googleauth 0.1.0 → 0.16.2

data/lib/googleauth/credentials_loader.rb

@@ -0,0 +1,207 @@
+# Copyright 2015, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "memoist"
+require "os"
+require "rbconfig"
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    # CredentialsLoader contains the behaviour used to locate and find default
+    # credentials files on the file system.
+    module CredentialsLoader
+      extend Memoist
+      ENV_VAR                   = "GOOGLE_APPLICATION_CREDENTIALS".freeze
+      PRIVATE_KEY_VAR           = "GOOGLE_PRIVATE_KEY".freeze
+      CLIENT_EMAIL_VAR          = "GOOGLE_CLIENT_EMAIL".freeze
+      CLIENT_ID_VAR             = "GOOGLE_CLIENT_ID".freeze
+      CLIENT_SECRET_VAR         = "GOOGLE_CLIENT_SECRET".freeze
+      REFRESH_TOKEN_VAR         = "GOOGLE_REFRESH_TOKEN".freeze
+      ACCOUNT_TYPE_VAR          = "GOOGLE_ACCOUNT_TYPE".freeze
+      PROJECT_ID_VAR            = "GOOGLE_PROJECT_ID".freeze
+      GCLOUD_POSIX_COMMAND      = "gcloud".freeze
+      GCLOUD_WINDOWS_COMMAND    = "gcloud.cmd".freeze
+      GCLOUD_CONFIG_COMMAND     =
+        "config config-helper --format json --verbosity none".freeze
+
+      CREDENTIALS_FILE_NAME = "application_default_credentials.json".freeze
+      NOT_FOUND_ERROR =
+        "Unable to read the credential file specified by #{ENV_VAR}".freeze
+      WELL_KNOWN_PATH = "gcloud/#{CREDENTIALS_FILE_NAME}".freeze
+      WELL_KNOWN_ERROR = "Unable to read the default credential file".freeze
+
+      SYSTEM_DEFAULT_ERROR =
+        "Unable to read the system default credential file".freeze
+
+      CLOUD_SDK_CLIENT_ID = "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.app"\
+        "s.googleusercontent.com".freeze
+
+      CLOUD_SDK_CREDENTIALS_WARNING = "Your application has authenticated using end user "\
+        "credentials from Google Cloud SDK. We recommend that most server applications use "\
+        "service accounts instead. If your application continues to use end user credentials "\
+        'from Cloud SDK, you might receive a "quota exceeded" or "API not enabled" error. For '\
+        "more information about service accounts, see "\
+        "https://cloud.google.com/docs/authentication/. To suppress this message, set the "\
+        "GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS environment variable.".freeze
+
+      # make_creds proxies the construction of a credentials instance
+      #
+      # By default, it calls #new on the current class, but this behaviour can
+      # be modified, allowing different instances to be created.
+      def make_creds *args
+        creds = new(*args)
+        creds = creds.configure_connection args[0] if creds.respond_to?(:configure_connection) && args.size == 1
+        creds
+      end
+
+      # Creates an instance from the path specified in an environment
+      # variable.
+      #
+      # @param scope [string|array|nil] the scope(s) to access
+      # @param options [Hash] Connection options. These may be used to configure
+      #     how OAuth tokens are retrieved, by providing a suitable
+      #     `Faraday::Connection`. For example, if a connection proxy must be
+      #     used in the current network, you may provide a connection with
+      #     with the needed proxy options.
+      #     The following keys are recognized:
+      #     * `:default_connection` The connection object to use.
+      #     * `:connection_builder` A `Proc` that returns a connection.
+      def from_env scope = nil, options = {}
+        options = interpret_options scope, options
+        if ENV.key?(ENV_VAR) && !ENV[ENV_VAR].empty?
+          path = ENV[ENV_VAR]
+          raise "file #{path} does not exist" unless File.exist? path
+          File.open path do |f|
+            return make_creds options.merge(json_key_io: f)
+          end
+        elsif service_account_env_vars? || authorized_user_env_vars?
+          make_creds options
+        end
+      rescue StandardError => e
+        raise "#{NOT_FOUND_ERROR}: #{e}"
+      end
+
+      # Creates an instance from a well known path.
+      #
+      # @param scope [string|array|nil] the scope(s) to access
+      # @param options [Hash] Connection options. These may be used to configure
+      #     how OAuth tokens are retrieved, by providing a suitable
+      #     `Faraday::Connection`. For example, if a connection proxy must be
+      #     used in the current network, you may provide a connection with
+      #     with the needed proxy options.
+      #     The following keys are recognized:
+      #     * `:default_connection` The connection object to use.
+      #     * `:connection_builder` A `Proc` that returns a connection.
+      def from_well_known_path scope = nil, options = {}
+        options = interpret_options scope, options
+        home_var = OS.windows? ? "APPDATA" : "HOME"
+        base = WELL_KNOWN_PATH
+        root = ENV[home_var].nil? ? "" : ENV[home_var]
+        base = File.join ".config", base unless OS.windows?
+        path = File.join root, base
+        return nil unless File.exist? path
+        File.open path do |f|
+          return make_creds options.merge(json_key_io: f)
+        end
+      rescue StandardError => e
+        raise "#{WELL_KNOWN_ERROR}: #{e}"
+      end
+
+      # Creates an instance from the system default path
+      #
+      # @param scope [string|array|nil] the scope(s) to access
+      # @param options [Hash] Connection options. These may be used to configure
+      #     how OAuth tokens are retrieved, by providing a suitable
+      #     `Faraday::Connection`. For example, if a connection proxy must be
+      #     used in the current network, you may provide a connection with
+      #     with the needed proxy options.
+      #     The following keys are recognized:
+      #     * `:default_connection` The connection object to use.
+      #     * `:connection_builder` A `Proc` that returns a connection.
+      def from_system_default_path scope = nil, options = {}
+        options = interpret_options scope, options
+        if OS.windows?
+          return nil unless ENV["ProgramData"]
+          prefix = File.join ENV["ProgramData"], "Google/Auth"
+        else
+          prefix = "/etc/google/auth/"
+        end
+        path = File.join prefix, CREDENTIALS_FILE_NAME
+        return nil unless File.exist? path
+        File.open path do |f|
+          return make_creds options.merge(json_key_io: f)
+        end
+      rescue StandardError => e
+        raise "#{SYSTEM_DEFAULT_ERROR}: #{e}"
+      end
+
+      module_function
+
+      # Issues warning if cloud sdk client id is used
+      def warn_if_cloud_sdk_credentials client_id
+        return if ENV["GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS"]
+        warn CLOUD_SDK_CREDENTIALS_WARNING if client_id == CLOUD_SDK_CLIENT_ID
+      end
+
+      # Finds project_id from gcloud CLI configuration
+      def load_gcloud_project_id
+        gcloud = GCLOUD_WINDOWS_COMMAND if OS.windows?
+        gcloud = GCLOUD_POSIX_COMMAND unless OS.windows?
+        gcloud_json = IO.popen("#{gcloud} #{GCLOUD_CONFIG_COMMAND}", &:read)
+        config = MultiJson.load gcloud_json
+        config["configuration"]["properties"]["core"]["project"]
+      rescue StandardError
+        nil
+      end
+
+      private
+
+      def interpret_options scope, options
+        if scope.is_a? Hash
+          options = scope
+          scope = nil
+        end
+        return options.merge scope: scope if scope && !options[:scope]
+        options
+      end
+
+      def service_account_env_vars?
+        ([PRIVATE_KEY_VAR, CLIENT_EMAIL_VAR] - ENV.keys).empty? &&
+          !ENV.to_h.fetch_values(PRIVATE_KEY_VAR, CLIENT_EMAIL_VAR).join(" ").empty?
+      end
+
+      def authorized_user_env_vars?
+        ([CLIENT_ID_VAR, CLIENT_SECRET_VAR, REFRESH_TOKEN_VAR] - ENV.keys).empty? &&
+          !ENV.to_h.fetch_values(CLIENT_ID_VAR, CLIENT_SECRET_VAR, REFRESH_TOKEN_VAR).join(" ").empty?
+      end
+    end
+  end
+end

data/lib/googleauth/default_credentials.rb

@@ -0,0 +1,93 @@
+# Copyright 2015, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "multi_json"
+require "stringio"
+
+require "googleauth/credentials_loader"
+require "googleauth/service_account"
+require "googleauth/user_refresh"
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    # DefaultCredentials is used to preload the credentials file, to determine
+    # which type of credentials should be loaded.
+    class DefaultCredentials
+      extend CredentialsLoader
+
+      # override CredentialsLoader#make_creds to use the class determined by
+      # loading the json.
+      def self.make_creds options = {}
+        json_key_io = options[:json_key_io]
+        if json_key_io
+          json_key, clz = determine_creds_class json_key_io
+          warn_if_cloud_sdk_credentials json_key["client_id"]
+          io = StringIO.new MultiJson.dump(json_key)
+          clz.make_creds options.merge(json_key_io: io)
+        else
+          warn_if_cloud_sdk_credentials ENV[CredentialsLoader::CLIENT_ID_VAR]
+          clz = read_creds
+          clz.make_creds options
+        end
+      end
+
+      def self.read_creds
+        env_var = CredentialsLoader::ACCOUNT_TYPE_VAR
+        type = ENV[env_var]
+        raise "#{env_var} is undefined in env" unless type
+        case type
+        when "service_account"
+          ServiceAccountCredentials
+        when "authorized_user"
+          UserRefreshCredentials
+        else
+          raise "credentials type '#{type}' is not supported"
+        end
+      end
+
+      # Reads the input json and determines which creds class to use.
+      def self.determine_creds_class json_key_io
+        json_key = MultiJson.load json_key_io.read
+        key = "type"
+        raise "the json is missing the '#{key}' field" unless json_key.key? key
+        type = json_key[key]
+        case type
+        when "service_account"
+          [json_key, ServiceAccountCredentials]
+        when "authorized_user"
+          [json_key, UserRefreshCredentials]
+        else
+          raise "credentials type '#{type}' is not supported"
+        end
+      end
+    end
+  end
+end

data/lib/googleauth/iam.rb

@@ -0,0 +1,75 @@
+# Copyright 2015, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "googleauth/signet"
+require "googleauth/credentials_loader"
+require "multi_json"
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    # Authenticates requests using IAM credentials.
+    class IAMCredentials
+      SELECTOR_KEY = "x-goog-iam-authority-selector".freeze
+      TOKEN_KEY = "x-goog-iam-authorization-token".freeze
+
+      # Initializes an IAMCredentials.
+      #
+      # @param selector the IAM selector.
+      # @param token the IAM token.
+      def initialize selector, token
+        raise TypeError unless selector.is_a? String
+        raise TypeError unless token.is_a? String
+        @selector = selector
+        @token = token
+      end
+
+      # Adds the credential fields to the hash.
+      def apply! a_hash
+        a_hash[SELECTOR_KEY] = @selector
+        a_hash[TOKEN_KEY] = @token
+        a_hash
+      end
+
+      # Returns a clone of a_hash updated with the authoriation header
+      def apply a_hash
+        a_copy = a_hash.clone
+        apply! a_copy
+        a_copy
+      end
+
+      # Returns a reference to the #apply method, suitable for passing as
+      # a closure
+      def updater_proc
+        proc { |a_hash, _opts = {}| apply a_hash }
+      end
+    end
+  end
+end

data/lib/googleauth/id_tokens.rb

@@ -0,0 +1,233 @@
+# frozen_string_literal: true
+
+# Copyright 2020 Google LLC
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "googleauth/id_tokens/errors"
+require "googleauth/id_tokens/key_sources"
+require "googleauth/id_tokens/verifier"
+
+module Google
+  module Auth
+    ##
+    # ## Verifying Google ID tokens
+    #
+    # This module verifies ID tokens issued by Google. This can be used to
+    # authenticate signed-in users using OpenID Connect. See
+    # https://developers.google.com/identity/sign-in/web/backend-auth for more
+    # information.
+    #
+    # ### Basic usage
+    #
+    # To verify an ID token issued by Google accounts:
+    #
+    #     payload = Google::Auth::IDTokens.verify_oidc the_token,
+    #                                                  aud: "my-app-client-id"
+    #
+    # If verification succeeds, you will receive the token's payload as a hash.
+    # If verification fails, an exception (normally a subclass of
+    # {Google::Auth::IDTokens::VerificationError}) will be raised.
+    #
+    # To verify an ID token issued by the Google identity-aware proxy (IAP):
+    #
+    #     payload = Google::Auth::IDTokens.verify_iap the_token,
+    #                                                 aud: "my-app-client-id"
+    #
+    # These methods will automatically download and cache the Google public
+    # keys necessary to verify these tokens. They will also automatically
+    # verify the issuer (`iss`) field for their respective types of ID tokens.
+    #
+    # ### Advanced usage
+    #
+    # If you want to provide your own public keys, either by pointing at a
+    # custom URI or by providing the key data directly, use the Verifier class
+    # and pass in a key source.
+    #
+    # To point to a custom URI that returns a JWK set:
+    #
+    #     source = Google::Auth::IDTokens::JwkHttpKeySource.new "https://example.com/jwk"
+    #     verifier = Google::Auth::IDTokens::Verifier.new key_source: source
+    #     payload = verifier.verify the_token, aud: "my-app-client-id"
+    #
+    # To provide key data directly:
+    #
+    #     jwk_data = {
+    #       keys: [
+    #         {
+    #           alg: "ES256",
+    #           crv: "P-256",
+    #           kid: "LYyP2g",
+    #           kty: "EC",
+    #           use: "sig",
+    #           x: "SlXFFkJ3JxMsXyXNrqzE3ozl_0913PmNbccLLWfeQFU",
+    #           y: "GLSahrZfBErmMUcHP0MGaeVnJdBwquhrhQ8eP05NfCI"
+    #         }
+    #       ]
+    #     }
+    #     source = Google::Auth::IDTokens::StaticKeySource.from_jwk_set jwk_data
+    #     verifier = Google::Auth::IDTokens::Verifier key_source: source
+    #     payload = verifier.verify the_token, aud: "my-app-client-id"
+    #
+    module IDTokens
+      ##
+      # A list of issuers expected for Google OIDC-issued tokens.
+      #
+      # @return [Array<String>]
+      #
+      OIDC_ISSUERS = ["accounts.google.com", "https://accounts.google.com"].freeze
+
+      ##
+      # A list of issuers expected for Google IAP-issued tokens.
+      #
+      # @return [Array<String>]
+      #
+      IAP_ISSUERS = ["https://cloud.google.com/iap"].freeze
+
+      ##
+      # The URL for Google OAuth2 V3 public certs
+      #
+      # @return [String]
+      #
+      OAUTH2_V3_CERTS_URL = "https://www.googleapis.com/oauth2/v3/certs"
+
+      ##
+      # The URL for Google IAP public keys
+      #
+      # @return [String]
+      #
+      IAP_JWK_URL = "https://www.gstatic.com/iap/verify/public_key-jwk"
+
+      class << self
+        ##
+        # The key source providing public keys that can be used to verify
+        # ID tokens issued by Google OIDC.
+        #
+        # @return [Google::Auth::IDTokens::JwkHttpKeySource]
+        #
+        def oidc_key_source
+          @oidc_key_source ||= JwkHttpKeySource.new OAUTH2_V3_CERTS_URL
+        end
+
+        ##
+        # The key source providing public keys that can be used to verify
+        # ID tokens issued by Google IAP.
+        #
+        # @return [Google::Auth::IDTokens::JwkHttpKeySource]
+        #
+        def iap_key_source
+          @iap_key_source ||= JwkHttpKeySource.new IAP_JWK_URL
+        end
+
+        ##
+        # Reset all convenience key sources. Used for testing.
+        # @private
+        #
+        def forget_sources!
+          @oidc_key_source = @iap_key_source = nil
+          self
+        end
+
+        ##
+        # A convenience method that verifies a token allegedly issued by Google
+        # OIDC.
+        #
+        # @param token [String] The ID token to verify
+        # @param aud [String,Array<String>,nil] The expected audience. At least
+        #     one `aud` field in the token must match at least one of the
+        #     provided audiences, or the verification will fail with
+        #     {Google::Auth::IDToken::AudienceMismatchError}. If `nil` (the
+        #     default), no audience checking is performed.
+        # @param azp [String,Array<String>,nil] The expected authorized party
+        #     (azp). At least one `azp` field in the token must match at least
+        #     one of the provided values, or the verification will fail with
+        #     {Google::Auth::IDToken::AuthorizedPartyMismatchError}. If `nil`
+        #     (the default), no azp checking is performed.
+        # @param aud [String,Array<String>,nil] The expected audience. At least
+        #     one `iss` field in the token must match at least one of the
+        #     provided issuers, or the verification will fail with
+        #     {Google::Auth::IDToken::IssuerMismatchError}. If `nil`, no issuer
+        #     checking is performed. Default is to check against {OIDC_ISSUERS}.
+        #
+        # @return [Hash] The decoded token payload.
+        # @raise [KeySourceError] if the key source failed to obtain public keys
+        # @raise [VerificationError] if the token verification failed.
+        #     Additional data may be available in the error subclass and message.
+        #
+        def verify_oidc token,
+                        aud: nil,
+                        azp: nil,
+                        iss: OIDC_ISSUERS
+
+          verifier = Verifier.new key_source: oidc_key_source,
+                                  aud:        aud,
+                                  azp:        azp,
+                                  iss:        iss
+          verifier.verify token
+        end
+
+        ##
+        # A convenience method that verifies a token allegedly issued by Google
+        # IAP.
+        #
+        # @param token [String] The ID token to verify
+        # @param aud [String,Array<String>,nil] The expected audience. At least
+        #     one `aud` field in the token must match at least one of the
+        #     provided audiences, or the verification will fail with
+        #     {Google::Auth::IDToken::AudienceMismatchError}. If `nil` (the
+        #     default), no audience checking is performed.
+        # @param azp [String,Array<String>,nil] The expected authorized party
+        #     (azp). At least one `azp` field in the token must match at least
+        #     one of the provided values, or the verification will fail with
+        #     {Google::Auth::IDToken::AuthorizedPartyMismatchError}. If `nil`
+        #     (the default), no azp checking is performed.
+        # @param aud [String,Array<String>,nil] The expected audience. At least
+        #     one `iss` field in the token must match at least one of the
+        #     provided issuers, or the verification will fail with
+        #     {Google::Auth::IDToken::IssuerMismatchError}. If `nil`, no issuer
+        #     checking is performed. Default is to check against {IAP_ISSUERS}.
+        #
+        # @return [Hash] The decoded token payload.
+        # @raise [KeySourceError] if the key source failed to obtain public keys
+        # @raise [VerificationError] if the token verification failed.
+        #     Additional data may be available in the error subclass and message.
+        #
+        def verify_iap token,
+                       aud: nil,
+                       azp: nil,
+                       iss: IAP_ISSUERS
+
+          verifier = Verifier.new key_source: iap_key_source,
+                                  aud:        aud,
+                                  azp:        azp,
+                                  iss:        iss
+          verifier.verify token
+        end
+      end
+    end
+  end
+end