googleapis · andriawang6 · Jul 30, 2025
@@ -128,7 +128,7 @@ def refresh(self, request):
         scopes = self._scopes if self._scopes is not None else self._default_scopes
         # pylint: disable=unused-argument
         token, ttl = app_identity.get_access_token(scopes, self._service_account_id)
-        expiry = datetime.datetime.utcfromtimestamp(ttl)
+        expiry = datetime.datetime.fromtimestamp(ttl, tz=datetime.timezone.utc)
 
         self.token, self.expiry = token, expiry
 

@@ -439,7 +439,7 @@ def _call_metadata_identity_endpoint(self, request):
             raise new_exc from caught_exc
 
         _, payload, _, _ = jwt._unverified_decode(id_token)
-        return id_token, datetime.datetime.utcfromtimestamp(payload["exp"])
+        return id_token, datetime.datetime.fromtimestamp(payload["exp"], tz=datetime.timezone.utc)
 
     def refresh(self, request):
         """Refreshes the ID token.

@@ -27,7 +27,7 @@
 
 import base64
 import copy
-from datetime import datetime
+from datetime import datetime, timezone
 import http.client as http_client
 import json
 
@@ -591,8 +591,8 @@ def refresh(self, request):
 
         id_token = response.json()["token"]
         self.token = id_token
-        self.expiry = datetime.utcfromtimestamp(
-            jwt.decode(id_token, verify=False)["exp"]
+        self.expiry = datetime.fromtimestamp(
+            jwt.decode(id_token, verify=False)["exp"], tz=timezone.utc
         )
 
 

@@ -362,7 +362,7 @@ def call_iam_generate_id_token_endpoint(
         raise new_exc from caught_exc
 
     payload = jwt.decode(id_token, verify=False)
-    expiry = datetime.datetime.utcfromtimestamp(payload["exp"])
+    expiry = datetime.datetime.fromtimestamp(payload["exp"], tz=datetime.timezone.utc)
 
     return id_token, expiry
 
@@ -414,7 +414,7 @@ def id_token_jwt_grant(request, token_uri, assertion, can_retry=True):
         raise new_exc from caught_exc
 
     payload = jwt.decode(id_token, verify=False)
-    expiry = datetime.datetime.utcfromtimestamp(payload["exp"])
+    expiry = datetime.datetime.fromtimestamp(payload["exp"], tz=datetime.timezone.utc)
 
     return id_token, expiry, response_data
 

@@ -223,7 +223,7 @@ async def id_token_jwt_grant(request, token_uri, assertion, can_retry=True):
         raise new_exc from caught_exc
 
     payload = jwt.decode(id_token, verify=False)
-    expiry = datetime.datetime.utcfromtimestamp(payload["exp"])
+    expiry = datetime.datetime.fromtimestamp(payload["exp"], tz=datetime.timezone.utc)
 
     return id_token, expiry, response_data
 

@@ -308,7 +308,7 @@ def test_default_state(self, get):
 
     @mock.patch(
         "google.auth._helpers.utcnow",
-        return_value=datetime.datetime.utcfromtimestamp(0),
+        return_value=datetime.datetime.fromtimestamp(0, tz=datetime.timezone.utc),
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     @mock.patch("google.auth.iam.Signer.sign", autospec=True)
@@ -341,7 +341,7 @@ def test_make_authorization_grant_assertion(self, sign, get, utcnow):
 
     @mock.patch(
         "google.auth._helpers.utcnow",
-        return_value=datetime.datetime.utcfromtimestamp(0),
+        return_value=datetime.datetime.fromtimestamp(0, tz=datetime.timezone.utc),
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     @mock.patch("google.auth.iam.Signer.sign", autospec=True)
@@ -373,7 +373,7 @@ def test_with_service_account(self, sign, get, utcnow):
 
     @mock.patch(
         "google.auth._helpers.utcnow",
-        return_value=datetime.datetime.utcfromtimestamp(0),
+        return_value=datetime.datetime.fromtimestamp(0, tz=datetime.timezone.utc),
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     @mock.patch("google.auth.iam.Signer.sign", autospec=True)
@@ -429,7 +429,7 @@ def test_token_uri(self):
 
     @mock.patch(
         "google.auth._helpers.utcnow",
-        return_value=datetime.datetime.utcfromtimestamp(0),
+        return_value=datetime.datetime.fromtimestamp(0, tz=datetime.timezone.utc),
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     @mock.patch("google.auth.iam.Signer.sign", autospec=True)
@@ -551,7 +551,7 @@ def test_with_target_audience_integration(self):
 
     @mock.patch(
         "google.auth._helpers.utcnow",
-        return_value=datetime.datetime.utcfromtimestamp(0),
+        return_value=datetime.datetime.fromtimestamp(0, tz=datetime.timezone.utc),
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     @mock.patch("google.auth.iam.Signer.sign", autospec=True)
@@ -590,7 +590,7 @@ def test_with_quota_project(self, sign, get, utcnow):
 
     @mock.patch(
         "google.auth._helpers.utcnow",
-        return_value=datetime.datetime.utcfromtimestamp(0),
+        return_value=datetime.datetime.fromtimestamp(0, tz=datetime.timezone.utc),
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     @mock.patch("google.auth.iam.Signer.sign", autospec=True)
@@ -612,7 +612,7 @@ def test_with_token_uri(self, sign, get, utcnow):
 
     @mock.patch(
         "google.auth._helpers.utcnow",
-        return_value=datetime.datetime.utcfromtimestamp(0),
+        return_value=datetime.datetime.fromtimestamp(0, tz=datetime.timezone.utc),
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     @mock.patch("google.auth.iam.Signer.sign", autospec=True)
@@ -720,7 +720,7 @@ def test_with_quota_project_integration(self):
 
     @mock.patch(
         "google.auth._helpers.utcnow",
-        return_value=datetime.datetime.utcfromtimestamp(0),
+        return_value=datetime.datetime.fromtimestamp(0, tz=datetime.timezone.utc),
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     @mock.patch("google.auth.iam.Signer.sign", autospec=True)
@@ -731,7 +731,7 @@ def test_refresh_success(self, id_token_jwt_grant, sign, get, utcnow):
         ]
         sign.side_effect = [b"signature"]
         id_token_jwt_grant.side_effect = [
-            ("idtoken", datetime.datetime.utcfromtimestamp(3600), {})
+            ("idtoken", datetime.datetime.fromtimestamp(3600, tz=datetime.timezone.utc), {})
         ]
 
         request = mock.create_autospec(transport.Request, instance=True)
@@ -744,7 +744,7 @@ def test_refresh_success(self, id_token_jwt_grant, sign, get, utcnow):
 
         # Check that the credentials have the token and proper expiration
         assert self.credentials.token == "idtoken"
-        assert self.credentials.expiry == (datetime.datetime.utcfromtimestamp(3600))
+        assert self.credentials.expiry == (datetime.datetime.fromtimestamp(3600, tz=datetime.timezone.utc))
 
         # Check the credential info
         assert self.credentials.service_account_email == "[email protected]"
@@ -755,7 +755,7 @@ def test_refresh_success(self, id_token_jwt_grant, sign, get, utcnow):
 
     @mock.patch(
         "google.auth._helpers.utcnow",
-        return_value=datetime.datetime.utcfromtimestamp(0),
+        return_value=datetime.datetime.fromtimestamp(0, tz=datetime.timezone.utc),
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     @mock.patch("google.auth.iam.Signer.sign", autospec=True)
@@ -782,7 +782,7 @@ def test_refresh_error(self, sign, get, utcnow):
 
     @mock.patch(
         "google.auth._helpers.utcnow",
-        return_value=datetime.datetime.utcfromtimestamp(0),
+        return_value=datetime.datetime.fromtimestamp(0, tz=datetime.timezone.utc),
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     @mock.patch("google.auth.iam.Signer.sign", autospec=True)
@@ -793,7 +793,7 @@ def test_before_request_refreshes(self, id_token_jwt_grant, sign, get, utcnow):
         ]
         sign.side_effect = [b"signature"]
         id_token_jwt_grant.side_effect = [
-            ("idtoken", datetime.datetime.utcfromtimestamp(3600), {})
+            ("idtoken", datetime.datetime.fromtimestamp(3600, tz=datetime.timezone.utc), {})
         ]
 
         request = mock.create_autospec(transport.Request, instance=True)
@@ -862,7 +862,7 @@ def test_get_id_token_from_metadata(
         }
 
         assert cred.token == SAMPLE_ID_TOKEN
-        assert cred.expiry == datetime.datetime.utcfromtimestamp(SAMPLE_ID_TOKEN_EXP)
+        assert cred.expiry == datetime.datetime.fromtimestamp(SAMPLE_ID_TOKEN_EXP, tz=datetime.timezone.utc)
         assert cred._use_metadata_identity_endpoint
         assert cred._signer is None
         assert cred._token_uri is None

@@ -313,7 +313,7 @@ def test_jwt_grant_no_access_token():
 
 
 def test_call_iam_generate_id_token_endpoint():
-    now = _helpers.utcnow()
+    now = _helpers.utcnow().astimezone(datetime.timezone.utc)
     id_token_expiry = _helpers.datetime_to_secs(now)
     id_token = jwt.encode(SIGNER, {"exp": id_token_expiry}).decode("utf-8")
     request = make_request({"token": id_token})
@@ -343,7 +343,7 @@ def test_call_iam_generate_id_token_endpoint():
     # Check result
     assert token == id_token
     # JWT does not store microseconds
-    now = now.replace(microsecond=0)
+    now = now.replace(microsecond=0).astimezone(datetime.timezone.utc)
     assert expiry == now
 
 
@@ -368,7 +368,7 @@ def test_call_iam_generate_id_token_endpoint_no_id_token():
 
 
 def test_id_token_jwt_grant():
-    now = _helpers.utcnow()
+    now = _helpers.utcnow().astimezone(datetime.timezone.utc)
     id_token_expiry = _helpers.datetime_to_secs(now)
     id_token = jwt.encode(SIGNER, {"exp": id_token_expiry}).decode("utf-8")
     request = make_request({"id_token": id_token, "extra": "data"})
@@ -385,7 +385,7 @@ def test_id_token_jwt_grant():
     # Check result
     assert token == id_token
     # JWT does not store microseconds
-    now = now.replace(microsecond=0)
+    now = now.replace(microsecond=0).astimezone(datetime.timezone.utc)
     assert expiry == now
     assert extra_data["extra"] == "data"
 

@@ -159,7 +159,7 @@ def test_service_account_email_explicit(self, app_identity):
         assert credentials.service_account_email == mock.sentinel.service_account_email
         assert not app_identity.get_service_account_name.called
 
-    @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min)
+    @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min.replace(tzinfo=datetime.timezone.utc))
     def test_refresh(self, utcnow, app_identity):
         token = "token"
         ttl = 643942923
@@ -174,11 +174,11 @@ def test_refresh(self, utcnow, app_identity):
             credentials.scopes, credentials._service_account_id
         )
         assert credentials.token == token
-        assert credentials.expiry == datetime.datetime(1990, 5, 29, 1, 2, 3)
+        assert credentials.expiry == datetime.datetime(1990, 5, 29, 1, 2, 3, tzinfo=datetime.timezone.utc)
         assert credentials.valid
         assert not credentials.expired
 
-    @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min)
+    @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min.replace(tzinfo=datetime.timezone.utc))
     def test_refresh_with_default_scopes(self, utcnow, app_identity):
         token = "token"
         ttl = 643942923
@@ -191,7 +191,7 @@ def test_refresh_with_default_scopes(self, utcnow, app_identity):
             credentials.default_scopes, credentials._service_account_id
         )
         assert credentials.token == token
-        assert credentials.expiry == datetime.datetime(1990, 5, 29, 1, 2, 3)
+        assert credentials.expiry == datetime.datetime(1990, 5, 29, 1, 2, 3, tzinfo=datetime.timezone.utc)
         assert credentials.valid
         assert not credentials.expired
 

@@ -707,7 +707,7 @@ def test_id_token_success(
         id_creds.refresh(request)
 
         assert id_creds.token == ID_TOKEN_DATA
-        assert id_creds.expiry == datetime.datetime.utcfromtimestamp(ID_TOKEN_EXPIRY)
+        assert id_creds.expiry == datetime.datetime.fromtimestamp(ID_TOKEN_EXPIRY, tz=datetime.timezone.utc)
 
     def test_id_token_metrics(self, mock_donor_credentials):
         credentials = self.make_credentials(lifetime=None)
@@ -731,8 +731,8 @@ def test_id_token_metrics(self, mock_donor_credentials):
                 id_creds.refresh(None)
 
                 assert id_creds.token == ID_TOKEN_DATA
-                assert id_creds.expiry == datetime.datetime.utcfromtimestamp(
-                    ID_TOKEN_EXPIRY
+                assert id_creds.expiry == datetime.datetime.fromtimestamp(
+                    ID_TOKEN_EXPIRY, tz=datetime.timezone.utc
                 )
                 assert (
                     mock_post.call_args.kwargs["headers"]["x-goog-api-client"]
@@ -841,7 +841,7 @@ def test_id_token_with_target_audience(
         id_creds.refresh(request)
 
         assert id_creds.token == ID_TOKEN_DATA
-        assert id_creds.expiry == datetime.datetime.utcfromtimestamp(ID_TOKEN_EXPIRY)
+        assert id_creds.expiry == datetime.datetime.fromtimestamp(ID_TOKEN_EXPIRY, tz=datetime.timezone.utc)
         assert id_creds._include_email is True
 
     def test_id_token_invalid_cred(

@@ -245,7 +245,7 @@ async def test_jwt_grant_no_access_token():
 
 @pytest.mark.asyncio
 async def test_id_token_jwt_grant():
-    now = _helpers.utcnow()
+    now = _helpers.utcnow().astimezone(datetime.timezone.utc)
     id_token_expiry = _helpers.datetime_to_secs(now)
     id_token = jwt.encode(test_client.SIGNER, {"exp": id_token_expiry}).decode("utf-8")
     request = make_request({"id_token": id_token, "extra": "data"})
@@ -263,7 +263,7 @@ async def test_id_token_jwt_grant():
     # Check result
     assert token == id_token
     # JWT does not store microseconds
-    now = now.replace(microsecond=0)
+    now = now.replace(microsecond=0).astimezone(datetime.timezone.utc)
     assert expiry == now
     assert extra_data["extra"] == "data"