Expand Up @@ -514,6 +514,19 @@ void refreshAccessToken_success_SSJflow() throws IOException, IllegalStateExcept
assertEquals(ACCESS_TOKEN, targetCredentials.refreshAccessToken().getTokenValue());
assertEquals(
DEFAULT_IMPERSONATION_URL, mockTransportFactory.getTransport().getRequest().getUrl());

String authHeader = mockTransportFactory.getTransport().getRequest().getHeaders().getAuthorization();
assertNotNull(authHeader);
assertTrue(authHeader.startsWith("Bearer "));
String assertion = authHeader.substring("Bearer ".length());
// Parse the JWT to verify it is indeed a self-signed JWT (has 3 parts)
String[] parts = assertion.split("\\.");
assertEquals(3, parts.length, "Authorization header must be a self-signed JWT");

// Verify the payload to ensure it is the locally generated self-signed JWT
String payload = new String(java.util.Base64.getUrlDecoder().decode(parts[1]), java.nio.charset.StandardCharsets.UTF_8);
assertTrue(payload.contains("\"iss\":\"" + SA_CLIENT_EMAIL + "\""), "JWT must be issued by the source service account");
assertTrue(payload.contains("\"aud\":\"" + DEFAULT_IMPERSONATION_URL + "\""), "JWT audience must be the impersonation endpoint");
Comment on lines +527 to +529

Contributor

medium

Asserting exact JSON fragments like "iss":" or "aud":" is fragile because JSON serializers can vary in formatting (e.g., adding spaces around colons, escaping slashes / in URLs, or key ordering). Since SA_CLIENT_EMAIL and DEFAULT_IMPERSONATION_URL are highly specific and unique strings, asserting their presence in the decoded payload directly is much more robust and less prone to breaking on library or environment updates.

Suggested change
String payload = new String(java.util.Base64.getUrlDecoder().decode(parts[1]), java.nio.charset.StandardCharsets.UTF_8);
assertTrue(payload.contains("\"iss\":\"" + SA_CLIENT_EMAIL + "\""), "JWT must be issued by the source service account");
assertTrue(payload.contains("\"aud\":\"" + DEFAULT_IMPERSONATION_URL + "\""), "JWT audience must be the impersonation endpoint");
String payload = new String(java.util.Base64.getUrlDecoder().decode(parts[1]), java.nio.charset.StandardCharsets.UTF_8);
assertTrue(payload.contains(SA_CLIENT_EMAIL), "JWT must be issued by the source service account");
assertTrue(payload.contains(DEFAULT_IMPERSONATION_URL), "JWT audience must be the impersonation endpoint");

}

@Test()
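Review bot: the three payload assertions (the `payload.contains("\"iss\":\"" + SA_CLIENT_EMAIL + "\"")` and `"\"aud\":\"" + DEFAULT_IMPERSONATION_URL + "\""` checks, and equally the looser `payload.contains(SA_CLIENT_EMAIL)` form proposed in the comment) only prove that a substring occurs somewhere in the decoded payload, not that it is the value of the `iss` or `aud` claim; a payload that carried the email or URL under any other claim name would pass, and the exact-fragment form still breaks on a serializer that escapes `/` or inserts whitespace. Since `parts[1]` is already being Base64url-decoded into a string, parse that string with the JSON library this test class already depends on and assert on the keys, e.g. `assertEquals(SA_CLIENT_EMAIL, claims.get("iss"))` and `assertEquals(DEFAULT_IMPERSONATION_URL, claims.get("aud"))`, which is both robust to formatting and actually binds the value to the claim. Separately, `assertEquals(3, parts.length, "...")` and `assertTrue(cond, "...")` use the JUnit 5 argument order with the message last; if this class statically imports `org.junit.Assert` (JUnit 4), the message is the first parameter and these calls will not compile as written, so confirm the import before merging.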