. slack/
  30. spotify/
  31. stackoverflow/
  32. twitch/
  33. uber/
  34. vk/
  35. yahoo/
  36. yandex/
  37. .travis.yml
  41. example_test.go
  42. go.mod
  43. go.sum
  45. oauth2.go
  46. oauth2_test.go
  48. token.go
  49. token_test.go
  50. transport.go
  51. transport_test.go

OAuth2 for Go

Go Reference Build Status

oauth2 package contains a client implementation for OAuth 2.0 spec.


go get

Or you can manually git clone the repository to $(go env GOPATH)/src/

See for further documentation and examples.

Policy for new packages

We no longer accept new provider-specific packages in this repo if all they do is add a single endpoint variable. If you just want to add a single endpoint, add it to the package.

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see

The main issue tracker for the oauth2 repository is located at