Extend LUCI_CONTEXT["local_auth"] protocol to understand accounts.

common/auth/internal/luci_ctx.go

Index: common/auth/internal/luci_ctx.go
diff --git a/common/auth/internal/luci_ctx.go b/common/auth/internal/luci_ctx.go
index 720e3b6ad0ec3822f6aace7d3161a19246886b41..5816252e04d875e354a814199c9f960baac2cf9d 100644
--- a/common/auth/internal/luci_ctx.go
+++ b/common/auth/internal/luci_ctx.go
@@ -39,11 +39,18 @@ type luciContextTokenProvider struct {
 // description of how to locate and contact the local auth server.
 //
 // See common/auth/localauth package for the implementation of the server.
+//
+// TODO(vadimsh): This method currently supports both "old" auth server that
+// don't understand "account_id", and new servers that do. Remove support for
+// old servers once Swarming is updated to understand new protocol.
 func NewLUCIContextTokenProvider(ctx context.Context, scopes []string, transport http.RoundTripper) (TokenProvider, error) {
 	localAuth := lucictx.GetLocalAuth(ctx)
 	if localAuth == nil {
 		return nil, fmt.Errorf(`no "local_auth" in LUCI_CONTEXT`)
 	}
+	if !localAuth.CanUseByDefault() {
+		return nil, fmt.Errorf(`no "default_account_id" in LUCI_CONTEXT["local_auth"]`)
+	}
 
 	// All authenticators share singleton in-process token cache, see
 	// ProcTokenCache variable in proc_cache.go.
@@ -90,8 +97,9 @@ func (p *luciContextTokenProvider) MintToken(ctx context.Context, base *oauth2.T
 	// should just make a single attempt, and mark an error as transient to
 	// trigger a retry, if necessary.
 	request := rpcs.GetOAuthTokenRequest{
-		Scopes: p.scopes,
-		Secret: p.localAuth.Secret,
+		Scopes:    p.scopes,
+		Secret:    p.localAuth.Secret,
+		AccountID: p.localAuth.DefaultAccountID, // note: this is "" for old servers
 	}
 	if err := request.Validate(); err != nil {
 		return nil, err // should not really happen