feat: Missing full payload in identity token from GCECredentials

[Januznl]

Is your feature request related to a problem? Please describe.
We are missing the email of the authorized party when we decode the identity token on Cloud Run in PHP.

At this moment the PHP implementation of the GCECredential class is missing the full payload param on the identity token metadata server request. This is already in place in other SDK's like the python SDK:

https://github.com/googleapis/google-auth-library-python/blob/9cd67425e95faab15e57b258a70506b02bccb799/google/auth/compute_engine/credentials.py#L391

Describe the solution you'd like
My suggestion would be to add the param format=full for requests going to v1/instance/service-accounts/default/identity

[bshaffer]

Hello! Thank you for your suggestion.

We can add format=full to the GCECredentials request to get the ID Token, but I am not sure how the extra payload would be used / consumed by our customers. Also, which claim specifically are you looking for?

[Januznl]

We are missing the field "email" which holds the service account which generated the token. This allows us to identify which service is calling our cloud run app. The cloud-run app uses this service account email to apply in app permissions.