impersonated_credentials.py should use UTC

[clundin25]

ID tokens had an issue where the fromtimestamp API was used instead of utcfromtimestamp. Ref: #1323.

It appears that impersonated_credentials.py uses the same API, and is likely impacted by the same issue.

➜ rg "\.fromtimestamp" -g '!*test*'
google/auth/compute_engine/credentials.py
392:        return id_token, datetime.datetime.fromtimestamp(payload["exp"])

google/auth/impersonated_credentials.py
457:        self.expiry = datetime.fromtimestamp(jwt.decode(id_token, verify=False)["exp"])

google/auth/impersonated_credentials.py should be updated to use utcfromtimestamp instead of fromtimestamp.

[juzna]

I verified that this is failing as well:

import google.auth
import google.auth.transport.requests
import google.auth.impersonated_credentials

# gcloud auth application-default login --impersonate-service-account=...
creds, _project_id = google.auth.default(scopes=["https://www.googleapis.com/auth/cloud-platform"])
assert isinstance(creds, google.auth.impersonated_credentials.Credentials), "gcloud login with impersonated creds required"

request = google.auth.transport.requests.Request()
creds.refresh(request)
assert creds.token
assert not creds.expired

id_creds = google.auth.impersonated_credentials.IDTokenCredentials(creds, 'foo', include_email=True)
id_creds.refresh(request)
assert id_creds.token
assert not id_creds.expired

Same as in #1323, with export TZ=America/New_York the id token is considered expired immediately and the last assert fails.

[juzna]

And confirming that when I change the code to utcfromtimestamp then the test case passes.

[clundin25]

Awesome ! @juzna since you've already done all the hard work, do you want to open a PR for this? :)

If not I will, and will give you credit