fix: support custom alg in jwt header for signing (#729)
* fix: support custom alg in jwt header for signing
* lint
diff --git a/google/auth/jwt.py b/google/auth/jwt.py
index a4f04f5..8165dda 100644
--- a/google/auth/jwt.py
+++ b/google/auth/jwt.py
@@ -95,10 +95,11 @@
header.update({"typ": "JWT"})
- if es256 is not None and isinstance(signer, es256.ES256Signer):
- header.update({"alg": "ES256"})
- else:
- header.update({"alg": "RS256"})
+ if "alg" not in header:
+ if es256 is not None and isinstance(signer, es256.ES256Signer):
+ header.update({"alg": "ES256"})
+ else:
+ header.update({"alg": "RS256"})
if key_id is not None:
header["kid"] = key_id
diff --git a/tests/test_jwt.py b/tests/test_jwt.py
index 7aa031e..7b5ba5c 100644
--- a/tests/test_jwt.py
+++ b/tests/test_jwt.py
@@ -73,6 +73,12 @@
}
+def test_encode_custom_alg_in_headers(signer):
+ encoded = jwt.encode(signer, {}, header={"alg": "foo"})
+ header = jwt.decode_header(encoded)
+ assert header == {"typ": "JWT", "alg": "foo", "kid": signer.key_id}
+
+
@pytest.fixture
def es256_signer():
return crypt.ES256Signer.from_string(EC_PRIVATE_KEY_BYTES, "1")