google/google: update documentation for workload identity federation

Including information on executable-sourced credentials

Change-Id: I39bcf20ffd1f5a9026d3d18e127411c03021977d
GitHub-Last-Rev: d61f2e71d26d9111f0fecd481ee1615ac60ad49b
GitHub-Pull-Request: golang/oauth2#592
TryBot-Result: Gopher Robot <>
Reviewed-by: Leo Siracusa <>
Run-TryBot: Cody Oss <>
Reviewed-by: Cody Oss <>
Auto-Submit: Cody Oss <>
diff --git a/google/doc.go b/google/doc.go
index dddf651..b3e7bc8 100644
--- a/google/doc.go
+++ b/google/doc.go
@@ -40,9 +40,10 @@
 //	Microsoft Azure:
 //	OIDC identity provider:
-// For OIDC providers, the library can retrieve OIDC tokens either from a
-// local file location (file-sourced credentials) or from a local server
-// (URL-sourced credentials).
+// For OIDC and SAML providers, the library can retrieve tokens in three ways:
+// from a local file location (file-sourced credentials), from a server
+// (URL-sourced credentials), or from a local executable (executable-sourced
+// credentials).
 // For file-sourced credentials, a background process needs to be continuously
 // refreshing the file location with a new OIDC token prior to expiration.
 // For tokens with one hour lifetimes, the token needs to be updated in the file
@@ -50,6 +51,11 @@
 // For URL-sourced credentials, a local server needs to host a GET endpoint to
 // return the OIDC token. The response can be in plain text or JSON.
 // Additional required request headers can also be specified.
+// For executable-sourced credentials, an application needs to be available to
+// output the OIDC token and other information in a JSON format.
+// For more information on how these work (and how to implement
+// executable-sourced credentials), please check out:
 // # Credentials