googleauth 0.5.1 → 0.14.0

data/googleauth.gemspec

@@ -1,35 +1,38 @@
 # -*- ruby -*-
 # encoding: utf-8
-$LOAD_PATH.push File.expand_path('../lib', __FILE__)
-require 'googleauth/version'
 
-Gem::Specification.new do |s|
-  s.name          = 'googleauth'
-  s.version       = Google::Auth::VERSION
-  s.authors       = ['Tim Emiola']
-  s.email         = 'temiola@google.com'
-  s.homepage      = 'https://github.com/google/google-auth-library-ruby'
-  s.summary       = 'Google Auth Library for Ruby'
-  s.license       = 'Apache-2.0'
-  s.description   = <<-eos
+$LOAD_PATH.push File.expand_path("lib", __dir__)
+require "googleauth/version"
+
+Gem::Specification.new do |gem|
+  gem.name          = "googleauth"
+  gem.version       = Google::Auth::VERSION
+  gem.authors       = ["Tim Emiola"]
+  gem.email         = "temiola@google.com"
+  gem.homepage      = "https://github.com/googleapis/google-auth-library-ruby"
+  gem.summary       = "Google Auth Library for Ruby"
+  gem.license       = "Apache-2.0"
+  gem.description   = <<-DESCRIPTION
    Allows simple authorization for accessing Google APIs.
    Provide support for Application Default Credentials, as described at
    https://developers.google.com/accounts/docs/application-default-credentials
-  eos
+  DESCRIPTION
 
-  s.files         = `git ls-files`.split("\n")
-  s.test_files    = `git ls-files -- spec/*`.split("\n")
-  s.executables   = `git ls-files -- bin/*.rb`.split("\n").map do |f|
-    File.basename(f)
+  gem.files         = `git ls-files`.split "\n"
+  gem.test_files    = `git ls-files -- spec/*`.split "\n"
+  gem.executables   = `git ls-files -- bin/*.rb`.split("\n").map do |f|
+    File.basename f
   end
-  s.require_paths = ['lib']
-  s.platform      = Gem::Platform::RUBY
+  gem.require_paths = ["lib"]
+  gem.platform      = Gem::Platform::RUBY
+  gem.required_ruby_version = ">= 2.4.0"
+
+  gem.add_dependency "faraday", ">= 0.17.3", "< 2.0"
+  gem.add_dependency "jwt", ">= 1.4", "< 3.0"
+  gem.add_dependency "memoist", "~> 0.16"
+  gem.add_dependency "multi_json", "~> 1.11"
+  gem.add_dependency "os", ">= 0.9", "< 2.0"
+  gem.add_dependency "signet", "~> 0.14"
 
-  s.add_dependency 'faraday', '~> 0.9'
-  s.add_dependency 'logging', '~> 2.0'
-  s.add_dependency 'jwt', '~> 1.4'
-  s.add_dependency 'memoist', '~> 0.12'
-  s.add_dependency 'multi_json', '~> 1.11'
-  s.add_dependency 'os', '~> 0.9'
-  s.add_dependency 'signet', '~> 0.7'
+  gem.add_development_dependency "yard", "~> 0.9"
 end

data/integration/helper.rb

@@ -0,0 +1,31 @@
+# Copyright 2020 Google LLC
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "minitest/autorun"
+require "minitest/focus"
+require "googleauth"

data/integration/id_tokens/key_source_test.rb

@@ -0,0 +1,74 @@
+# Copyright 2020 Google LLC
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "helper"
+
+describe Google::Auth::IDTokens do
+  describe "key source" do
+    let(:legacy_oidc_key_source) {
+      Google::Auth::IDTokens::X509CertHttpKeySource.new "https://www.googleapis.com/oauth2/v1/certs"
+    }
+    let(:oidc_key_source) { Google::Auth::IDTokens.oidc_key_source }
+    let(:iap_key_source) { Google::Auth::IDTokens.iap_key_source }
+
+    it "Gets real keys from the OAuth2 V1 cert URL" do
+      keys = legacy_oidc_key_source.refresh_keys
+      refute_empty keys
+      keys.each do |key|
+        assert_kind_of OpenSSL::PKey::RSA, key.key
+        refute key.key.private?
+        assert_equal "RS256", key.algorithm
+      end
+    end
+
+    it "Gets real keys from the OAuth2 V3 cert URL" do
+      keys = oidc_key_source.refresh_keys
+      refute_empty keys
+      keys.each do |key|
+        assert_kind_of OpenSSL::PKey::RSA, key.key
+        refute key.key.private?
+        assert_equal "RS256", key.algorithm
+      end
+    end
+
+    it "Gets the same keys from the OAuth2 V1 and V3 cert URLs" do
+      keys_v1 = legacy_oidc_key_source.refresh_keys.map(&:key).map(&:export).sort
+      keys_v3 = oidc_key_source.refresh_keys.map(&:key).map(&:export).sort
+      assert_equal keys_v1, keys_v3
+    end
+
+    it "Gets real keys from the IAP public key URL" do
+      keys = iap_key_source.refresh_keys
+      refute_empty keys
+      keys.each do |key|
+        assert_kind_of OpenSSL::PKey::EC, key.key
+        assert_equal "ES256", key.algorithm
+      end
+    end
+  end
+end

data/lib/googleauth.rb

@@ -27,99 +27,10 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-require 'multi_json'
-require 'stringio'
-
-require 'googleauth/credentials_loader'
-require 'googleauth/compute_engine'
-require 'googleauth/service_account'
-require 'googleauth/user_refresh'
-require 'googleauth/client_id'
-require 'googleauth/user_authorizer'
-require 'googleauth/web_user_authorizer'
-
-module Google
-  # Module Auth provides classes that provide Google-specific authorization
-  # used to access Google APIs.
-  module Auth
-    NOT_FOUND_ERROR = <<END
-Could not load the default credentials. Browse to
-https://developers.google.com/accounts/docs/application-default-credentials
-for more information
-END
-
-    # DefaultCredentials is used to preload the credentials file, to determine
-    # which type of credentials should be loaded.
-    class DefaultCredentials
-      extend CredentialsLoader
-
-      # override CredentialsLoader#make_creds to use the class determined by
-      # loading the json.
-      def self.make_creds(options = {})
-        json_key_io, scope = options.values_at(:json_key_io, :scope)
-        if json_key_io
-          json_key, clz = determine_creds_class(json_key_io)
-          clz.make_creds(json_key_io: StringIO.new(MultiJson.dump(json_key)),
-                         scope: scope)
-        else
-          clz = read_creds
-          clz.make_creds(scope: scope)
-        end
-      end
-
-      def self.read_creds
-        env_var = CredentialsLoader::ACCOUNT_TYPE_VAR
-        type = ENV[env_var]
-        fail "#{ACCOUNT_TYPE_VAR} is undefined in env" unless type
-        case type
-        when 'service_account'
-          ServiceAccountCredentials
-        when 'authorized_user'
-          UserRefreshCredentials
-        else
-          fail "credentials type '#{type}' is not supported"
-        end
-      end
-
-      # Reads the input json and determines which creds class to use.
-      def self.determine_creds_class(json_key_io)
-        json_key = MultiJson.load(json_key_io.read)
-        key = 'type'
-        fail "the json is missing the '#{key}' field" unless json_key.key?(key)
-        type = json_key[key]
-        case type
-        when 'service_account'
-          [json_key, ServiceAccountCredentials]
-        when 'authorized_user'
-          [json_key, UserRefreshCredentials]
-        else
-          fail "credentials type '#{type}' is not supported"
-        end
-      end
-    end
-
-    # Obtains the default credentials implementation to use in this
-    # environment.
-    #
-    # Use this to obtain the Application Default Credentials for accessing
-    # Google APIs.  Application Default Credentials are described in detail
-    # at http://goo.gl/IUuyuX.
-    #
-    # If supplied, scope is used to create the credentials instance, when it can
-    # be applied.  E.g, on google compute engine and for user credentials the
-    # scope is ignored.
-    #
-    # @param scope [string|array|nil] the scope(s) to access
-    # @param options [hash] allows override of the connection being used
-    def get_application_default(scope = nil, options = {})
-      creds = DefaultCredentials.from_env(scope) ||
-              DefaultCredentials.from_well_known_path(scope) ||
-              DefaultCredentials.from_system_default_path(scope)
-      return creds unless creds.nil?
-      fail NOT_FOUND_ERROR unless GCECredentials.on_gce?(options)
-      GCECredentials.new
-    end
-
-    module_function :get_application_default
-  end
-end
+require "googleauth/application_default"
+require "googleauth/client_id"
+require "googleauth/credentials"
+require "googleauth/default_credentials"
+require "googleauth/id_tokens"
+require "googleauth/user_authorizer"
+require "googleauth/web_user_authorizer"

data/lib/googleauth/application_default.rb

@@ -0,0 +1,81 @@
+# Copyright 2015, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "googleauth/compute_engine"
+require "googleauth/default_credentials"
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization
+  # used to access Google APIs.
+  module Auth
+    NOT_FOUND_ERROR = <<~ERROR_MESSAGE.freeze
+      Could not load the default credentials. Browse to
+      https://developers.google.com/accounts/docs/application-default-credentials
+      for more information
+    ERROR_MESSAGE
+
+    module_function
+
+    # Obtains the default credentials implementation to use in this
+    # environment.
+    #
+    # Use this to obtain the Application Default Credentials for accessing
+    # Google APIs.  Application Default Credentials are described in detail
+    # at https://cloud.google.com/docs/authentication/production.
+    #
+    # If supplied, scope is used to create the credentials instance, when it can
+    # be applied.  E.g, on google compute engine and for user credentials the
+    # scope is ignored.
+    #
+    # @param scope [string|array|nil] the scope(s) to access
+    # @param options [Hash] Connection options. These may be used to configure
+    #     the `Faraday::Connection` used for outgoing HTTP requests. For
+    #     example, if a connection proxy must be used in the current network,
+    #     you may provide a connection with with the needed proxy options.
+    #     The following keys are recognized:
+    #     * `:default_connection` The connection object to use for token
+    #       refresh requests.
+    #     * `:connection_builder` A `Proc` that creates and returns a
+    #       connection to use for token refresh requests.
+    #     * `:connection` The connection to use to determine whether GCE
+    #       metadata credentials are available.
+    def get_application_default scope = nil, options = {}
+      creds = DefaultCredentials.from_env(scope, options) ||
+              DefaultCredentials.from_well_known_path(scope, options) ||
+              DefaultCredentials.from_system_default_path(scope, options)
+      return creds unless creds.nil?
+      unless GCECredentials.on_gce? options
+        # Clear cache of the result of GCECredentials.on_gce?
+        GCECredentials.unmemoize_all
+        raise NOT_FOUND_ERROR
+      end
+      GCECredentials.new scope: scope
+    end
+  end
+end

data/lib/googleauth/client_id.rb

@@ -27,19 +27,20 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-require 'multi_json'
+require "multi_json"
+require "googleauth/credentials_loader"
 
 module Google
   module Auth
     # Representation of an application's identity for user authorization
     # flows.
     class ClientId
-      INSTALLED_APP = 'installed'
-      WEB_APP = 'web'
-      CLIENT_ID = 'client_id'
-      CLIENT_SECRET = 'client_secret'
+      INSTALLED_APP = "installed".freeze
+      WEB_APP = "web".freeze
+      CLIENT_ID = "client_id".freeze
+      CLIENT_SECRET = "client_secret".freeze
       MISSING_TOP_LEVEL_ELEMENT_ERROR =
-        "Expected top level property 'installed' or 'web' to be present."
+        "Expected top level property 'installed' or 'web' to be present.".freeze
 
       # Text identifier of the client ID
       # @return [String]
@@ -62,25 +63,26 @@ module Google
       # @note Direction instantion is discouraged to avoid embedding IDs
       #       & secrets in source. See {#from_file} to load from
       #       `client_secrets.json` files.
-      def initialize(id, secret)
-        fail 'Client id can not be nil' if id.nil?
-        fail 'Client secret can not be nil' if secret.nil?
+      def initialize id, secret
+        CredentialsLoader.warn_if_cloud_sdk_credentials id
+        raise "Client id can not be nil" if id.nil?
+        raise "Client secret can not be nil" if secret.nil?
         @id = id
         @secret = secret
       end
 
-      # Constructs a Client ID from a JSON file downloaed from the
+      # Constructs a Client ID from a JSON file downloaded from the
       # Google Developers Console.
       #
       # @param [String, File] file
       #  Path of file to read from
       # @return [Google::Auth::ClientID]
-      def self.from_file(file)
-        fail 'File can not be nil.' if file.nil?
-        File.open(file.to_s) do |f|
+      def self.from_file file
+        raise "File can not be nil." if file.nil?
+        File.open file.to_s do |f|
           json = f.read
-          config = MultiJson.load(json)
-          from_hash(config)
+          config = MultiJson.load json
+          from_hash config
         end
       end
 
@@ -91,11 +93,11 @@ module Google
       # @param [hash] config
       #  Parsed contents of the JSON file
       # @return [Google::Auth::ClientID]
-      def self.from_hash(config)
-        fail 'Hash can not be nil.' if config.nil?
+      def self.from_hash config
+        raise "Hash can not be nil." if config.nil?
         raw_detail = config[INSTALLED_APP] || config[WEB_APP]
-        fail MISSING_TOP_LEVEL_ELEMENT_ERROR if raw_detail.nil?
-        ClientId.new(raw_detail[CLIENT_ID], raw_detail[CLIENT_SECRET])
+        raise MISSING_TOP_LEVEL_ELEMENT_ERROR if raw_detail.nil?
+        ClientId.new raw_detail[CLIENT_ID], raw_detail[CLIENT_SECRET]
       end
     end
   end

data/lib/googleauth/compute_engine.rb

@@ -27,57 +27,74 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-require 'faraday'
-require 'googleauth/signet'
-require 'memoist'
+require "faraday"
+require "googleauth/signet"
+require "memoist"
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    NO_METADATA_SERVER_ERROR = <<END
-Error code 404 trying to get security access token
-from Compute Engine metadata for the default service account. This
-may be because the virtual machine instance does not have permission
-scopes specified.
-END
-    UNEXPECTED_ERROR_SUFFIX = <<END
-trying to get security access token from Compute Engine metadata for
-the default service account
-END
+    NO_METADATA_SERVER_ERROR = <<~ERROR.freeze
+      Error code 404 trying to get security access token
+      from Compute Engine metadata for the default service account. This
+      may be because the virtual machine instance does not have permission
+      scopes specified.
+    ERROR
+    UNEXPECTED_ERROR_SUFFIX = <<~ERROR.freeze
+      trying to get security access token from Compute Engine metadata for
+      the default service account
+    ERROR
 
     # Extends Signet::OAuth2::Client so that the auth token is obtained from
     # the GCE metadata server.
     class GCECredentials < Signet::OAuth2::Client
       # The IP Address is used in the URIs to speed up failures on non-GCE
       # systems.
-      COMPUTE_AUTH_TOKEN_URI = 'http://169.254.169.254/computeMetadata/v1/'\
-      'instance/service-accounts/default/token'
-      COMPUTE_CHECK_URI = 'http://169.254.169.254'
+      DEFAULT_METADATA_HOST = "169.254.169.254".freeze
+
+      # @private Unused and deprecated
+      COMPUTE_AUTH_TOKEN_URI =
+        "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token".freeze
+      # @private Unused and deprecated
+      COMPUTE_ID_TOKEN_URI =
+        "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/identity".freeze
+      # @private Unused and deprecated
+      COMPUTE_CHECK_URI = "http://169.254.169.254".freeze
 
       class << self
         extend Memoist
 
+        def metadata_host
+          ENV.fetch "GCE_METADATA_HOST", DEFAULT_METADATA_HOST
+        end
+
+        def compute_check_uri
+          "http://#{metadata_host}".freeze
+        end
+
+        def compute_auth_token_uri
+          "#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/token".freeze
+        end
+
+        def compute_id_token_uri
+          "#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/identity".freeze
+        end
+
         # Detect if this appear to be a GCE instance, by checking if metadata
-        # is available
-        def on_gce?(options = {})
+        # is available.
+        def on_gce? options = {}
+          # TODO: This should use google-cloud-env instead.
           c = options[:connection] || Faraday.default_connection
-          resp = c.get(COMPUTE_CHECK_URI) do |req|
-            # Comment from: oauth2client/client.py
-            #
-            # Note: the explicit `timeout` below is a workaround. The underlying
-            # issue is that resolving an unknown host on some networks will take
-            # 20-30 seconds; making this timeout short fixes the issue, but
-            # could lead to false negatives in the event that we are on GCE, but
-            # the metadata resolution was particularly slow. The latter case is
-            # "unlikely".
-            req.options.timeout = 0.1
+          headers = { "Metadata-Flavor" => "Google" }
+          resp = c.get compute_check_uri, nil, headers do |req|
+            req.options.timeout = 1.0
+            req.options.open_timeout = 0.1
           end
           return false unless resp.status == 200
-          return false unless resp.headers.key?('Metadata-Flavor')
-          return resp.headers['Metadata-Flavor'] == 'Google'
+          resp.headers["Metadata-Flavor"] == "Google"
         rescue Faraday::TimeoutError, Faraday::ConnectionFailed
-          return false
+          false
         end
 
         memoize :on_gce?
@@ -85,19 +102,29 @@ END
 
       # Overrides the super class method to change how access tokens are
       # fetched.
-      def fetch_access_token(options = {})
+      def fetch_access_token options = {}
         c = options[:connection] || Faraday.default_connection
-        c.headers = { 'Metadata-Flavor' => 'Google' }
-        resp = c.get(COMPUTE_AUTH_TOKEN_URI)
-        case resp.status
-        when 200
-          Signet::OAuth2.parse_credentials(resp.body,
-                                           resp.headers['content-type'])
-        when 404
-          fail(Signet::AuthorizationError, NO_METADATA_SERVER_ERROR)
-        else
-          msg = "Unexpected error code #{resp.status}" + UNEXPECTED_ERROR_SUFFIX
-          fail(Signet::AuthorizationError, msg)
+        retry_with_error do
+          uri = target_audience ? GCECredentials.compute_id_token_uri : GCECredentials.compute_auth_token_uri
+          query = target_audience ? { "audience" => target_audience, "format" => "full" } : {}
+          query[:scopes] = Array(scope).join "," if scope
+          headers = { "Metadata-Flavor" => "Google" }
+          resp = c.get uri, query, headers
+          case resp.status
+          when 200
+            content_type = resp.headers["content-type"]
+            if content_type == "text/html"
+              { (target_audience ? "id_token" : "access_token") => resp.body }
+            else
+              Signet::OAuth2.parse_credentials resp.body, content_type
+            end
+          when 404
+            raise Signet::AuthorizationError, NO_METADATA_SERVER_ERROR
+          else
+            msg = "Unexpected error code #{resp.status}" \
+              "#{UNEXPECTED_ERROR_SUFFIX}"
+            raise Signet::AuthorizationError, msg
+          end
         end
       end
     end