googleauth 0.10.0 → 0.14.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (44) hide show
  1. checksums.yaml +4 -4
  2. data/.github/CODEOWNERS +7 -0
  3. data/.kokoro/continuous/linux.cfg +2 -2
  4. data/.kokoro/continuous/post.cfg +30 -0
  5. data/.kokoro/presubmit/linux.cfg +1 -1
  6. data/.kokoro/release.cfg +1 -1
  7. data/.repo-metadata.json +5 -0
  8. data/.rubocop.yml +5 -4
  9. data/CHANGELOG.md +27 -0
  10. data/Gemfile +5 -2
  11. data/{COPYING → LICENSE} +0 -0
  12. data/README.md +4 -5
  13. data/Rakefile +45 -3
  14. data/googleauth.gemspec +5 -3
  15. data/integration/helper.rb +31 -0
  16. data/integration/id_tokens/key_source_test.rb +74 -0
  17. data/lib/googleauth.rb +1 -0
  18. data/lib/googleauth/application_default.rb +2 -2
  19. data/lib/googleauth/compute_engine.rb +36 -6
  20. data/lib/googleauth/credentials.rb +89 -22
  21. data/lib/googleauth/id_tokens.rb +233 -0
  22. data/lib/googleauth/id_tokens/errors.rb +71 -0
  23. data/lib/googleauth/id_tokens/key_sources.rb +394 -0
  24. data/lib/googleauth/id_tokens/verifier.rb +144 -0
  25. data/lib/googleauth/json_key_reader.rb +6 -2
  26. data/lib/googleauth/service_account.rb +16 -7
  27. data/lib/googleauth/signet.rb +3 -2
  28. data/lib/googleauth/user_authorizer.rb +6 -1
  29. data/lib/googleauth/user_refresh.rb +1 -1
  30. data/lib/googleauth/version.rb +1 -1
  31. data/rakelib/devsite_builder.rb +45 -0
  32. data/rakelib/link_checker.rb +64 -0
  33. data/rakelib/repo_metadata.rb +59 -0
  34. data/spec/googleauth/apply_auth_examples.rb +28 -5
  35. data/spec/googleauth/compute_engine_spec.rb +48 -13
  36. data/spec/googleauth/credentials_spec.rb +17 -6
  37. data/spec/googleauth/service_account_spec.rb +23 -16
  38. data/spec/googleauth/signet_spec.rb +15 -7
  39. data/spec/googleauth/user_authorizer_spec.rb +21 -1
  40. data/spec/googleauth/user_refresh_spec.rb +1 -1
  41. data/test/helper.rb +33 -0
  42. data/test/id_tokens/key_sources_test.rb +240 -0
  43. data/test/id_tokens/verifier_test.rb +269 -0
  44. metadata +46 -12
@@ -47,6 +47,8 @@ module Google
47
47
  # The default target audience ID to be used when none is provided during initialization.
48
48
  AUDIENCE = "https://oauth2.googleapis.com/token".freeze
49
49
 
50
+ @audience = @scope = @target_audience = @env_vars = @paths = nil
51
+
50
52
  ##
51
53
  # The default token credential URI to be used when none is provided during initialization.
52
54
  # The URI is the authorization server's HTTP endpoint capable of issuing tokens and
@@ -97,20 +99,25 @@ module Google
97
99
  # A scope is an access range defined by the authorization server.
98
100
  # The scope can be a single value or a list of values.
99
101
  #
102
+ # Either {#scope} or {#target_audience}, but not both, should be non-nil.
103
+ # If {#scope} is set, this credential will produce access tokens.
104
+ # If {#target_audience} is set, this credential will produce ID tokens.
105
+ #
100
106
  # @return [String, Array<String>]
101
107
  #
102
108
  def self.scope
103
109
  return @scope unless @scope.nil?
104
110
 
105
- tmp_scope = []
106
- # Pull in values is the SCOPE constant exists.
107
- tmp_scope << const_get(:SCOPE) if const_defined? :SCOPE
108
- tmp_scope.flatten.uniq
111
+ Array(const_get(:SCOPE)).flatten.uniq if const_defined? :SCOPE
109
112
  end
110
113
 
111
114
  ##
112
115
  # Sets the default scope to be used when none is provided during initialization.
113
116
  #
117
+ # Either {#scope} or {#target_audience}, but not both, should be non-nil.
118
+ # If {#scope} is set, this credential will produce access tokens.
119
+ # If {#target_audience} is set, this credential will produce ID tokens.
120
+ #
114
121
  # @param [String, Array<String>] new_scope
115
122
  # @return [String, Array<String>]
116
123
  #
@@ -119,6 +126,34 @@ module Google
119
126
  @scope = new_scope
120
127
  end
121
128
 
129
+ ##
130
+ # The default final target audience for ID tokens, to be used when none
131
+ # is provided during initialization.
132
+ #
133
+ # Either {#scope} or {#target_audience}, but not both, should be non-nil.
134
+ # If {#scope} is set, this credential will produce access tokens.
135
+ # If {#target_audience} is set, this credential will produce ID tokens.
136
+ #
137
+ # @return [String]
138
+ #
139
+ def self.target_audience
140
+ @target_audience
141
+ end
142
+
143
+ ##
144
+ # Sets the default final target audience for ID tokens, to be used when none
145
+ # is provided during initialization.
146
+ #
147
+ # Either {#scope} or {#target_audience}, but not both, should be non-nil.
148
+ # If {#scope} is set, this credential will produce access tokens.
149
+ # If {#target_audience} is set, this credential will produce ID tokens.
150
+ #
151
+ # @param [String] new_target_audience
152
+ #
153
+ def self.target_audience= new_target_audience
154
+ @target_audience = new_target_audience
155
+ end
156
+
122
157
  ##
123
158
  # The environment variables to search for credentials. Values can either be a file path to the
124
159
  # credentials file, or the JSON contents of the credentials file.
@@ -185,6 +220,13 @@ module Google
185
220
  #
186
221
  attr_reader :project_id
187
222
 
223
+ ##
224
+ # Identifier for a separate project used for billing/quota, if any.
225
+ #
226
+ # @return [String,nil]
227
+ #
228
+ attr_reader :quota_project_id
229
+
188
230
  # @private Delegate client methods to the client object.
189
231
  extend Forwardable
190
232
 
@@ -201,6 +243,9 @@ module Google
201
243
  # @return [String, Array<String>] The scope for this client. A scope is an access range
202
244
  # defined by the authorization server. The scope can be a single value or a list of values.
203
245
  #
246
+ # @!attribute [r] target_audience
247
+ # @return [String] The final target audience for ID tokens returned by this credential.
248
+ #
204
249
  # @!attribute [r] issuer
205
250
  # @return [String] The issuer ID associated with this client.
206
251
  #
@@ -213,9 +258,7 @@ module Google
213
258
  #
214
259
  def_delegators :@client,
215
260
  :token_credential_uri, :audience,
216
- :scope, :issuer, :signing_key, :updater_proc
217
-
218
- # rubocop:disable Metrics/AbcSize
261
+ :scope, :issuer, :signing_key, :updater_proc, :target_audience
219
262
 
220
263
  ##
221
264
  # Creates a new Credentials instance with the provided auth credentials, and with the default
@@ -236,23 +279,15 @@ module Google
236
279
  # * +:default_connection+ - the default connection to use for the client
237
280
  #
238
281
  def initialize keyfile, options = {}
239
- scope = options[:scope]
240
282
  verify_keyfile_provided! keyfile
241
283
  @project_id = options["project_id"] || options["project"]
284
+ @quota_project_id = options["quota_project_id"]
242
285
  if keyfile.is_a? Signet::OAuth2::Client
243
- @client = keyfile
244
- @project_id ||= keyfile.project_id if keyfile.respond_to? :project_id
286
+ update_from_signet keyfile
245
287
  elsif keyfile.is_a? Hash
246
- hash = stringify_hash_keys keyfile
247
- hash["scope"] ||= scope
248
- @client = init_client hash, options
249
- @project_id ||= (hash["project_id"] || hash["project"])
288
+ update_from_hash keyfile, options
250
289
  else
251
- verify_keyfile_exists! keyfile
252
- json = JSON.parse ::File.read(keyfile)
253
- json["scope"] ||= scope
254
- @project_id ||= (json["project_id"] || json["project"])
255
- @client = init_client json, options
290
+ update_from_filepath keyfile, options
256
291
  end
257
292
  CredentialsLoader.warn_if_cloud_sdk_credentials @client.client_id
258
293
  @project_id ||= CredentialsLoader.load_gcloud_project_id
@@ -261,7 +296,6 @@ module Google
261
296
  @paths = nil
262
297
  @scope = nil
263
298
  end
264
- # rubocop:enable Metrics/AbcSize
265
299
 
266
300
  ##
267
301
  # Creates a new Credentials instance with auth credentials acquired by searching the
@@ -323,7 +357,8 @@ module Google
323
357
  # @private Lookup Credentials using Google::Auth.get_application_default.
324
358
  def self.from_application_default options
325
359
  scope = options[:scope] || self.scope
326
- client = Google::Auth.get_application_default scope
360
+ auth_opts = { target_audience: options[:target_audience] || target_audience }
361
+ client = Google::Auth.get_application_default scope, auth_opts
327
362
  new client, options
328
363
  end
329
364
 
@@ -362,14 +397,46 @@ module Google
362
397
  options["token_credential_uri"] ||= self.class.token_credential_uri
363
398
  options["audience"] ||= self.class.audience
364
399
  options["scope"] ||= self.class.scope
400
+ options["target_audience"] ||= self.class.target_audience
365
401
 
402
+ if !Array(options["scope"]).empty? && options["target_audience"]
403
+ raise ArgumentError, "Cannot specify both scope and target_audience"
404
+ end
405
+
406
+ needs_scope = options["target_audience"].nil?
366
407
  # client options for initializing signet client
367
408
  { token_credential_uri: options["token_credential_uri"],
368
409
  audience: options["audience"],
369
- scope: Array(options["scope"]),
410
+ scope: (needs_scope ? Array(options["scope"]) : nil),
411
+ target_audience: options["target_audience"],
370
412
  issuer: options["client_email"],
371
413
  signing_key: OpenSSL::PKey::RSA.new(options["private_key"]) }
372
414
  end
415
+
416
+ def update_from_signet client
417
+ @project_id ||= client.project_id if client.respond_to? :project_id
418
+ @quota_project_id ||= client.quota_project_id if client.respond_to? :quota_project_id
419
+ @client = client
420
+ end
421
+
422
+ def update_from_hash hash, options
423
+ hash = stringify_hash_keys hash
424
+ hash["scope"] ||= options[:scope]
425
+ hash["target_audience"] ||= options[:target_audience]
426
+ @project_id ||= (hash["project_id"] || hash["project"])
427
+ @quota_project_id ||= hash["quota_project_id"]
428
+ @client = init_client hash, options
429
+ end
430
+
431
+ def update_from_filepath path, options
432
+ verify_keyfile_exists! path
433
+ json = JSON.parse ::File.read(path)
434
+ json["scope"] ||= options[:scope]
435
+ json["target_audience"] ||= options[:target_audience]
436
+ @project_id ||= (json["project_id"] || json["project"])
437
+ @quota_project_id ||= json["quota_project_id"]
438
+ @client = init_client json, options
439
+ end
373
440
  end
374
441
  end
375
442
  end
@@ -0,0 +1,233 @@
1
+ # frozen_string_literal: true
2
+
3
+ # Copyright 2020 Google LLC
4
+ #
5
+ # Redistribution and use in source and binary forms, with or without
6
+ # modification, are permitted provided that the following conditions are
7
+ # met:
8
+ #
9
+ # * Redistributions of source code must retain the above copyright
10
+ # notice, this list of conditions and the following disclaimer.
11
+ # * Redistributions in binary form must reproduce the above
12
+ # copyright notice, this list of conditions and the following disclaimer
13
+ # in the documentation and/or other materials provided with the
14
+ # distribution.
15
+ # * Neither the name of Google Inc. nor the names of its
16
+ # contributors may be used to endorse or promote products derived from
17
+ # this software without specific prior written permission.
18
+ #
19
+ # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20
+ # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21
+ # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
22
+ # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
23
+ # OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
24
+ # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
25
+ # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26
+ # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27
+ # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28
+ # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29
+ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30
+
31
+ require "googleauth/id_tokens/errors"
32
+ require "googleauth/id_tokens/key_sources"
33
+ require "googleauth/id_tokens/verifier"
34
+
35
+ module Google
36
+ module Auth
37
+ ##
38
+ # ## Verifying Google ID tokens
39
+ #
40
+ # This module verifies ID tokens issued by Google. This can be used to
41
+ # authenticate signed-in users using OpenID Connect. See
42
+ # https://developers.google.com/identity/sign-in/web/backend-auth for more
43
+ # information.
44
+ #
45
+ # ### Basic usage
46
+ #
47
+ # To verify an ID token issued by Google accounts:
48
+ #
49
+ # payload = Google::Auth::IDTokens.verify_oidc the_token,
50
+ # aud: "my-app-client-id"
51
+ #
52
+ # If verification succeeds, you will receive the token's payload as a hash.
53
+ # If verification fails, an exception (normally a subclass of
54
+ # {Google::Auth::IDTokens::VerificationError}) will be raised.
55
+ #
56
+ # To verify an ID token issued by the Google identity-aware proxy (IAP):
57
+ #
58
+ # payload = Google::Auth::IDTokens.verify_iap the_token,
59
+ # aud: "my-app-client-id"
60
+ #
61
+ # These methods will automatically download and cache the Google public
62
+ # keys necessary to verify these tokens. They will also automatically
63
+ # verify the issuer (`iss`) field for their respective types of ID tokens.
64
+ #
65
+ # ### Advanced usage
66
+ #
67
+ # If you want to provide your own public keys, either by pointing at a
68
+ # custom URI or by providing the key data directly, use the Verifier class
69
+ # and pass in a key source.
70
+ #
71
+ # To point to a custom URI that returns a JWK set:
72
+ #
73
+ # source = Google::Auth::IDTokens::JwkHttpKeySource.new "https://example.com/jwk"
74
+ # verifier = Google::Auth::IDTokens::Verifier.new key_source: source
75
+ # payload = verifier.verify the_token, aud: "my-app-client-id"
76
+ #
77
+ # To provide key data directly:
78
+ #
79
+ # jwk_data = {
80
+ # keys: [
81
+ # {
82
+ # alg: "ES256",
83
+ # crv: "P-256",
84
+ # kid: "LYyP2g",
85
+ # kty: "EC",
86
+ # use: "sig",
87
+ # x: "SlXFFkJ3JxMsXyXNrqzE3ozl_0913PmNbccLLWfeQFU",
88
+ # y: "GLSahrZfBErmMUcHP0MGaeVnJdBwquhrhQ8eP05NfCI"
89
+ # }
90
+ # ]
91
+ # }
92
+ # source = Google::Auth::IDTokens::StaticKeySource.from_jwk_set jwk_data
93
+ # verifier = Google::Auth::IDTokens::Verifier key_source: source
94
+ # payload = verifier.verify the_token, aud: "my-app-client-id"
95
+ #
96
+ module IDTokens
97
+ ##
98
+ # A list of issuers expected for Google OIDC-issued tokens.
99
+ #
100
+ # @return [Array<String>]
101
+ #
102
+ OIDC_ISSUERS = ["accounts.google.com", "https://accounts.google.com"].freeze
103
+
104
+ ##
105
+ # A list of issuers expected for Google IAP-issued tokens.
106
+ #
107
+ # @return [Array<String>]
108
+ #
109
+ IAP_ISSUERS = ["https://cloud.google.com/iap"].freeze
110
+
111
+ ##
112
+ # The URL for Google OAuth2 V3 public certs
113
+ #
114
+ # @return [String]
115
+ #
116
+ OAUTH2_V3_CERTS_URL = "https://www.googleapis.com/oauth2/v3/certs"
117
+
118
+ ##
119
+ # The URL for Google IAP public keys
120
+ #
121
+ # @return [String]
122
+ #
123
+ IAP_JWK_URL = "https://www.gstatic.com/iap/verify/public_key-jwk"
124
+
125
+ class << self
126
+ ##
127
+ # The key source providing public keys that can be used to verify
128
+ # ID tokens issued by Google OIDC.
129
+ #
130
+ # @return [Google::Auth::IDTokens::JwkHttpKeySource]
131
+ #
132
+ def oidc_key_source
133
+ @oidc_key_source ||= JwkHttpKeySource.new OAUTH2_V3_CERTS_URL
134
+ end
135
+
136
+ ##
137
+ # The key source providing public keys that can be used to verify
138
+ # ID tokens issued by Google IAP.
139
+ #
140
+ # @return [Google::Auth::IDTokens::JwkHttpKeySource]
141
+ #
142
+ def iap_key_source
143
+ @iap_key_source ||= JwkHttpKeySource.new IAP_JWK_URL
144
+ end
145
+
146
+ ##
147
+ # Reset all convenience key sources. Used for testing.
148
+ # @private
149
+ #
150
+ def forget_sources!
151
+ @oidc_key_source = @iap_key_source = nil
152
+ self
153
+ end
154
+
155
+ ##
156
+ # A convenience method that verifies a token allegedly issued by Google
157
+ # OIDC.
158
+ #
159
+ # @param token [String] The ID token to verify
160
+ # @param aud [String,Array<String>,nil] The expected audience. At least
161
+ # one `aud` field in the token must match at least one of the
162
+ # provided audiences, or the verification will fail with
163
+ # {Google::Auth::IDToken::AudienceMismatchError}. If `nil` (the
164
+ # default), no audience checking is performed.
165
+ # @param azp [String,Array<String>,nil] The expected authorized party
166
+ # (azp). At least one `azp` field in the token must match at least
167
+ # one of the provided values, or the verification will fail with
168
+ # {Google::Auth::IDToken::AuthorizedPartyMismatchError}. If `nil`
169
+ # (the default), no azp checking is performed.
170
+ # @param aud [String,Array<String>,nil] The expected audience. At least
171
+ # one `iss` field in the token must match at least one of the
172
+ # provided issuers, or the verification will fail with
173
+ # {Google::Auth::IDToken::IssuerMismatchError}. If `nil`, no issuer
174
+ # checking is performed. Default is to check against {OIDC_ISSUERS}.
175
+ #
176
+ # @return [Hash] The decoded token payload.
177
+ # @raise [KeySourceError] if the key source failed to obtain public keys
178
+ # @raise [VerificationError] if the token verification failed.
179
+ # Additional data may be available in the error subclass and message.
180
+ #
181
+ def verify_oidc token,
182
+ aud: nil,
183
+ azp: nil,
184
+ iss: OIDC_ISSUERS
185
+
186
+ verifier = Verifier.new key_source: oidc_key_source,
187
+ aud: aud,
188
+ azp: azp,
189
+ iss: iss
190
+ verifier.verify token
191
+ end
192
+
193
+ ##
194
+ # A convenience method that verifies a token allegedly issued by Google
195
+ # IAP.
196
+ #
197
+ # @param token [String] The ID token to verify
198
+ # @param aud [String,Array<String>,nil] The expected audience. At least
199
+ # one `aud` field in the token must match at least one of the
200
+ # provided audiences, or the verification will fail with
201
+ # {Google::Auth::IDToken::AudienceMismatchError}. If `nil` (the
202
+ # default), no audience checking is performed.
203
+ # @param azp [String,Array<String>,nil] The expected authorized party
204
+ # (azp). At least one `azp` field in the token must match at least
205
+ # one of the provided values, or the verification will fail with
206
+ # {Google::Auth::IDToken::AuthorizedPartyMismatchError}. If `nil`
207
+ # (the default), no azp checking is performed.
208
+ # @param aud [String,Array<String>,nil] The expected audience. At least
209
+ # one `iss` field in the token must match at least one of the
210
+ # provided issuers, or the verification will fail with
211
+ # {Google::Auth::IDToken::IssuerMismatchError}. If `nil`, no issuer
212
+ # checking is performed. Default is to check against {IAP_ISSUERS}.
213
+ #
214
+ # @return [Hash] The decoded token payload.
215
+ # @raise [KeySourceError] if the key source failed to obtain public keys
216
+ # @raise [VerificationError] if the token verification failed.
217
+ # Additional data may be available in the error subclass and message.
218
+ #
219
+ def verify_iap token,
220
+ aud: nil,
221
+ azp: nil,
222
+ iss: IAP_ISSUERS
223
+
224
+ verifier = Verifier.new key_source: iap_key_source,
225
+ aud: aud,
226
+ azp: azp,
227
+ iss: iss
228
+ verifier.verify token
229
+ end
230
+ end
231
+ end
232
+ end
233
+ end
@@ -0,0 +1,71 @@
1
+ # frozen_string_literal: true
2
+
3
+ # Copyright 2020 Google LLC
4
+ #
5
+ # Redistribution and use in source and binary forms, with or without
6
+ # modification, are permitted provided that the following conditions are
7
+ # met:
8
+ #
9
+ # * Redistributions of source code must retain the above copyright
10
+ # notice, this list of conditions and the following disclaimer.
11
+ # * Redistributions in binary form must reproduce the above
12
+ # copyright notice, this list of conditions and the following disclaimer
13
+ # in the documentation and/or other materials provided with the
14
+ # distribution.
15
+ # * Neither the name of Google Inc. nor the names of its
16
+ # contributors may be used to endorse or promote products derived from
17
+ # this software without specific prior written permission.
18
+ #
19
+ # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20
+ # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21
+ # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
22
+ # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
23
+ # OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
24
+ # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
25
+ # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26
+ # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27
+ # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28
+ # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29
+ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30
+
31
+
32
+ module Google
33
+ module Auth
34
+ module IDTokens
35
+ ##
36
+ # Failed to obtain keys from the key source.
37
+ #
38
+ class KeySourceError < StandardError; end
39
+
40
+ ##
41
+ # Failed to verify a token.
42
+ #
43
+ class VerificationError < StandardError; end
44
+
45
+ ##
46
+ # Failed to verify a token because it is expired.
47
+ #
48
+ class ExpiredTokenError < VerificationError; end
49
+
50
+ ##
51
+ # Failed to verify a token because its signature did not match.
52
+ #
53
+ class SignatureError < VerificationError; end
54
+
55
+ ##
56
+ # Failed to verify a token because its issuer did not match.
57
+ #
58
+ class IssuerMismatchError < VerificationError; end
59
+
60
+ ##
61
+ # Failed to verify a token because its audience did not match.
62
+ #
63
+ class AudienceMismatchError < VerificationError; end
64
+
65
+ ##
66
+ # Failed to verify a token because its authorized party did not match.
67
+ #
68
+ class AuthorizedPartyMismatchError < VerificationError; end
69
+ end
70
+ end
71
+ end