From e830060531e77bbd3e9b41a69765776b7b040ade Mon Sep 17 00:00:00 2001
From: Carlos O'Ryan <coryan@google.com>
Date: Sun, 25 Jan 2026 17:21:00 -0500
Subject: [PATCH] fix(auth): force minimum version for `aws-lc-rs`

The `jsonwebtoken` crate declare the wrong minimum version, so we need
to workaround that to test our own minimums.
---
 Cargo.lock          | 1 +
 Cargo.toml          | 9 ++++++---
 src/auth/Cargo.toml | 5 ++++-
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 40db9cca2d..454da3e806 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1371,6 +1371,7 @@ version = "1.5.0"
 dependencies = [
  "anyhow",
  "async-trait",
+ "aws-lc-rs",
  "base64",
  "bytes",
  "google-cloud-gax",
diff --git a/Cargo.toml b/Cargo.toml
index 5a351003f8..448e3adf87 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -323,7 +323,7 @@ http-body             = { default-features = false, version = "1" }
 http-body-util        = { default-features = false, version = "0.1.3" }
 humantime             = { default-features = false, version = "2" }
 hyper                 = { default-features = false, version = "1" }
-jsonwebtoken          = { default-features = false, version = "10" }
+jsonwebtoken          = { default-features = false, version = "10.2" }
 lazy_static           = { default-features = false, version = "1.2" }
 opentelemetry         = { default-features = false, version = "0.31", features = ["trace"] }
 opentelemetry-proto   = { default-features = false, version = "0.31", features = ["gen-tonic", "trace"] }
@@ -371,8 +371,11 @@ opentelemetry-semantic-conventions = { default-features = false, version = "0.31
 ] }
 
 
-# Transitive dependencies. Used for minimal version selection.
-mime = { default-features = false, version = "0.3.17" }
+# Some of our direct dependencies fail to declare the minimum version
+# requirements correctly. Force a higher version so we can test our own minimum
+# version requirements in the minimal-versions build.
+mime      = { default-features = false, version = "0.3.17" }
+aws-lc-rs = { default-features = false, version = "1.15.4" }
 
 # Test packages
 anyhow            = { default-features = false, version = "1.0.100", features = ["std"] }
diff --git a/src/auth/Cargo.toml b/src/auth/Cargo.toml
index 054b1c7c9f..89be99e1a3 100644
--- a/src/auth/Cargo.toml
+++ b/src/auth/Cargo.toml
@@ -47,6 +47,9 @@ thiserror.workspace   = true
 time                  = { workspace = true, features = ["serde"] }
 tokio                 = { workspace = true, features = ["fs", "process"] }
 jsonwebtoken          = { workspace = true, optional = true }
+# We do not use this directly, but without it the minimal-versions build breaks.
+# See: https://github.com/Keats/jsonwebtoken/pull/481
+aws-lc-rs = { workspace = true, optional = true }
 # Local dependencies
 gax.workspace = true
 
@@ -74,7 +77,7 @@ idtoken = ["dep:jsonwebtoken"]
 # link `google-cloud-auth` with `default-features = false, features = ["idtoken"]
 # and then directly configure the `jsonwebtoken` features to select the
 # `rust_crypto` backend.
-default-idtoken-backend = ["jsonwebtoken?/aws_lc_rs"]
+default-idtoken-backend = ["dep:aws-lc-rs", "jsonwebtoken?/aws_lc_rs"]
 # Enabled by default. Use the default rustls crypto provider ([aws-lc-rs]) for
 # TLS and authentication. Applications with specific requirements for
 # cryptography (such as exclusively using the [ring] crate) should disable this