Description
We are in the process of adding support for Trust Boundaries (PR #1778), which requires adding the x-allowed-locations header to various IAM API calls (generateIdToken, generateAccessToken, lookup_trust_boundary, etc.).
The current implementation correctly adds this header by ensuring that credentials.apply() is called on a headers dictionary before the HTTP request is made. While this works, it's a manual process that relies on developers remembering to add this step for every IAM call.
This pattern is error-prone and could lead to future inconsistencies. For example, if a new IAM endpoint is used, a developer might forget to call apply(), resulting in the Authorization and/or x-allowed-locations headers being omitted.
We should refactor the way we call IAM endpoints to centralize the request logic and guarantee that all necessary headers are always applied.
I propose creating dedicated helper functions within google/auth/iam.py for each of the main IAM API calls. These functions would encapsulate the logic for preparing headers and the request body. This would likely involve changes in google/auth/iam.py, google/oauth2/_client.py, google/auth/impersonated_credentials.py, and google/oauth2/service_account.py.
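A sketch of the centralized helper proposed above, as an added example that is not code from this issue or from the project. `StubCredentials`, `_iam_post`, `recording_request`, the helper signatures and the endpoint template are assumptions made for illustration; only the `apply()` call and the header names come from the description.

```python
import json

# Assumed endpoint template for this sketch.
_IAM_URL = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{email}:{method}"


class StubCredentials:
    """Constructed stand-in for a credentials object exposing apply()."""

    def __init__(self, token, allowed_locations=None):
        self.token = token
        self.allowed_locations = allowed_locations

    def apply(self, headers):
        headers["authorization"] = "Bearer {}".format(self.token)
        if self.allowed_locations is not None:
            headers["x-allowed-locations"] = self.allowed_locations


def _iam_post(request, credentials, email, method, body):
    """Single choke point: every IAM call takes its headers from apply()."""
    headers = {"Content-Type": "application/json"}
    credentials.apply(headers)
    # Fail closed if apply() left the request unauthenticated.
    if "authorization" not in {name.lower() for name in headers}:
        raise ValueError("credentials.apply() did not set Authorization")
    url = _IAM_URL.format(email=email, method=method)
    payload = json.dumps(body).encode("utf-8")
    return request(url=url, method="POST", headers=headers, body=payload)


def generate_access_token(request, credentials, email, scopes, lifetime="3600s"):
    body = {"scope": scopes, "lifetime": lifetime}
    return _iam_post(request, credentials, email, "generateAccessToken", body)


def generate_id_token(request, credentials, email, audience):
    body = {"audience": audience, "includeEmail": True}
    return _iam_post(request, credentials, email, "generateIdToken", body)


def recording_request(**kwargs):
    """Constructed fake transport: returns what it was asked to send."""
    return kwargs
```

Because callers never build headers themselves, a new IAM endpoint added as another thin wrapper over `_iam_post` cannot skip `apply()`.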