diff --git a/google/oauth2/service_account.py b/google/oauth2/service_account.py index bb2670525..a0268970c 100644 --- a/google/oauth2/service_account.py +++ b/google/oauth2/service_account.py @@ -418,7 +418,7 @@ def refresh(self, request): # subject exists, then we should not use self signed JWT. if self._subject is None and self._jwt_credentials is not None: self._jwt_credentials.refresh(request) - self.token = self._jwt_credentials.token + self.token = self._jwt_credentials.token.decode() self.expiry = self._jwt_credentials.expiry else: assertion = self._make_authorization_grant_assertion() diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc index 8a3cf4010..3e07328e6 100644 Binary files a/system_tests/secrets.tar.enc and b/system_tests/secrets.tar.enc differ diff --git a/system_tests/system_tests_sync/test_requests.py b/system_tests/system_tests_sync/test_requests.py index 28004848b..1b3fba7b0 100644 --- a/system_tests/system_tests_sync/test_requests.py +++ b/system_tests/system_tests_sync/test_requests.py @@ -39,4 +39,4 @@ def test_authorized_session_with_service_account_and_self_signed_jwt(): # Check that self-signed JWT was created and is being used assert credentials._jwt_credentials is not None - assert credentials._jwt_credentials.token == credentials.token + assert credentials._jwt_credentials.token.decode() == credentials.token diff --git a/system_tests/system_tests_sync/test_urllib3.py b/system_tests/system_tests_sync/test_urllib3.py index 1932e1913..916211ac6 100644 --- a/system_tests/system_tests_sync/test_urllib3.py +++ b/system_tests/system_tests_sync/test_urllib3.py @@ -41,4 +41,4 @@ def test_authorized_session_with_service_account_and_self_signed_jwt(): # Check that self-signed JWT was created and is being used assert credentials._jwt_credentials is not None - assert credentials._jwt_credentials.token == credentials.token + assert credentials._jwt_credentials.token.decode() == credentials.token diff --git a/tests/oauth2/test_service_account.py b/tests/oauth2/test_service_account.py index c48635d4d..8388acd06 100644 --- a/tests/oauth2/test_service_account.py +++ b/tests/oauth2/test_service_account.py @@ -18,6 +18,7 @@ import mock import pytest # type: ignore +import six from google.auth import _helpers from google.auth import crypt @@ -470,7 +471,7 @@ def test_refresh_with_jwt_credentials(self, make_jwt): token = "token" expiry = _helpers.utcnow() + datetime.timedelta(seconds=500) - make_jwt.return_value = (token, expiry) + make_jwt.return_value = (b"token", expiry) # Credentials should start as invalid assert not credentials.valid @@ -487,6 +488,16 @@ def test_refresh_with_jwt_credentials(self, make_jwt): assert credentials.token == token assert credentials.expiry == expiry + def test_refresh_with_jwt_credentials_token_type_check(self): + credentials = self.make_credentials() + credentials._create_self_signed_jwt("https://pubsub.googleapis.com") + credentials.refresh(mock.Mock()) + + # Credentials token should be a JWT string. + assert isinstance(credentials.token, six.string_types) + payload = jwt.decode(credentials.token, verify=False) + assert payload["aud"] == "https://pubsub.googleapis.com" + @mock.patch("google.oauth2._client.jwt_grant", autospec=True) @mock.patch("google.auth.jwt.Credentials.refresh", autospec=True) def test_refresh_jwt_not_used_for_domain_wide_delegation(