Revert changes to idtoken

Author: nbayati

google/auth/impersonated_credentials.py

@@ -602,7 +602,6 @@ def refresh(self, request):
             "Content-Type": "application/json",
             metrics.API_CLIENT_HEADER: metrics.token_request_id_token_impersonate(),
         }
-        headers.update(self._target_credentials._get_trust_boundary_header())
 
         authed_session = AuthorizedSession(
             self._target_credentials._source_credentials, auth_request=request

google/oauth2/_client.py

@@ -327,7 +327,6 @@ def call_iam_generate_id_token_endpoint(
     signer_email,
     audience,
     access_token,
-    headers=None,
     universe_domain=credentials.DEFAULT_UNIVERSE_DOMAIN,
 ):
     """Call iam.generateIdToken endpoint to get ID token.
@@ -340,7 +339,6 @@ def call_iam_generate_id_token_endpoint(
             generateIdToken endpoint.
         audience (str): The audience for the ID token.
         access_token (str): The access token used to call the IAM endpoint.
-        headers (Optional[Mapping[str, str]]): The headers for the request.
         universe_domain (str): The universe domain for the request. The
             default is ``googleapis.com``.
 
@@ -357,7 +355,6 @@ def call_iam_generate_id_token_endpoint(
         body,
         access_token=access_token,
         use_json=True,
-        headers=headers,
     )
 
     try:

google/oauth2/service_account.py

@@ -921,16 +921,13 @@ def _refresh_with_iam_endpoint(self, request):
         )
         jwt_credentials.refresh(request)
 
-        headers = self._get_trust_boundary_header()
-
         self.token, self.expiry = _client.call_iam_generate_id_token_endpoint(
             request,
             self._iam_id_token_endpoint,
             self.signer_email,
             self._target_audience,
             jwt_credentials.token.decode(),
-            headers=headers,
-            universe_domain=self._universe_domain,
+            self._universe_domain,
         )
 
     @_helpers.copy_docstring(credentials.Credentials)

tests/oauth2/test__client.py

@@ -347,26 +347,6 @@ def test_call_iam_generate_id_token_endpoint():
     assert expiry == now
 
 
-def test_call_iam_generate_id_token_endpoint_with_headers():
-    now = _helpers.utcnow()
-    id_token_expiry = _helpers.datetime_to_secs(now)
-    id_token = jwt.encode(SIGNER, {"exp": id_token_expiry}).decode("utf-8")
-    request = make_request({"token": id_token})
-    headers = {"x-test-header": "test-value"}
-
-    _client.call_iam_generate_id_token_endpoint(
-        request,
-        iam._IAM_IDTOKEN_ENDPOINT,
-        "fake_email",
-        "fake_audience",
-        "fake_access_token",
-        headers=headers,
-        universe_domain="googleapis.com",
-    )
-
-    assert request.call_args[1]["headers"]["x-test-header"] == "test-value"
-
-
 def test_call_iam_generate_id_token_endpoint_no_id_token():
     request = make_request(
         {
@@ -382,7 +362,7 @@ def test_call_iam_generate_id_token_endpoint_no_id_token():
             "fake_email",
             "fake_audience",
             "fake_access_token",
-            universe_domain="googleapis.com",
+            "googleapis.com",
         )
     assert excinfo.match("No ID token in response")