fix: self signed jwt token should be string type (#1294)

arithmetic1728 · web-flow · commit 17356fdd92da · 2023-05-17T13:52:02.000-07:00
* fix: self signed jwt token should be string type

* chore: update sys test
diff --git a/google/oauth2/service_account.py b/google/oauth2/service_account.py
@@ -418,7 +418,7 @@ def refresh(self, request):
         # subject exists, then we should not use self signed JWT.
         if self._subject is None and self._jwt_credentials is not None:
             self._jwt_credentials.refresh(request)
-            self.token = self._jwt_credentials.token
+            self.token = self._jwt_credentials.token.decode()
             self.expiry = self._jwt_credentials.expiry
         else:
             assertion = self._make_authorization_grant_assertion()
diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
diff --git a/system_tests/system_tests_sync/test_requests.py b/system_tests/system_tests_sync/test_requests.py
@@ -39,4 +39,4 @@ def test_authorized_session_with_service_account_and_self_signed_jwt():
 
     # Check that self-signed JWT was created and is being used
     assert credentials._jwt_credentials is not None
-    assert credentials._jwt_credentials.token == credentials.token
+    assert credentials._jwt_credentials.token.decode() == credentials.token
diff --git a/system_tests/system_tests_sync/test_urllib3.py b/system_tests/system_tests_sync/test_urllib3.py
@@ -41,4 +41,4 @@ def test_authorized_session_with_service_account_and_self_signed_jwt():
 
     # Check that self-signed JWT was created and is being used
     assert credentials._jwt_credentials is not None
-    assert credentials._jwt_credentials.token == credentials.token
+    assert credentials._jwt_credentials.token.decode() == credentials.token
diff --git a/tests/oauth2/test_service_account.py b/tests/oauth2/test_service_account.py
@@ -18,6 +18,7 @@
 
 import mock
 import pytest  # type: ignore
+import six
 
 from google.auth import _helpers
 from google.auth import crypt
@@ -470,7 +471,7 @@ def test_refresh_with_jwt_credentials(self, make_jwt):
 
         token = "token"
         expiry = _helpers.utcnow() + datetime.timedelta(seconds=500)
-        make_jwt.return_value = (token, expiry)
+        make_jwt.return_value = (b"token", expiry)
 
         # Credentials should start as invalid
         assert not credentials.valid
@@ -487,6 +488,16 @@ def test_refresh_with_jwt_credentials(self, make_jwt):
         assert credentials.token == token
         assert credentials.expiry == expiry
 
+    def test_refresh_with_jwt_credentials_token_type_check(self):
+        credentials = self.make_credentials()
+        credentials._create_self_signed_jwt("https://pubsub.googleapis.com")
+        credentials.refresh(mock.Mock())
+
+        # Credentials token should be a JWT string.
+        assert isinstance(credentials.token, six.string_types)
+        payload = jwt.decode(credentials.token, verify=False)
+        assert payload["aud"] == "https://pubsub.googleapis.com"
+
     @mock.patch("google.oauth2._client.jwt_grant", autospec=True)
     @mock.patch("google.auth.jwt.Credentials.refresh", autospec=True)
     def test_refresh_jwt_not_used_for_domain_wide_delegation(
