googleauth 1.6.0 → 1.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 146d1c41b29049fb35b0cc5c4934a811eb547f3d3000a95e3fbd8a24fc2b86bb
-  data.tar.gz: cb613b51160da7a51c545728ce03dac8977fee8f1806b72eca97997d28645450
+  metadata.gz: 888e57705b33e87158d060b7b1569e54e00000428de35f979e7ffc9456cbb7b3
+  data.tar.gz: ac341b6c481df125091c1465b56642173591f5698baff6f4806b05216eca8802
 SHA512:
-  metadata.gz: 39289ca31ac785dffbb151a71c6b8337d442db75e3d2d3fcfa94a4c5656076c5965c3beb09e55cc80996c189af170f9208dbb84df6adbb9b385ede36850ea6aa
-  data.tar.gz: 442083ee198a5ae04f8924f2360b1512eff862d12f66327d22195dbd75c5475b8d912701d7e41ab21b7c6ceae8f196b229b1f376cf69cb36846f5787f52eeb37
+  metadata.gz: 0e9d2fd50c39bf83e86f9f31bbddb897d28ce908be1214849926c45ce7ad2fa0d8f48d70a01acc84c9fa49ddf1a3a3c0c5a87b9bdf1d3ae1b9430b739e709c67
+  data.tar.gz: f92483b4971ecc9d48a0b3656a76c694974c6b60153d6ea5ff0f1dd6c544da51b924aedbfa71956db2c1dada98a6cdaa632bb6f38c663e384acc8ebb3af8d1d2

data/CHANGELOG.md

@@ -1,5 +1,23 @@
 # Release History
 
+### 1.8.0 (2023-09-07)
+
+#### Features
+
+* Pass additional parameters to auhtorization url ([#447](https://github.com/googleapis/google-auth-library-ruby/issues/447)) 
+#### Documentation
+
+* improve ADC related error and warning messages ([#449](https://github.com/googleapis/google-auth-library-ruby/issues/449)) 
+
+### 1.7.0 (2023-07-14)
+
+#### Features
+
+* Adding support for pluggable auth credentials ([#437](https://github.com/googleapis/google-auth-library-ruby/issues/437)) 
+#### Documentation
+
+* fixed iss argument and description in comments of IDTokens ([#438](https://github.com/googleapis/google-auth-library-ruby/issues/438)) 
+
 ### 1.6.0 (2023-06-20)
 
 #### Features

data/README.md

@@ -243,6 +243,6 @@ hesitate to
 [ask questions](http://stackoverflow.com/questions/tagged/google-auth-library-ruby)
 about the client or APIs on [StackOverflow](http://stackoverflow.com).
 
-[application default credentials]: https://developers.google.com/accounts/docs/application-default-credentials
+[application default credentials]: https://cloud.google.com/docs/authentication/provide-credentials-adc
 [contributing]: https://github.com/googleapis/google-auth-library-ruby/tree/main/.github/CONTRIBUTING.md
 [license]: https://github.com/googleapis/google-auth-library-ruby/tree/main/LICENSE

data/lib/googleauth/application_default.rb

@@ -21,7 +21,7 @@ module Google
   module Auth
     NOT_FOUND_ERROR = <<~ERROR_MESSAGE.freeze
       Could not load the default credentials. Browse to
-      https://developers.google.com/accounts/docs/application-default-credentials
+      https://cloud.google.com/docs/authentication/provide-credentials-adc
       for more information
     ERROR_MESSAGE
 
@@ -57,7 +57,7 @@ module Google
       return creds unless creds.nil?
       unless GCECredentials.on_gce? options
         # Clear cache of the result of GCECredentials.on_gce?
-        GCECredentials.unmemoize_all
+        GCECredentials.reset_cache
         raise NOT_FOUND_ERROR
       end
       GCECredentials.new options.merge(scope: scope)

data/lib/googleauth/client_id.rb

@@ -17,37 +17,52 @@ require "googleauth/credentials_loader"
 
 module Google
   module Auth
-    # Representation of an application's identity for user authorization
-    # flows.
+    ##
+    # Representation of an application's identity for user authorization flows.
+    #
     class ClientId
+      # Toplevel JSON key for the an installed app configuration.
+      # Must include client_id and client_secret subkeys if present.
       INSTALLED_APP = "installed".freeze
+      # Toplevel JSON key for the a webapp configuration.
+      # Must include client_id and client_secret subkeys if present.
       WEB_APP = "web".freeze
+      # JSON key for the client ID within an app configuration.
       CLIENT_ID = "client_id".freeze
+      # JSON key for the client secret within an app configuration.
       CLIENT_SECRET = "client_secret".freeze
+      # An error message raised when none of the expected toplevel properties
+      # can be found.
       MISSING_TOP_LEVEL_ELEMENT_ERROR =
         "Expected top level property 'installed' or 'web' to be present.".freeze
 
+      ##
       # Text identifier of the client ID
       # @return [String]
+      #
       attr_reader :id
 
+      ##
       # Secret associated with the client ID
       # @return [String]
+      #
       attr_reader :secret
 
       class << self
         attr_accessor :default
       end
 
-      # Initialize the Client ID
+      ##
+      # Initialize the Client ID. Both id and secret must be non-nil.
       #
       # @param [String] id
       #  Text identifier of the client ID
       # @param [String] secret
       #  Secret associated with the client ID
-      # @note Direction instantion is discouraged to avoid embedding IDs
-      #       & secrets in source. See {#from_file} to load from
+      # @note Direct instantiation is discouraged to avoid embedding IDs
+      #       and secrets in source. See {#from_file} to load from
       #       `client_secrets.json` files.
+      #
       def initialize id, secret
         CredentialsLoader.warn_if_cloud_sdk_credentials id
         raise "Client id can not be nil" if id.nil?
@@ -56,12 +71,14 @@ module Google
         @secret = secret
       end
 
+      ##
       # Constructs a Client ID from a JSON file downloaded from the
       # Google Developers Console.
       #
       # @param [String, File] file
       #  Path of file to read from
       # @return [Google::Auth::ClientID]
+      #
       def self.from_file file
         raise "File can not be nil." if file.nil?
         File.open file.to_s do |f|
@@ -71,13 +88,14 @@ module Google
         end
       end
 
+      ##
       # Constructs a Client ID from a previously loaded JSON file. The hash
-      # structure should
-      # match the expected JSON format.
+      # structure should match the expected JSON format.
       #
       # @param [hash] config
       #  Parsed contents of the JSON file
       # @return [Google::Auth::ClientID]
+      #
       def self.from_hash config
         raise "Hash can not be nil." if config.nil?
         raw_detail = config[INSTALLED_APP] || config[WEB_APP]

data/lib/googleauth/compute_engine.rb

@@ -14,7 +14,6 @@
 
 require "faraday"
 require "googleauth/signet"
-require "memoist"
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization
@@ -47,9 +46,9 @@ module Google
       # @private Unused and deprecated
       COMPUTE_CHECK_URI = "http://169.254.169.254".freeze
 
-      class << self
-        extend Memoist
+      @on_gce_cache = {}
 
+      class << self
         def metadata_host
           ENV.fetch "GCE_METADATA_HOST", DEFAULT_METADATA_HOST
         end
@@ -68,21 +67,30 @@ module Google
 
         # Detect if this appear to be a GCE instance, by checking if metadata
         # is available.
-        def on_gce? options = {}
-          # TODO: This should use google-cloud-env instead.
-          c = options[:connection] || Faraday.default_connection
-          headers = { "Metadata-Flavor" => "Google" }
-          resp = c.get compute_check_uri, nil, headers do |req|
-            req.options.timeout = 1.0
-            req.options.open_timeout = 0.1
+        def on_gce? options = {}, reload = false # rubocop:disable Style/OptionalBooleanParameter
+          # We can follow OptionalBooleanParameter here because it's a public interface, we can't change it.
+          @on_gce_cache.delete options if reload
+          @on_gce_cache.fetch options do
+            @on_gce_cache[options] = begin
+              # TODO: This should use google-cloud-env instead.
+              c = options[:connection] || Faraday.default_connection
+              headers = { "Metadata-Flavor" => "Google" }
+              resp = c.get compute_check_uri, nil, headers do |req|
+                req.options.timeout = 1.0
+                req.options.open_timeout = 0.1
+              end
+              return false unless resp.status == 200
+              resp.headers["Metadata-Flavor"] == "Google"
+            rescue Faraday::TimeoutError, Faraday::ConnectionFailed
+              false
+            end
           end
-          return false unless resp.status == 200
-          resp.headers["Metadata-Flavor"] == "Google"
-        rescue Faraday::TimeoutError, Faraday::ConnectionFailed
-          false
         end
 
-        memoize :on_gce?
+        def reset_cache
+          @on_gce_cache.clear
+        end
+        alias unmemoize_all reset_cache
       end
 
       # Overrides the super class method to change how access tokens are

data/lib/googleauth/credentials_loader.rb

@@ -50,10 +50,11 @@ module Google
                             "s.googleusercontent.com".freeze
 
       CLOUD_SDK_CREDENTIALS_WARNING =
-        "Your application has authenticated using end user credentials from Google Cloud SDK. We recommend that most " \
-        "server applications use service accounts instead. If your application continues to use end user credentials " \
-        'from Cloud SDK, you might receive a "quota exceeded" or "API not enabled" error. For more information about ' \
-        "service accounts, see https://cloud.google.com/docs/authentication/. To suppress this message, set the " \
+        "You are authenticating using user credentials." \
+        "For production, we recommend using service account credentials." \
+        "To learn more about service account credentials, see" \
+        "http://cloud.google.com/docs/authentication/external/set-up-adc-on-cloud " \
+        "To suppress this message, set the " \
         "GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS environment variable.".freeze
 
       # make_creds proxies the construction of a credentials instance

data/lib/googleauth/external_account/external_account_utils.rb

@@ -86,6 +86,17 @@ module Google
             raise "Invalid time value #{time}"
           end
         end
+
+        def service_account_email
+          return nil if @service_account_impersonation_url.nil?
+          start_idx = @service_account_impersonation_url.rindex "/"
+          end_idx = @service_account_impersonation_url.index ":generateAccessToken"
+          if start_idx != -1 && end_idx != -1 && start_idx < end_idx
+            start_idx += 1
+            return @service_account_impersonation_url[start_idx..end_idx]
+          end
+          nil
+        end
       end
     end
   end

data/lib/googleauth/external_account/pluggable_credentials.rb

@@ -0,0 +1,156 @@
+# Copyright 2023 Google, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "open3"
+require "time"
+require "googleauth/external_account/base_credentials"
+require "googleauth/external_account/external_account_utils"
+
+module Google
+  # Module Auth provides classes that provide Google-specific authorization used to access Google APIs.
+  module Auth
+    module ExternalAccount
+      # This module handles the retrieval of credentials from Google Cloud by utilizing the any 3PI
+      # provider then exchanging the credentials for a short-lived Google Cloud access token.
+      class PluggableAuthCredentials
+        # constant for pluggable auth enablement in environment variable.
+        ENABLE_PLUGGABLE_ENV = "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES".freeze
+        EXECUTABLE_SUPPORTED_MAX_VERSION = 1
+        EXECUTABLE_TIMEOUT_MILLIS_DEFAULT = 30 * 1000
+        EXECUTABLE_TIMEOUT_MILLIS_LOWER_BOUND = 5 * 1000
+        EXECUTABLE_TIMEOUT_MILLIS_UPPER_BOUND = 120 * 1000
+        ID_TOKEN_TYPE = ["urn:ietf:params:oauth:token-type:jwt", "urn:ietf:params:oauth:token-type:id_token"].freeze
+
+        include Google::Auth::ExternalAccount::BaseCredentials
+        include Google::Auth::ExternalAccount::ExternalAccountUtils
+        extend CredentialsLoader
+
+        # Will always be nil, but method still gets used.
+        attr_reader :client_id
+
+        # Initialize from options map.
+        #
+        # @param [string] audience
+        # @param [hash{symbol => value}] credential_source
+        #     credential_source is a hash that contains either source file or url.
+        #     credential_source_format is either text or json. To define how we parse the credential response.
+        #
+        def initialize options = {}
+          base_setup options
+
+          @audience = options[:audience]
+          @credential_source = options[:credential_source] || {}
+          @credential_source_executable = @credential_source[:executable]
+          raise "Missing excutable source. An 'executable' must be provided" if @credential_source_executable.nil?
+          @credential_source_executable_command = @credential_source_executable[:command]
+          if @credential_source_executable_command.nil?
+            raise "Missing command field. Executable command must be provided."
+          end
+          @credential_source_executable_timeout_millis = @credential_source_executable[:timeout_millis] ||
+                                                         EXECUTABLE_TIMEOUT_MILLIS_DEFAULT
+          if @credential_source_executable_timeout_millis < EXECUTABLE_TIMEOUT_MILLIS_LOWER_BOUND ||
+             @credential_source_executable_timeout_millis > EXECUTABLE_TIMEOUT_MILLIS_UPPER_BOUND
+            raise "Timeout must be between 5 and 120 seconds."
+          end
+          @credential_source_executable_output_file = @credential_source_executable[:output_file]
+        end
+
+        def retrieve_subject_token!
+          unless ENV[ENABLE_PLUGGABLE_ENV] == "1"
+            raise "Executables need to be explicitly allowed (set GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES to '1') " \
+                  "to run."
+          end
+          # check output file first
+          subject_token = load_subject_token_from_output_file
+          return subject_token unless subject_token.nil?
+          # environment variable injection
+          env = inject_environment_variables
+          output = subprocess_with_timeout env, @credential_source_executable_command,
+                                           @credential_source_executable_timeout_millis
+          response = MultiJson.load output, symbolize_keys: true
+          parse_subject_token response
+        end
+
+        private
+
+        def load_subject_token_from_output_file
+          return nil if @credential_source_executable_output_file.nil?
+          return nil unless File.exist? @credential_source_executable_output_file
+          begin
+            content = File.read @credential_source_executable_output_file, encoding: "utf-8"
+            response = MultiJson.load content, symbolize_keys: true
+          rescue StandardError
+            return nil
+          end
+          begin
+            subject_token = parse_subject_token response
+          rescue StandardError => e
+            return nil if e.message.match(/The token returned by the executable is expired/)
+            raise e
+          end
+          subject_token
+        end
+
+        def parse_subject_token response
+          validate_response_schema response
+          unless response[:success]
+            if response[:code].nil? || response[:message].nil?
+              raise "Error code and message fields are required in the response."
+            end
+            raise "Executable returned unsuccessful response: code: #{response[:code]}, message: #{response[:message]}."
+          end
+          if response[:expiration_time] && response[:expiration_time] < Time.now.to_i
+            raise "The token returned by the executable is expired."
+          end
+          raise "The executable response is missing the token_type field." if response[:token_type].nil?
+          return response[:id_token] if ID_TOKEN_TYPE.include? response[:token_type]
+          return response[:saml_response] if response[:token_type] == "urn:ietf:params:oauth:token-type:saml2"
+          raise "Executable returned unsupported token type."
+        end
+
+        def validate_response_schema response
+          raise "The executable response is missing the version field." if response[:version].nil?
+          if response[:version] > EXECUTABLE_SUPPORTED_MAX_VERSION
+            raise "Executable returned unsupported version #{response[:version]}."
+          end
+          raise "The executable response is missing the success field." if response[:success].nil?
+        end
+
+        def inject_environment_variables
+          env = ENV.to_h
+          env["GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE"] = @audience
+          env["GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE"] = @subject_token_type
+          env["GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE"] = "0" # only non-interactive mode we support.
+          unless @service_account_impersonation_url.nil?
+            env["GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL"] = service_account_email
+          end
+          unless @credential_source_executable_output_file.nil?
+            env["GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE"] = @credential_source_executable_output_file
+          end
+          env
+        end
+
+        def subprocess_with_timeout environment_vars, command, timeout_seconds
+          Timeout.timeout timeout_seconds do
+            output, error, status = Open3.capture3 environment_vars, command
+            unless status.success?
+              raise "Executable exited with non-zero return code #{status.exitstatus}. Error: #{output}, #{error}"
+            end
+            output
+          end
+        end
+      end
+    end
+  end
+end

data/lib/googleauth/external_account.rb

@@ -17,6 +17,7 @@ require "uri"
 require "googleauth/credentials_loader"
 require "googleauth/external_account/aws_credentials"
 require "googleauth/external_account/identity_pool_credentials"
+require "googleauth/external_account/pluggable_credentials"
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization
@@ -80,6 +81,9 @@ module Google
             unless user_creds[:credential_source][:file].nil? && user_creds[:credential_source][:url].nil?
               return Google::Auth::ExternalAccount::IdentityPoolCredentials.new user_creds
             end
+            unless user_creds[:credential_source][:executable].nil?
+              return Google::Auth::ExternalAccount::PluggableAuthCredentials.new user_creds
+            end
             raise INVALID_EXTERNAL_ACCOUNT_TYPE
           end
         end

data/lib/googleauth/id_tokens.rb

@@ -153,7 +153,7 @@ module Google
         #     one of the provided values, or the verification will fail with
         #     {Google::Auth::IDToken::AuthorizedPartyMismatchError}. If `nil`
         #     (the default), no azp checking is performed.
-        # @param aud [String,Array<String>,nil] The expected audience. At least
+        # @param iss [String,Array<String>,nil] The expected issuer. At least
         #     one `iss` field in the token must match at least one of the
         #     provided issuers, or the verification will fail with
         #     {Google::Auth::IDToken::IssuerMismatchError}. If `nil`, no issuer
@@ -191,7 +191,7 @@ module Google
         #     one of the provided values, or the verification will fail with
         #     {Google::Auth::IDToken::AuthorizedPartyMismatchError}. If `nil`
         #     (the default), no azp checking is performed.
-        # @param aud [String,Array<String>,nil] The expected audience. At least
+        # @param iss [String,Array<String>,nil] The expected issuer. At least
         #     one `iss` field in the token must match at least one of the
         #     provided issuers, or the verification will fail with
         #     {Google::Auth::IDToken::IssuerMismatchError}. If `nil`, no issuer

data/lib/googleauth/scope_util.rb

@@ -18,27 +18,60 @@ require "multi_json"
 
 module Google
   module Auth
-    # Small utility for normalizing scopes into canonical form
+    ##
+    # Small utility for normalizing scopes into canonical form.
+    #
+    # The canonical form of scopes is as an array of strings, each in the form
+    # of a full URL. This utility converts space-delimited scope strings into
+    # this form, and handles a small number of common aliases.
+    #
+    # This is used by UserRefreshCredentials to verify that a credential grants
+    # a requested scope.
+    #
     module ScopeUtil
+      ##
+      # Aliases understood by this utility
+      #
       ALIASES = {
         "email"   => "https://www.googleapis.com/auth/userinfo.email",
         "profile" => "https://www.googleapis.com/auth/userinfo.profile",
         "openid"  => "https://www.googleapis.com/auth/plus.me"
       }.freeze
 
+      ##
+      # Normalize the input, which may be an array of scopes or a whitespace-
+      # delimited scope string. The output is always an array, even if a single
+      # scope is input.
+      #
+      # @param scope [String,Array<String>] Input scope(s)
+      # @return [Array<String>] An array of scopes in canonical form.
+      #
       def self.normalize scope
         list = as_array scope
         list.map { |item| ALIASES[item] || item }
       end
 
+      ##
+      # Ensure the input is an array. If a single string is passed in, splits
+      # it via whitespace. Does not interpret aliases.
+      #
+      # @param scope [String,Array<String>] Input scope(s)
+      # @return [Array<String>] Always an array of strings
+      # @raise ArgumentError If the input is not a string or array of strings
+      #
       def self.as_array scope
         case scope
         when Array
+          scope.each do |item|
+            unless item.is_a? String
+              raise ArgumentError, "Invalid scope value: #{item.inspect}. Must be string or array"
+            end
+          end
           scope
         when String
           scope.split
         else
-          raise "Invalid scope value. Must be string or array"
+          raise ArgumentError, "Invalid scope value: #{scope.inspect}. Must be string or array"
         end
       end
     end

data/lib/googleauth/user_authorizer.rb

@@ -80,6 +80,8 @@ module Google
       # @param [String, Array<String>] scope
       #  Authorization scope to request. Overrides the instance scopes if not
       #  nil.
+      # @param [Hash] additional_parameters
+      #  Additional query parameters to be added to the authorization URL.
       # @return [String]
       #  Authorization url
       def get_authorization_url options = {}
@@ -87,7 +89,8 @@ module Google
         credentials = UserRefreshCredentials.new(
           client_id:     @client_id.id,
           client_secret: @client_id.secret,
-          scope:         scope
+          scope:         scope,
+          additional_parameters: options[:additional_parameters]
         )
         redirect_uri = redirect_uri_for options[:base_url]
         url = credentials.authorization_uri(access_type:            "offline",
@@ -144,6 +147,9 @@ module Google
       #  Absolute URL to resolve the configured callback uri against.
       #  Required if the configured
       #  callback uri is a relative.
+      # @param [Hash] additional_parameters
+      #  Additional parameters to be added to the post body of token
+      #  endpoint request.
       # @return [Google::Auth::UserRefreshCredentials]
       #  Credentials if exchange is successful
       def get_credentials_from_code options = {}
@@ -152,10 +158,11 @@ module Google
         scope = options[:scope] || @scope
         base_url = options[:base_url]
         credentials = UserRefreshCredentials.new(
-          client_id:     @client_id.id,
-          client_secret: @client_id.secret,
-          redirect_uri:  redirect_uri_for(base_url),
-          scope:         scope
+          client_id:             @client_id.id,
+          client_secret:         @client_id.secret,
+          redirect_uri:          redirect_uri_for(base_url),
+          scope:                 scope,
+          additional_parameters: options[:additional_parameters]
         )
         credentials.code = code
         credentials.fetch_access_token!({})

data/lib/googleauth/version.rb

@@ -16,6 +16,6 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    VERSION = "1.6.0".freeze
+    VERSION = "1.8.0".freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: googleauth
 version: !ruby/object:Gem::Version
-  version: 1.6.0
+  version: 1.8.0
 platform: ruby
 authors:
 - Tim Emiola
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-06-23 00:00:00.000000000 Z
+date: 2023-09-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -50,20 +50,6 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '3.0'
-- !ruby/object:Gem::Dependency
-  name: memoist
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.16'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.16'
 - !ruby/object:Gem::Dependency
   name: multi_json
   requirement: !ruby/object:Gem::Requirement
@@ -145,6 +131,7 @@ files:
 - lib/googleauth/external_account/base_credentials.rb
 - lib/googleauth/external_account/external_account_utils.rb
 - lib/googleauth/external_account/identity_pool_credentials.rb
+- lib/googleauth/external_account/pluggable_credentials.rb
 - lib/googleauth/helpers/connection.rb
 - lib/googleauth/iam.rb
 - lib/googleauth/id_tokens.rb
@@ -185,7 +172,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.2
+rubygems_version: 3.4.19
 signing_key: 
 specification_version: 4
 summary: Google Auth Library for Ruby