
OAuth2: Expiration time of the ImpersonatedCredentials token depends on the current host's timezone #931

@ivan-f-n

Description

Environment details

  1. OS type and version: All
  2. Java version: 1.8
  3. version(s): 1.7.0 and before

Steps to reproduce

  1. Set the TZ environment variable to America/Los_Angeles (or any other timezone that is not GMT)
  2. Retrieve an access token with the AWS workload identity federation credentials
  3. Expiration time of the OAuth2 token will be incorrectly saved as 8 hours (or other value depending on the timezone set previously) from the moment it was requested instead of 1 hour, which is the actual requested lifetime.

Code example

There's an integration test for AWS workload identity federation here

External references such as API reference guides

Additional information

The cause of the issue was traced to the following constant

private static final String RFC3339 = "yyyy-MM-dd'T'HH:mm:ss'Z'";

Since the constant defines the format to expect a literal 'Z' in the text string, it is ignoring whatever timezone definition is present in the input string returned from the STS response.

According to the javadoc for SimpleDateFormat (see), the correct value for this constant should be "yyyy-MM-dd'T'HH:mm:ssX", as shown in this jshell session (note my machine timezone is CEST):

jshell> var format = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'")
format ==> java.text.SimpleDateFormat@fe8ba6fa

jshell> format.parse("2022-06-22T11:14:52Z")
$3 ==> Wed Jun 22 11:14:52 CEST 2022 <-------- Zulu timezone ignored, local tz is assumed

jshell> var format = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssX")
format ==> java.text.SimpleDateFormat@faabb35e

jshell> format.parse("2022-06-22T11:14:52Z")
$5 ==> Wed Jun 22 13:14:52 CEST 2022 <------- Zulu timezone is assumed

Will create a PR with the small change. Thanks!
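The following is an added example, not code from the issue or from the library itself. It reproduces the effect described above with a constructed STS-style expiration timestamp: it parses the same string with the reported pattern and with the proposed `X` pattern, compares both against `java.time`, which always honours the offset, and reports the resulting skew in seconds under a non-GMT default timezone. The class name, method names and the America/Los_Angeles default are assumptions chosen for the demo.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.time.Instant;
import java.time.OffsetDateTime;
import java.util.Date;
import java.util.TimeZone;

public class Rfc3339ExpiryDemo {
    // Pattern reported in the issue: the quoted 'Z' is matched as a literal
    // character, so no zone is parsed and the JVM default timezone is assumed.
    static final String BUGGY_PATTERN = "yyyy-MM-dd'T'HH:mm:ss'Z'";

    // Pattern proposed in the issue: X is the ISO 8601 zone designator, so a
    // trailing "Z" is parsed as UTC instead of being treated as text.
    static final String FIXED_PATTERN = "yyyy-MM-dd'T'HH:mm:ssX";

    // Parse with SimpleDateFormat the way the affected code does.
    static Date parseWith(String pattern, String rfc3339) throws ParseException {
        return new SimpleDateFormat(pattern).parse(rfc3339);
    }

    // Reference parse with java.time, which never consults the default timezone.
    static Instant parseReference(String rfc3339) {
        return OffsetDateTime.parse(rfc3339).toInstant();
    }

    // Seconds by which the SimpleDateFormat result is off from the reference.
    // 0 means the offset in the string was honoured; a non-zero value is the
    // amount by which the token's expiry would be mis-recorded on this host.
    static long skewSeconds(String pattern, String rfc3339) throws ParseException {
        long parsedMillis = parseWith(pattern, rfc3339).getTime();
        long referenceMillis = parseReference(rfc3339).toEpochMilli();
        return (parsedMillis - referenceMillis) / 1000;
    }

    public static void main(String[] args) throws ParseException {
        // Assumption: the host is not on GMT (the issue's reproduction step 1).
        TimeZone.setDefault(TimeZone.getTimeZone("America/Los_Angeles"));

        // Constructed sample in the shape of an STS expireTime value.
        String expireTime = "2022-06-22T11:14:52Z";

        // Under PDT (UTC-7) the buggy pattern yields a skew of +25200 seconds,
        // i.e. the expiry is pushed seven hours into the future; the fixed
        // pattern yields 0. Under PST the buggy skew is +28800 (eight hours).
        System.out.println("buggy pattern skew (s): " + skewSeconds(BUGGY_PATTERN, expireTime));
        System.out.println("fixed pattern skew (s): " + skewSeconds(FIXED_PATTERN, expireTime));
    }
}
```

The check worth keeping from this is the comparison against `java.time`: any code that derives a token lifetime from a server-supplied timestamp should agree with `OffsetDateTime.parse` regardless of `TZ`, and a unit test that sets a non-UTC default timezone before parsing will catch a literal-`'Z'` pattern immediately. Note also that `SimpleDateFormat` instances capture the default timezone at construction, which is why the reproduction sets `TZ` (or `TimeZone.setDefault`) before the formatter is created.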

Metadata

Labels

priority: p2 (Moderately-important priority. Fix may not be included in next release.)
type: bug (Error or flaw in code with unintended results or allowing sub-optimal usage patterns.)