diff --git a/google/internal/externalaccount/executablecredsource.go b/google/internal/externalaccount/executablecredsource.go
index 6ecbe6e..7e8f85b 100644
--- a/google/internal/externalaccount/executablecredsource.go
+++ b/google/internal/externalaccount/executablecredsource.go
@@ -178,7 +178,7 @@ type executableResponse struct {
 Message string `json:"message,omitempty"`
 }
 
-func parseSubjectTokenFromSource(response []byte, source string, now int64) (string, error) {
+func (cs executableCredentialSource) parseSubjectTokenFromSource(response []byte, source string, now int64) (string, error) {
 var result executableResponse
 if err := json.Unmarshal(response, &result); err != nil {
 return "", jsonParsingError(source, string(response))
@@ -203,7 +203,7 @@ func parseSubjectTokenFromSource(response []byte, source string, now int64) (str
 return "", unsupportedVersionError(source, result.Version)
 }
 
- if result.ExpirationTime == 0 {
+ if result.ExpirationTime == 0 && cs.OutputFile != "" {
 return "", missingFieldError(source, "expiration_time")
 }
 
@@ -211,7 +211,7 @@ func parseSubjectTokenFromSource(response []byte, source string, now int64) (str
 return "", missingFieldError(source, "token_type")
 }
 
- if result.ExpirationTime < now {
+ if result.ExpirationTime != 0 && result.ExpirationTime < now {
 return "", tokenExpiredError()
 }
 
@@ -259,7 +259,7 @@ func (cs executableCredentialSource) getTokenFromOutputFile() (token string, err
 return "", nil
 }
 
- token, err = parseSubjectTokenFromSource(data, outputFileSource, cs.env.now().Unix())
+ token, err = cs.parseSubjectTokenFromSource(data, outputFileSource, cs.env.now().Unix())
 if err != nil {
 if _, ok := err.(nonCacheableError); ok {
 // If the cached token is expired we need a new token,
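Review bot: parseSubjectTokenFromSource now reads `cs.OutputFile` (see the `@@ -203` hunk), but the new method in the `@@ -178` hunk has no doc comment saying that its validation depends on how the credential source is configured. A comment above the signature such as `// parseSubjectTokenFromSource validates an executable response; expiration_time is required only when cs.OutputFile is set.` would make that contract explicit for the next reader. The method body continues outside this hunk.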
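Review bot: In the `@@ -203` hunk, `result.ExpirationTime == 0` doubles as the "field absent" test, so a response that explicitly carries `"expiration_time": 0` is indistinguishable from one that omits it and is accepted without any lifetime bound when `cs.OutputFile` is empty. The `result.ExpirationTime != 0 &&` guard in the `@@ -211` hunk then skips the expiry comparison for that same value. Decoding the field into a `*int64` and testing for `nil` would separate "omitted" from "zero"; the struct definition lies outside these hunks, so confirm the field's current type first. If the sentinel is kept, a short comment at the first check, e.g. `// 0 means expiration_time was omitted; only allowed when no output file caches the token`, would at least record the intent.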
@@ -304,5 +304,5 @@ func (cs executableCredentialSource) getTokenFromExecutableCommand() (string, er
 if err != nil {
 return "", err
 }
- return parseSubjectTokenFromSource(output, executableSource, cs.env.now().Unix())
+ return cs.parseSubjectTokenFromSource(output, executableSource, cs.env.now().Unix())
 }
diff --git a/google/internal/externalaccount/executablecredsource_test.go b/google/internal/externalaccount/executablecredsource_test.go
index f115b29..074dfc4 100644
--- a/google/internal/externalaccount/executablecredsource_test.go
+++ b/google/internal/externalaccount/executablecredsource_test.go
@@ -388,19 +388,6 @@ var failureTests = []struct {
 expectedErr: missingFieldError(executableSource, "token_type"),
 },
 
- {
- name: "Missing Expiration",
- testEnvironment: testEnvironment{
- envVars: executablesAllowed,
- jsonResponse: &executableResponse{
- Success: Bool(true),
- Version: 1,
- TokenType: "urn:ietf:params:oauth:token-type:jwt",
- },
- },
- expectedErr: missingFieldError(executableSource, "expiration_time"),
- },
-
 {
 name: "Token Expired",
 testEnvironment: testEnvironment{
@@ -564,6 +551,19 @@ var successTests = []struct {
 },
 },
 },
+
+ {
+ name: "Missing Expiration",
+ testEnvironment: testEnvironment{
+ envVars: executablesAllowed,
+ jsonResponse: &executableResponse{
+ Success: Bool(true),
+ Version: 1,
+ TokenType: "urn:ietf:params:oauth:token-type:jwt",
+ IdToken: "tokentokentoken",
+ },
+ },
+ },
 }
 
 func TestRetrieveExecutableSubjectTokenSuccesses(t *testing.T) {
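Review bot: The "Missing Expiration" case added to `successTests` in the `@@ -564` hunk only exercises the path with no output file configured, and the failure case it replaces is deleted, so nothing visible in this diff still asserts that `missingFieldError(executableSource, "expiration_time")` is returned when `cs.OutputFile` is set. That branch is what stops a cached output-file token from being accepted with no lifetime, so it deserves a failure case with an output file configured and no `ExpirationTime` in the response. A matching case for a response with an explicit zero `ExpirationTime` would also pin how the sentinel is meant to behave. Such cases may already exist elsewhere in the file, outside these hunks.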