From 55f262c3a4e8d287ceeeee844b0d174299acc439 Mon Sep 17 00:00:00 2001
From: Cody Oss <6331106+codyoss@users.noreply.github.com>
Date: Fri, 29 Jan 2021 13:49:44 -0700
Subject: [PATCH] fix(internal): don't self-sign JWT when an endpoint provided (#847)
---
 internal/creds.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/internal/creds.go b/internal/creds.go
index 87b2f474d00..1f635e430cc 100644
--- a/internal/creds.go
+++ b/internal/creds.go
@@ -65,8 +65,9 @@ const (
 // credentialsFromJSON returns a google.Credentials based on the input.
 //
 // - A self-signed JWT auth flow will be executed if: the data file is a service
-// account, no user are scopes provided, an audience is provided, and
-// credentials will not be impersonated.
+// account, no user are scopes provided, an audience is provided, a user
+// specified endpoint is not provided, and credentials will not be
+// impersonated.
 //
 // - Otherwise, executes a stanard OAuth 2.0 flow.
 func credentialsFromJSON(ctx context.Context, data []byte, ds *DialSettings) (*google.Credentials, error) {
@@ -78,7 +79,8 @@ func credentialsFromJSON(ctx context.Context, data []byte, ds *DialSettings) (*g
 if len(data) == 0 ||
 len(ds.Scopes) > 0 ||
 (ds.DefaultAudience == "" && len(ds.Audiences) == 0) ||
- ds.ImpersonationConfig != nil {
+ ds.ImpersonationConfig != nil ||
+ ds.Endpoint != "" {
 return cred, nil
 }
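Review bot: The rewritten bullet in the credentialsFromJSON doc comment still reads `no user are scopes provided`, with two words transposed. Since the commit re-wraps these lines anyway, it could read `no user scopes are provided`. The neighbouring context line has `stanard` where `standard` is meant.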
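Review bot: The new `ds.Endpoint != ""` clause in the guard has no comment explaining why a caller-supplied endpoint must disable the self-signed JWT flow, and the diffstat shows only internal/creds.go changed, so no test pins the fallback. Presumably the token's audience comes from the default audience and would not match an overridden endpoint; if so, say it next to the condition, e.g. `// A user-specified endpoint may not match the default audience, so fall back to OAuth 2.0.` A test that sets Endpoint together with DefaultAudience and asserts the OAuth 2.0 path would stop a later refactor from silently re-enabling self-signed tokens against custom endpoints. The body of credentialsFromJSON continues outside the hunk.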