IssueTracker

This will create a feature request which anybody can view and comment on.

Please describe your requested enhancement. Good feature requests will solve common problems or enable new use cases.

What you would like to accomplish:
I would to be able to call Cloud run/function with the resulting token from WIF directly without workarounds and have the original token properties within the resulting token.

How this might work:
WIF would need to have the capability to issue a ID Token that would have the information of the original token.
We could use the Attributes mapping from WIF to have these mapped and have the resulting IT token with the mapped information.

If applicable, reasons why alternative solutions are not sufficient:
Workaround1: The alternative right now is to call the WIF, get the access token and then exchange it for a ID token by calling the serviceAcount:generateIdToken. This does not allow the specification of any attributes as the generateIdToken only supports two fields to be passed. We are missing the original token properties.

Workaround 2: Another possibility as suggested by Google would be to add the original token an addition header before the call to Cloud run / function, although this has not been tested as of now by us. But requires a coded workaround.

Workaround 3: Configure the WIF attribute mapping and then use the conditions to assign a service account per calling application and role. This workaround, although feasible, is not scalable. A cloud run service that can be invoked by 10 application and if each application has 5 roles, that would mean 50 service accounts to cover all calling apps and roles.

Other information (workarounds you have tried, documentation consulted, etc):