googleapis · chalmerlowe · Jan 9, 2026 · Jul 30, 2025 · Dec 17, 2025 · Dec 18, 2025
@@ -128,7 +128,7 @@ def refresh(self, request):
         scopes = self._scopes if self._scopes is not None else self._default_scopes
         # pylint: disable=unused-argument
         token, ttl = app_identity.get_access_token(scopes, self._service_account_id)
-        expiry = datetime.datetime.utcfromtimestamp(ttl)
+        expiry = datetime.datetime.fromtimestamp(ttl, tz=datetime.timezone.utc)
 
         self.token, self.expiry = token, expiry
 

@@ -498,7 +498,7 @@ def _call_metadata_identity_endpoint(self, request):
             raise new_exc from caught_exc
 
         _, payload, _, _ = jwt._unverified_decode(id_token)
-        return id_token, datetime.datetime.utcfromtimestamp(payload["exp"])
+        return id_token, datetime.datetime.fromtimestamp(payload["exp"], tz=datetime.timezone.utc)
 
     def refresh(self, request):
         """Refreshes the ID token.

@@ -27,7 +27,7 @@
 
 import base64
 import copy
-from datetime import datetime
+from datetime import datetime, timezone
 import http.client as http_client
 import json
 
@@ -649,8 +649,8 @@ def refresh(self, request):
             raise new_exc from caught_exc
 
         self.token = id_token
-        self.expiry = datetime.utcfromtimestamp(
-            jwt.decode(id_token, verify=False)["exp"]
+        self.expiry = datetime.fromtimestamp(
+            jwt.decode(id_token, verify=False)["exp"], tz=timezone.utc
         )
 
 

@@ -368,7 +368,7 @@ def call_iam_generate_id_token_endpoint(
         raise new_exc from caught_exc
 
     payload = jwt.decode(id_token, verify=False)
-    expiry = datetime.datetime.utcfromtimestamp(payload["exp"])
+    expiry = datetime.datetime.fromtimestamp(payload["exp"], tz=datetime.timezone.utc)
 
     return id_token, expiry
 
@@ -420,7 +420,7 @@ def id_token_jwt_grant(request, token_uri, assertion, can_retry=True):
         raise new_exc from caught_exc
 
     payload = jwt.decode(id_token, verify=False)
-    expiry = datetime.datetime.utcfromtimestamp(payload["exp"])
+    expiry = datetime.datetime.fromtimestamp(payload["exp"], tz=datetime.timezone.utc)
 
     return id_token, expiry, response_data
 

@@ -227,7 +227,7 @@ async def id_token_jwt_grant(request, token_uri, assertion, can_retry=True):
         raise new_exc from caught_exc
 
     payload = jwt.decode(id_token, verify=False)
-    expiry = datetime.datetime.utcfromtimestamp(payload["exp"])
+    expiry = datetime.datetime.fromtimestamp(payload["exp"], tz=datetime.timezone.utc)
 
     return id_token, expiry, response_data
 

@@ -758,7 +758,7 @@ def test_default_state(self, get):
 
     @mock.patch(
         "google.auth._helpers.utcnow",
-        return_value=datetime.datetime.utcfromtimestamp(0),
+        return_value=datetime.datetime.fromtimestamp(0, tz=datetime.timezone.utc),
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     @mock.patch("google.auth.iam.Signer.sign", autospec=True)
@@ -791,7 +791,7 @@ def test_make_authorization_grant_assertion(self, sign, get, utcnow):
 
     @mock.patch(
         "google.auth._helpers.utcnow",
-        return_value=datetime.datetime.utcfromtimestamp(0),
+        return_value=datetime.datetime.fromtimestamp(0, tz=datetime.timezone.utc),
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     @mock.patch("google.auth.iam.Signer.sign", autospec=True)
@@ -823,7 +823,7 @@ def test_with_service_account(self, sign, get, utcnow):
 
     @mock.patch(
         "google.auth._helpers.utcnow",
-        return_value=datetime.datetime.utcfromtimestamp(0),
+        return_value=datetime.datetime.fromtimestamp(0, tz=datetime.timezone.utc),
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     @mock.patch("google.auth.iam.Signer.sign", autospec=True)
@@ -879,7 +879,7 @@ def test_token_uri(self):
 
     @mock.patch(
         "google.auth._helpers.utcnow",
-        return_value=datetime.datetime.utcfromtimestamp(0),
+        return_value=datetime.datetime.fromtimestamp(0, tz=datetime.timezone.utc),
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     @mock.patch("google.auth.iam.Signer.sign", autospec=True)
@@ -1001,7 +1001,7 @@ def test_with_target_audience_integration(self):
 
     @mock.patch(
         "google.auth._helpers.utcnow",
-        return_value=datetime.datetime.utcfromtimestamp(0),
+        return_value=datetime.datetime.fromtimestamp(0, tz=datetime.timezone.utc),
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     @mock.patch("google.auth.iam.Signer.sign", autospec=True)
@@ -1040,7 +1040,7 @@ def test_with_quota_project(self, sign, get, utcnow):
 
     @mock.patch(
         "google.auth._helpers.utcnow",
-        return_value=datetime.datetime.utcfromtimestamp(0),
+        return_value=datetime.datetime.fromtimestamp(0, tz=datetime.timezone.utc),
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     @mock.patch("google.auth.iam.Signer.sign", autospec=True)
@@ -1062,7 +1062,7 @@ def test_with_token_uri(self, sign, get, utcnow):
 
     @mock.patch(
         "google.auth._helpers.utcnow",
-        return_value=datetime.datetime.utcfromtimestamp(0),
+        return_value=datetime.datetime.fromtimestamp(0, tz=datetime.timezone.utc),
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     @mock.patch("google.auth.iam.Signer.sign", autospec=True)
@@ -1170,7 +1170,7 @@ def test_with_quota_project_integration(self):
 
     @mock.patch(
         "google.auth._helpers.utcnow",
-        return_value=datetime.datetime.utcfromtimestamp(0),
+        return_value=datetime.datetime.fromtimestamp(0, tz=datetime.timezone.utc),
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     @mock.patch("google.auth.iam.Signer.sign", autospec=True)
@@ -1181,7 +1181,7 @@ def test_refresh_success(self, id_token_jwt_grant, sign, get, utcnow):
         ]
         sign.side_effect = [b"signature"]
         id_token_jwt_grant.side_effect = [
-            ("idtoken", datetime.datetime.utcfromtimestamp(3600), {})
+            ("idtoken", datetime.datetime.fromtimestamp(3600, tz=datetime.timezone.utc), {})
         ]
 
         request = mock.create_autospec(transport.Request, instance=True)
@@ -1194,7 +1194,7 @@ def test_refresh_success(self, id_token_jwt_grant, sign, get, utcnow):
 
         # Check that the credentials have the token and proper expiration
         assert self.credentials.token == "idtoken"
-        assert self.credentials.expiry == (datetime.datetime.utcfromtimestamp(3600))
+        assert self.credentials.expiry == (datetime.datetime.fromtimestamp(3600, tz=datetime.timezone.utc))
 
         # Check the credential info
         assert self.credentials.service_account_email == "service-account@example.com"
@@ -1205,7 +1205,7 @@ def test_refresh_success(self, id_token_jwt_grant, sign, get, utcnow):
 
     @mock.patch(
         "google.auth._helpers.utcnow",
-        return_value=datetime.datetime.utcfromtimestamp(0),
+        return_value=datetime.datetime.fromtimestamp(0, tz=datetime.timezone.utc),
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     @mock.patch("google.auth.iam.Signer.sign", autospec=True)
@@ -1232,7 +1232,7 @@ def test_refresh_error(self, sign, get, utcnow):
 
     @mock.patch(
         "google.auth._helpers.utcnow",
-        return_value=datetime.datetime.utcfromtimestamp(0),
+        return_value=datetime.datetime.fromtimestamp(0, tz=datetime.timezone.utc),
     )
     @mock.patch("google.auth.compute_engine._metadata.get", autospec=True)
     @mock.patch("google.auth.iam.Signer.sign", autospec=True)
@@ -1243,7 +1243,7 @@ def test_before_request_refreshes(self, id_token_jwt_grant, sign, get, utcnow):
         ]
         sign.side_effect = [b"signature"]
         id_token_jwt_grant.side_effect = [
-            ("idtoken", datetime.datetime.utcfromtimestamp(3600), {})
+            ("idtoken", datetime.datetime.fromtimestamp(3600, tz=datetime.timezone.utc), {})
         ]
 
         request = mock.create_autospec(transport.Request, instance=True)
@@ -1312,7 +1312,7 @@ def test_get_id_token_from_metadata(
         }
 
         assert cred.token == SAMPLE_ID_TOKEN
-        assert cred.expiry == datetime.datetime.utcfromtimestamp(SAMPLE_ID_TOKEN_EXP)
+        assert cred.expiry == datetime.datetime.fromtimestamp(SAMPLE_ID_TOKEN_EXP, tz=datetime.timezone.utc)
         assert cred._use_metadata_identity_endpoint
         assert cred._signer is None
         assert cred._token_uri is None

diff --git a/tests/oauth2/test__client.py b/tests/oauth2/test__client.py
@@ -313,7 +313,7 @@ def test_jwt_grant_no_access_token():
 
 
 def test_call_iam_generate_id_token_endpoint():
-    now = _helpers.utcnow()
+    now = _helpers.utcnow().astimezone(datetime.timezone.utc)
     id_token_expiry = _helpers.datetime_to_secs(now)
     id_token = jwt.encode(SIGNER, {"exp": id_token_expiry}).decode("utf-8")
     request = make_request({"token": id_token})
@@ -343,7 +343,7 @@ def test_call_iam_generate_id_token_endpoint():
     # Check result
     assert token == id_token
     # JWT does not store microseconds
-    now = now.replace(microsecond=0)
+    now = now.replace(microsecond=0).astimezone(datetime.timezone.utc)
     assert expiry == now
 
 
@@ -368,7 +368,7 @@ def test_call_iam_generate_id_token_endpoint_no_id_token():
 
 
 def test_id_token_jwt_grant():
-    now = _helpers.utcnow()
+    now = _helpers.utcnow().astimezone(datetime.timezone.utc)
     id_token_expiry = _helpers.datetime_to_secs(now)
     id_token = jwt.encode(SIGNER, {"exp": id_token_expiry}).decode("utf-8")
     request = make_request({"id_token": id_token, "extra": "data"})
@@ -385,7 +385,7 @@ def test_id_token_jwt_grant():
     # Check result
     assert token == id_token
     # JWT does not store microseconds
-    now = now.replace(microsecond=0)
+    now = now.replace(microsecond=0).astimezone(datetime.timezone.utc)
     assert expiry == now
     assert extra_data["extra"] == "data"
 

diff --git a/tests/test_app_engine.py b/tests/test_app_engine.py
@@ -159,7 +159,7 @@ def test_service_account_email_explicit(self, app_identity):
         assert credentials.service_account_email == mock.sentinel.service_account_email
         assert not app_identity.get_service_account_name.called
 
-    @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min)
+    @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min.replace(tzinfo=datetime.timezone.utc))
     def test_refresh(self, utcnow, app_identity):
         token = "token"
         ttl = 643942923
@@ -174,11 +174,11 @@ def test_refresh(self, utcnow, app_identity):
             credentials.scopes, credentials._service_account_id
         )
         assert credentials.token == token
-        assert credentials.expiry == datetime.datetime(1990, 5, 29, 1, 2, 3)
+        assert credentials.expiry == datetime.datetime(1990, 5, 29, 1, 2, 3, tzinfo=datetime.timezone.utc)
         assert credentials.valid
         assert not credentials.expired
 
-    @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min)
+    @mock.patch("google.auth._helpers.utcnow", return_value=datetime.datetime.min.replace(tzinfo=datetime.timezone.utc))
     def test_refresh_with_default_scopes(self, utcnow, app_identity):
         token = "token"
         ttl = 643942923
@@ -191,7 +191,7 @@ def test_refresh_with_default_scopes(self, utcnow, app_identity):
             credentials.default_scopes, credentials._service_account_id
         )
         assert credentials.token == token
-        assert credentials.expiry == datetime.datetime(1990, 5, 29, 1, 2, 3)
+        assert credentials.expiry == datetime.datetime(1990, 5, 29, 1, 2, 3, tzinfo=datetime.timezone.utc)
         assert credentials.valid
         assert not credentials.expired
 

@@ -1046,7 +1046,7 @@ def test_id_token_success(
         id_creds.refresh(request)
 
         assert id_creds.token == ID_TOKEN_DATA
-        assert id_creds.expiry == datetime.datetime.utcfromtimestamp(ID_TOKEN_EXPIRY)
+        assert id_creds.expiry == datetime.datetime.fromtimestamp(ID_TOKEN_EXPIRY, tz=datetime.timezone.utc)
 
     def test_id_token_metrics(self, mock_donor_credentials):
         credentials = self.make_credentials(lifetime=None)
@@ -1070,8 +1070,8 @@ def test_id_token_metrics(self, mock_donor_credentials):
                 id_creds.refresh(None)
 
                 assert id_creds.token == ID_TOKEN_DATA
-                assert id_creds.expiry == datetime.datetime.utcfromtimestamp(
-                    ID_TOKEN_EXPIRY
+                assert id_creds.expiry == datetime.datetime.fromtimestamp(
+                    ID_TOKEN_EXPIRY, tz=datetime.timezone.utc
                 )
                 assert (
                     mock_post.call_args.kwargs["headers"]["x-goog-api-client"]
@@ -1180,7 +1180,7 @@ def test_id_token_with_target_audience(
         id_creds.refresh(request)
 
         assert id_creds.token == ID_TOKEN_DATA
-        assert id_creds.expiry == datetime.datetime.utcfromtimestamp(ID_TOKEN_EXPIRY)
+        assert id_creds.expiry == datetime.datetime.fromtimestamp(ID_TOKEN_EXPIRY, tz=datetime.timezone.utc)
         assert id_creds._include_email is True
 
     def test_id_token_invalid_cred(

diff --git a/tests_async/oauth2/test__client_async.py b/tests_async/oauth2/test__client_async.py
@@ -242,7 +242,7 @@ async def test_jwt_grant_no_access_token():
 
 @pytest.mark.asyncio
 async def test_id_token_jwt_grant():
-    now = _helpers.utcnow()
+    now = _helpers.utcnow().astimezone(datetime.timezone.utc)
     id_token_expiry = _helpers.datetime_to_secs(now)
     id_token = jwt.encode(test_client.SIGNER, {"exp": id_token_expiry}).decode("utf-8")
     request = make_request({"id_token": id_token, "extra": "data"})
@@ -260,7 +260,7 @@ async def test_id_token_jwt_grant():
     # Check result
     assert token == id_token
     # JWT does not store microseconds
-    now = now.replace(microsecond=0)
+    now = now.replace(microsecond=0).astimezone(datetime.timezone.utc)
     assert expiry == now
     assert extra_data["extra"] == "data"