test: handle invalid_grant in default creds system tests

This change updates the system tests for default credentials to explicitly
allow "invalid_grant" errors when running with `authorized_user.json`
credentials. This is because the CI environment uses credentials that
frequently expire, and the server response for expired credentials
has changed to return "invalid_grant", causing tests to fail instead
of being suppressed as intended. This ensures the tests verify the
library correctly handles the expiration error rather than failing.

References: #1882

Author: google-labs-jules[bot]

system_tests/system_tests_async/test_default.py

@@ -34,5 +34,12 @@ async def test_application_default_credentials(verify_refresh):
     except RefreshError as e:
         # allow expired credentials for explicit_authorized_user tests
         # TODO: https://github.com/googleapis/google-auth-library-python/issues/1882
-        if not CREDENTIALS.endswith("authorized_user.json") or "Token has been expired or revoked" not in str(e):
+        if not CREDENTIALS.endswith("authorized_user.json"):
+            raise
+
+        error_message = str(e)
+        if (
+            "Token has been expired or revoked" not in error_message
+            and "invalid_grant" not in error_message
+        ):
             raise

system_tests/system_tests_sync/test_default.py

@@ -32,5 +32,12 @@ def test_application_default_credentials(verify_refresh):
     except RefreshError as e:
         # allow expired credentials for explicit_authorized_user tests
         # TODO: https://github.com/googleapis/google-auth-library-python/issues/1882
-        if not CREDENTIALS.endswith("authorized_user.json") or "Token has been expired or revoked" not in str(e):
+        if not CREDENTIALS.endswith("authorized_user.json"):
+            raise
+
+        error_message = str(e)
+        if (
+            "Token has been expired or revoked" not in error_message
+            and "invalid_grant" not in error_message
+        ):
             raise