googleauth 0.9.0 → 0.17.1

data/lib/googleauth/id_tokens.rb

@@ -0,0 +1,233 @@
+# frozen_string_literal: true
+
+# Copyright 2020 Google LLC
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "googleauth/id_tokens/errors"
+require "googleauth/id_tokens/key_sources"
+require "googleauth/id_tokens/verifier"
+
+module Google
+  module Auth
+    ##
+    # ## Verifying Google ID tokens
+    #
+    # This module verifies ID tokens issued by Google. This can be used to
+    # authenticate signed-in users using OpenID Connect. See
+    # https://developers.google.com/identity/sign-in/web/backend-auth for more
+    # information.
+    #
+    # ### Basic usage
+    #
+    # To verify an ID token issued by Google accounts:
+    #
+    #     payload = Google::Auth::IDTokens.verify_oidc the_token,
+    #                                                  aud: "my-app-client-id"
+    #
+    # If verification succeeds, you will receive the token's payload as a hash.
+    # If verification fails, an exception (normally a subclass of
+    # {Google::Auth::IDTokens::VerificationError}) will be raised.
+    #
+    # To verify an ID token issued by the Google identity-aware proxy (IAP):
+    #
+    #     payload = Google::Auth::IDTokens.verify_iap the_token,
+    #                                                 aud: "my-app-client-id"
+    #
+    # These methods will automatically download and cache the Google public
+    # keys necessary to verify these tokens. They will also automatically
+    # verify the issuer (`iss`) field for their respective types of ID tokens.
+    #
+    # ### Advanced usage
+    #
+    # If you want to provide your own public keys, either by pointing at a
+    # custom URI or by providing the key data directly, use the Verifier class
+    # and pass in a key source.
+    #
+    # To point to a custom URI that returns a JWK set:
+    #
+    #     source = Google::Auth::IDTokens::JwkHttpKeySource.new "https://example.com/jwk"
+    #     verifier = Google::Auth::IDTokens::Verifier.new key_source: source
+    #     payload = verifier.verify the_token, aud: "my-app-client-id"
+    #
+    # To provide key data directly:
+    #
+    #     jwk_data = {
+    #       keys: [
+    #         {
+    #           alg: "ES256",
+    #           crv: "P-256",
+    #           kid: "LYyP2g",
+    #           kty: "EC",
+    #           use: "sig",
+    #           x: "SlXFFkJ3JxMsXyXNrqzE3ozl_0913PmNbccLLWfeQFU",
+    #           y: "GLSahrZfBErmMUcHP0MGaeVnJdBwquhrhQ8eP05NfCI"
+    #         }
+    #       ]
+    #     }
+    #     source = Google::Auth::IDTokens::StaticKeySource.from_jwk_set jwk_data
+    #     verifier = Google::Auth::IDTokens::Verifier key_source: source
+    #     payload = verifier.verify the_token, aud: "my-app-client-id"
+    #
+    module IDTokens
+      ##
+      # A list of issuers expected for Google OIDC-issued tokens.
+      #
+      # @return [Array<String>]
+      #
+      OIDC_ISSUERS = ["accounts.google.com", "https://accounts.google.com"].freeze
+
+      ##
+      # A list of issuers expected for Google IAP-issued tokens.
+      #
+      # @return [Array<String>]
+      #
+      IAP_ISSUERS = ["https://cloud.google.com/iap"].freeze
+
+      ##
+      # The URL for Google OAuth2 V3 public certs
+      #
+      # @return [String]
+      #
+      OAUTH2_V3_CERTS_URL = "https://www.googleapis.com/oauth2/v3/certs"
+
+      ##
+      # The URL for Google IAP public keys
+      #
+      # @return [String]
+      #
+      IAP_JWK_URL = "https://www.gstatic.com/iap/verify/public_key-jwk"
+
+      class << self
+        ##
+        # The key source providing public keys that can be used to verify
+        # ID tokens issued by Google OIDC.
+        #
+        # @return [Google::Auth::IDTokens::JwkHttpKeySource]
+        #
+        def oidc_key_source
+          @oidc_key_source ||= JwkHttpKeySource.new OAUTH2_V3_CERTS_URL
+        end
+
+        ##
+        # The key source providing public keys that can be used to verify
+        # ID tokens issued by Google IAP.
+        #
+        # @return [Google::Auth::IDTokens::JwkHttpKeySource]
+        #
+        def iap_key_source
+          @iap_key_source ||= JwkHttpKeySource.new IAP_JWK_URL
+        end
+
+        ##
+        # Reset all convenience key sources. Used for testing.
+        # @private
+        #
+        def forget_sources!
+          @oidc_key_source = @iap_key_source = nil
+          self
+        end
+
+        ##
+        # A convenience method that verifies a token allegedly issued by Google
+        # OIDC.
+        #
+        # @param token [String] The ID token to verify
+        # @param aud [String,Array<String>,nil] The expected audience. At least
+        #     one `aud` field in the token must match at least one of the
+        #     provided audiences, or the verification will fail with
+        #     {Google::Auth::IDToken::AudienceMismatchError}. If `nil` (the
+        #     default), no audience checking is performed.
+        # @param azp [String,Array<String>,nil] The expected authorized party
+        #     (azp). At least one `azp` field in the token must match at least
+        #     one of the provided values, or the verification will fail with
+        #     {Google::Auth::IDToken::AuthorizedPartyMismatchError}. If `nil`
+        #     (the default), no azp checking is performed.
+        # @param aud [String,Array<String>,nil] The expected audience. At least
+        #     one `iss` field in the token must match at least one of the
+        #     provided issuers, or the verification will fail with
+        #     {Google::Auth::IDToken::IssuerMismatchError}. If `nil`, no issuer
+        #     checking is performed. Default is to check against {OIDC_ISSUERS}.
+        #
+        # @return [Hash] The decoded token payload.
+        # @raise [KeySourceError] if the key source failed to obtain public keys
+        # @raise [VerificationError] if the token verification failed.
+        #     Additional data may be available in the error subclass and message.
+        #
+        def verify_oidc token,
+                        aud: nil,
+                        azp: nil,
+                        iss: OIDC_ISSUERS
+
+          verifier = Verifier.new key_source: oidc_key_source,
+                                  aud:        aud,
+                                  azp:        azp,
+                                  iss:        iss
+          verifier.verify token
+        end
+
+        ##
+        # A convenience method that verifies a token allegedly issued by Google
+        # IAP.
+        #
+        # @param token [String] The ID token to verify
+        # @param aud [String,Array<String>,nil] The expected audience. At least
+        #     one `aud` field in the token must match at least one of the
+        #     provided audiences, or the verification will fail with
+        #     {Google::Auth::IDToken::AudienceMismatchError}. If `nil` (the
+        #     default), no audience checking is performed.
+        # @param azp [String,Array<String>,nil] The expected authorized party
+        #     (azp). At least one `azp` field in the token must match at least
+        #     one of the provided values, or the verification will fail with
+        #     {Google::Auth::IDToken::AuthorizedPartyMismatchError}. If `nil`
+        #     (the default), no azp checking is performed.
+        # @param aud [String,Array<String>,nil] The expected audience. At least
+        #     one `iss` field in the token must match at least one of the
+        #     provided issuers, or the verification will fail with
+        #     {Google::Auth::IDToken::IssuerMismatchError}. If `nil`, no issuer
+        #     checking is performed. Default is to check against {IAP_ISSUERS}.
+        #
+        # @return [Hash] The decoded token payload.
+        # @raise [KeySourceError] if the key source failed to obtain public keys
+        # @raise [VerificationError] if the token verification failed.
+        #     Additional data may be available in the error subclass and message.
+        #
+        def verify_iap token,
+                       aud: nil,
+                       azp: nil,
+                       iss: IAP_ISSUERS
+
+          verifier = Verifier.new key_source: iap_key_source,
+                                  aud:        aud,
+                                  azp:        azp,
+                                  iss:        iss
+          verifier.verify token
+        end
+      end
+    end
+  end
+end

data/lib/googleauth/json_key_reader.rb

@@ -38,8 +38,12 @@ module Google
         json_key = MultiJson.load json_key_io.read
         raise "missing client_email" unless json_key.key? "client_email"
         raise "missing private_key" unless json_key.key? "private_key"
-        project_id = json_key["project_id"]
-        [json_key["private_key"], json_key["client_email"], project_id]
+        [
+          json_key["private_key"],
+          json_key["client_email"],
+          json_key["project_id"],
+          json_key["quota_project_id"]
+        ]
       end
     end
   end

data/lib/googleauth/scope_util.rb

@@ -51,7 +51,7 @@ module Google
         when Array
           scope
         when String
-          scope.split " "
+          scope.split
         else
           raise "Invalid scope value. Must be string or array"
         end

data/lib/googleauth/service_account.rb

@@ -45,34 +45,47 @@ module Google
     # from credentials from a json key file downloaded from the developer
     # console (via 'Generate new Json Key').
     #
-    # cf [Application Default Credentials](http://goo.gl/mkAHpZ)
+    # cf [Application Default Credentials](https://cloud.google.com/docs/authentication/production)
     class ServiceAccountCredentials < Signet::OAuth2::Client
       TOKEN_CRED_URI = "https://www.googleapis.com/oauth2/v4/token".freeze
       extend CredentialsLoader
       extend JsonKeyReader
       attr_reader :project_id
+      attr_reader :quota_project_id
+
+      def enable_self_signed_jwt?
+        @enable_self_signed_jwt
+      end
 
       # Creates a ServiceAccountCredentials.
       #
       # @param json_key_io [IO] an IO from which the JSON key can be read
       # @param scope [string|array|nil] the scope(s) to access
       def self.make_creds options = {}
-        json_key_io, scope = options.values_at :json_key_io, :scope
+        json_key_io, scope, enable_self_signed_jwt, target_audience, audience, token_credential_uri =
+          options.values_at :json_key_io, :scope, :enable_self_signed_jwt, :target_audience,
+                            :audience, :token_credential_uri
+        raise ArgumentError, "Cannot specify both scope and target_audience" if scope && target_audience
+
         if json_key_io
-          private_key, client_email, project_id = read_json_key json_key_io
+          private_key, client_email, project_id, quota_project_id = read_json_key json_key_io
         else
           private_key = unescape ENV[CredentialsLoader::PRIVATE_KEY_VAR]
           client_email = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
           project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
+          quota_project_id = nil
         end
         project_id ||= CredentialsLoader.load_gcloud_project_id
 
-        new(token_credential_uri: TOKEN_CRED_URI,
-            audience:             TOKEN_CRED_URI,
-            scope:                scope,
-            issuer:               client_email,
-            signing_key:          OpenSSL::PKey::RSA.new(private_key),
-            project_id:           project_id)
+        new(token_credential_uri:   token_credential_uri || TOKEN_CRED_URI,
+            audience:               audience || TOKEN_CRED_URI,
+            scope:                  scope,
+            enable_self_signed_jwt: enable_self_signed_jwt,
+            target_audience:        target_audience,
+            issuer:                 client_email,
+            signing_key:            OpenSSL::PKey::RSA.new(private_key),
+            project_id:             project_id,
+            quota_project_id:       quota_project_id)
           .configure_connection(options)
       end
 
@@ -87,30 +100,36 @@ module Google
 
       def initialize options = {}
         @project_id = options[:project_id]
+        @quota_project_id = options[:quota_project_id]
+        @enable_self_signed_jwt = options[:enable_self_signed_jwt] ? true : false
         super options
       end
 
-      # Extends the base class.
-      #
-      # If scope(s) is not set, it creates a transient
-      # ServiceAccountJwtHeaderCredentials instance and uses that to
-      # authenticate instead.
+      # Extends the base class to use a transient
+      # ServiceAccountJwtHeaderCredentials for certain cases.
       def apply! a_hash, opts = {}
-        # Use the base implementation if scopes are set
-        unless scope.nil?
+        # Use a self-singed JWT if there's no information that can be used to
+        # obtain an OAuth token, OR if there are scopes but also an assertion
+        # that they are default scopes that shouldn't be used to fetch a token.
+        if target_audience.nil? && (scope.nil? || enable_self_signed_jwt?)
+          apply_self_signed_jwt! a_hash
+        else
           super
-          return
         end
+      end
+
+      private
 
+      def apply_self_signed_jwt! a_hash
         # Use the ServiceAccountJwtHeaderCredentials using the same cred values
-        # if no scopes are set.
         cred_json = {
-          private_key:  @signing_key.to_s,
-          client_email: @issuer
+          private_key: @signing_key.to_s,
+          client_email: @issuer,
+          project_id: @project_id,
+          quota_project_id: @quota_project_id
         }
-        alt_clz = ServiceAccountJwtHeaderCredentials
         key_io = StringIO.new MultiJson.dump(cred_json)
-        alt = alt_clz.make_creds json_key_io: key_io
+        alt = ServiceAccountJwtHeaderCredentials.make_creds json_key_io: key_io, scope: scope
         alt.apply! a_hash
       end
     end
@@ -123,7 +142,7 @@ module Google
     # console (via 'Generate new Json Key').  It is not part of any OAuth2
     # flow, rather it creates a JWT and sends that as a credential.
     #
-    # cf [Application Default Credentials](http://goo.gl/mkAHpZ)
+    # cf [Application Default Credentials](https://cloud.google.com/docs/authentication/production)
     class ServiceAccountJwtHeaderCredentials
       JWT_AUD_URI_KEY = :jwt_aud_uri
       AUTH_METADATA_KEY = Signet::OAuth2::AUTH_METADATA_KEY
@@ -133,16 +152,15 @@ module Google
       extend CredentialsLoader
       extend JsonKeyReader
       attr_reader :project_id
+      attr_reader :quota_project_id
 
-      # make_creds proxies the construction of a credentials instance
+      # Create a ServiceAccountJwtHeaderCredentials.
       #
-      # make_creds is used by the methods in CredentialsLoader.
-      #
-      # By default, it calls #new with 2 args, the second one being an
-      # optional scope. Here's the constructor only has one param, so
-      # we modify make_creds to reflect this.
-      def self.make_creds *args
-        new json_key_io: args[0][:json_key_io]
+      # @param json_key_io [IO] an IO from which the JSON key can be read
+      # @param scope [string|array|nil] the scope(s) to access
+      def self.make_creds options = {}
+        json_key_io, scope = options.values_at :json_key_io, :scope
+        new json_key_io: json_key_io, scope: scope
       end
 
       # Initializes a ServiceAccountJwtHeaderCredentials.
@@ -151,15 +169,17 @@ module Google
       def initialize options = {}
         json_key_io = options[:json_key_io]
         if json_key_io
-          @private_key, @issuer, @project_id =
+          @private_key, @issuer, @project_id, @quota_project_id =
             self.class.read_json_key json_key_io
         else
           @private_key = ENV[CredentialsLoader::PRIVATE_KEY_VAR]
           @issuer = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
           @project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
+          @quota_project_id = nil
         end
         @project_id ||= CredentialsLoader.load_gcloud_project_id
         @signing_key = OpenSSL::PKey::RSA.new @private_key
+        @scope = options[:scope]
       end
 
       # Construct a jwt token if the JWT_AUD_URI key is present in the input
@@ -168,7 +188,7 @@ module Google
       # The jwt token is used as the value of a 'Bearer '.
       def apply! a_hash, opts = {}
         jwt_aud_uri = a_hash.delete JWT_AUD_URI_KEY
-        return a_hash if jwt_aud_uri.nil?
+        return a_hash if jwt_aud_uri.nil? && @scope.nil?
         jwt_token = new_jwt_token jwt_aud_uri, opts
         a_hash[AUTH_METADATA_KEY] = "Bearer #{jwt_token}"
         a_hash
@@ -184,22 +204,27 @@ module Google
       # Returns a reference to the #apply method, suitable for passing as
       # a closure
       def updater_proc
-        lambda(&method(:apply))
+        proc { |a_hash, opts = {}| apply a_hash, opts }
       end
 
       protected
 
       # Creates a jwt uri token.
-      def new_jwt_token jwt_aud_uri, options = {}
+      def new_jwt_token jwt_aud_uri = nil, options = {}
         now = Time.new
         skew = options[:skew] || 60
         assertion = {
           "iss" => @issuer,
           "sub" => @issuer,
-          "aud" => jwt_aud_uri,
           "exp" => (now + EXPIRY).to_i,
           "iat" => (now - skew).to_i
         }
+
+        jwt_aud_uri = nil if @scope
+
+        assertion["scope"] = Array(@scope).join " " if @scope
+        assertion["aud"] = jwt_aud_uri if jwt_aud_uri
+
         JWT.encode assertion, @signing_key, SIGNING_ALGORITHM
       end
     end

data/lib/googleauth/signet.rb

@@ -48,8 +48,9 @@ module Signet
       def apply! a_hash, opts = {}
         # fetch the access token there is currently not one, or if the client
         # has expired
-        fetch_access_token! opts if access_token.nil? || expires_within?(60)
-        a_hash[AUTH_METADATA_KEY] = "Bearer #{access_token}"
+        token_type = target_audience ? :id_token : :access_token
+        fetch_access_token! opts if send(token_type).nil? || expires_within?(60)
+        a_hash[AUTH_METADATA_KEY] = "Bearer #{send token_type}"
       end
 
       # Returns a clone of a_hash updated with the authentication token
@@ -62,11 +63,11 @@ module Signet
       # Returns a reference to the #apply method, suitable for passing as
       # a closure
       def updater_proc
-        lambda(&method(:apply))
+        proc { |a_hash, opts = {}| apply a_hash, opts }
       end
 
       def on_refresh &block
-        @refresh_listeners ||= []
+        @refresh_listeners = [] unless defined? @refresh_listeners
         @refresh_listeners << block
       end
 
@@ -84,15 +85,16 @@ module Signet
       end
 
       def notify_refresh_listeners
-        listeners = @refresh_listeners || []
+        listeners = defined?(@refresh_listeners) ? @refresh_listeners : []
         listeners.each do |block|
           block.call self
         end
       end
 
       def build_default_connection
-        return nil unless defined?(@connection_info)
-        if @connection_info.respond_to? :call
+        if !defined?(@connection_info)
+          nil
+        elsif @connection_info.respond_to? :call
           @connection_info.call
         else
           @connection_info

data/lib/googleauth/stores/file_token_store.rb

@@ -40,6 +40,7 @@ module Google
         # @param [String, File] file
         #  Path to storage file
         def initialize options = {}
+          super()
           path = options[:file]
           @store = YAML::Store.new path
         end

data/lib/googleauth/stores/redis_token_store.rb

@@ -49,6 +49,7 @@ module Google
         #  the options passed through. You may include any other keys accepted
         #  by `Redis.new`
         def initialize options = {}
+          super()
           redis = options.delete :redis
           prefix = options.delete :prefix
           @redis = case redis

data/lib/googleauth/user_authorizer.rb

@@ -129,8 +129,8 @@ module Google
         data = MultiJson.load saved_token
 
         if data.fetch("client_id", @client_id.id) != @client_id.id
-          raise sprintf(MISMATCHED_CLIENT_ID_ERROR,
-                        data["client_id"], @client_id.id)
+          raise format(MISMATCHED_CLIENT_ID_ERROR,
+                       data["client_id"], @client_id.id)
         end
 
         credentials = UserRefreshCredentials.new(
@@ -271,10 +271,15 @@ module Google
       # @return [String]
       #  Redirect URI
       def redirect_uri_for base_url
-        return @callback_uri unless URI(@callback_uri).scheme.nil?
+        return @callback_uri if uri_is_postmessage?(@callback_uri) || !URI(@callback_uri).scheme.nil?
         raise format(MISSING_ABSOLUTE_URL_ERROR, @callback_uri) if base_url.nil? || URI(base_url).scheme.nil?
         URI.join(base_url, @callback_uri).to_s
       end
+
+      # Check if URI is Google's postmessage flow (not a valid redirect_uri by spec, but allowed)
+      def uri_is_postmessage? uri
+        uri.to_s.casecmp("postmessage").zero?
+      end
     end
   end
 end

data/lib/googleauth/user_refresh.rb

@@ -44,7 +44,7 @@ module Google
     # 'gcloud auth login' saves a file with these contents in well known
     # location
     #
-    # cf [Application Default Credentials](http://goo.gl/mkAHpZ)
+    # cf [Application Default Credentials](https://cloud.google.com/docs/authentication/production)
     class UserRefreshCredentials < Signet::OAuth2::Client
       TOKEN_CRED_URI = "https://oauth2.googleapis.com/token".freeze
       AUTHORIZATION_URI = "https://accounts.google.com/o/oauth2/auth".freeze

data/lib/googleauth/version.rb

@@ -31,6 +31,6 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    VERSION = "0.9.0".freeze
+    VERSION = "0.17.1".freeze
   end
 end

data/lib/googleauth/web_user_authorizer.rb

@@ -58,12 +58,9 @@ module Google
     #    end
     #
     # Instead of implementing the callback directly, applications are
-    # encouraged to use {Google::Auth::Web::AuthCallbackApp} instead.
+    # encouraged to use {Google::Auth::WebUserAuthorizer::CallbackApp} instead.
     #
-    # For rails apps, see {Google::Auth::ControllerHelpers}
-    #
-    # @see {Google::Auth::AuthCallbackApp}
-    # @see {Google::Auth::ControllerHelpers}
+    # @see CallbackApp
     # @note Requires sessions are enabled
     class WebUserAuthorizer < Google::Auth::UserAuthorizer
       STATE_PARAM = "state".freeze
@@ -171,7 +168,7 @@ module Google
         options[:state] = MultiJson.dump(state.merge(
                                            SESSION_ID_KEY  => request.session[XSRF_KEY],
                                            CURRENT_URI_KEY => redirect_to
-        ))
+                                         ))
         options[:base_url] = request.url
         super options
       end
@@ -192,7 +189,7 @@ module Google
       #  May raise an error if an authorization code is present in the session
       #  and exchange of the code fails
       def get_credentials user_id, request = nil, scope = nil
-        if request && request.session.key?(CALLBACK_STATE_KEY)
+        if request&.session&.key? CALLBACK_STATE_KEY
           # Note - in theory, no need to check required scope as this is
           # expected to be called immediately after a return from authorization
           state_json = request.session.delete CALLBACK_STATE_KEY
@@ -261,7 +258,7 @@ module Google
       #       Google::Auth::WebUserAuthorizer::CallbackApp.call(env)
       #     end
       #
-      # @see {Google::Auth::WebUserAuthorizer}
+      # @see Google::Auth::WebUserAuthorizer
       class CallbackApp
         LOCATION_HEADER = "Location".freeze
         REDIR_STATUS = 302

data/lib/googleauth.rb

@@ -31,5 +31,6 @@ require "googleauth/application_default"
 require "googleauth/client_id"
 require "googleauth/credentials"
 require "googleauth/default_credentials"
+require "googleauth/id_tokens"
 require "googleauth/user_authorizer"
 require "googleauth/web_user_authorizer"