Treat both implicit or explicit 0 value as invalid behavior unless backend team giving a spec

Author: BigTailWolf

google/internal/externalaccount/basecredentials.go

@@ -247,13 +247,10 @@ func (ts tokenSource) Token() (*oauth2.Token, error) {
 	// The RFC8693 doesn't define the explicit 0 of "expires_in" field behavior.
 	// In practice a lot of sts request is using 0 means "never expire" for an sts token.
 	// So the logic here shall use a max unix time value.
-	if stsResp.ExpiresIn < 0 {
+	if stsResp.ExpiresIn <= 0 {
 		return nil, fmt.Errorf("oauth2/google: got invalid expiry from security token service")
-	} else if stsResp.ExpiresIn > 0 {
-		accessToken.Expiry = now().Add(time.Duration(stsResp.ExpiresIn) * time.Second)
-	} else {
-		accessToken.Expiry = maxUnixTime
 	}
+	accessToken.Expiry = now().Add(time.Duration(stsResp.ExpiresIn) * time.Second)
 
 	if stsResp.RefreshToken != "" {
 		accessToken.RefreshToken = stsResp.RefreshToken

google/internal/externalaccount/basecredentials_test.go

@@ -151,19 +151,15 @@ func TestToken(t *testing.T) {
 			},
 		},
 		{
-			name: "happy case, non expire token",
+			name: "no expiry time on token",
 			responseBody: MockSTSResponse{
 				AccessToken:     correctAT,
 				IssuedTokenType: "urn:ietf:params:oauth:token-type:access_token",
 				TokenType:       "Bearer",
-				ExpiresIn:       0,
 				Scope:           "https://www.googleapis.com/auth/cloud-platform",
 			},
-			expectToken: &oauth2.Token{
-				AccessToken: correctAT,
-				TokenType:   "Bearer",
-				Expiry:      maxUnixTime,
-			},
+			expectToken:    nil,
+			expectErrorMsg: "oauth2/google: got invalid expiry from security token service",
 		},
 		{
 			name: "negative expiry time",