googleauth 0.9.0 → 0.13.1

data/rakelib/repo_metadata.rb

@@ -0,0 +1,59 @@
+require "json"
+
+class RepoMetadata
+  attr_reader :data
+
+  def initialize data
+    @data = data
+    normalize_data!
+  end
+
+  def allowed_fields
+    [
+      "name", "version", "language", "distribution-name",
+      "product-page", "github-repository", "issue-tracker"
+    ]
+  end
+
+  def build output_directory
+    fields = @data.to_a.map { |kv| "--#{kv[0]} #{kv[1]}" }
+    Dir.chdir output_directory do
+      cmd "python3 -m docuploader create-metadata #{fields.join ' '}"
+    end
+  end
+
+  def normalize_data!
+    require_relative "../lib/googleauth/version.rb"
+
+    @data.delete_if { |k, _| !allowed_fields.include?(k) }
+    @data["version"] = "v#{Google::Auth::VERSION}"
+  end
+
+  def [] key
+    data[key]
+  end
+
+  def []= key, value
+    @data[key] = value
+  end
+
+  def cmd line
+    puts line
+    output = `#{line}`
+    puts output
+    output
+  end
+
+  def self.from_source source
+    if source.is_a? RepoMetadata
+      data = source.data
+    elsif source.is_a? Hash
+      data = source
+    elsif File.file? source
+      data = JSON.parse File.read(source)
+    else
+      raise "Source must be a path, hash, or RepoMetadata instance"
+    end
+    RepoMetadata.new data
+  end
+end

data/spec/googleauth/apply_auth_examples.rb

@@ -45,26 +45,37 @@ shared_examples "apply/apply! are OK" do
   # auth client
   describe "#fetch_access_token" do
     let(:token) { "1/abcdef1234567890" }
-    let :stub do
+    let :access_stub do
       make_auth_stubs access_token: token
     end
+    let :id_stub do
+      make_auth_stubs id_token: token
+    end
 
     it "should set access_token to the fetched value" do
-      stub
+      access_stub
       @client.fetch_access_token!
       expect(@client.access_token).to eq(token)
-      expect(stub).to have_been_requested
+      expect(access_stub).to have_been_requested
+    end
+
+    it "should set id_token to the fetched value" do
+      skip unless @id_client
+      id_stub
+      @id_client.fetch_access_token!
+      expect(@id_client.id_token).to eq(token)
+      expect(id_stub).to have_been_requested
     end
 
     it "should notify refresh listeners after updating" do
-      stub
+      access_stub
       expect do |b|
         @client.on_refresh(&b)
         @client.fetch_access_token!
       end.to yield_with_args(have_attributes(
                                access_token: "1/abcdef1234567890"
                              ))
-      expect(stub).to have_been_requested
+      expect(access_stub).to have_been_requested
     end
   end
 
@@ -79,6 +90,18 @@ shared_examples "apply/apply! are OK" do
       expect(md).to eq(want)
       expect(stub).to have_been_requested
     end
+
+    it "should update the target hash with fetched ID token" do
+      skip unless @id_client
+      token = "1/abcdef1234567890"
+      stub = make_auth_stubs id_token: token
+
+      md = { foo: "bar" }
+      @id_client.apply! md
+      want = { :foo => "bar", auth_key => "Bearer #{token}" }
+      expect(md).to eq(want)
+      expect(stub).to have_been_requested
+    end
   end
 
   describe "updater_proc" do

data/spec/googleauth/compute_engine_spec.rb

@@ -37,31 +37,52 @@ require "googleauth/compute_engine"
 require "spec_helper"
 
 describe Google::Auth::GCECredentials do
-  MD_URI = "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token".freeze
+  MD_ACCESS_URI = "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token".freeze
+  MD_ID_URI = "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/identity?audience=https://pubsub.googleapis.com/&format=full".freeze
   GCECredentials = Google::Auth::GCECredentials
 
   before :example do
     @client = GCECredentials.new
+    @id_client = GCECredentials.new target_audience: "https://pubsub.googleapis.com/"
   end
 
-  def make_auth_stubs opts = {}
-    access_token = opts[:access_token] || ""
-    body = MultiJson.dump("access_token" => access_token,
-                          "token_type"   => "Bearer",
-                          "expires_in"   => 3600)
-    stub_request(:get, MD_URI)
-      .with(headers: { "Metadata-Flavor" => "Google" })
-      .to_return(body:    body,
-                 status:  200,
-                 headers: { "Content-Type" => "application/json" })
+  def make_auth_stubs opts
+    if opts[:access_token]
+      body = MultiJson.dump("access_token" => opts[:access_token],
+                            "token_type"   => "Bearer",
+                            "expires_in"   => 3600)
+
+      uri = MD_ACCESS_URI
+      uri += "?scopes=#{opts[:scope]}" if opts[:scope]
+
+      stub_request(:get, uri)
+        .with(headers: { "Metadata-Flavor" => "Google" })
+        .to_return(body:    body,
+                   status:  200,
+                   headers: { "Content-Type" => "application/json" })
+    elsif opts[:id_token]
+      stub_request(:get, MD_ID_URI)
+        .with(headers: { "Metadata-Flavor" => "Google" })
+        .to_return(body:    opts[:id_token],
+                   status:  200,
+                   headers: { "Content-Type" => "text/html" })
+    end
   end
 
   it_behaves_like "apply/apply! are OK"
 
   context "metadata is unavailable" do
     describe "#fetch_access_token" do
+      it "should pass scopes when requesting an access token" do
+        scope = "https://www.googleapis.com/auth/drive"
+        stub = make_auth_stubs access_token: "1/abcdef1234567890", scope: scope
+        @client = GCECredentials.new(scope: [scope])
+        @client.fetch_access_token!
+        expect(stub).to have_been_requested
+      end
+
       it "should fail if the metadata request returns a 404" do
-        stub = stub_request(:get, MD_URI)
+        stub = stub_request(:get, MD_ACCESS_URI)
                .to_return(status:  404,
                           headers: { "Metadata-Flavor" => "Google" })
         expect { @client.fetch_access_token! }
@@ -70,7 +91,7 @@ describe Google::Auth::GCECredentials do
       end
 
       it "should fail if the metadata request returns an unexpected code" do
-        stub = stub_request(:get, MD_URI)
+        stub = stub_request(:get, MD_ACCESS_URI)
                .to_return(status:  503,
                           headers: { "Metadata-Flavor" => "Google" })
         expect { @client.fetch_access_token! }
@@ -97,6 +118,7 @@ describe Google::Auth::GCECredentials do
   describe "#on_gce?" do
     it "should be true when Metadata-Flavor is Google" do
       stub = stub_request(:get, "http://169.254.169.254")
+             .with(headers: { "Metadata-Flavor" => "Google" })
              .to_return(status:  200,
                         headers: { "Metadata-Flavor" => "Google" })
       expect(GCECredentials.on_gce?({}, true)).to eq(true)
@@ -105,6 +127,7 @@ describe Google::Auth::GCECredentials do
 
     it "should be false when Metadata-Flavor is not Google" do
       stub = stub_request(:get, "http://169.254.169.254")
+             .with(headers: { "Metadata-Flavor" => "Google" })
              .to_return(status:  200,
                         headers: { "Metadata-Flavor" => "NotGoogle" })
       expect(GCECredentials.on_gce?({}, true)).to eq(false)
@@ -113,6 +136,7 @@ describe Google::Auth::GCECredentials do
 
     it "should be false if the response is not 200" do
       stub = stub_request(:get, "http://169.254.169.254")
+             .with(headers: { "Metadata-Flavor" => "Google" })
              .to_return(status:  404,
                         headers: { "Metadata-Flavor" => "NotGoogle" })
       expect(GCECredentials.on_gce?({}, true)).to eq(false)

data/spec/googleauth/credentials_spec.rb

@@ -36,12 +36,13 @@ require "googleauth"
 describe Google::Auth::Credentials, :private do
   let :default_keyfile_hash do
     {
-      "private_key_id" => "testabc1234567890xyz",
-      "private_key"    => "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAOyi0Hy1l4Ym2m2o71Q0TF4O9E81isZEsX0bb+Bqz1SXEaSxLiXM\nUZE8wu0eEXivXuZg6QVCW/5l+f2+9UPrdNUCAwEAAQJAJkqubA/Chj3RSL92guy3\nktzeodarLyw8gF8pOmpuRGSiEo/OLTeRUMKKD1/kX4f9sxf3qDhB4e7dulXR1co/\nIQIhAPx8kMW4XTTL6lJYd2K5GrH8uBMp8qL5ya3/XHrBgw3dAiEA7+3Iw3ULTn2I\n1J34WlJ2D5fbzMzB4FAHUNEV7Ys3f1kCIQDtUahCMChrl7+H5t9QS+xrn77lRGhs\nB50pjvy95WXpgQIhAI2joW6JzTfz8fAapb+kiJ/h9Vcs1ZN3iyoRlNFb61JZAiA8\nNy5NyNrMVwtB/lfJf1dAK/p/Bwd8LZLtgM6PapRfgw==\n-----END RSA PRIVATE KEY-----\n",
-      "client_email"   => "credz-testabc1234567890xyz@developer.gserviceaccount.com",
-      "client_id"      => "credz-testabc1234567890xyz.apps.googleusercontent.com",
-      "type"           => "service_account",
-      "project_id"     => "a_project_id"
+      "private_key_id"   => "testabc1234567890xyz",
+      "private_key"      => "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAOyi0Hy1l4Ym2m2o71Q0TF4O9E81isZEsX0bb+Bqz1SXEaSxLiXM\nUZE8wu0eEXivXuZg6QVCW/5l+f2+9UPrdNUCAwEAAQJAJkqubA/Chj3RSL92guy3\nktzeodarLyw8gF8pOmpuRGSiEo/OLTeRUMKKD1/kX4f9sxf3qDhB4e7dulXR1co/\nIQIhAPx8kMW4XTTL6lJYd2K5GrH8uBMp8qL5ya3/XHrBgw3dAiEA7+3Iw3ULTn2I\n1J34WlJ2D5fbzMzB4FAHUNEV7Ys3f1kCIQDtUahCMChrl7+H5t9QS+xrn77lRGhs\nB50pjvy95WXpgQIhAI2joW6JzTfz8fAapb+kiJ/h9Vcs1ZN3iyoRlNFb61JZAiA8\nNy5NyNrMVwtB/lfJf1dAK/p/Bwd8LZLtgM6PapRfgw==\n-----END RSA PRIVATE KEY-----\n",
+      "client_email"     => "credz-testabc1234567890xyz@developer.gserviceaccount.com",
+      "client_id"        => "credz-testabc1234567890xyz.apps.googleusercontent.com",
+      "type"             => "service_account",
+      "project_id"       => "a_project_id",
+      "quota_project_id" => "b_project_id"
     }
   end
 
@@ -118,6 +119,7 @@ describe Google::Auth::Credentials, :private do
       expect(creds).to be_a_kind_of(TestCredentials1)
       expect(creds.client).to eq(mocked_signet)
       expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
+      expect(creds.quota_project_id).to eq(default_keyfile_hash["quota_project_id"])
     end
 
     it "subclasses can use PATH_ENV_VARS to get keyfile path" do
@@ -128,6 +130,7 @@ describe Google::Auth::Credentials, :private do
         DEFAULT_PATHS = ["~/default/path/to/file.txt"].freeze
       end
 
+      allow(::ENV).to receive(:[]).with("GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS") { "true" }
       allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
       allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
       allow(::ENV).to receive(:[]).with("PATH_ENV_TEST") { "/unknown/path/to/file.txt" }
@@ -152,6 +155,7 @@ describe Google::Auth::Credentials, :private do
       expect(creds).to be_a_kind_of(TestCredentials2)
       expect(creds.client).to eq(mocked_signet)
       expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
+      expect(creds.quota_project_id).to eq(default_keyfile_hash["quota_project_id"])
     end
 
     it "subclasses can use JSON_ENV_VARS to get keyfile contents" do
@@ -164,6 +168,7 @@ describe Google::Auth::Credentials, :private do
         DEFAULT_PATHS = ["~/default/path/to/file.txt"].freeze
       end
 
+      allow(::ENV).to receive(:[]).with("GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS") { "true" }
       allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
       allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
       allow(::File).to receive(:file?).with(test_json_env_val) { false }
@@ -188,6 +193,7 @@ describe Google::Auth::Credentials, :private do
       expect(creds).to be_a_kind_of(TestCredentials3)
       expect(creds.client).to eq(mocked_signet)
       expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
+      expect(creds.quota_project_id).to eq(default_keyfile_hash["quota_project_id"])
     end
 
     it "subclasses can use DEFAULT_PATHS to get keyfile path" do
@@ -198,6 +204,7 @@ describe Google::Auth::Credentials, :private do
         DEFAULT_PATHS = ["~/default/path/to/file.txt"].freeze
       end
 
+      allow(::ENV).to receive(:[]).with("GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS") { "true" }
       allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
       allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
       allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
@@ -222,6 +229,7 @@ describe Google::Auth::Credentials, :private do
       expect(creds).to be_a_kind_of(TestCredentials4)
       expect(creds.client).to eq(mocked_signet)
       expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
+      expect(creds.quota_project_id).to eq(default_keyfile_hash["quota_project_id"])
     end
 
     it "subclasses that find no matches default to Google::Auth.get_application_default" do
@@ -232,6 +240,7 @@ describe Google::Auth::Credentials, :private do
         DEFAULT_PATHS = ["~/default/path/to/file.txt"].freeze
       end
 
+      allow(::ENV).to receive(:[]).with("GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS") { "true" }
       allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
       allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
       allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
@@ -262,6 +271,7 @@ describe Google::Auth::Credentials, :private do
       expect(creds).to be_a_kind_of(TestCredentials5)
       expect(creds.client).to eq(mocked_signet)
       expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
+      expect(creds.quota_project_id).to eq(default_keyfile_hash["quota_project_id"])
     end
   end
 
@@ -301,6 +311,7 @@ describe Google::Auth::Credentials, :private do
       expect(creds).to be_a_kind_of(TestCredentials11)
       expect(creds.client).to eq(mocked_signet)
       expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
+      expect(creds.quota_project_id).to eq(default_keyfile_hash["quota_project_id"])
     end
 
     it "subclasses can use PATH_ENV_VARS to get keyfile path" do
@@ -310,6 +321,7 @@ describe Google::Auth::Credentials, :private do
         self.paths = ["~/default/path/to/file.txt"]
       end
 
+      allow(::ENV).to receive(:[]).with("GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS") { "true" }
       allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
       allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
       allow(::ENV).to receive(:[]).with("PATH_ENV_TEST") { "/unknown/path/to/file.txt" }
@@ -334,6 +346,7 @@ describe Google::Auth::Credentials, :private do
       expect(creds).to be_a_kind_of(TestCredentials12)
       expect(creds.client).to eq(mocked_signet)
       expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
+      expect(creds.quota_project_id).to eq(default_keyfile_hash["quota_project_id"])
     end
 
     it "subclasses can use JSON_ENV_VARS to get keyfile contents" do
@@ -345,6 +358,7 @@ describe Google::Auth::Credentials, :private do
         self.paths = ["~/default/path/to/file.txt"]
       end
 
+      allow(::ENV).to receive(:[]).with("GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS") { "true" }
       allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
       allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
       allow(::File).to receive(:file?).with(test_json_env_val) { false }
@@ -369,6 +383,7 @@ describe Google::Auth::Credentials, :private do
       expect(creds).to be_a_kind_of(TestCredentials13)
       expect(creds.client).to eq(mocked_signet)
       expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
+      expect(creds.quota_project_id).to eq(default_keyfile_hash["quota_project_id"])
     end
 
     it "subclasses can use DEFAULT_PATHS to get keyfile path" do
@@ -378,6 +393,7 @@ describe Google::Auth::Credentials, :private do
         self.paths = ["~/default/path/to/file.txt"]
       end
 
+      allow(::ENV).to receive(:[]).with("GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS") { "true" }
       allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
       allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
       allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
@@ -402,6 +418,7 @@ describe Google::Auth::Credentials, :private do
       expect(creds).to be_a_kind_of(TestCredentials14)
       expect(creds.client).to eq(mocked_signet)
       expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
+      expect(creds.quota_project_id).to eq(default_keyfile_hash["quota_project_id"])
     end
 
     it "subclasses that find no matches default to Google::Auth.get_application_default" do
@@ -411,6 +428,7 @@ describe Google::Auth::Credentials, :private do
         self.paths = ["~/default/path/to/file.txt"]
       end
 
+      allow(::ENV).to receive(:[]).with("GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS") { "true" }
       allow(::ENV).to receive(:[]).with("PATH_ENV_DUMMY") { "/fake/path/to/file.txt" }
       allow(::File).to receive(:file?).with("/fake/path/to/file.txt") { false }
       allow(::ENV).to receive(:[]).with("JSON_ENV_DUMMY") { nil }
@@ -441,6 +459,7 @@ describe Google::Auth::Credentials, :private do
       expect(creds).to be_a_kind_of(TestCredentials15)
       expect(creds.client).to eq(mocked_signet)
       expect(creds.project_id).to eq(default_keyfile_hash["project_id"])
+      expect(creds.quota_project_id).to eq(default_keyfile_hash["quota_project_id"])
     end
   end
 

data/spec/googleauth/service_account_spec.rb

@@ -112,12 +112,13 @@ describe Google::Auth::ServiceAccountCredentials do
   let(:client_email) { "app@developer.gserviceaccount.com" }
   let :cred_json do
     {
-      private_key_id: "a_private_key_id",
-      private_key:    @key.to_pem,
-      client_email:   client_email,
-      client_id:      "app.apps.googleusercontent.com",
-      type:           "service_account",
-      project_id:     "a_project_id"
+      private_key_id:   "a_private_key_id",
+      private_key:      @key.to_pem,
+      client_email:     client_email,
+      client_id:        "app.apps.googleusercontent.com",
+      type:             "service_account",
+      project_id:       "a_project_id",
+      quota_project_id: "b_project_id"
     }
   end
 
@@ -127,24 +128,28 @@ describe Google::Auth::ServiceAccountCredentials do
       json_key_io: StringIO.new(cred_json_text),
       scope:       "https://www.googleapis.com/auth/userinfo.profile"
     )
+    @id_client = ServiceAccountCredentials.make_creds(
+      json_key_io:     StringIO.new(cred_json_text),
+      target_audience: "https://pubsub.googleapis.com/"
+    )
   end
 
-  def make_auth_stubs opts = {}
-    access_token = opts[:access_token] || ""
-    body = MultiJson.dump("access_token" => access_token,
-                          "token_type"   => "Bearer",
-                          "expires_in"   => 3600)
+  def make_auth_stubs opts
+    body_fields = { "token_type" => "Bearer", "expires_in" => 3600 }
+    body_fields["access_token"] = opts[:access_token] if opts[:access_token]
+    body_fields["id_token"] = opts[:id_token] if opts[:id_token]
+    body = MultiJson.dump body_fields
     blk = proc do |request|
       params = Addressable::URI.form_unencode request.body
-      _claim, _header = JWT.decode(params.assoc("assertion").last,
-                                   @key.public_key, true,
-                                   algorithm: "RS256")
+      claim, _header = JWT.decode(params.assoc("assertion").last,
+                                  @key.public_key, true,
+                                  algorithm: "RS256")
+      !opts[:id_token] || claim["target_audience"] == "https://pubsub.googleapis.com/"
     end
     stub_request(:post, "https://www.googleapis.com/oauth2/v4/token")
       .with(body: hash_including(
         "grant_type" => "urn:ietf:params:oauth:grant-type:jwt-bearer"
-      ),
-            &blk)
+      ), &blk)
       .to_return(body:    body,
                  status:  200,
                  headers: { "Content-Type" => "application/json" })
@@ -285,6 +290,7 @@ describe Google::Auth::ServiceAccountCredentials do
         ENV["APPDATA"] = dir
         credentials = @clz.from_well_known_path @scope
         expect(credentials.project_id).to eq(cred_json[:project_id])
+        expect(credentials.quota_project_id).to eq(cred_json[:quota_project_id])
       end
     end
 
@@ -476,6 +482,7 @@ describe Google::Auth::ServiceAccountJwtHeaderCredentials do
         ENV["APPDATA"] = dir
         credentials = clz.from_well_known_path @scope
         expect(credentials.project_id).to eq(cred_json[:project_id])
+        expect(credentials.quota_project_id).to be_nil
       end
     end
   end

data/spec/googleauth/signet_spec.rb

@@ -47,18 +47,26 @@ describe Signet::OAuth2::Client do
       audience:             "https://oauth2.googleapis.com/token",
       signing_key:          @key
     )
+    @id_client = Signet::OAuth2::Client.new(
+      token_credential_uri: "https://oauth2.googleapis.com/token",
+      target_audience:      "https://pubsub.googleapis.com/",
+      issuer:               "app@example.com",
+      audience:             "https://oauth2.googleapis.com/token",
+      signing_key:          @key
+    )
   end
 
   def make_auth_stubs opts
-    access_token = opts[:access_token] || ""
-    body = MultiJson.dump("access_token" => access_token,
-                          "token_type"   => "Bearer",
-                          "expires_in"   => 3600)
+    body_fields = { "token_type" => "Bearer", "expires_in" => 3600 }
+    body_fields["access_token"] = opts[:access_token] if opts[:access_token]
+    body_fields["id_token"] = opts[:id_token] if opts[:id_token]
+    body = MultiJson.dump body_fields
     blk = proc do |request|
       params = Addressable::URI.form_unencode request.body
-      _claim, _header = JWT.decode(params.assoc("assertion").last,
-                                   @key.public_key, true,
-                                   algorithm: "RS256")
+      claim, _header = JWT.decode(params.assoc("assertion").last,
+                                  @key.public_key, true,
+                                  algorithm: "RS256")
+      !opts[:id_token] || claim["target_audience"] == "https://pubsub.googleapis.com/"
     end
     with_params = { body: hash_including(
       "grant_type" => "urn:ietf:params:oauth:grant-type:jwt-bearer"