google-id-token 1.3.1 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 65d747323f11a45f8a50cf6a4fc7c08de0bba49a
-  data.tar.gz: aee5256465f70b690d83fcaee93a0036e3444e7c
+  metadata.gz: 24089c2c4e9bb86822d3c8530b92d91b43d5d9c1
+  data.tar.gz: '068251a4ac9a3e856881b8d6babeb36865145c4e'
 SHA512:
-  metadata.gz: 5cf39a389110be3cdd99482fcb25840d7fcb8de85569a91eba39e54d83dc321ea9a64e162fd7f8b081ce50a82b799ad8ec0229a4d9cbd89faab323efbb10f901
-  data.tar.gz: df6376c1d08aee4f11943920d56ba358293991302747ba5b45a238e654ce0b8bf108b09aefb05d6f4fa71c3c985070359120830e0ab259d50389e2bc1ccf094c
+  metadata.gz: 332ef6d84f3a1b2cb008a8931d2d8389bd605f4d670ea7821cc8fd6cc31044fde7581f0d3d85a1417df34d06ec1b2fbc92a4af4e1db2d093ee7edce5467a8310
+  data.tar.gz: 27dd06d5c1b686699acb96b819c926a1f22a729d1b7c1a534821c6941a1f0c160112c4aca72ffe68f923affa940f5e0fb018d8d5c43e6f5826d0f94f14e6e9f9

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/CHANGELOG.md

@@ -0,0 +1,7 @@
+## [1.4.0] - 2017-01-20
+### Added
+- Add `expiry` option to the `Validator` which defines the time after which the certificates cache should be renewed. This prevents continuously fetching them in case of constant decoding errors.
+
+### Changed
+- Make `Validator` thread-safe by not maintaining error state. Errors in `#check` are not saved to the instance variable `problem`. Added specific error classes which are raised upon validation errors instead.
+- Caching certificates in the `Validator` instead of always fetching them from Google servers.

data/Gemfile

@@ -0,0 +1,4 @@
+# encoding: utf-8
+source "https://rubygems.org"
+
+gemspec

data/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/README.md

@@ -0,0 +1,55 @@
+# GoogleIDToken
+
+GoogleIDToken verifies the integrity of ID tokens generated by Google authentication servers.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'google-id-token'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install google-id-token
+
+## Usage
+
+GoogleIDToken currently provides a single useful class `Validator`, which provides a single method `#check`, which parses and validates the integrity of an ID Token allegedly generated by Google auth servers.
+
+```ruby
+validator = GoogleIDToken::Validator.new
+begin
+  payload = validator.check(token, required_audience, optional_client_id)
+  email = payload['email']
+rescue GoogleIDToken::ValidationError => e
+  report "Cannot validate: #{e}"
+end
+```
+
+## Configuration
+
+Creating a new validator takes a single optional hash argument. If the hash has an entry for :x509_key, that value is taken to be a key as created by OpenSSL::X509::Certificate.new, and the token is validated using that key.  If there is no such entry, the keys are fetched from the Google certs endpoint https://www.googleapis.com/oauth2/v1/certs. The certificates are cached for some time (default: 1 hour) which can be configured by adding the :expiry argument to the initialization hash (in seconds).
+
+### expiry
+
+Expiry defines the the time (in seconds) in which the cached Google certificates are valid.
+
+```ruby
+GoogleIDToken::Validator.new(expiry: 1800) # 30 minutes
+```
+
+### x509_cert
+
+x509_cert can be provided to manually define a certificate to validate the tokens.
+
+```ruby
+cert = OpenSSL::X509::Certificate.new(File.read('my-cert.pem'))
+validator = GoogleIDToken::Validator.new(x509_cert: cert)
+```
+

data/Rakefile

@@ -0,0 +1,22 @@
+# encoding: utf-8
+# Copyright 2012 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+task :default => :spec
+
+RSpec::Core::RakeTask.new

data/bin/console

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "google-id-token"
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install

data/google-id-token.gemspec

@@ -0,0 +1,40 @@
+# encoding: utf-8
+# Copyright 2012 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the 'License');
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an 'AS IS' BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'google-id-token/version'
+
+Gem::Specification.new do |s|
+  s.name = 'google-id-token'
+  s.version = GoogleIDToken::VERSION
+
+  s.homepage = 'https://github.com/google/google-id-token/'
+  s.license = 'APACHE-2.0'
+  s.summary = 'Google ID Token utilities'
+  s.description = 'Google ID Token utilities; currently just a parser/checker'
+
+  s.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  s.require_paths = ["lib"]
+
+  s.add_runtime_dependency 'jwt', '>= 1'
+
+  s.add_development_dependency 'fakeweb'
+  s.add_development_dependency 'rake'
+  s.add_development_dependency 'rspec'
+  s.add_development_dependency 'openssl'
+
+  s.authors = ['Tim Bray', 'Bob Aman']
+  s.email = 'tbray@textuality.com'
+end

data/lib/google-id-token.rb

@@ -18,29 +18,42 @@
 #  succeeds, returns the decoded ID Token as a hash.
 # It's a good idea to keep an instance of this class around for a long time,
 #  because it caches the keys, performs validation statically, and only
-#  refreshes from Google when required (typically once per day)
+#  refreshes from Google when required (once per day by default)
 #
 # @author Tim Bray, adapted from code by Bob Aman
 
-require 'multi_json'
+require 'google-id-token/version'
+require 'json'
 require 'jwt'
-require 'openssl'
+require 'monitor'
 require 'net/http'
+require 'openssl'
 
 module GoogleIDToken
+  class CertificateError < StandardError; end
+  class ValidationError < StandardError; end
+  class ExpiredTokenError < ValidationError; end
+  class SignatureError < ValidationError; end
+  class InvalidIssuerError < ValidationError; end
+  class AudienceMismatchError < ValidationError; end
+  class ClientIDMismatchError < ValidationError; end
+
   class Validator
+    include MonitorMixin
 
     GOOGLE_CERTS_URI = 'https://www.googleapis.com/oauth2/v1/certs'
+    GOOGLE_CERTS_EXPIRY = 3600 # 1 hour
 
-    # @!attribute [r] problem
-    #   Reason for failure, if #check returns nil
-    attr_reader :problem
+    # https://developers.google.com/identity/sign-in/web/backend-auth
+    GOOGLE_ISSUERS = ['accounts.google.com', 'https://accounts.google.com']
 
-    def initialize(keyopts = {})
-      if keyopts[:x509_cert]
+    def initialize(options = {})
+      super()
+
+      if options[:x509_cert]
         @certs_mode = :literal
-        @certs = { :_ => keyopts[:x509_cert] }
-      # elsif keyopts[:jwk_uri]  # TODO
+        @certs = { :_ => options[:x509_cert] }
+      # elsif options[:jwk_uri]  # TODO
       #   @certs_mode = :jwk
       #   @certs = {}
       else
@@ -48,14 +61,15 @@ module GoogleIDToken
         @certs = {}
       end
 
+      @certs_expiry = options.fetch(:expiry, GOOGLE_CERTS_EXPIRY)
     end
 
     ##
-    # If it validates, returns a hash with the JWT fields from the ID Token.
+    # If it validates, returns a hash with the JWT payload from the ID Token.
     #  You have to provide an "aud" value, which must match the
     #  token's field with that name, and will similarly check cid if provided.
     #
-    # If something fails, returns nil; #problem returns error text
+    # If something fails, raises an error
     #
     # @param [String] token
     #   The string form of the token
@@ -64,82 +78,80 @@ module GoogleIDToken
     # @param [String] cid
     #   The optional client-id ("azp" field) value
     #
-    # @return [Hash] The decoded ID token, or null
+    # @return [Hash] The decoded ID token
     def check(token, aud, cid = nil)
-      case check_cached_certs(token, aud, cid)
-      when :valid
-        @token
-      when :problem
-        nil
-      else
-        # no certs worked, might've expired, refresh
-        if refresh_certs
-          @problem = 'Unable to retrieve Google public keys'
-          nil
-        else
-          case check_cached_certs(token, aud, cid)
-          when :valid
-            @token
-          when :problem
-            nil
+      synchronize do
+        payload = check_cached_certs(token, aud, cid)
+
+        unless payload
+          # no certs worked, might've expired, refresh
+          if refresh_certs
+            payload = check_cached_certs(token, aud, cid)
+
+            unless payload
+              raise SignatureError, 'Token not verified as issued by Google'
+            end
           else
-            @problem = 'Token not verified as issued by Google'
-            nil
+            raise CertificateError, 'Unable to retrieve Google public keys'
           end
         end
+
+        payload
       end
     end
 
     private
 
     # tries to validate the token against each cached cert.
-    # Returns :valid (sets @token) or :problem (sets @problem) or
+    # Returns the token payload or raises a ValidationError or
     #  nil, which means none of the certs validated.
     def check_cached_certs(token, aud, cid)
-      @problem = @token = @tokens = nil
+      payload = nil
 
       # find first public key that validates this token
       @certs.detect do |key, cert|
         begin
           public_key = cert.public_key
-          @tokens = JWT.decode(token, public_key, !!public_key)
-          @tokens.each do |currtoken|
-            # in Feb 2013, the 'cid' claim became the 'azp' claim per changes
-            #  in the OIDC draft. At some future point we can go all-azp, but
-            #  this should keep everything running for a while
-            if currtoken['azp']
-              currtoken['cid'] = currtoken['azp']
-              if(currtoken.has_key?('aud') && (currtoken['aud'] == aud) &&
-                 currtoken.has_key?('cid') && (currtoken['cid'] == cid))
-                # If we find a valid token, save it for further verification.
-                @token = currtoken
-              end
-            elsif currtoken['cid']
-              currtoken['azp'] = currtoken['cid']
-            end
+          decoded_token = JWT.decode(token, public_key, !!public_key)
+          payload = decoded_token.first
+
+          # in Feb 2013, the 'cid' claim became the 'azp' claim per changes
+          #  in the OIDC draft. At some future point we can go all-azp, but
+          #  this should keep everything running for a while
+          if payload['azp']
+            payload['cid'] = payload['azp']
+          elsif payload['cid']
+            payload['azp'] = payload['cid']
           end
-        rescue JWT::DecodeError
+          payload
+        rescue JWT::ExpiredSignature
+          raise ExpiredTokenError, 'Token signature is expired'
+        rescue JWT::DecodeError => e
           nil # go on, try the next cert
         end
       end
 
-      if @token
-        if !(@token.has_key?('aud') && (@token['aud'] == aud))
-          @problem = 'Token audience mismatch'
-        elsif cid && !(@token.has_key?('cid') && (@token['cid'] == cid))
-          @problem = 'Token client-id mismatch'
+      if payload
+        if !(payload.has_key?('aud') && payload['aud'] == aud)
+          raise AudienceMismatchError, 'Token audience mismatch'
+        end
+        if cid && payload['cid'] != cid
+          raise ClientIDMismatchError, 'Token client-id mismatch'
         end
-        @problem ? :problem : :valid
+        if !GOOGLE_ISSUERS.include?(payload['iss'])
+          raise InvalidIssuerError, 'Token issuer mismatch'
+        end
+        payload
       else
         nil
       end
     end
 
-    # returns true if there was a problem
+    # returns false if there was a problem
     def refresh_certs
       case @certs_mode
       when :literal
-        return # no-op
+        true # no-op
       when :old_skool
         old_skool_refresh_certs
       # when :jwk          # TODO
@@ -148,18 +160,29 @@ module GoogleIDToken
     end
 
     def old_skool_refresh_certs
+      return true unless certs_cache_expired?
+
       uri = URI(GOOGLE_CERTS_URI)
       get = Net::HTTP::Get.new uri.request_uri
       http = Net::HTTP.new(uri.host, uri.port)
       http.use_ssl = true
       res = http.request(get)
 
-      if res.kind_of?(Net::HTTPSuccess)
-        new_certs = Hash[MultiJson.load(res.body).map do |key, cert|
-                           [key, OpenSSL::X509::Certificate.new(cert)]
-                         end]
+      if res.is_a?(Net::HTTPSuccess)
+        new_certs = Hash[JSON.load(res.body).map do |key, cert|
+          [key, OpenSSL::X509::Certificate.new(cert)]
+        end]
         @certs.merge! new_certs
+        @certs_last_refresh = Time.now
+        true
+      else
         false
+      end
+    end
+
+    def certs_cache_expired?
+      if defined? @certs_last_refresh
+        Time.now > @certs_last_refresh + @certs_expiry
       else
         true
       end

data/lib/google-id-token/version.rb

@@ -0,0 +1,3 @@
+module GoogleIDToken
+  VERSION = "1.4.0".freeze
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: google-id-token
 version: !ruby/object:Gem::Version
-  version: 1.3.1
+  version: 1.4.0
 platform: ruby
 authors:
 - Tim Bray
@@ -9,36 +9,22 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-12-11 00:00:00.000000000 Z
+date: 2017-09-01 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: multi_json
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1'
 - !ruby/object:Gem::Dependency
   name: fakeweb
   requirement: !ruby/object:Gem::Requirement
@@ -101,11 +87,21 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- README.rdoc
+- ".gitignore"
+- ".rspec"
+- CHANGELOG.md
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- google-id-token.gemspec
 - lib/google-id-token.rb
+- lib/google-id-token/version.rb
 homepage: https://github.com/google/google-id-token/
 licenses:
-- Apache-2.0
+- APACHE-2.0
 metadata: {}
 post_install_message: 
 rdoc_options: []
@@ -123,7 +119,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.6.8
 signing_key: 
 specification_version: 4
 summary: Google ID Token utilities

data/README.rdoc

@@ -1,29 +0,0 @@
-= GoogleIDToken
-
-GoogleIDToken currently provides a single useful class "Validator", which provides a single method "#check", which parses and validates an ID Token allegedly generated by Google auth servers.
-
-Creating a new validator takes a single optional hash argument. If the hash has an entry for :x509_key, that value is taken to be a key as created by OpenSSL::X509::Certificate.new, and the token is validated using that key.  If there is no such entry, the keys are fetched from the Google certs endpoint https://www.googleapis.com/oauth2/v1/certs.
-
-=== Installation
-
-  gem install google-id-token
-
-=== Examples
-
-  validator = GoogleIDToken::Validator.new
-  jwt = validator.check(token, required_audience, required_client_id)
-  if jwt
-    email = jwt['email']
-  else
-    report "Cannot validate: #{validator.problem}"
-  end
-
-
-  cert = OpenSSL::X509::Certificate.new(File.read('my-cert.pem'))
-  validator = GoogleIDToken::Validator.new(:x509_cert => cert)
-  jwt = validator.check(token, required_audience, required_client_id)
-  if jwt
-    email = jwt['email']
-  else
-    report "Cannot validate: #{validator.problem}"
-  end