diff --git a/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
index 6e79f9f43..4fa7d8cc4 100644
--- a/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
@@ -42,6 +42,7 @@
 import com.google.api.client.util.GenericData;
 import com.google.auth.ServiceAccountSigner;
 import com.google.auth.http.HttpTransportFactory;
+import com.google.common.annotations.Beta;
 import com.google.common.base.MoreObjects;
 import java.io.IOException;
 import java.io.InputStream;
@@ -50,6 +51,7 @@
 import java.net.UnknownHostException;
 import java.util.Collections;
 import java.util.Date;
+import java.util.List;
 import java.util.Map;
 import java.util.Objects;
 import java.util.logging.Level;
@@ -62,7 +64,8 @@
  *
  * <p>These credentials use the IAM API to sign data. See {@link #sign(byte[])} for more details.
  */
-public class ComputeEngineCredentials extends GoogleCredentials implements ServiceAccountSigner {
+public class ComputeEngineCredentials extends GoogleCredentials
+    implements ServiceAccountSigner, IdTokenProvider {
 
   private static final Logger LOGGER = Logger.getLogger(ComputeEngineCredentials.class.getName());
 
@@ -157,6 +160,45 @@ public AccessToken refreshAccessToken() throws IOException {
     return new AccessToken(accessToken, new Date(expiresAtMilliseconds));
   }
 
+  /**
+   * Returns a Google ID Token from the metadata server on ComputeEngine
+   *
+   * @param targetAudience the aud: field the IdToken should include
+   * @param options list of Credential specific options for the token. For example, an IDToken for a
+   *     ComputeEngineCredential could have the full formatted claims returned if
+   *     IdTokenProvider.Option.FORMAT_FULL) is provided as a list option. Valid option values are:
+   *     <br>
+   *     IdTokenProvider.Option.FORMAT_FULL<br>
+   *     IdTokenProvider.Option.LICENSES_TRUE<br>
+   *     If no options are set, the defaults are "&amp;format=standard&amp;licenses=false"
+   * @throws IOException if the attempt to get an IdToken failed
+   * @return IdToken object which includes the raw id_token, JsonWebSignature
+   */
+  @Beta
+  @Override
+  public IdToken idTokenWithAudience(String targetAudience, List<IdTokenProvider.Option> options)
+      throws IOException {
+    GenericUrl documentUrl = new GenericUrl(getIdentityDocumentUrl());
+    if (options != null) {
+      if (options.contains(IdTokenProvider.Option.FORMAT_FULL)) {
+        documentUrl.set("format", "full");
+      }
+      if (options.contains(IdTokenProvider.Option.LICENSES_TRUE)) {
+        // license will only get returned if format is also full
+        documentUrl.set("format", "full");
+        documentUrl.set("license", "TRUE");
+      }
+    }
+    documentUrl.set("audience", targetAudience);
+    HttpResponse response = getMetadataResponse(documentUrl.toString());
+    InputStream content = response.getContent();
+    if (content == null) {
+      throw new IOException("Empty content from metadata token server request.");
+    }
+    String rawToken = response.parseAsString();
+    return IdToken.create(rawToken);
+  }
+
   private HttpResponse getMetadataResponse(String url) throws IOException {
     GenericUrl genericUrl = new GenericUrl(url);
     HttpRequest request =
@@ -243,6 +285,11 @@ public static String getServiceAccountsUrl() {
         + "/computeMetadata/v1/instance/service-accounts/?recursive=true";
   }
 
+  public static String getIdentityDocumentUrl() {
+    return getMetadataServerUrl(DefaultCredentialsProvider.DEFAULT)
+        + "/computeMetadata/v1/instance/service-accounts/default/identity";
+  }
+
   @Override
   public int hashCode() {
     return Objects.hash(transportFactoryClassName);
diff --git a/oauth2_http/java/com/google/auth/oauth2/IamUtils.java b/oauth2_http/java/com/google/auth/oauth2/IamUtils.java
index d4675c963..58ba91f97 100644
--- a/oauth2_http/java/com/google/auth/oauth2/IamUtils.java
+++ b/oauth2_http/java/com/google/auth/oauth2/IamUtils.java
@@ -37,6 +37,7 @@
 import com.google.api.client.http.HttpStatusCodes;
 import com.google.api.client.http.HttpTransport;
 import com.google.api.client.http.json.JsonHttpContent;
+import com.google.api.client.json.GenericJson;
 import com.google.api.client.json.JsonObjectParser;
 import com.google.api.client.util.GenericData;
 import com.google.auth.Credentials;
@@ -54,6 +55,8 @@
 class IamUtils {
   private static final String SIGN_BLOB_URL_FORMAT =
       "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s:signBlob";
+  private static final String ID_TOKEN_URL_FORMAT =
+      "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s:generateIdToken";
   private static final String PARSE_ERROR_MESSAGE = "Error parsing error message response. ";
   private static final String PARSE_ERROR_SIGNATURE = "Error parsing signature response. ";
 
@@ -138,4 +141,74 @@ private static String getSignature(
     GenericData responseData = response.parseAs(GenericData.class);
     return OAuth2Utils.validateString(responseData, "signedBlob", PARSE_ERROR_SIGNATURE);
   }
+
+  /**
+   * Returns an IdToken issued to the serviceAccount with a specified targetAudience
+   *
+   * @param serviceAccountEmail the email address for the service account to get an ID Token for
+   * @param credentials credentials required for making the IAM call
+   * @param transport transport used for building the HTTP request
+   * @param targetAudience the audience the issued ID token should include
+   * @param additionalFields additional fields to send in the IAM call
+   * @return IdToken issed to the serviceAccount
+   * @throws IOException if the IdToken cannot be issued.
+   * @see
+   *     https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/generateIdToken
+   */
+  static IdToken getIdToken(
+      String serviceAccountEmail,
+      Credentials credentials,
+      HttpTransport transport,
+      String targetAudience,
+      boolean includeEmail,
+      Map<String, ?> additionalFields)
+      throws IOException {
+
+    String idTokenUrl = String.format(ID_TOKEN_URL_FORMAT, serviceAccountEmail);
+    GenericUrl genericUrl = new GenericUrl(idTokenUrl);
+
+    GenericData idTokenRequest = new GenericData();
+    idTokenRequest.set("audience", targetAudience);
+    idTokenRequest.set("includeEmail", includeEmail);
+    for (Map.Entry<String, ?> entry : additionalFields.entrySet()) {
+      idTokenRequest.set(entry.getKey(), entry.getValue());
+    }
+    JsonHttpContent idTokenContent = new JsonHttpContent(OAuth2Utils.JSON_FACTORY, idTokenRequest);
+
+    HttpCredentialsAdapter adapter = new HttpCredentialsAdapter(credentials);
+    HttpRequest request =
+        transport.createRequestFactory(adapter).buildPostRequest(genericUrl, idTokenContent);
+
+    JsonObjectParser parser = new JsonObjectParser(OAuth2Utils.JSON_FACTORY);
+    request.setParser(parser);
+    request.setThrowExceptionOnExecuteError(false);
+
+    HttpResponse response = request.execute();
+    int statusCode = response.getStatusCode();
+    if (statusCode >= 400 && statusCode < HttpStatusCodes.STATUS_CODE_SERVER_ERROR) {
+      GenericData responseError = response.parseAs(GenericData.class);
+      Map<String, Object> error =
+          OAuth2Utils.validateMap(responseError, "error", PARSE_ERROR_MESSAGE);
+      String errorMessage = OAuth2Utils.validateString(error, "message", PARSE_ERROR_MESSAGE);
+      throw new IOException(
+          String.format("Error code %s trying to getIDToken: %s", statusCode, errorMessage));
+    }
+    if (statusCode != HttpStatusCodes.STATUS_CODE_OK) {
+      throw new IOException(
+          String.format(
+              "Unexpected Error code %s trying to getIDToken: %s",
+              statusCode, response.parseAsString()));
+    }
+    InputStream content = response.getContent();
+    if (content == null) {
+      // Throw explicitly here on empty content to avoid NullPointerException from
+      // parseAs call.
+      // Mock transports will have success code with empty content by default.
+      throw new IOException("Empty content from generateIDToken server request.");
+    }
+
+    GenericJson responseData = response.parseAs(GenericJson.class);
+    String rawToken = OAuth2Utils.validateString(responseData, "token", PARSE_ERROR_MESSAGE);
+    return IdToken.create(rawToken);
+  }
 }
diff --git a/oauth2_http/java/com/google/auth/oauth2/IdToken.java b/oauth2_http/java/com/google/auth/oauth2/IdToken.java
new file mode 100644
index 000000000..4d7e88eea
--- /dev/null
+++ b/oauth2_http/java/com/google/auth/oauth2/IdToken.java
@@ -0,0 +1,125 @@
+/*
+ * Copyright 2019, Google LLC
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *    * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *    * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *
+ *    * Neither the name of Google LLC nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package com.google.auth.oauth2;
+
+import com.google.api.client.json.JsonFactory;
+import com.google.api.client.json.webtoken.JsonWebSignature;
+import com.google.common.annotations.Beta;
+import com.google.common.base.MoreObjects;
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.io.Serializable;
+import java.util.Date;
+import java.util.Objects;
+
+/** Represents a temporary IdToken and its JsonWebSignature object */
+@Beta
+public class IdToken extends AccessToken implements Serializable {
+
+  private static final long serialVersionUID = -8514239465808977353L;
+
+  private transient JsonWebSignature jsonWebSignature;
+
+  /**
+   * @param tokenValue String representation of the ID token.
+   * @param jsonWebSignature JsonWebSignature as object
+   */
+  private IdToken(String tokenValue, JsonWebSignature jsonWebSignature) {
+    super(tokenValue, new Date(jsonWebSignature.getPayload().getExpirationTimeSeconds() * 1000));
+    this.jsonWebSignature = jsonWebSignature;
+  }
+
+  /**
+   * Creates an IdToken given the encoded Json Web Signature.
+   *
+   * @param tokenValue String representation of the ID token.
+   * @return returns com.google.auth.oauth2.IdToken
+   */
+  public static IdToken create(String tokenValue) throws IOException {
+    return create(tokenValue, OAuth2Utils.JSON_FACTORY);
+  }
+
+  /**
+   * Creates an IdToken given the encoded Json Web Signature and JSON Factory
+   *
+   * @param jsonFactory JsonFactory to use for parsing the provided token.
+   * @param tokenValue String representation of the ID token.
+   * @return returns com.google.auth.oauth2.IdToken
+   */
+  public static IdToken create(String tokenValue, JsonFactory jsonFactory) throws IOException {
+    return new IdToken(tokenValue, JsonWebSignature.parse(jsonFactory, tokenValue));
+  }
+
+  /**
+   * The JsonWebSignature as object
+   *
+   * @return returns com.google.api.client.json.webtoken.JsonWebSignature
+   */
+  public JsonWebSignature getJsonWebSignature() {
+    return jsonWebSignature;
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hash(
+        super.getTokenValue(), jsonWebSignature.getHeader(), jsonWebSignature.getPayload());
+  }
+
+  @Override
+  public String toString() {
+    return MoreObjects.toStringHelper(this)
+        .add("tokenValue", super.getTokenValue())
+        .add("JsonWebSignature", jsonWebSignature)
+        .toString();
+  }
+
+  @Override
+  public boolean equals(Object obj) {
+    if (!(obj instanceof IdToken)) {
+      return false;
+    }
+    IdToken other = (IdToken) obj;
+    return Objects.equals(super.getTokenValue(), other.getTokenValue())
+        && Objects.equals(this.jsonWebSignature.getHeader(), other.jsonWebSignature.getHeader())
+        && Objects.equals(this.jsonWebSignature.getPayload(), other.jsonWebSignature.getPayload());
+  }
+
+  private void writeObject(ObjectOutputStream oos) throws IOException {
+    oos.writeObject(this.getTokenValue());
+  }
+
+  private void readObject(ObjectInputStream ois) throws ClassNotFoundException, IOException {
+    String signature = (String) ois.readObject();
+    this.jsonWebSignature = JsonWebSignature.parse(OAuth2Utils.JSON_FACTORY, signature);
+  }
+}
diff --git a/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java b/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
new file mode 100644
index 000000000..6b827c5f9
--- /dev/null
+++ b/oauth2_http/java/com/google/auth/oauth2/IdTokenCredentials.java
@@ -0,0 +1,198 @@
+/*
+ * Copyright 2019, Google LLC
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *    * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *    * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *
+ *    * Neither the name of Google LLC nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package com.google.auth.oauth2;
+
+import com.google.api.client.util.Preconditions;
+import com.google.common.annotations.Beta;
+import com.google.common.base.MoreObjects;
+import java.io.IOException;
+import java.util.List;
+import java.util.Objects;
+
+/**
+ * IdTokenCredentials provides a Google Issued OpenIdConnect token. <br>
+ * Use an ID token to access services that require presenting an ID token for authentication such as
+ * Cloud Functions or Cloud Run.<br>
+ * The following Credential subclasses support IDTokens: ServiceAccountCredentials,
+ * ComputeEngineCredentials, ImpersonatedCredentials.
+ *
+ * <p>For more information see <br>
+ * Usage:<br>
+ *
+ * <pre>
+ * String credPath = "/path/to/svc_account.json";
+ * String targetAudience = "https://example.com";
+ *
+ * // For Application Default Credentials (as ServiceAccountCredentials)
+ * // export GOOGLE_APPLICATION_CREDENTIALS=/path/to/svc.json
+ * GoogleCredentials adcCreds = GoogleCredentials.getApplicationDefault();
+ * if (!adcCreds instanceof IdTokenProvider) {
+ *   // handle error message
+ * }
+ *
+ * IdTokenCredentials tokenCredential = IdTokenCredentials.newBuilder()
+ *     .setIdTokenProvider(adcCreds)
+ *     .setTargetAudience(targetAudience).build();
+ *
+ * // for ServiceAccountCredentials
+ * ServiceAccountCredentials saCreds = ServiceAccountCredentials.fromStream(new FileInputStream(credPath));
+ * saCreds = (ServiceAccountCredentials) saCreds.createScoped(Arrays.asList("https://www.googleapis.com/auth/iam"));
+ * IdTokenCredentials tokenCredential = IdTokenCredentials.newBuilder()
+ *     .setIdTokenProvider(saCreds)
+ *     .setTargetAudience(targetAudience).build();
+ *
+ * // for ComputeEngineCredentials
+ * ComputeEngineCredentials caCreds = ComputeEngineCredentials.create();
+ * IdTokenCredentials tokenCredential = IdTokenCredentials.newBuilder()
+ *     .setIdTokenProvider(caCreds)
+ *     .setTargetAudience(targetAudience)
+ *     .setOptions(Arrays.asList(ComputeEngineCredentials.ID_TOKEN_FORMAT_FULL))
+ *     .build();
+ *
+ * // for ImpersonatedCredentials
+ * ImpersonatedCredentials imCreds = ImpersonatedCredentials.create(saCreds,
+ *     "impersonated-account@project.iam.gserviceaccount.com", null,
+ *     Arrays.asList("https://www.googleapis.com/auth/cloud-platform"), 300);
+ * IdTokenCredentials tokenCredential = IdTokenCredentials.newBuilder()
+ *     .setIdTokenProvider(imCreds)
+ *     .setTargetAudience(targetAudience)
+ *     .setOptions(Arrays.asList(ImpersonatedCredentials.INCLUDE_EMAIL))
+ *     .build();
+ *
+ * // Use the IdTokenCredential in an authorized transport
+ * GenericUrl genericUrl = new GenericUrl("https://example.com");
+ * HttpCredentialsAdapter adapter = new HttpCredentialsAdapter(tokenCredential);
+ * HttpTransport transport = new NetHttpTransport();
+ * HttpRequest request = transport.createRequestFactory(adapter).buildGetRequest(genericUrl);
+ * HttpResponse response = request.execute();
+ *
+ * // Print the token, expiration and the audience
+ * System.out.println(tokenCredential.getIdToken().getTokenValue());
+ * System.out.println(tokenCredential.getIdToken().getJsonWebSignature().getPayload().getAudienceAsList());
+ * System.out.println(tokenCredential.getIdToken().getJsonWebSignature().getPayload().getExpirationTimeSeconds());
+ * </pre>
+ */
+@Beta
+public class IdTokenCredentials extends OAuth2Credentials {
+
+  private static final long serialVersionUID = -2133257318957588431L;
+
+  private IdTokenProvider idTokenProvider;
+  private String targetAudience;
+  private List<IdTokenProvider.Option> options;
+
+  private IdTokenCredentials(Builder builder) {
+    this.idTokenProvider = Preconditions.checkNotNull(builder.getIdTokenProvider());
+    this.targetAudience = Preconditions.checkNotNull(builder.getTargetAudience());
+    this.options = builder.getOptions();
+  }
+
+  @Override
+  public AccessToken refreshAccessToken() throws IOException {
+    return this.idTokenProvider.idTokenWithAudience(targetAudience, options);
+  }
+
+  public IdToken getIdToken() {
+    return (IdToken) getAccessToken();
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hash(options, targetAudience);
+  }
+
+  @Override
+  public String toString() {
+    return MoreObjects.toStringHelper(this).toString();
+  }
+
+  @Override
+  public boolean equals(Object obj) {
+    if (!(obj instanceof IdTokenCredentials)) {
+      return false;
+    }
+    IdTokenCredentials other = (IdTokenCredentials) obj;
+    return Objects.equals(this.idTokenProvider, other.idTokenProvider)
+        && Objects.equals(this.targetAudience, other.targetAudience);
+  }
+
+  public Builder toBuilder() {
+    return new Builder()
+        .setIdTokenProvider(this.idTokenProvider)
+        .setTargetAudience(this.targetAudience)
+        .setOptions(this.options);
+  }
+
+  public static Builder newBuilder() {
+    return new Builder();
+  }
+
+  public static class Builder extends OAuth2Credentials.Builder {
+
+    private IdTokenProvider idTokenProvider;
+    private String targetAudience;
+    private List<IdTokenProvider.Option> options;
+
+    protected Builder() {}
+
+    public Builder setIdTokenProvider(IdTokenProvider idTokenProvider) {
+      this.idTokenProvider = idTokenProvider;
+      return this;
+    }
+
+    public IdTokenProvider getIdTokenProvider() {
+      return this.idTokenProvider;
+    }
+
+    public Builder setTargetAudience(String targetAudience) {
+      this.targetAudience = targetAudience;
+      return this;
+    }
+
+    public String getTargetAudience() {
+      return this.targetAudience;
+    }
+
+    public Builder setOptions(List<IdTokenProvider.Option> options) {
+      this.options = options;
+      return this;
+    }
+
+    public List<IdTokenProvider.Option> getOptions() {
+      return this.options;
+    }
+
+    public IdTokenCredentials build() {
+      return new IdTokenCredentials(this);
+    }
+  }
+}
diff --git a/oauth2_http/java/com/google/auth/oauth2/IdTokenProvider.java b/oauth2_http/java/com/google/auth/oauth2/IdTokenProvider.java
new file mode 100644
index 000000000..fe3b0f667
--- /dev/null
+++ b/oauth2_http/java/com/google/auth/oauth2/IdTokenProvider.java
@@ -0,0 +1,86 @@
+/*
+ * Copyright 2019, Google LLC
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *    * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *    * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *
+ *    * Neither the name of Google LLC nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package com.google.auth.oauth2;
+
+import com.google.common.annotations.Beta;
+import java.io.IOException;
+import java.util.List;
+
+/** Interface for an Google OIDC token provider. This type represents a google issued OIDC token. */
+@Beta
+public interface IdTokenProvider {
+
+  /**
+   * Enum of various credential-specific options to apply to the token.
+   *
+   * <p><b>ComputeEngineCredentials</b>
+   *
+   * <ul>
+   *   <li>FORMAT_FULL
+   *   <li>LICENSES_TRUE
+   * </ul>
+   *
+   * <br>
+   * <b>ImpersonatedCredential</b>
+   *
+   * <ul>
+   *   <li>INCLUDE_EMAIL
+   * </ul>
+   */
+  public enum Option {
+    FORMAT_FULL("formatFull"),
+    LICENSES_TRUE("licensesTrue"),
+    INCLUDE_EMAIL("includeEmail");
+
+    private String option;
+
+    private Option(String option) {
+      this.option = option;
+    }
+
+    public String getOption() {
+      return option;
+    }
+  }
+
+  /**
+   * Returns a Google OpenID Token with the provided audience field.
+   *
+   * @param targetAudience List of audiences the issued ID Token should be valid for. targetAudience
+   *     accepts a single string value (multiple audiences are not supported)
+   * @param options List of Credential specific options for for the token. For example, an IDToken
+   *     for a ComputeEngineCredential can return platform specific claims if
+   *     "ComputeEngineCredentials.ID_TOKEN_FORMAT_FULL" is provided as a list option.
+   * @return IdToken object which includes the raw id_token, expiration and audience.
+   */
+  IdToken idTokenWithAudience(String targetAudience, List<Option> options) throws IOException;
+}
diff --git a/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java
index 016726d7c..d9fdcc5c4 100644
--- a/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java
@@ -45,6 +45,7 @@
 import com.google.auth.ServiceAccountSigner;
 import com.google.auth.http.HttpCredentialsAdapter;
 import com.google.auth.http.HttpTransportFactory;
+import com.google.common.annotations.Beta;
 import com.google.common.base.MoreObjects;
 import com.google.common.collect.ImmutableMap;
 import java.io.IOException;
@@ -84,7 +85,8 @@
  *     System.out.println(b);
  * </pre>
  */
-public class ImpersonatedCredentials extends GoogleCredentials implements ServiceAccountSigner {
+public class ImpersonatedCredentials extends GoogleCredentials
+    implements ServiceAccountSigner, IdTokenProvider {
 
   private static final long serialVersionUID = -2133257318957488431L;
   private static final String RFC3339 = "yyyy-MM-dd'T'HH:mm:ss'Z'";
@@ -275,6 +277,33 @@ public AccessToken refreshAccessToken() throws IOException {
     return new AccessToken(accessToken, date);
   }
 
+  /**
+   * Returns an IdToken for the current Credential.
+   *
+   * @param targetAudience the audience field for the issued ID Token
+   * @param options List of Credential specific options for for the token. For example, an IDToken
+   *     for a ImpersonatedCredentials can return the email address within the token claims if
+   *     "ImpersonatedCredentials.INCLUDE_EMAIL" is provided as a list option.<br>
+   *     Only one option value is supported: "ImpersonatedCredentials.INCLUDE_EMAIL" If no options
+   *     are set, the default excludes the "includeEmail" attribute in the API request
+   * @return IdToken object which includes the raw id_token, expiration and audience.
+   * @throws IOException if the attempt to get an IdToken failed
+   */
+  @Beta
+  @Override
+  public IdToken idTokenWithAudience(String targetAudience, List<IdTokenProvider.Option> options)
+      throws IOException {
+    boolean includeEmail =
+        options != null && options.contains(IdTokenProvider.Option.INCLUDE_EMAIL);
+    return IamUtils.getIdToken(
+        getAccount(),
+        sourceCredentials,
+        transportFactory.create(),
+        targetAudience,
+        includeEmail,
+        ImmutableMap.of("delegates", this.delegates));
+  }
+
   @Override
   public int hashCode() {
     return Objects.hash(sourceCredentials, targetPrincipal, delegates, scopes, lifetime);
diff --git a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
index e70af3a70..1aac83a60 100644
--- a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
@@ -55,6 +55,8 @@
 import com.google.api.client.util.SecurityUtils;
 import com.google.auth.ServiceAccountSigner;
 import com.google.auth.http.HttpTransportFactory;
+import com.google.common.annotations.Beta;
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.MoreObjects;
 import com.google.common.collect.ImmutableSet;
 import java.io.IOException;
@@ -73,8 +75,9 @@
 import java.security.SignatureException;
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.PKCS8EncodedKeySpec;
-import java.sql.Date;
 import java.util.Collection;
+import java.util.Date;
+import java.util.List;
 import java.util.Map;
 import java.util.Objects;
 
@@ -84,7 +87,7 @@
  * <p>By default uses a JSON Web Token (JWT) to fetch access tokens.
  */
 public class ServiceAccountCredentials extends GoogleCredentials
-    implements JwtProvider, ServiceAccountSigner {
+    implements ServiceAccountSigner, IdTokenProvider, JwtProvider {
 
   private static final long serialVersionUID = 7807543542681217978L;
   private static final String GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";
@@ -438,6 +441,42 @@ public boolean isRequired(HttpResponse response) {
     return new AccessToken(accessToken, new Date(expiresAtMilliseconds));
   }
 
+  /**
+   * Returns a Google ID Token from the metadata server on ComputeEngine.
+   *
+   * @param targetAudience the aud: field the IdToken should include.
+   * @param options list of Credential specific options for for the token. Currently unused for
+   *     ServiceAccountCredentials.
+   * @throws IOException if the attempt to get an IdToken failed
+   * @return IdToken object which includes the raw id_token, expiration and audience
+   */
+  @Beta
+  @Override
+  public IdToken idTokenWithAudience(String targetAudience, List<IdTokenProvider.Option> options)
+      throws IOException {
+
+    JsonFactory jsonFactory = OAuth2Utils.JSON_FACTORY;
+    long currentTime = clock.currentTimeMillis();
+    String assertion =
+        createAssertionForIdToken(
+            jsonFactory, currentTime, tokenServerUri.toString(), targetAudience);
+
+    GenericData tokenRequest = new GenericData();
+    tokenRequest.set("grant_type", GRANT_TYPE);
+    tokenRequest.set("assertion", assertion);
+    UrlEncodedContent content = new UrlEncodedContent(tokenRequest);
+
+    HttpRequestFactory requestFactory = transportFactory.create().createRequestFactory();
+    HttpRequest request = requestFactory.buildPostRequest(new GenericUrl(tokenServerUri), content);
+    request.setParser(new JsonObjectParser(jsonFactory));
+    HttpResponse response = request.execute();
+
+    GenericData responseData = response.parseAs(GenericData.class);
+    String rawToken = OAuth2Utils.validateString(responseData, "id_token", PARSE_ERROR_PREFIX);
+
+    return IdToken.create(rawToken);
+  }
+
   /** Returns whether the scopes are empty, meaning createScoped must be called before use. */
   @Override
   public boolean createScopedRequired() {
@@ -615,6 +654,39 @@ String createAssertion(JsonFactory jsonFactory, long currentTime, String audienc
     return assertion;
   }
 
+  @VisibleForTesting
+  String createAssertionForIdToken(
+      JsonFactory jsonFactory, long currentTime, String audience, String targetAudience)
+      throws IOException {
+    JsonWebSignature.Header header = new JsonWebSignature.Header();
+    header.setAlgorithm("RS256");
+    header.setType("JWT");
+    header.setKeyId(privateKeyId);
+
+    JsonWebToken.Payload payload = new JsonWebToken.Payload();
+    payload.setIssuer(clientEmail);
+    payload.setIssuedAtTimeSeconds(currentTime / 1000);
+    payload.setExpirationTimeSeconds(currentTime / 1000 + 3600);
+    payload.setSubject(serviceAccountUser);
+
+    if (audience == null) {
+      payload.setAudience(OAuth2Utils.TOKEN_SERVER_URI.toString());
+    } else {
+      payload.setAudience(audience);
+    }
+
+    try {
+      payload.set("target_audience", targetAudience);
+
+      String assertion =
+          JsonWebSignature.signUsingRsaSha256(privateKey, jsonFactory, header, payload);
+      return assertion;
+    } catch (GeneralSecurityException e) {
+      throw new IOException(
+          "Error signing service account access token request with private key.", e);
+    }
+  }
+
   @SuppressWarnings("unused")
   private void readObject(ObjectInputStream input) throws IOException, ClassNotFoundException {
     // properly deserialize the transient transportFactory
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
index 442ff64d8..5eca95e38 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
@@ -35,6 +35,7 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertSame;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
@@ -43,8 +44,10 @@
 import com.google.api.client.http.HttpTransport;
 import com.google.api.client.http.LowLevelHttpRequest;
 import com.google.api.client.http.LowLevelHttpResponse;
+import com.google.api.client.json.webtoken.JsonWebToken.Payload;
 import com.google.api.client.testing.http.MockLowLevelHttpRequest;
 import com.google.api.client.testing.http.MockLowLevelHttpResponse;
+import com.google.api.client.util.ArrayMap;
 import com.google.api.client.util.Clock;
 import com.google.auth.ServiceAccountSigner.SigningException;
 import com.google.auth.TestUtils;
@@ -52,6 +55,7 @@
 import com.google.auth.oauth2.GoogleCredentialsTest.MockHttpTransportFactory;
 import java.io.IOException;
 import java.net.URI;
+import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
 import org.junit.Test;
@@ -64,6 +68,41 @@ public class ComputeEngineCredentialsTest extends BaseSerializationTest {
 
   private static final URI CALL_URI = URI.create("http://googleapis.com/testapi/v1/foo");
 
+  // Id Token which includes basic default claims
+  public static final String STANDARD_ID_TOKEN =
+      "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRmMzc1ODkwOGI3OTIyO"
+          + "TNhZDk3N2EwYjk5MWQ5OGE3N2Y0ZWVlY2QiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2Zvby5iYXIiL"
+          + "CJhenAiOiIxMDIxMDE1NTA4MzQyMDA3MDg1NjgiLCJleHAiOjE1NjQ0NzUwNTEsImlhdCI6MTU2NDQ3MTQ1MSwi"
+          + "aXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTAyMTAxNTUwODM0MjAwNzA4NTY4In0"
+          + ".redacted";
+
+  // Id Token which includes GCE extended claims
+  public static final String FULL_ID_TOKEN =
+      "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRmMzc1ODkwOGI3OTIyOTNh"
+          + "ZDk3N2EwYjk5MWQ5OGE3N2Y0ZWVlY2QiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2Zvby5iYXIiLCJhe"
+          + "nAiOiIxMTIxNzkwNjI3MjAzOTEzMDU4ODUiLCJlbWFpbCI6IjEwNzEyODQxODQ0MzYtY29tcHV0ZUBkZXZlbG9wZ"
+          + "XIuZ3NlcnZpY2VhY2NvdW50LmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJleHAiOjE1NjQ1MTk0OTYsImdvb"
+          + "2dsZSI6eyJjb21wdXRlX2VuZ2luZSI6eyJpbnN0YW5jZV9jcmVhdGlvbl90aW1lc3RhbXAiOjE1NjMyMzA5MDcsI"
+          + "mluc3RhbmNlX2lkIjoiMzQ5Nzk3NDM5MzQ0MTE3OTI0MyIsImluc3RhbmNlX25hbWUiOiJpYW0iLCJwcm9qZWN0X"
+          + "2lkIjoibWluZXJhbC1taW51dGlhLTgyMCIsInByb2plY3RfbnVtYmVyIjoxMDcxMjg0MTg0NDM2LCJ6b25lIjoid"
+          + "XMtY2VudHJhbDEtYSJ9fSwiaWF0IjoxNTY0NTE1ODk2LCJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb"
+          + "20iLCJzdWIiOiIxMTIxNzkwNjI3MjAzOTEzMDU4ODUifQ.redacted";
+
+  // Id Token which includes GCE extended claims and any VM License data (if applicable)
+  public static final String FULL_ID_TOKEN_WITH_LICENSE =
+      "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRmMzc1ODkwOG"
+          + "I3OTIyOTNhZDk3N2EwYjk5MWQ5OGE3N2Y0ZWVlY2QiLCJ0eXAiOiJKV1QifQ.ew0KICAiYXVkIjogImh0dHBzOi8"
+          + "vZm9vLmJhciIsDQogICJhenAiOiAiMTEyMTc5MDYyNzIwMzkxMzA1ODg1IiwNCiAgImVtYWlsIjogIjEyMzQ1Ni1"
+          + "jb21wdXRlQGRldmVsb3Blci5nc2VydmljZWFjY291bnQuY29tIiwNCiAgImVtYWlsX3ZlcmlmaWVkIjogdHJ1ZSw"
+          + "NCiAgImV4cCI6IDE1NjQ1MTk0OTYsDQogICJnb29nbGUiOiB7DQogICAgImNvbXB1dGVfZW5naW5lIjogew0KICA"
+          + "gICAgImluc3RhbmNlX2NyZWF0aW9uX3RpbWVzdGFtcCI6IDE1NjMyMzA5MDcsDQogICAgICAiaW5zdGFuY2VfaWQ"
+          + "iOiAiMzQ5Nzk3NDM5MzQ0MTE3OTI0MyIsDQogICAgICAiaW5zdGFuY2VfbmFtZSI6ICJpYW0iLA0KICAgICAgInB"
+          + "yb2plY3RfaWQiOiAiZm9vLWJhci04MjAiLA0KICAgICAgInByb2plY3RfbnVtYmVyIjogMTA3MTI4NDE4NDQzNiw"
+          + "NCiAgICAgICJ6b25lIjogInVzLWNlbnRyYWwxLWEiDQogICAgfSwNCiAgICAibGljZW5zZSI6IFsNCiAgICAgICA"
+          + "iTElDRU5TRV8xIiwNCiAgICAgICAiTElDRU5TRV8yIg0KICAgIF0NCiAgfSwNCiAgImlhdCI6IDE1NjQ1MTU4OTY"
+          + "sDQogICJpc3MiOiAiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tIiwNCiAgInN1YiI6ICIxMTIxNzkwNjI3MjA"
+          + "zOTEzMDU4ODUiDQp9.redacted";
+
   static class MockMetadataServerTransportFactory implements HttpTransportFactory {
 
     MockMetadataServerTransport transport = new MockMetadataServerTransport();
@@ -440,4 +479,91 @@ public LowLevelHttpResponse execute() throws IOException {
       assertTrue(e.getCause().getMessage().contains("Empty content"));
     }
   }
+
+  @Test
+  public void idTokenWithAudience_sameAs() throws IOException {
+    MockMetadataServerTransportFactory transportFactory = new MockMetadataServerTransportFactory();
+    transportFactory.transport.setIdToken(STANDARD_ID_TOKEN);
+    ComputeEngineCredentials credentials =
+        ComputeEngineCredentials.newBuilder().setHttpTransportFactory(transportFactory).build();
+
+    String targetAudience = "https://foo.bar";
+    IdTokenCredentials tokenCredential =
+        IdTokenCredentials.newBuilder()
+            .setIdTokenProvider(credentials)
+            .setTargetAudience(targetAudience)
+            .build();
+    tokenCredential.refresh();
+    assertEquals(STANDARD_ID_TOKEN, tokenCredential.getAccessToken().getTokenValue());
+    assertEquals(STANDARD_ID_TOKEN, tokenCredential.getIdToken().getTokenValue());
+    assertEquals(
+        targetAudience,
+        (String) tokenCredential.getIdToken().getJsonWebSignature().getPayload().getAudience());
+  }
+
+  @Test
+  public void idTokenWithAudience_standard() throws IOException {
+    MockMetadataServerTransportFactory transportFactory = new MockMetadataServerTransportFactory();
+    ComputeEngineCredentials credentials =
+        ComputeEngineCredentials.newBuilder().setHttpTransportFactory(transportFactory).build();
+
+    String targetAudience = "https://foo.bar";
+    IdTokenCredentials tokenCredential =
+        IdTokenCredentials.newBuilder()
+            .setIdTokenProvider(credentials)
+            .setTargetAudience(targetAudience)
+            .build();
+    tokenCredential.refresh();
+    assertEquals(STANDARD_ID_TOKEN, tokenCredential.getAccessToken().getTokenValue());
+    assertEquals(STANDARD_ID_TOKEN, tokenCredential.getIdToken().getTokenValue());
+    assertNull(tokenCredential.getIdToken().getJsonWebSignature().getPayload().get("google"));
+  }
+
+  @Test
+  @SuppressWarnings("unchecked")
+  public void idTokenWithAudience_full() throws IOException {
+    MockMetadataServerTransportFactory transportFactory = new MockMetadataServerTransportFactory();
+    ComputeEngineCredentials credentials =
+        ComputeEngineCredentials.newBuilder().setHttpTransportFactory(transportFactory).build();
+
+    String targetAudience = "https://foo.bar";
+    IdTokenCredentials tokenCredential =
+        IdTokenCredentials.newBuilder()
+            .setIdTokenProvider(credentials)
+            .setTargetAudience(targetAudience)
+            .setOptions(Arrays.asList(IdTokenProvider.Option.FORMAT_FULL))
+            .build();
+    tokenCredential.refresh();
+    Payload p = tokenCredential.getIdToken().getJsonWebSignature().getPayload();
+    if (!p.containsKey("google")) {
+      assertFalse("Full ID Token format not provided", false);
+    }
+    ArrayMap<String, ArrayMap> googleClaim = (ArrayMap<String, ArrayMap>) p.get("google");
+    assert (googleClaim.containsKey("compute_engine"));
+  }
+
+  @Test
+  @SuppressWarnings("unchecked")
+  public void idTokenWithAudience_license() throws IOException {
+    MockMetadataServerTransportFactory transportFactory = new MockMetadataServerTransportFactory();
+    ComputeEngineCredentials credentials =
+        ComputeEngineCredentials.newBuilder().setHttpTransportFactory(transportFactory).build();
+
+    String targetAudience = "https://foo.bar";
+    IdTokenCredentials tokenCredential =
+        IdTokenCredentials.newBuilder()
+            .setIdTokenProvider(credentials)
+            .setTargetAudience(targetAudience)
+            .setOptions(
+                Arrays.asList(
+                    IdTokenProvider.Option.FORMAT_FULL, IdTokenProvider.Option.LICENSES_TRUE))
+            .build();
+    tokenCredential.refresh();
+    Payload p = tokenCredential.getIdToken().getJsonWebSignature().getPayload();
+    if (!p.containsKey("google")) {
+      assertFalse("Full ID Token format not provided", false);
+    }
+    ArrayMap<String, ArrayMap> googleClaim = (ArrayMap<String, ArrayMap>) p.get("google");
+    assert (googleClaim.containsKey("license"));
+  }
 }
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/IdTokenCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/IdTokenCredentialsTest.java
new file mode 100644
index 000000000..7dbf770c3
--- /dev/null
+++ b/oauth2_http/javatests/com/google/auth/oauth2/IdTokenCredentialsTest.java
@@ -0,0 +1,116 @@
+/*
+ * Copyright 2019, Google LLC
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *    * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *    * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *
+ *    * Neither the name of Google LLC nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package com.google.auth.oauth2;
+
+import static org.junit.Assert.assertEquals;
+
+import java.io.IOException;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.JUnit4;
+
+/** Test case for {@link IdTokenCredentials}. */
+@RunWith(JUnit4.class)
+public class IdTokenCredentialsTest extends BaseSerializationTest {
+
+  @Test
+  public void hashCode_equals() throws IOException {
+    ComputeEngineCredentialsTest.MockMetadataServerTransportFactory transportFactory =
+        new ComputeEngineCredentialsTest.MockMetadataServerTransportFactory();
+    transportFactory.transport.setIdToken(ComputeEngineCredentialsTest.STANDARD_ID_TOKEN);
+    ComputeEngineCredentials credentials =
+        ComputeEngineCredentials.newBuilder().setHttpTransportFactory(transportFactory).build();
+
+    String targetAudience = "https://foo.bar";
+    IdTokenCredentials tokenCredential =
+        IdTokenCredentials.newBuilder()
+            .setIdTokenProvider(credentials)
+            .setTargetAudience(targetAudience)
+            .build();
+    tokenCredential.refresh();
+
+    IdTokenCredentials otherCredential =
+        IdTokenCredentials.newBuilder()
+            .setIdTokenProvider(credentials)
+            .setTargetAudience(targetAudience)
+            .build();
+    otherCredential.refresh();
+    assertEquals(tokenCredential, tokenCredential.toBuilder().build());
+    assertEquals(tokenCredential.hashCode(), otherCredential.hashCode());
+  }
+
+  @Test
+  public void toString_equals() throws IOException {
+    ComputeEngineCredentialsTest.MockMetadataServerTransportFactory transportFactory =
+        new ComputeEngineCredentialsTest.MockMetadataServerTransportFactory();
+    transportFactory.transport.setIdToken(ComputeEngineCredentialsTest.STANDARD_ID_TOKEN);
+    ComputeEngineCredentials credentials =
+        ComputeEngineCredentials.newBuilder().setHttpTransportFactory(transportFactory).build();
+
+    String targetAudience = "https://foo.bar";
+    IdTokenCredentials tokenCredential =
+        IdTokenCredentials.newBuilder()
+            .setIdTokenProvider(credentials)
+            .setTargetAudience(targetAudience)
+            .build();
+    tokenCredential.refresh();
+
+    IdTokenCredentials otherCredential =
+        IdTokenCredentials.newBuilder()
+            .setIdTokenProvider(credentials)
+            .setTargetAudience(targetAudience)
+            .build();
+    otherCredential.refresh();
+
+    assertEquals(tokenCredential.toString(), otherCredential.toString());
+  }
+
+  @Test
+  public void serialize() throws IOException, ClassNotFoundException {
+
+    ComputeEngineCredentialsTest.MockMetadataServerTransportFactory transportFactory =
+        new ComputeEngineCredentialsTest.MockMetadataServerTransportFactory();
+    transportFactory.transport.setIdToken(ComputeEngineCredentialsTest.STANDARD_ID_TOKEN);
+    ComputeEngineCredentials credentials =
+        ComputeEngineCredentials.newBuilder().setHttpTransportFactory(transportFactory).build();
+
+    String targetAudience = "https://foo.bar";
+    IdTokenCredentials tokenCredential =
+        IdTokenCredentials.newBuilder()
+            .setIdTokenProvider(credentials)
+            .setTargetAudience(targetAudience)
+            .build();
+    tokenCredential.refresh();
+    IdTokenCredentials deserializedCredentials = serializeAndDeserialize(tokenCredential);
+    assertEquals(tokenCredential, deserializedCredentials);
+  }
+}
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/IdTokenTest.java b/oauth2_http/javatests/com/google/auth/oauth2/IdTokenTest.java
new file mode 100644
index 000000000..14c94995e
--- /dev/null
+++ b/oauth2_http/javatests/com/google/auth/oauth2/IdTokenTest.java
@@ -0,0 +1,102 @@
+/*
+ * Copyright 2016, Google Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *    * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *    * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *
+ *    * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package com.google.auth.oauth2;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import java.io.IOException;
+import java.util.Date;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.JUnit4;
+
+/** Unit tests for AccessToken */
+@RunWith(JUnit4.class)
+public class IdTokenTest extends BaseSerializationTest {
+
+  private static final String TOKEN_1 =
+      "eyJhbGciOiJSUzI1NiIsImtpZCI6IjM0OTRiMWU3ODZjZGFkMDkyZTQyMzc2NmJiZTM3ZjU0ZWQ4N2IyMmQiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhdWQiOiJodHRwczovL2Zvby5iYXIiLCJhenAiOiJzdmMtMi00MjlAbWluZXJhbC1taW51dGlhLTgyMC5pYW0uZ3NlcnZpY2VhY2NvdW50LmNvbSIsInN1YiI6IjEwMDE0NzEwNjk5Njc2NDQ3OTA4NSIsImVtYWlsIjoic3ZjLTItNDI5QG1pbmVyYWwtbWludXRpYS04MjAuaWFtLmdzZXJ2aWNlYWNjb3VudC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiaWF0IjoxNTY1Mzg3NTM4LCJleHAiOjE1NjUzOTExMzh9.foo";
+  private static final String TOKEN_2 =
+      "eyJhbGciOiJSUzI1NiIsImtpZCI6IjM0OTRiMWU3ODZjZGFkMDkyZTQyMzc2NmJiZTM3ZjU0ZWQ4N2IyMmQiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhdWQiOiJodHRwczovL2Jhci5mb28iLCJhenAiOiJzdmMtMi00MjlAbWluZXJhbC1taW51dGlhLTgyMC5pYW0uZ3NlcnZpY2VhY2NvdW50LmNvbSIsInN1YiI6IjEwMDE0NzEwNjk5Njc2NDQ3OTA4NSIsImVtYWlsIjoic3ZjLTItNDI5QG1pbmVyYWwtbWludXRpYS04MjAuaWFtLmdzZXJ2aWNlYWNjb3VudC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiaWF0IjoxNTY1Mzg4NjM0LCJleHAiOjE1NjUzOTIyMzR9.foo";
+  private static final Date EXPIRATION_DATE = new Date((long) 1565391138 * 1000);
+
+  @Test
+  public void constructor() throws IOException {
+    IdToken idToken = IdToken.create(TOKEN_1);
+    assertEquals(TOKEN_1, idToken.getTokenValue());
+    assertEquals(EXPIRATION_DATE, idToken.getExpirationTime());
+  }
+
+  @Test
+  public void equals_true() throws IOException {
+    IdToken accessToken = IdToken.create(TOKEN_1);
+    IdToken otherAccessToken = IdToken.create(TOKEN_1);
+    assertTrue(accessToken.equals(otherAccessToken));
+    assertTrue(otherAccessToken.equals(accessToken));
+  }
+
+  @Test
+  public void equals_false_token() throws IOException {
+    IdToken accessToken = IdToken.create(TOKEN_1);
+    IdToken otherAccessToken = IdToken.create(TOKEN_2);
+    assertFalse(accessToken.equals(otherAccessToken));
+    assertFalse(otherAccessToken.equals(accessToken));
+  }
+
+  @Test
+  public void toString_test() throws IOException {
+    IdToken accessToken = IdToken.create(TOKEN_1);
+    String expectedToString =
+        String.format(
+            "IdToken{tokenValue=%s, JsonWebSignature=JsonWebSignature{header={\"alg\":\"RS256\",\"kid\":\"3494b1e786cdad092e423766bbe37f54ed87b22d\",\"typ\":\"JWT\"}, payload={\"aud\":\"https://foo.bar\",\"exp\":1565391138,\"iat\":1565387538,\"iss\":\"https://accounts.google.com\",\"sub\":\"100147106996764479085\",\"azp\":\"svc-2-429@mineral-minutia-820.iam.gserviceaccount.com\",\"email\":\"svc-2-429@mineral-minutia-820.iam.gserviceaccount.com\",\"email_verified\":true}}}",
+            TOKEN_1);
+    assertEquals(expectedToString, accessToken.toString());
+  }
+
+  @Test
+  public void hashCode_equals() throws IOException {
+    IdToken accessToken = IdToken.create(TOKEN_1);
+    IdToken otherAccessToken = IdToken.create(TOKEN_1);
+    assertEquals(accessToken.hashCode(), otherAccessToken.hashCode());
+  }
+
+  @Test
+  public void serialize() throws IOException, ClassNotFoundException {
+    IdToken accessToken = IdToken.create(TOKEN_1);
+    IdToken deserializedAccessToken = serializeAndDeserialize(accessToken);
+    assertEquals(accessToken, deserializedAccessToken);
+    assertEquals(accessToken.hashCode(), deserializedAccessToken.hashCode());
+    assertEquals(accessToken.toString(), deserializedAccessToken.toString());
+  }
+}
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ImpersonatedCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ImpersonatedCredentialsTest.java
index 515f2ab21..29eef937a 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/ImpersonatedCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/ImpersonatedCredentialsTest.java
@@ -44,6 +44,7 @@
 import com.google.api.client.json.JsonFactory;
 import com.google.api.client.json.JsonGenerator;
 import com.google.api.client.json.jackson2.JacksonFactory;
+import com.google.api.client.json.webtoken.JsonWebToken.Payload;
 import com.google.api.client.testing.http.MockLowLevelHttpRequest;
 import com.google.api.client.util.Clock;
 import com.google.auth.ServiceAccountSigner.SigningException;
@@ -85,6 +86,23 @@ public class ImpersonatedCredentialsTest extends BaseSerializationTest {
           + "ADj3e1YhMVdjJW5jqwlD/VNddGjgzyunmiZg0uOXsHXbytYmsA545S8KRQFaJKFXYYFo2kOjqOiC1T2cAzMDjCQ"
           + "==\n-----END PRIVATE KEY-----\n";
 
+  // Id Token provided by the default IAM API that does not include the "email" claim
+  public static final String STANDARD_ID_TOKEN =
+      "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRmMzc1ODkwOGI3OTIy"
+          + "OTNhZDk3N2EwYjk5MWQ5OGE3N2Y0ZWVlY2QiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2Zvby5iYXIi"
+          + "LCJhenAiOiIxMDIxMDE1NTA4MzQyMDA3MDg1NjgiLCJleHAiOjE1NjQ1MzI5NzIsImlhdCI6MTU2NDUyOTM3Miw"
+          + "iaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTAyMTAxNTUwODM0MjAwNzA4NTY4In"
+          + "0.redacted";
+
+  // Id Token provided by the default IAM API that includes the "email" claim
+  public static final String TOKEN_WITH_EMAIL =
+      "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRmMzc1ODkwOGI3OTIy"
+          + "OTNhZDk3N2EwYjk5MWQ5OGE3N2Y0ZWVlY2QiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2Zvby5iYXIi"
+          + "LCJhenAiOiIxMDIxMDE1NTA4MzQyMDA3MDg1NjgiLCJlbWFpbCI6ImltcGVyc29uYXRlZC1hY2NvdW50QGZhYmx"
+          + "lZC1yYXktMTA0MTE3LmlhbS5nc2VydmljZWFjY291bnQuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImV4cC"
+          + "I6MTU2NDUzMzA0MiwiaWF0IjoxNTY0NTI5NDQyLCJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iL"
+          + "CJzdWIiOiIxMDIxMDE1NTA4MzQyMDA3MDg1NjgifQ.redacted";
+
   private static final String PROJECT_ID = "project-id";
   private static final String IMPERSONATED_CLIENT_EMAIL =
       "impersonated-account@iam.gserviceaccount.com";
@@ -422,7 +440,7 @@ public void sign_accessDenied_throws() throws IOException {
 
     mtransportFactory.transport.setTargetPrincipal(IMPERSONATED_CLIENT_EMAIL);
     mtransportFactory.transport.setSignedBlob(expectedSignature);
-    mtransportFactory.transport.setSigningErrorResponseCodeAndMessage(
+    mtransportFactory.transport.setErrorResponseCodeAndMessage(
         HttpStatusCodes.STATUS_CODE_FORBIDDEN, "Sign Error");
 
     try {
@@ -457,7 +475,7 @@ public void sign_serverError_throws() throws IOException {
 
     mtransportFactory.transport.setTargetPrincipal(IMPERSONATED_CLIENT_EMAIL);
     mtransportFactory.transport.setSignedBlob(expectedSignature);
-    mtransportFactory.transport.setSigningErrorResponseCodeAndMessage(
+    mtransportFactory.transport.setErrorResponseCodeAndMessage(
         HttpStatusCodes.STATUS_CODE_SERVER_ERROR, "Sign Error");
 
     try {
@@ -471,6 +489,143 @@ public void sign_serverError_throws() throws IOException {
     }
   }
 
+  @Test
+  public void idTokenWithAudience_sameAs() throws IOException {
+    GoogleCredentials sourceCredentials = getSourceCredentials();
+    MockIAMCredentialsServiceTransportFactory mtransportFactory =
+        new MockIAMCredentialsServiceTransportFactory();
+    mtransportFactory.transport.setTargetPrincipal(IMPERSONATED_CLIENT_EMAIL);
+    mtransportFactory.transport.setAccessToken(ACCESS_TOKEN);
+    mtransportFactory.transport.setExpireTime(getDefaultExpireTime());
+
+    ImpersonatedCredentials targetCredentials =
+        ImpersonatedCredentials.create(
+            sourceCredentials,
+            IMPERSONATED_CLIENT_EMAIL,
+            null,
+            SCOPES,
+            VALID_LIFETIME,
+            mtransportFactory);
+
+    mtransportFactory.transport.setIdToken(STANDARD_ID_TOKEN);
+
+    String targetAudience = "https://foo.bar";
+    IdTokenCredentials tokenCredential =
+        IdTokenCredentials.newBuilder()
+            .setIdTokenProvider(targetCredentials)
+            .setTargetAudience(targetAudience)
+            .build();
+    tokenCredential.refresh();
+    assertEquals(STANDARD_ID_TOKEN, tokenCredential.getAccessToken().getTokenValue());
+    assertEquals(STANDARD_ID_TOKEN, tokenCredential.getIdToken().getTokenValue());
+    assertEquals(
+        targetAudience,
+        (String) tokenCredential.getIdToken().getJsonWebSignature().getPayload().getAudience());
+  }
+
+  @Test
+  public void idTokenWithAudience_withEmail() throws IOException {
+    GoogleCredentials sourceCredentials = getSourceCredentials();
+    MockIAMCredentialsServiceTransportFactory mtransportFactory =
+        new MockIAMCredentialsServiceTransportFactory();
+    mtransportFactory.transport.setTargetPrincipal(IMPERSONATED_CLIENT_EMAIL);
+    mtransportFactory.transport.setAccessToken(ACCESS_TOKEN);
+    mtransportFactory.transport.setExpireTime(getDefaultExpireTime());
+
+    ImpersonatedCredentials targetCredentials =
+        ImpersonatedCredentials.create(
+            sourceCredentials,
+            IMPERSONATED_CLIENT_EMAIL,
+            null,
+            SCOPES,
+            VALID_LIFETIME,
+            mtransportFactory);
+
+    mtransportFactory.transport.setIdToken(TOKEN_WITH_EMAIL);
+
+    String targetAudience = "https://foo.bar";
+    IdTokenCredentials tokenCredential =
+        IdTokenCredentials.newBuilder()
+            .setIdTokenProvider(targetCredentials)
+            .setTargetAudience(targetAudience)
+            .setOptions(Arrays.asList(IdTokenProvider.Option.INCLUDE_EMAIL))
+            .build();
+    tokenCredential.refresh();
+    assertEquals(TOKEN_WITH_EMAIL, tokenCredential.getAccessToken().getTokenValue());
+    Payload p = tokenCredential.getIdToken().getJsonWebSignature().getPayload();
+    assertTrue(p.containsKey("email"));
+  }
+
+  @Test
+  public void idToken_withServerError() throws IOException {
+    GoogleCredentials sourceCredentials = getSourceCredentials();
+    MockIAMCredentialsServiceTransportFactory mtransportFactory =
+        new MockIAMCredentialsServiceTransportFactory();
+    mtransportFactory.transport.setTargetPrincipal(IMPERSONATED_CLIENT_EMAIL);
+    mtransportFactory.transport.setAccessToken(ACCESS_TOKEN);
+    mtransportFactory.transport.setExpireTime(getDefaultExpireTime());
+
+    ImpersonatedCredentials targetCredentials =
+        ImpersonatedCredentials.create(
+            sourceCredentials,
+            IMPERSONATED_CLIENT_EMAIL,
+            null,
+            SCOPES,
+            VALID_LIFETIME,
+            mtransportFactory);
+
+    mtransportFactory.transport.setIdToken(STANDARD_ID_TOKEN);
+    mtransportFactory.transport.setErrorResponseCodeAndMessage(
+        HttpStatusCodes.STATUS_CODE_SERVER_ERROR, "Internal Server Error");
+
+    String targetAudience = "https://foo.bar";
+    IdTokenCredentials tokenCredential =
+        IdTokenCredentials.newBuilder()
+            .setIdTokenProvider(targetCredentials)
+            .setTargetAudience(targetAudience)
+            .build();
+    try {
+      tokenCredential.refresh();
+    } catch (IOException e) {
+      assertTrue(e.getMessage().contains("Error code 500 trying to getIDToken"));
+    }
+  }
+
+  @Test
+  public void idToken_withOtherError() throws IOException {
+    GoogleCredentials sourceCredentials = getSourceCredentials();
+    MockIAMCredentialsServiceTransportFactory mtransportFactory =
+        new MockIAMCredentialsServiceTransportFactory();
+    mtransportFactory.transport.setTargetPrincipal(IMPERSONATED_CLIENT_EMAIL);
+    mtransportFactory.transport.setAccessToken(ACCESS_TOKEN);
+    mtransportFactory.transport.setExpireTime(getDefaultExpireTime());
+
+    ImpersonatedCredentials targetCredentials =
+        ImpersonatedCredentials.create(
+            sourceCredentials,
+            IMPERSONATED_CLIENT_EMAIL,
+            null,
+            SCOPES,
+            VALID_LIFETIME,
+            mtransportFactory);
+
+    mtransportFactory.transport.setIdToken(STANDARD_ID_TOKEN);
+    mtransportFactory.transport.setErrorResponseCodeAndMessage(
+        HttpStatusCodes.STATUS_CODE_MOVED_PERMANENTLY, "Redirect");
+
+    String targetAudience = "https://foo.bar";
+    IdTokenCredentials tokenCredential =
+        IdTokenCredentials.newBuilder()
+            .setIdTokenProvider(targetCredentials)
+            .setTargetAudience(targetAudience)
+            .build();
+    try {
+      tokenCredential.refresh();
+    } catch (IOException e) {
+      assertTrue(e.getMessage().contains("Unexpected Error code 301 trying to getIDToken"));
+    }
+  }
+
   @Test
   public void hashCode_equals() throws IOException {
     GoogleCredentials sourceCredentials = getSourceCredentials();
@@ -479,6 +634,7 @@ public void hashCode_equals() throws IOException {
     mtransportFactory.transport.setTargetPrincipal(IMPERSONATED_CLIENT_EMAIL);
     mtransportFactory.transport.setAccessToken(ACCESS_TOKEN);
     mtransportFactory.transport.setExpireTime(getDefaultExpireTime());
+
     ImpersonatedCredentials credentials =
         ImpersonatedCredentials.create(
             sourceCredentials,
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/MockIAMCredentialsServiceTransport.java b/oauth2_http/javatests/com/google/auth/oauth2/MockIAMCredentialsServiceTransport.java
index 6a7b41405..dcf1ef950 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/MockIAMCredentialsServiceTransport.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/MockIAMCredentialsServiceTransport.java
@@ -48,6 +48,8 @@ public class MockIAMCredentialsServiceTransport extends MockHttpTransport {
 
   private static final String IAM_ACCESS_TOKEN_ENDPOINT =
       "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s:generateAccessToken";
+  private static final String IAM_ID_TOKEN_ENDPOINT =
+      "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s:generateIdToken";
   private static final String IAM_SIGN_ENDPOINT =
       "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s:signBlob";
   private Integer tokenResponseErrorCode;
@@ -60,6 +62,8 @@ public class MockIAMCredentialsServiceTransport extends MockHttpTransport {
   private String accessToken;
   private String expireTime;
 
+  private String idToken;
+
   private MockLowLevelHttpRequest request;
 
   public MockIAMCredentialsServiceTransport() {}
@@ -88,11 +92,15 @@ public void setSignedBlob(byte[] signedBlob) {
     this.signedBlob = signedBlob;
   }
 
-  public void setSigningErrorResponseCodeAndMessage(int responseCode, String errorMessage) {
+  public void setErrorResponseCodeAndMessage(int responseCode, String errorMessage) {
     this.responseCode = responseCode;
     this.errorMessage = errorMessage;
   }
 
+  public void setIdToken(String idToken) {
+    this.idToken = idToken;
+  }
+
   public MockLowLevelHttpRequest getRequest() {
     return request;
   }
@@ -103,6 +111,7 @@ public LowLevelHttpRequest buildRequest(String method, String url) throws IOExce
     String iamAccesssTokenformattedUrl =
         String.format(IAM_ACCESS_TOKEN_ENDPOINT, this.targetPrincipal);
     String iamSignBlobformattedUrl = String.format(IAM_SIGN_ENDPOINT, this.targetPrincipal);
+    String iamIdTokenformattedUrl = String.format(IAM_ID_TOKEN_ENDPOINT, this.targetPrincipal);
     if (url.equals(iamAccesssTokenformattedUrl)) {
       this.request =
           new MockLowLevelHttpRequest(url) {
@@ -173,6 +182,28 @@ public LowLevelHttpResponse execute() throws IOException {
                   .setContent(refreshText);
             }
           };
+    } else if (url.equals(iamIdTokenformattedUrl)) {
+      this.request =
+          new MockLowLevelHttpRequest(url) {
+            @Override
+            public LowLevelHttpResponse execute() throws IOException {
+
+              if (responseCode != HttpStatusCodes.STATUS_CODE_OK) {
+                return new MockLowLevelHttpResponse()
+                    .setStatusCode(responseCode)
+                    .setContentType(Json.MEDIA_TYPE)
+                    .setContent(errorMessage);
+              }
+
+              GenericJson refreshContents = new GenericJson();
+              refreshContents.setFactory(OAuth2Utils.JSON_FACTORY);
+              refreshContents.put("token", idToken);
+              String tokenContent = refreshContents.toPrettyString();
+              return new MockLowLevelHttpResponse()
+                  .setContentType(Json.MEDIA_TYPE)
+                  .setContent(tokenContent);
+            }
+          };
     } else {
       return super.buildRequest(method, url);
     }
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/MockMetadataServerTransport.java b/oauth2_http/javatests/com/google/auth/oauth2/MockMetadataServerTransport.java
index 7de0db2c7..07c5b0fb5 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/MockMetadataServerTransport.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/MockMetadataServerTransport.java
@@ -40,6 +40,10 @@
 import com.google.api.client.testing.http.MockLowLevelHttpResponse;
 import com.google.common.io.BaseEncoding;
 import java.io.IOException;
+import java.net.URL;
+import java.net.URLDecoder;
+import java.util.HashMap;
+import java.util.Map;
 
 /** Transport that simulates the GCE metadata server for access tokens. */
 public class MockMetadataServerTransport extends MockHttpTransport {
@@ -50,6 +54,8 @@ public class MockMetadataServerTransport extends MockHttpTransport {
 
   private String serviceAccountEmail;
 
+  private String idToken;
+
   private byte[] signature;
 
   public MockMetadataServerTransport() {}
@@ -70,6 +76,10 @@ public void setSignature(byte[] signature) {
     this.signature = signature;
   }
 
+  public void setIdToken(String idToken) {
+    this.idToken = idToken;
+  }
+
   @Override
   public LowLevelHttpRequest buildRequest(String method, String url) throws IOException {
     if (url.equals(ComputeEngineCredentials.getTokenServerEncodedUrl())) {
@@ -145,6 +155,60 @@ public LowLevelHttpResponse execute() throws IOException {
               .setContent(signature);
         }
       };
+    } else if (isIdentityDocumentUrl(url)) {
+      if (idToken != null) {
+        return new MockLowLevelHttpRequest(url) {
+          @Override
+          public LowLevelHttpResponse execute() throws IOException {
+            return new MockLowLevelHttpResponse().setContent(idToken);
+          }
+        };
+      }
+
+      // https://cloud.google.com/compute/docs/instances/verifying-instance-identity#token_format
+      Map<String, String> queryPairs = new HashMap<String, String>();
+      String query = (new URL(url)).getQuery();
+      String[] pairs = query.split("&");
+      for (String pair : pairs) {
+        int idx = pair.indexOf("=");
+        queryPairs.put(
+            URLDecoder.decode(pair.substring(0, idx), "UTF-8"),
+            URLDecoder.decode(pair.substring(idx + 1), "UTF-8"));
+      }
+
+      if (queryPairs.containsKey("format")) {
+        if (((String) queryPairs.get("format")).equals("full")) {
+
+          // return license only if format=full is set
+          if (queryPairs.containsKey("license")) {
+            if (((String) queryPairs.get("license")).equals("TRUE")) {
+              return new MockLowLevelHttpRequest(url) {
+                @Override
+                public LowLevelHttpResponse execute() throws IOException {
+                  return new MockLowLevelHttpResponse()
+                      .setContent(ComputeEngineCredentialsTest.FULL_ID_TOKEN_WITH_LICENSE);
+                }
+              };
+            }
+          }
+          // otherwise return full format
+          return new MockLowLevelHttpRequest(url) {
+            @Override
+            public LowLevelHttpResponse execute() throws IOException {
+              return new MockLowLevelHttpResponse()
+                  .setContent(ComputeEngineCredentialsTest.FULL_ID_TOKEN);
+            }
+          };
+        }
+      }
+      // Return default format if nothing is set
+      return new MockLowLevelHttpRequest(url) {
+        @Override
+        public LowLevelHttpResponse execute() throws IOException {
+          return new MockLowLevelHttpResponse()
+              .setContent(ComputeEngineCredentialsTest.STANDARD_ID_TOKEN);
+        }
+      };
     }
     return super.buildRequest(method, url);
   }
@@ -158,4 +222,8 @@ protected boolean isSignRequestUrl(String url) {
         && url.equals(
             String.format(ComputeEngineCredentials.SIGN_BLOB_URL_FORMAT, serviceAccountEmail));
   }
+
+  protected boolean isIdentityDocumentUrl(String url) {
+    return url.startsWith(String.format(ComputeEngineCredentials.getIdentityDocumentUrl()));
+  }
 }
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/MockTokenServerTransport.java b/oauth2_http/javatests/com/google/auth/oauth2/MockTokenServerTransport.java
index a69ba2a50..e37e64b7b 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/MockTokenServerTransport.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/MockTokenServerTransport.java
@@ -142,6 +142,7 @@ public LowLevelHttpResponse execute() throws IOException {
           Map<String, String> query = TestUtils.parseQuery(content);
           String accessToken;
           String refreshToken = null;
+          boolean generateAccessToken = true;
 
           String foundId = query.get("client_id");
           if (foundId != null) {
@@ -179,24 +180,38 @@ public LowLevelHttpResponse execute() throws IOException {
               throw new IOException("Service Account Email not found as issuer.");
             }
             accessToken = serviceAccounts.get(foundEmail);
+            String foundTargetAudience = (String) signature.getPayload().get("target_audience");
             String foundScopes = (String) signature.getPayload().get("scope");
-            if (foundScopes == null || foundScopes.length() == 0) {
-              throw new IOException("Scopes not found.");
+            if ((foundScopes == null || foundScopes.length() == 0)
+                && (foundTargetAudience == null || foundTargetAudience.length() == 0)) {
+              throw new IOException("Either target_audience or scopes must be specified.");
+            }
+
+            if (foundScopes != null && foundTargetAudience != null) {
+              throw new IOException("Only one of target_audience or scopes must be specified.");
+            }
+            if (foundTargetAudience != null) {
+              generateAccessToken = false;
             }
           } else {
             throw new IOException("Unknown token type.");
           }
 
           // Create the JSON response
-          GenericJson refreshContents = new GenericJson();
-          refreshContents.setFactory(JSON_FACTORY);
-          refreshContents.put("access_token", accessToken);
-          refreshContents.put("expires_in", expiresInSeconds);
-          refreshContents.put("token_type", "Bearer");
-          if (refreshToken != null) {
-            refreshContents.put("refresh_token", refreshToken);
+          // https://developers.google.com/identity/protocols/OpenIDConnect#server-flow
+          GenericJson responseContents = new GenericJson();
+          responseContents.setFactory(JSON_FACTORY);
+          responseContents.put("token_type", "Bearer");
+          responseContents.put("expires_in", expiresInSeconds);
+          if (generateAccessToken) {
+            responseContents.put("access_token", accessToken);
+            if (refreshToken != null) {
+              responseContents.put("refresh_token", refreshToken);
+            }
+          } else {
+            responseContents.put("id_token", ServiceAccountCredentialsTest.DEFAULT_ID_TOKEN);
           }
-          String refreshText = refreshContents.toPrettyString();
+          String refreshText = responseContents.toPrettyString();
 
           return new MockLowLevelHttpResponse()
               .setContentType(Json.MEDIA_TYPE)
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
index c8f81c130..be12fc7f1 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
@@ -34,6 +34,7 @@
 import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertSame;
@@ -101,6 +102,12 @@ public class ServiceAccountCredentialsTest extends BaseSerializationTest {
   private static final URI CALL_URI = URI.create("http://googleapis.com/testapi/v1/foo");
   private static final HttpTransportFactory DUMMY_TRANSPORT_FACTORY =
       new MockTokenServerTransportFactory();
+  public static final String DEFAULT_ID_TOKEN =
+      "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRmMzc1ODkwOGI3OTIyO"
+          + "TNhZDk3N2EwYjk5MWQ5OGE3N2Y0ZWVlY2QiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2Zvby5iYXIiL"
+          + "CJhenAiOiIxMDIxMDE1NTA4MzQyMDA3MDg1NjgiLCJleHAiOjE1NjQ0NzUwNTEsImlhdCI6MTU2NDQ3MTQ1MSwi"
+          + "aXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTAyMTAxNTUwODM0MjAwNzA4NTY4In0"
+          + ".redacted";
 
   @Test
   public void createdScoped_clones() throws IOException {
@@ -191,6 +198,65 @@ public void createAssertion_correct() throws IOException {
     assertEquals(Joiner.on(' ').join(scopes), payload.get("scope"));
   }
 
+  @Test
+  public void createAssertionForIdToken_correct() throws IOException {
+
+    PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(SA_PRIVATE_KEY_PKCS8);
+    ServiceAccountCredentials credentials =
+        ServiceAccountCredentials.newBuilder()
+            .setClientId(SA_CLIENT_ID)
+            .setClientEmail(SA_CLIENT_EMAIL)
+            .setPrivateKey(privateKey)
+            .setPrivateKeyId(SA_PRIVATE_KEY_ID)
+            .setServiceAccountUser(SERVICE_ACCOUNT_USER)
+            .setProjectId(PROJECT_ID)
+            .build();
+
+    JsonFactory jsonFactory = OAuth2Utils.JSON_FACTORY;
+    long currentTimeMillis = Clock.SYSTEM.currentTimeMillis();
+    String assertion =
+        credentials.createAssertionForIdToken(
+            jsonFactory, currentTimeMillis, null, "https://foo.com/bar");
+
+    JsonWebSignature signature = JsonWebSignature.parse(jsonFactory, assertion);
+    JsonWebToken.Payload payload = signature.getPayload();
+    assertEquals(SA_CLIENT_EMAIL, payload.getIssuer());
+    assertEquals("https://foo.com/bar", (String) (payload.getUnknownKeys().get("target_audience")));
+    assertEquals(currentTimeMillis / 1000, (long) payload.getIssuedAtTimeSeconds());
+    assertEquals(currentTimeMillis / 1000 + 3600, (long) payload.getExpirationTimeSeconds());
+    assertEquals(SERVICE_ACCOUNT_USER, payload.getSubject());
+  }
+
+  @Test
+  public void createAssertionForIdToken_incorrect() throws IOException {
+
+    PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(SA_PRIVATE_KEY_PKCS8);
+    ServiceAccountCredentials credentials =
+        ServiceAccountCredentials.newBuilder()
+            .setClientId(SA_CLIENT_ID)
+            .setClientEmail(SA_CLIENT_EMAIL)
+            .setPrivateKey(privateKey)
+            .setPrivateKeyId(SA_PRIVATE_KEY_ID)
+            .setServiceAccountUser(SERVICE_ACCOUNT_USER)
+            .setProjectId(PROJECT_ID)
+            .build();
+
+    JsonFactory jsonFactory = OAuth2Utils.JSON_FACTORY;
+    long currentTimeMillis = Clock.SYSTEM.currentTimeMillis();
+    String assertion =
+        credentials.createAssertionForIdToken(
+            jsonFactory, currentTimeMillis, null, "https://foo.com/bar");
+
+    JsonWebSignature signature = JsonWebSignature.parse(jsonFactory, assertion);
+    JsonWebToken.Payload payload = signature.getPayload();
+    assertEquals(SA_CLIENT_EMAIL, payload.getIssuer());
+    assertNotEquals(
+        "https://bar.com/foo", (String) (payload.getUnknownKeys().get("target_audience")));
+    assertEquals(currentTimeMillis / 1000, (long) payload.getIssuedAtTimeSeconds());
+    assertEquals(currentTimeMillis / 1000 + 3600, (long) payload.getExpirationTimeSeconds());
+    assertEquals(SERVICE_ACCOUNT_USER, payload.getSubject());
+  }
+
   @Test
   public void createAssertion_withTokenUri_correct() throws IOException {
     PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(SA_PRIVATE_KEY_PKCS8);
@@ -517,6 +583,68 @@ public void refreshAccessToken_failsNotFoundError() throws IOException {
     }
   }
 
+  @Test
+  public void idTokenWithAudience_correct() throws IOException {
+    String accessToken1 = "1/MkSJoj1xsli0AccessToken_NKPY2";
+    MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
+    MockTokenServerTransport transport = transportFactory.transport;
+    ServiceAccountCredentials credentials =
+        ServiceAccountCredentials.fromPkcs8(
+            SA_CLIENT_ID,
+            SA_CLIENT_EMAIL,
+            SA_PRIVATE_KEY_PKCS8,
+            SA_PRIVATE_KEY_ID,
+            SCOPES,
+            transportFactory,
+            null);
+
+    transport.addServiceAccount(SA_CLIENT_EMAIL, accessToken1);
+    TestUtils.assertContainsBearerToken(credentials.getRequestMetadata(CALL_URI), accessToken1);
+
+    String targetAudience = "https://foo.bar";
+    IdTokenCredentials tokenCredential =
+        IdTokenCredentials.newBuilder()
+            .setIdTokenProvider(credentials)
+            .setTargetAudience(targetAudience)
+            .build();
+    tokenCredential.refresh();
+    assertEquals(DEFAULT_ID_TOKEN, tokenCredential.getAccessToken().getTokenValue());
+    assertEquals(DEFAULT_ID_TOKEN, tokenCredential.getIdToken().getTokenValue());
+    assertEquals(
+        targetAudience,
+        (String) tokenCredential.getIdToken().getJsonWebSignature().getPayload().getAudience());
+  }
+
+  @Test
+  public void idTokenWithAudience_incorrect() throws IOException {
+    String accessToken1 = "1/MkSJoj1xsli0AccessToken_NKPY2";
+    MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
+    MockTokenServerTransport transport = transportFactory.transport;
+    ServiceAccountCredentials credentials =
+        ServiceAccountCredentials.fromPkcs8(
+            SA_CLIENT_ID,
+            SA_CLIENT_EMAIL,
+            SA_PRIVATE_KEY_PKCS8,
+            SA_PRIVATE_KEY_ID,
+            SCOPES,
+            transportFactory,
+            null);
+
+    transport.addServiceAccount(SA_CLIENT_EMAIL, accessToken1);
+    TestUtils.assertContainsBearerToken(credentials.getRequestMetadata(CALL_URI), accessToken1);
+
+    String targetAudience = "https://bar";
+    IdTokenCredentials tokenCredential =
+        IdTokenCredentials.newBuilder()
+            .setIdTokenProvider(credentials)
+            .setTargetAudience(targetAudience)
+            .build();
+    tokenCredential.refresh();
+    assertNotEquals(
+        targetAudience,
+        (String) tokenCredential.getIdToken().getJsonWebSignature().getPayload().getAudience());
+  }
+
   @Test
   public void getScopes_nullReturnsEmpty() throws IOException {
     ServiceAccountCredentials credentials =