fix: self signed jwt token should be string type (#1294)

* fix: self signed jwt token should be string type * chore: update sys test
googleapis · May 17, 2023 · 17356fd · 17356fd
1 parent 456de54
commit 17356fd
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 4 deletions.
diff --git a/google/oauth2/service_account.py b/google/oauth2/service_account.py
@@ -418,7 +418,7 @@ def refresh(self, request):
  # subject exists, then we should not use self signed JWT.
  if self._subject is None and self._jwt_credentials is not None:
  self._jwt_credentials.refresh(request)
- self.token = self._jwt_credentials.token
+ self.token = self._jwt_credentials.token.decode()
  self.expiry = self._jwt_credentials.expiry
  else:
  assertion = self._make_authorization_grant_assertion()

diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
diff --git a/system_tests/system_tests_sync/test_requests.py b/system_tests/system_tests_sync/test_requests.py
@@ -39,4 +39,4 @@ def test_authorized_session_with_service_account_and_self_signed_jwt():
 
  # Check that self-signed JWT was created and is being used
  assert credentials._jwt_credentials is not None
- assert credentials._jwt_credentials.token == credentials.token
+ assert credentials._jwt_credentials.token.decode() == credentials.token
diff --git a/system_tests/system_tests_sync/test_urllib3.py b/system_tests/system_tests_sync/test_urllib3.py
@@ -41,4 +41,4 @@ def test_authorized_session_with_service_account_and_self_signed_jwt():
 
  # Check that self-signed JWT was created and is being used
  assert credentials._jwt_credentials is not None
- assert credentials._jwt_credentials.token == credentials.token
+ assert credentials._jwt_credentials.token.decode() == credentials.token
diff --git a/tests/oauth2/test_service_account.py b/tests/oauth2/test_service_account.py
@@ -18,6 +18,7 @@
 
 import mock
 import pytest # type: ignore
+import six
 
 from google.auth import _helpers
 from google.auth import crypt
@@ -470,7 +471,7 @@ def test_refresh_with_jwt_credentials(self, make_jwt):
 
  token = "token"
  expiry = _helpers.utcnow() + datetime.timedelta(seconds=500)
- make_jwt.return_value = (token, expiry)
+ make_jwt.return_value = (b"token", expiry)
 
  # Credentials should start as invalid
  assert not credentials.valid
@@ -487,6 +488,16 @@ def test_refresh_with_jwt_credentials(self, make_jwt):
  assert credentials.token == token
  assert credentials.expiry == expiry
 
+ def test_refresh_with_jwt_credentials_token_type_check(self):
+ credentials = self.make_credentials()
+ credentials._create_self_signed_jwt("https://pubsub.googleapis.com")
+ credentials.refresh(mock.Mock())
+
+ # Credentials token should be a JWT string.
+ assert isinstance(credentials.token, six.string_types)
+ payload = jwt.decode(credentials.token, verify=False)
+ assert payload["aud"] == "https://pubsub.googleapis.com"
+
  @mock.patch("google.oauth2._client.jwt_grant", autospec=True)
  @mock.patch("google.auth.jwt.Credentials.refresh", autospec=True)
  def test_refresh_jwt_not_used_for_domain_wide_delegation(