test(auth): Assert self-signed JWT is used by ImpersonatedCredentials #13487
westarle wants to merge 1 commit into
This commit adds an assertion to ImpersonatedCredentialsTest to verify that when a ServiceAccountJwtAccessCredentials is used as the source credential, the actual HTTP request to the impersonation endpoint correctly sends the generated self-signed JWT in the Authorization header. This brings the Java library's test suite into alignment with the expected auth specification, validating that source credentials properly inject their authentication headers during token exchanges.
Code Review
This pull request adds assertions to the refreshAccessToken_success_SSJflow test in ImpersonatedCredentialsTest.java to verify that the authorization header contains a valid self-signed JWT with the correct issuer and audience. The reviewer suggested a more robust assertion approach by checking for the presence of the unique strings directly, rather than asserting exact JSON fragments which can be fragile due to potential formatting variations.
| String payload = new String(java.util.Base64.getUrlDecoder().decode(parts[1]), java.nio.charset.StandardCharsets.UTF_8); | ||
| assertTrue(payload.contains("\"iss\":\"" + SA_CLIENT_EMAIL + "\""), "JWT must be issued by the source service account"); | ||
| assertTrue(payload.contains("\"aud\":\"" + DEFAULT_IMPERSONATION_URL + "\""), "JWT audience must be the impersonation endpoint"); |
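Review bot: `parts[1]` is decoded on the first line with no check visible in these lines that the header value actually split into three segments, so a malformed token would surface as an ArrayIndexOutOfBoundsException or an IllegalArgumentException from the decoder instead of a readable assertion failure. If the test does not already do so above this hunk, assert `parts.length == 3` with a message before decoding.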
Asserting exact JSON fragments like "iss":" or "aud":" is fragile because JSON serializers can vary in formatting (e.g., adding spaces around colons, escaping slashes / in URLs, or key ordering). Since SA_CLIENT_EMAIL and DEFAULT_IMPERSONATION_URL are highly specific and unique strings, asserting their presence in the decoded payload directly is much more robust and less prone to breaking on library or environment updates.
| String payload = new String(java.util.Base64.getUrlDecoder().decode(parts[1]), java.nio.charset.StandardCharsets.UTF_8); | |
| assertTrue(payload.contains("\"iss\":\"" + SA_CLIENT_EMAIL + "\""), "JWT must be issued by the source service account"); | |
| assertTrue(payload.contains("\"aud\":\"" + DEFAULT_IMPERSONATION_URL + "\""), "JWT audience must be the impersonation endpoint"); | |
| String payload = new String(java.util.Base64.getUrlDecoder().decode(parts[1]), java.nio.charset.StandardCharsets.UTF_8); | |
| assertTrue(payload.contains(SA_CLIENT_EMAIL), "JWT must be issued by the source service account"); | |
| assertTrue(payload.contains(DEFAULT_IMPERSONATION_URL), "JWT audience must be the impersonation endpoint"); |
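Review bot: the replacement lines `payload.contains(SA_CLIENT_EMAIL)` and `payload.contains(DEFAULT_IMPERSONATION_URL)` no longer tie either value to a claim, so the test passes if the email appears only under some other claim or the URL appears anywhere in the payload, while the messages still say issuer and audience were checked. The URL check also still fails if the serializer escapes slashes, which is one of the variations the comment above names. Parsing the decoded payload as JSON and comparing the `iss` and `aud` values with `assertEquals` would be independent of formatting and would keep the claim binding.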
This commit adds an assertion to ImpersonatedCredentialsTest to verify that when a ServiceAccountJwtAccessCredentials is used as the source credential, the actual HTTP request to the impersonation endpoint correctly sends the generated self-signed JWT in the Authorization header.
This brings the Java library's test suite into alignment with the expected auth specification, validating that source credentials properly inject their authentication headers during token exchanges.
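The three assertion styles discussed in this review, compared on constructed payloads: compact, reformatted with escaped slashes, and one where the email sits under `sub` instead of `iss`. This is an added example, not code from the pull request or the library's test suite; the class name, sample email and sample URL are hypothetical, and it assumes google-http-client-gson is on the classpath.

```java
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.api.client.json.webtoken.JsonWebToken;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example; assumes google-http-client-gson on the classpath. All values are constructed.
public class JwtClaimAssertionDemo {
  // Hypothetical stand-ins for the test's SA_CLIENT_EMAIL and DEFAULT_IMPERSONATION_URL.
  static final String EMAIL = "source-sa@example-project.iam.gserviceaccount.com";
  static final String AUD = "https://impersonation.example.invalid/v1/sa:generateAccessToken";

  static String b64(String s) {
    return Base64.getUrlEncoder().withoutPadding().encodeToString(s.getBytes(StandardCharsets.UTF_8));
  }

  // Wraps payload JSON in an unsigned, JWT-shaped string; the signature segment is a dummy.
  static String token(String payloadJson) {
    return b64("{\"alg\":\"RS256\",\"typ\":\"JWT\"}") + "." + b64(payloadJson) + "." + b64("sig");
  }

  static String payloadOf(String token) {
    return new String(Base64.getUrlDecoder().decode(token.split("\\.")[1]), StandardCharsets.UTF_8);
  }
  // Style 1: exact JSON fragments, as in the lines under review.
  static boolean fragmentCheck(String token) {
    String p = payloadOf(token);
    return p.contains("\"iss\":\"" + EMAIL + "\"") && p.contains("\"aud\":\"" + AUD + "\"");
  }
  // Style 2: bare substrings, as in the suggested change.
  static boolean substringCheck(String token) {
    String p = payloadOf(token);
    return p.contains(EMAIL) && p.contains(AUD);
  }
  // Style 3: parse the token and compare the claim values themselves.
  static boolean claimCheck(String token) throws Exception {
    JsonWebToken.Payload c = JsonWebSignature.parse(GsonFactory.getDefaultInstance(), token).getPayload();
    return EMAIL.equals(c.getIssuer()) && c.getAudienceAsList().contains(AUD);
  }

  public static void main(String[] args) throws Exception {
    String compact = "{\"iss\":\"" + EMAIL + "\",\"aud\":\"" + AUD + "\"}";
    String spaced = "{ \"aud\" : \"" + AUD.replace("/", "\\/") + "\", \"iss\" : \"" + EMAIL + "\" }";
    String wrongIss = "{\"iss\":\"other@example.invalid\",\"sub\":\"" + EMAIL + "\",\"aud\":\"" + AUD + "\"}";
    for (String p : new String[] {compact, spaced, wrongIss}) {
      String t = token(p);
      System.out.println(fragmentCheck(t) + " " + substringCheck(t) + " " + claimCheck(t));
    }
  }
}
```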