googleauth 0.17.1 → 1.8.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1cc321053063d0fcbe9b0ac9cece62227049fca62bb4377161cd0679342ceee9
-  data.tar.gz: 635e4992df0bfc21fe3df120dc86347619324e685ca136aa6770c23b4104153a
+  metadata.gz: 37795e56189392a97d5941b4982730ffa2ee1dd53ec63593bbb7f5ad50be044e
+  data.tar.gz: 72d6b584c89c321698485bda1e4aef33f361ed35da4762bd22b5dc4634556f8f
 SHA512:
-  metadata.gz: 19b49461310e8b41a4062005255d51c15792481183c6fc161baf36a13e40ba1528d604ef8c17048de1661a41dfe7de6867fab3b721cd1be3b148b1c5a15f8a97
-  data.tar.gz: 2ae55a1ad27def042196075cb8c5e46db5295797edc568126903ccd7e345a2b7400d5a30f3d79d7001588a1c25ec9fcb12ea128dfc06234dd67077a3c1aae0af
+  metadata.gz: 1dcfc8f1e8e65f9b4b27c4933e71faffd2998d11766307cf464d0551d5f37e41c266e840a340a9aba41d49f44d05005006077526851b1b33e277ce3155d16370
+  data.tar.gz: f036b3403998c93f41eae33c472ad714758e6c6d06e9a1b197b53d118d182c2abb9caf40636ff63c152e2186642430de824e7929dcd2978cd358a5bd03194c1c

data/CHANGELOG.md

@@ -1,85 +1,160 @@
 # Release History
 
-### [0.17.1](https://www.github.com/googleapis/google-auth-library-ruby/compare/googleauth/v0.15.0...googleauth/v0.17.1) (2021-09-01)
+### 1.8.1 (2023-09-19)
 
-### Bug Fixes
+#### Documentation
 
-* Updates to gem metadata ([fb5e56d](https://www.github.com/googleapis/google-auth-library-ruby/commit/fb5e56dad1e6ed6afd4f9b5c626e5e1495e48343))
+* improve ADC related error and warning messages ([#452](https://github.com/googleapis/google-auth-library-ruby/issues/452)) 
 
-## [0.17.0](https://www.github.com/googleapis/google-auth-library-ruby/compare/google-auth-library-ruby/v0.16.2...google-auth-library-ruby/v0.17.0) (2021-07-30)
+### 1.8.0 (2023-09-07)
 
+#### Features
 
-### Features
+* Pass additional parameters to auhtorization url ([#447](https://github.com/googleapis/google-auth-library-ruby/issues/447)) 
+#### Documentation
 
-* Allow scopes to be self-signed into jwts ([e67ce40](https://www.github.com/googleapis/google-auth-library-ruby/commit/e67ce40f919b7eb3723c2ec95f5b8d58315ab1ee))
+* improve ADC related error and warning messages ([#449](https://github.com/googleapis/google-auth-library-ruby/issues/449)) 
 
-### [0.16.2](https://www.github.com/googleapis/google-auth-library-ruby/compare/google-auth-library-ruby/v0.16.1...google-auth-library-ruby/v0.16.2) (2021-04-28)
+### 1.7.0 (2023-07-14)
 
+#### Features
 
-### Bug Fixes
+* Adding support for pluggable auth credentials ([#437](https://github.com/googleapis/google-auth-library-ruby/issues/437)) 
+#### Documentation
 
-* Stop attempting to get the project from gcloud when applying self-signed JWTs ([#317](https://www.github.com/googleapis/google-auth-library-ruby/issues/317)) ([39258ca](https://www.github.com/googleapis/google-auth-library-ruby/commit/39258cacafa5c770fb40d99075a97b8e6427adba))
+* fixed iss argument and description in comments of IDTokens ([#438](https://github.com/googleapis/google-auth-library-ruby/issues/438)) 
 
-### [0.16.1](https://www.github.com/googleapis/google-auth-library-ruby/compare/google-auth-library-ruby/v0.16.0...google-auth-library-ruby/v0.16.1) (2021-04-01)
+### 1.6.0 (2023-06-20)
 
+#### Features
 
-### Bug Fixes
+* adding identity pool credentials ([#433](https://github.com/googleapis/google-auth-library-ruby/issues/433)) 
+#### Documentation
 
-* Accept application/text content-type for plain idtoken response ([4948ebb](https://www.github.com/googleapis/google-auth-library-ruby/commit/4948ebb3ca151e9f0433585a41bad6f415416b2d))
+* deprecation message for discontinuing command line auth flow ([#435](https://github.com/googleapis/google-auth-library-ruby/issues/435)) 
 
-## [0.16.0](https://www.github.com/googleapis/google-auth-library-ruby/compare/v0.15.1...v0.16.0) (2021-03-04)
+### 1.5.2 (2023-04-13)
 
+#### Bug Fixes
 
-### Features
+* AWS IMDSV2 session token fetching shall call PUT method instead of GET ([#429](https://github.com/googleapis/google-auth-library-ruby/issues/429)) 
+* GCECredentials - Allow retrieval of ID token ([#425](https://github.com/googleapis/google-auth-library-ruby/issues/425)) 
 
-* Drop support for Ruby 2.4 and add support for Ruby 3.0 ([6644806](https://www.github.com/googleapis/google-auth-library-ruby/commit/6644806ab47cea6d08e1901c2ed808e53a579bc3))
+### 1.5.1 (2023-04-10)
 
-## [0.15.1](https://www.github.com/googleapis/google-auth-library-ruby/compare/v0.15.0...v0.15.1) (2021-02-08)
+#### Bug Fixes
 
+* Remove external account config validation ([#427](https://github.com/googleapis/google-auth-library-ruby/issues/427)) 
 
-### Bug Fixes
+### 1.5.0 (2023-03-21)
 
-* Fix crash when using a client credential without any paths or env_vars set ([#296](https://www.github.com/googleapis/google-auth-library-ruby/issues/296)) ([c971c1a](https://www.github.com/googleapis/google-auth-library-ruby/commit/c971c1ad2d7730c0f5b389d533a972be32fbaf49))
+#### Features
 
-## [0.15.0](https://www.github.com/googleapis/google-auth-library-ruby/compare/v0.14.0...v0.15.0) (2021-01-26)
+* Add support for AWS Workload Identity Federation ([#418](https://github.com/googleapis/google-auth-library-ruby/issues/418)) 
 
+### 1.4.0 (2022-12-14)
 
-### Features
+#### Features
 
-* Credential parameters inherit from superclasses ([4fa4720](https://www.github.com/googleapis/google-auth-library-ruby/commit/4fa47206dbd62f8bbdd1b9d3721f6baee9fd1d62))
-* Service accounts apply a self-signed JWT if scopes are marked as default ([d22acb8](https://www.github.com/googleapis/google-auth-library-ruby/commit/d22acb8a510e6711b5674545c31a4816e5a9168f))
+* make new_jwt_token public in order to fetch raw token directly ([#405](https://github.com/googleapis/google-auth-library-ruby/issues/405)) 
 
+### 1.3.0 (2022-10-18)
 
-### Bug Fixes
+#### Features
 
-* Retry fetch_access_token when GCE metadata server returns unexpected errors ([cd9b012](https://www.github.com/googleapis/google-auth-library-ruby/commit/cd9b0126d3419b9953982f71edc9e6ba3f640e3c))
-* Support correct service account and user refresh behavior for custom credential env variables ([d2dffe5](https://www.github.com/googleapis/google-auth-library-ruby/commit/d2dffe592112b45006291ad9a57f56e00fb208c3))
+* Use OpenSSL 3.0 compatible interfaces for IDTokens ([#397](https://github.com/googleapis/google-auth-library-ruby/issues/397)) 
 
-## 0.14.0 / 2020-10-09
+### 1.2.0 (2022-06-23)
+
+* Updated minimum Ruby version to 2.6
+
+### 1.1.3 (2022-04-20)
+
+#### Documentation
+
+* Add README instructions for 3-Legged OAuth with a service account
+
+### 1.1.2 (2022-02-22)
+
+#### Bug Fixes
+
+* Support Faraday 2
+
+### 1.1.1 (2022-02-14)
+
+#### Bug Fixes
+
+* add quota_project to user refresh credentials
+
+### 1.1.0 (2021-10-24)
+
+#### Features
+
+* Support short-lived tokens in Credentials
+
+### 1.0.0 (2021-09-27)
+
+Bumped version to 1.0.0. Releases from this point will follow semver.
+
+* Allow dependency on future 1.x versions of signet
+* Prevented gcloud from authenticating on the console when getting the gcloud project
+
+### 0.17.1 (2021-09-01)
+
+* Updates to gem metadata
+
+### 0.17.0 (2021-07-30)
+
+* Allow scopes to be self-signed into jwts
+
+### 0.16.2 (2021-04-28)
+
+* Stop attempting to get the project from gcloud when applying self-signed JWTs
+
+### 0.16.1 (2021-04-01)
+
+* Accept application/text content-type for plain idtoken response
+
+### 0.16.0 (2021-03-04)
+
+* Drop support for Ruby 2.4 and add support for Ruby 3.0
+
+### 0.15.1 (2021-02-08)
+
+* Fix crash when using a client credential without any paths or env_vars set
+
+### 0.15.0 (2021-01-26)
+
+* Credential parameters inherit from superclasses
+* Service accounts apply a self-signed JWT if scopes are marked as default
+* Retry fetch_access_token when GCE metadata server returns unexpected errors
+* Support correct service account and user refresh behavior for custom credential env variables
+
+### 0.14.0 / 2020-10-09
 
 * Honor GCE_METADATA_HOST environment variable
 * Fix errors in some environments when requesting an access token for multiple scopes
 
-## 0.13.1 / 2020-07-30
+### 0.13.1 / 2020-07-30
 
 * Support scopes when using GCE Metadata Server authentication ([@ball-hayden][])
 
-## 0.13.0 / 2020-06-17
+### 0.13.0 / 2020-06-17
 
 * Support for validating ID tokens.
 * Fixed header application of ID tokens from service accounts.
 
-## 0.12.0 / 2020-04-08
+### 0.12.0 / 2020-04-08
 
 * Support for ID token credentials.
 * Support reading quota_id_project from service account credentials.
 
-## 0.11.0 / 2020-02-24
+### 0.11.0 / 2020-02-24
 
 * Support Faraday 1.x.
 * Allow special "postmessage" value for redirect_uri.
 
-## 0.10.0 / 2019-10-09
+### 0.10.0 / 2019-10-09
 
 Note: This release now requires Ruby 2.4 or later
 
@@ -89,7 +164,7 @@ Note: This release now requires Ruby 2.4 or later
 * Set instance variables at initialization to avoid spamming warnings
 * Pass "Metadata-Flavor" header to metadata server when checking for GCE
 
-## 0.9.0 / 2019-08-05
+### 0.9.0 / 2019-08-05
 
 * Restore compatibility with Ruby 2.0. This is the last release that will work on end-of-lifed versions of Ruby. The 0.10 release will require Ruby 2.4 or later.
 * Update Credentials to use methods for values that are intended to be changed by users, replacing constants.
@@ -98,105 +173,95 @@ Note: This release now requires Ruby 2.4 or later
 * Add verbosity none to gcloud command
 * Make arity of WebUserAuthorizer#get_credentials compatible with the base class
 
-## 0.8.1 / 2019-03-27
+### 0.8.1 / 2019-03-27
 
 * Silence unnecessary gcloud warning
 * Treat empty credentials environment variables as unset
 
-## 0.8.0 / 2019-01-02
+### 0.8.0 / 2019-01-02
 
 * Support connection options :default_connection and :connection_builder when creating credentials that need to refresh OAuth tokens. This lets clients provide connection objects with custom settings, such as proxies, needed for the client environment.
 * Removed an unnecessary warning about project IDs.
 
-## 0.7.1 / 2018-10-25
+### 0.7.1 / 2018-10-25
 
 * Make load_gcloud_project_id module function.
 
-## 0.7.0 / 2018-10-24
+### 0.7.0 / 2018-10-24
 
 * Add project_id instance variable to UserRefreshCredentials, ServiceAccountCredentials, and Credentials.
 
-## 0.6.7 / 2018-10-16
+### 0.6.7 / 2018-10-16
 
 * Update memoist dependency to ~> 0.16.
 
-## 0.6.6 / 2018-08-22
+### 0.6.6 / 2018-08-22
 
 * Remove ruby version warnings.
 
-## 0.6.5 / 2018-08-16
+### 0.6.5 / 2018-08-16
 
 * Fix incorrect http verb when revoking credentials.
 * Warn on EOL ruby versions.
 
-## 0.6.4 / 2018-08-03
+### 0.6.4 / 2018-08-03
 
 * Resolve issue where DefaultCredentials constant was undefined.
 
-## 0.6.3 / 2018-08-02
+### 0.6.3 / 2018-08-02
 
 * Resolve issue where token_store was being written to twice
 
-## 0.6.2 / 2018-08-01
+### 0.6.2 / 2018-08-01
 
 * Add warning when using cloud sdk credentials
 
-## 0.6.1 / 2017-10-18
+### 0.6.1 / 2017-10-18
 
 * Fix file permissions
 
-## 0.6.0 / 2017-10-17
+### 0.6.0 / 2017-10-17
 
 * Support ruby-jwt 2.0
 * Add simple credentials class
 
-## 0.5.3 / 2017-07-21
+### 0.5.3 / 2017-07-21
 
 * Fix file permissions on the gem's `.rb` files.
 
-## 0.5.2 / 2017-07-19
+### 0.5.2 / 2017-07-19
 
 * Add retry mechanism when fetching access tokens in `GCECredentials` and `UserRefreshCredentials` classes.
 * Update Google API OAuth2 token credential URI to v4.
 
-## 0.5.1 / 2016-01-06
+### 0.5.1 / 2016-01-06
 
 * Change header name emitted by `Client#apply` from "Authorization" to "authorization" ([@murgatroid99][])
 * Fix ADC not working on some windows machines ([@vsubramani][])
-[#55](https://github.com/google/google-auth-library-ruby/issues/55)
 
-## 0.5.0 / 2015-10-12
+### 0.5.0 / 2015-10-12
 
 * Initial support for user credentials ([@sqrrrl][])
 * Update Signet to 0.7
 
-## 0.4.2 / 2015-08-05
+### 0.4.2 / 2015-08-05
 
 * Updated UserRefreshCredentials hash to use string keys ([@haabaato][])
-[#36](https://github.com/google/google-auth-library-ruby/issues/36)
-
 * Add support for a system default credentials file. ([@mr-salty][])
-[#33](https://github.com/google/google-auth-library-ruby/issues/33)
-
 * Fix bug when loading credentials from ENV ([@dwilkie][])
-[#31](https://github.com/google/google-auth-library-ruby/issues/31)
-
 * Relax the constraint of dependent version of multi_json ([@igrep][])
-[#30](https://github.com/google/google-auth-library-ruby/issues/30)
-
 * Enables passing credentials via environment variables. ([@haabaato][])
-[#27](https://github.com/google/google-auth-library-ruby/issues/27)
 
-## 0.4.1 / 2015-04-25
+### 0.4.1 / 2015-04-25
 
 * Improves handling of --no-scopes GCE authorization ([@tbetbetbe][])
 * Refactoring and cleanup ([@joneslee85][])
 
-## 0.4.0 / 2015-03-25
+### 0.4.0 / 2015-03-25
 
 * Adds an implementation of JWT header auth ([@tbetbetbe][])
 
-## 0.3.0 / 2015-03-23
+### 0.3.0 / 2015-03-23
 
 * makes the scope parameter's optional in all APIs. ([@tbetbetbe][])
 * changes the scope parameter's position in various constructors. ([@tbetbetbe][])

data/README.md

@@ -14,11 +14,6 @@
 This is Google's officially supported ruby client library for using OAuth 2.0
 authorization and authentication with Google APIs.
 
-## Alpha
-
-This library is in Alpha. We will make an effort to support the library, but
-we reserve the right to make incompatible changes when necessary.
-
 ## Install
 
 Be sure `https://rubygems.org/` is in your gem sources.
@@ -102,7 +97,9 @@ get('/oauth2callback') do
 end
 ```
 
-### Example (Command Line)
+### Example (Command Line) [Deprecated]
+
+The Google Auth OOB flow has been discontiued on January 31, 2023. The OOB flow is a legacy flow that is no longer considered secure. To continue using Google Auth, please migrate your applications to a more secure flow. For more information on how to do this, please refer to this [OOB Migration](https://developers.google.com/identity/protocols/oauth2/resources/oob-migration) guide.
 
 ```ruby
 require 'googleauth'
@@ -116,6 +113,7 @@ token_store = Google::Auth::Stores::FileTokenStore.new(
   :file => '/path/to/tokens.yaml')
 authorizer = Google::Auth::UserAuthorizer.new(client_id, scope, token_store)
 
+user_id = ENV['USER']
 credentials = authorizer.get_credentials(user_id)
 if credentials.nil?
   url = authorizer.get_authorization_url(base_url: OOB_URI )
@@ -140,6 +138,43 @@ authorizer = Google::Auth::ServiceAccountCredentials.make_creds(
 authorizer.fetch_access_token!
 ```
 
+You can also use a JSON keyfile by setting the `GOOGLE_APPLICATION_CREDENTIALS` environment variable.
+
+```bash
+export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service_account_json_key.json
+```
+
+```ruby
+require 'googleauth'
+require 'google/apis/drive_v3'
+
+Drive = ::Google::Apis::DriveV3
+drive = Drive::DriveService.new
+
+scope = 'https://www.googleapis.com/auth/drive'
+
+authorizer = Google::Auth::ServiceAccountCredentials.from_env(scope: scope)
+drive.authorization = authorizer
+
+list_files = drive.list_files()
+```
+
+### 3-Legged OAuth with a Service Account
+
+This is similar to regular service account authorization (see [this answer](https://support.google.com/a/answer/2538798?hl=en) for more details on the differences), but you'll need to indicate which user your service account is impersonating by manually updating the `sub` field.
+
+```ruby
+scope = 'https://www.googleapis.com/auth/androidpublisher'
+
+authorizer = Google::Auth::ServiceAccountCredentials.make_creds(
+  json_key_io: File.open('/path/to/service_account_json_key.json'),
+  scope: scope
+)
+authorizer.update!(sub: "email-to-impersonate@your-domain.com")
+
+authorizer.fetch_access_token!
+```
+
 ### Example (Environment Variables)
 
 ```bash
@@ -182,14 +217,14 @@ Custom storage implementations can also be used. See
 
 ## Supported Ruby Versions
 
-This library is supported on Ruby 2.5+.
+This library is supported on Ruby 2.6+.
 
 Google provides official support for Ruby versions that are actively supported
-by Ruby Core—that is, Ruby versions that are either in normal maintenance or in
-security maintenance, and not end of life. Currently, this means Ruby 2.5 and
-later. Older versions of Ruby _may_ still work, but are unsupported and not
-recommended. See https://www.ruby-lang.org/en/downloads/branches/ for details
-about the Ruby support schedule.
+by Ruby Core—that is, Ruby versions that are either in normal maintenance or
+in security maintenance, and not end of life. Older versions of Ruby _may_
+still work, but are unsupported and not recommended. See
+https://www.ruby-lang.org/en/downloads/branches/ for details about the Ruby
+support schedule.
 
 ## License
 
@@ -208,6 +243,6 @@ hesitate to
 [ask questions](http://stackoverflow.com/questions/tagged/google-auth-library-ruby)
 about the client or APIs on [StackOverflow](http://stackoverflow.com).
 
-[application default credentials]: https://developers.google.com/accounts/docs/application-default-credentials
-[contributing]: https://github.com/googleapis/google-auth-library-ruby/tree/master/.github/CONTRIBUTING.md
-[license]: https://github.com/googleapis/google-auth-library-ruby/tree/master/LICENSE
+[application default credentials]: https://cloud.google.com/docs/authentication/provide-credentials-adc
+[contributing]: https://github.com/googleapis/google-auth-library-ruby/tree/main/.github/CONTRIBUTING.md
+[license]: https://github.com/googleapis/google-auth-library-ruby/tree/main/LICENSE

data/lib/googleauth/application_default.rb

@@ -1,31 +1,16 @@
-# Copyright 2015, Google Inc.
-# All rights reserved.
+# Copyright 2015 Google, Inc.
 #
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
 #
-#     * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following disclaimer
-# in the documentation and/or other materials provided with the
-# distribution.
-#     * Neither the name of Google Inc. nor the names of its
-# contributors may be used to endorse or promote products derived from
-# this software without specific prior written permission.
+#     http://www.apache.org/licenses/LICENSE-2.0
 #
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 require "googleauth/compute_engine"
 require "googleauth/default_credentials"
@@ -35,9 +20,9 @@ module Google
   # used to access Google APIs.
   module Auth
     NOT_FOUND_ERROR = <<~ERROR_MESSAGE.freeze
-      Could not load the default credentials. Browse to
-      https://developers.google.com/accounts/docs/application-default-credentials
-      for more information
+      Your credentials were not found. To set up Application Default
+      Credentials for your environment, see
+      https://cloud.google.com/docs/authentication/external/set-up-adc
     ERROR_MESSAGE
 
     module_function
@@ -72,10 +57,10 @@ module Google
       return creds unless creds.nil?
       unless GCECredentials.on_gce? options
         # Clear cache of the result of GCECredentials.on_gce?
-        GCECredentials.unmemoize_all
+        GCECredentials.reset_cache
         raise NOT_FOUND_ERROR
       end
-      GCECredentials.new scope: scope
+      GCECredentials.new options.merge(scope: scope)
     end
   end
 end

data/lib/googleauth/base_client.rb

@@ -0,0 +1,80 @@
+# Copyright 2023 Google, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    # BaseClient is a class used to contain common methods that are required by any
+    # Credentials Client, including AwsCredentials, ServiceAccountCredentials,
+    # and UserRefreshCredentials. This is a superclass of Signet::OAuth2::Client
+    # and has been created to create a generic interface for all credentials clients
+    # to use, including ones which do not inherit from Signet::OAuth2::Client.
+    module BaseClient
+      AUTH_METADATA_KEY = :authorization
+
+      # Updates a_hash updated with the authentication token
+      def apply! a_hash, opts = {}
+        # fetch the access token there is currently not one, or if the client
+        # has expired
+        fetch_access_token! opts if needs_access_token?
+        a_hash[AUTH_METADATA_KEY] = "Bearer #{send token_type}"
+      end
+
+      # Returns a clone of a_hash updated with the authentication token
+      def apply a_hash, opts = {}
+        a_copy = a_hash.clone
+        apply! a_copy, opts
+        a_copy
+      end
+
+      # Whether the id_token or access_token is missing or about to expire.
+      def needs_access_token?
+        send(token_type).nil? || expires_within?(60)
+      end
+
+      # Returns a reference to the #apply method, suitable for passing as
+      # a closure
+      def updater_proc
+        proc { |a_hash, opts = {}| apply a_hash, opts }
+      end
+
+      def on_refresh &block
+        @refresh_listeners = [] unless defined? @refresh_listeners
+        @refresh_listeners << block
+      end
+
+      def notify_refresh_listeners
+        listeners = defined?(@refresh_listeners) ? @refresh_listeners : []
+        listeners.each do |block|
+          block.call self
+        end
+      end
+
+      def expires_within?
+        raise NotImplementedError
+      end
+
+      private
+
+      def token_type
+        raise NotImplementedError
+      end
+
+      def fetch_access_token!
+        raise NotImplementedError
+      end
+    end
+  end
+end