fix: raise RefreshError for missing token in impersonated credentials (#1897)

google-labs-jules[bot] · web-flow · commit 94d04e090fdf · 2025-12-20T03:36:30.000-05:00
Previously, `IDTokenCredentials.refresh` would raise a `KeyError` if the response from the IAM server was `200 OK` but did not contain the expected "token" field. This change wraps the token extraction in a `try...except` block to catch `KeyError` (and `ValueError` for malformed JSON) and raises a `google.auth.exceptions.RefreshError` instead, which is the expected behavior for credential refresh failures. I've added a new test `tests/test_impersonated_credentials.py` to verify: 1. A `200 OK` response with a missing token now raises `RefreshError`. 2. Non-200 responses (e.g., 403) still raise `RefreshError` as before. --- This PR replaces the PR #1167 from 3 years ago that addressed this issue, but was less robust/not fully correct. *PR created automatically by Jules for task [3520893520890582850](https://jules.google.com/task/3520893520890582850) started by @chalmerlowe* --------- Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
diff --git a/google/auth/impersonated_credentials.py b/google/auth/impersonated_credentials.py
@@ -640,7 +640,14 @@ def refresh(self, request):
                 "Error getting ID token: {}".format(response.json())
             )
 
-        id_token = response.json()["token"]
+        try:
+            id_token = response.json()["token"]
+        except (KeyError, ValueError) as caught_exc:
+            new_exc = exceptions.RefreshError(
+                "No ID token in response.", response.json()
+            )
+            raise new_exc from caught_exc
+
         self.token = id_token
         self.expiry = datetime.utcfromtimestamp(
             jwt.decode(id_token, verify=False)["exp"]
diff --git a/tests/test_impersonated_credentials.py b/tests/test_impersonated_credentials.py
@@ -761,6 +761,28 @@ def test_refresh_failure(self):
 
         assert excinfo.match("Error getting ID token")
 
+    def test_refresh_failure_missing_token_in_200_response(self):
+        credentials = self.make_credentials(lifetime=None)
+        credentials.expiry = None
+        credentials.token = "token"
+        id_creds = impersonated_credentials.IDTokenCredentials(
+            credentials, target_audience="audience"
+        )
+
+        # Response has 200 OK status but is missing the "token" field
+        response = mock.create_autospec(transport.Response, instance=False)
+        response.status_code = http_client.OK
+        response.json = mock.Mock(return_value={"not_token": "something"})
+
+        with mock.patch(
+            "google.auth.transport.requests.AuthorizedSession.post",
+            return_value=response,
+        ):
+            with pytest.raises(exceptions.RefreshError) as excinfo:
+                id_creds.refresh(None)
+
+        assert excinfo.match("No ID token in response")
+
     def test_refresh_failure_http_error(self, mock_donor_credentials):
         credentials = self.make_credentials(lifetime=None)
 
