commit 0a83706c9d65f7d5a30ea3b42c5beac269ed2a25
author arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com> Thu Apr 08 10:58:38 2021 -0700
committer GitHub <noreply@github.com> Thu Apr 08 10:58:38 2021 -0700
tree d4f9460208e4d552eb260277c9e31012988dbfbc
parent 6033e3080a9843f713c1cc925422e1f6810ae13a

fix: support custom alg in jwt header for signing (#729)

* fix: support custom alg in jwt header for signing

* lint

google/auth/jwt.py

diff --git a/google/auth/jwt.py b/google/auth/jwt.py
index a4f04f5..8165dda 100644
--- a/google/auth/jwt.py
+++ b/google/auth/jwt.py
@@ -95,10 +95,11 @@
 
     header.update({"typ": "JWT"})
 
-    if es256 is not None and isinstance(signer, es256.ES256Signer):
-        header.update({"alg": "ES256"})
-    else:
-        header.update({"alg": "RS256"})
+    if "alg" not in header:
+        if es256 is not None and isinstance(signer, es256.ES256Signer):
+            header.update({"alg": "ES256"})
+        else:
+            header.update({"alg": "RS256"})
 
     if key_id is not None:
         header["kid"] = key_id

tests/test_jwt.py

diff --git a/tests/test_jwt.py b/tests/test_jwt.py
index 7aa031e..7b5ba5c 100644
--- a/tests/test_jwt.py
+++ b/tests/test_jwt.py
@@ -73,6 +73,12 @@
     }
 
 
+def test_encode_custom_alg_in_headers(signer):
+    encoded = jwt.encode(signer, {}, header={"alg": "foo"})
+    header = jwt.decode_header(encoded)
+    assert header == {"typ": "JWT", "alg": "foo", "kid": signer.key_id}
+
+
 @pytest.fixture
 def es256_signer():
     return crypt.ES256Signer.from_string(EC_PRIVATE_KEY_BYTES, "1")