Programmatic access from a service account to a Google IAP protected resource denied with invalid signature error

I tried your code, and I found that it doesn't work with v0.23.0, but it does work with v0.24.0 (latest one at the time of writing).

It is indeed a bug, the release notes mention the following:

When provided, use the TokenSource from options for NewTransport. This fixes a bug in idtoken.NewClient where the wrong TokenSource was being used for authentication.

Interestingly, 0.23.0 is sending a token signed with the service account's private key with the following claims:

    "iss":"[email protected]",
    "sub":"[email protected]"

and 0.24.0 sends a token signed with Google's private key (internally, the previous token is exchanged for a Google-signed token):

    "azp":"[email protected]",
    "email":"[email protected]",
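The two token shapes described in the answer can be told apart by inspecting the claims of the bearer token the client actually sends. The following is an added diagnostic example, not code from the question, the answer or the Google client library: it decodes a JWT payload without verifying the signature (diagnostics only, never authorization), classifies the token as self-signed by the service account or as Google-signed, and checks the audience. The service-account address, key id and audience are constructed placeholders.

```python
import base64
import json

# Issuers Google uses for ID tokens it signs itself
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS WITHOUT checking the signature.
    Only for looking at what a client sent; IAP does the real verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str) -> str:
    """'self-signed'  : iss/sub are the service account itself (the v0.23.0 shape)
       'google-signed': iss is accounts.google.com, identity in email/azp (v0.24.0)"""
    claims = decode_jwt_claims(token)
    iss = claims.get("iss", "")
    if iss in GOOGLE_ISSUERS:
        return "google-signed"
    if iss.endswith(".iam.gserviceaccount.com") and claims.get("sub") == iss:
        return "self-signed"
    return "unknown"


def check_iap_token(token: str, expected_audience: str) -> list:
    """Return a list of reasons IAP would be expected to reject this token."""
    problems = []
    claims = decode_jwt_claims(token)
    if classify_token(token) != "google-signed":
        problems.append("not a Google-signed ID token (IAP cannot verify its signature)")
    if claims.get("aud") != expected_audience:
        problems.append("aud does not match the IAP OAuth client ID")
    if "email" not in claims:
        problems.append("no email claim to match against the IAP access policy")
    return problems


# --- constructed sample data (placeholders, not real identities or keys) ---
SA_EMAIL = "iap-client@my-project.iam.gserviceaccount.com"
IAP_AUDIENCE = "123456789-placeholder.apps.googleusercontent.com"


def make_unsigned_sample(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature for demonstration."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "placeholder-key-id"}
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(claims)}.{_b64url_encode(b'placeholder-signature')}"


# Shape sent by v0.23.0: signed by the service account's own key
SELF_SIGNED_TOKEN = make_unsigned_sample({
    "iss": SA_EMAIL, "sub": SA_EMAIL, "aud": IAP_AUDIENCE,
    "iat": 1700000000, "exp": 1700003600,
})

# Shape sent by v0.24.0: the service-account assertion exchanged for a Google-signed token
GOOGLE_SIGNED_TOKEN = make_unsigned_sample({
    "iss": "https://accounts.google.com", "azp": SA_EMAIL, "email": SA_EMAIL,
    "email_verified": True, "aud": IAP_AUDIENCE,
    "iat": 1700000000, "exp": 1700003600,
})

if __name__ == "__main__":
    for name, tok in (("v0.23.0", SELF_SIGNED_TOKEN), ("v0.24.0", GOOGLE_SIGNED_TOKEN)):
        print(name, classify_token(tok), check_iap_token(tok, IAP_AUDIENCE))
```

Run it against a real token by capturing the `Authorization: Bearer` value the client sends (for example with the library's HTTP debug logging) and passing it to `check_iap_token` together with the IAP OAuth client ID; a self-signed result explains the "invalid signature" rejection, since IAP only trusts tokens signed by Google's keys.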