googleauth 1.8.0 → 1.15.0

data/lib/googleauth/credentials.rb

@@ -14,9 +14,11 @@
 
 require "forwardable"
 require "json"
+require "pathname"
 require "signet/oauth_2/client"
 
 require "googleauth/credentials_loader"
+require "googleauth/errors"
 
 module Google
   module Auth
@@ -26,6 +28,14 @@ module Google
     # In most cases, it is subclassed by API-specific credential classes that
     # can be instantiated by clients.
     #
+    # **Important:** If you accept a credential configuration (credential
+    # JSON/File/Stream) from an external source for authentication to Google
+    # Cloud, you must validate it before providing it to any Google API or
+    # library. Providing an unvalidated credential configuration to Google APIs
+    # can compromise the security of your systems and data. For more
+    # information, refer to [Validate credential configurations from external
+    # sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
+    #
     # ## Options
     #
     # Credentials classes are configured with options that dictate default
@@ -259,7 +269,7 @@ module Google
       # @return [Object] The value
       #
       def self.lookup_auth_param name, method_name = name
-        val = instance_variable_get "@#{name}".to_sym
+        val = instance_variable_get :"@#{name}"
         val = yield if val.nil? && block_given?
         return val unless val.nil?
         return superclass.send method_name if superclass.respond_to? method_name
@@ -299,6 +309,12 @@ module Google
       #
       attr_reader :quota_project_id
 
+      # @private Temporary; remove when universe domain metadata endpoint is stable (see b/349488459).
+      def disable_universe_domain_check
+        return false unless @client.respond_to? :disable_universe_domain_check
+        @client.disable_universe_domain_check
+      end
+
       # @private Delegate client methods to the client object.
       extend Forwardable
 
@@ -315,9 +331,6 @@ module Google
       #   @return [String, Array<String>] The scope for this client. A scope is an access range
       #     defined by the authorization server. The scope can be a single value or a list of values.
       #
-      # @!attribute [r] target_audience
-      #   @return [String] The final target audience for ID tokens returned by this credential.
-      #
       # @!attribute [r] issuer
       #   @return [String] The issuer ID associated with this client.
       #
@@ -328,43 +341,81 @@ module Google
       #   @return [Proc] Returns a reference to the {Signet::OAuth2::Client#apply} method,
       #     suitable for passing as a closure.
       #
+      # @!attribute [r] target_audience
+      #   @return [String] The final target audience for ID tokens returned by this credential.
+      #
+      # @!attribute [rw] universe_domain
+      #   @return [String] The universe domain issuing these credentials.
+      #
+      # @!attribute [rw] logger
+      #   @return [Logger] The logger used to log credential operations such as token refresh.
+      #
       def_delegators :@client,
                      :token_credential_uri, :audience,
-                     :scope, :issuer, :signing_key, :updater_proc, :target_audience
+                     :scope, :issuer, :signing_key, :updater_proc, :target_audience,
+                     :universe_domain, :universe_domain=, :logger, :logger=
 
       ##
       # Creates a new Credentials instance with the provided auth credentials, and with the default
       # values configured on the class.
       #
-      # @param [String, Hash, Signet::OAuth2::Client] keyfile
-      #   The keyfile can be provided as one of the following:
+      # @param [String, Pathname, Hash, Google::Auth::BaseClient] source_creds
+      #   The source of credentials. It can be provided as one of the following:
+      #
+      #   * The path to a JSON keyfile (as a `String` or a `Pathname`)
+      #   * The contents of a JSON keyfile (as a `Hash`)
+      #   * A `Google::Auth::BaseClient` credentials object, including but not limited to
+      #       a `Signet::OAuth2::Client` object.
+      #   * Any credentials object that supports the methods this wrapper delegates to an inner client.
+      #
+      #   If this parameter is an object (`Signet::OAuth2::Client` or other) it will be used as an inner client.
+      #   Otherwise the inner client will be constructed from the JSON keyfile or the contens of the hash.
       #
-      #   * The path to a JSON keyfile (as a +String+)
-      #   * The contents of a JSON keyfile (as a +Hash+)
-      #   * A +Signet::OAuth2::Client+ object
       # @param [Hash] options
-      #   The options for configuring the credentials instance. The following is supported:
+      #   The options for configuring this wrapper credentials object and the inner client.
+      #   The options hash is used in two ways:
       #
-      #   * +:scope+ - the scope for the client
-      #   * +"project_id"+ (and optionally +"project"+) - the project identifier for the client
-      #   * +:connection_builder+ - the connection builder to use for the client
-      #   * +:default_connection+ - the default connection to use for the client
+      #   1. **Configuring the wrapper object:** Some options are used to directly
+      #      configure the wrapper `Credentials` instance. These include:
+      #
+      #     * `:project_id` (and optionally `:project`) - the project identifier for the client
+      #     * `:quota_project_id` - the quota project identifier for the client
+      #     * `:logger` - the logger used to log credential operations such as token refresh.
+      #
+      #   2. **Configuring the inner client:** When the `source_creds` parameter
+      #      is a `String` or `Hash`, a new `Signet::OAuth2::Client` is created
+      #      internally. The following options are used to configure this inner client:
+      #
+      #     * `:scope` - the scope for the client
+      #     * `:target_audience` - the target audience for the client
       #
-      def initialize keyfile, options = {}
-        verify_keyfile_provided! keyfile
-        @project_id = options["project_id"] || options["project"]
-        @quota_project_id = options["quota_project_id"]
-        case keyfile
-        when Google::Auth::BaseClient
-          update_from_signet keyfile
+      #   Any other options in the `options` hash are passed directly to the
+      #   inner client constructor. This allows you to configure additional
+      #   parameters of the `Signet::OAuth2::Client`, such as connection parameters,
+      #   timeouts, etc.
+      #
+      # @raise [Google::Auth::InitializationError] If source_creds is nil
+      # @raise [ArgumentError] If both scope and target_audience are specified
+      #
+      def initialize source_creds, options = {}
+        if source_creds.nil?
+          raise InitializationError,
+                "The source credentials passed to Google::Auth::Credentials.new were nil."
+        end
+
+        options = symbolize_hash_keys options
+        @project_id = options[:project_id] || options[:project]
+        @quota_project_id = options[:quota_project_id]
+        case source_creds
+        when String, Pathname
+          update_from_filepath source_creds, options
         when Hash
-          update_from_hash keyfile, options
+          update_from_hash source_creds, options
         else
-          update_from_filepath keyfile, options
+          update_from_client source_creds
         end
-        CredentialsLoader.warn_if_cloud_sdk_credentials @client.client_id
+        setup_logging logger: options.fetch(:logger, :default)
         @project_id ||= CredentialsLoader.load_gcloud_project_id
-        @client.fetch_access_token! if @client.needs_access_token?
         @env_vars = nil
         @paths = nil
         @scope = nil
@@ -458,7 +509,8 @@ module Google
           audience:               options[:audience] || audience
         }
         client = Google::Auth::DefaultCredentials.make_creds creds_input
-        new client
+        options = options.select { |k, _v| k == :logger }
+        new client, options
       end
 
       private_class_method :from_env_vars,
@@ -466,25 +518,65 @@ module Google
                            :from_application_default,
                            :from_io
 
-      protected
 
-      # Verify that the keyfile argument is provided.
-      def verify_keyfile_provided! keyfile
-        return unless keyfile.nil?
-        raise "The keyfile passed to Google::Auth::Credentials.new was nil."
+      # Creates a duplicate of these credentials. This method tries to create the duplicate of the
+      # wrapped credentials if they support duplication and use them as is if they don't.
+      #
+      # The wrapped credentials are typically `Signet::OAuth2::Client` objects and they keep
+      # the transient state (token, refresh token, etc). The duplication discards that state,
+      # allowing e.g. to get the token with a different scope.
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #
+      #   The options hash is used in two ways:
+      #
+      #   1. **Configuring the duplicate of the wrapper object:** Some options are used to directly
+      #      configure the wrapper `Credentials` instance. These include:
+      #
+      #     * `:project_id` (and optionally `:project`) - the project identifier for the credentials
+      #     * `:quota_project_id` - the quota project identifier for the credentials
+      #
+      #   2. **Configuring the duplicate of the inner client:** If the inner client supports duplication
+      #   the options hash is passed to it. This allows for configuration of additional parameters,
+      #   most importantly (but not limited to) the following:
+      #
+      #     * `:scope` - the scope for the client
+      #
+      # @return [Credentials]
+      def duplicate options = {}
+        options = deep_hash_normalize options
+
+        options = {
+          project_id: @project_id,
+          quota_project_id: @quota_project_id
+        }.merge(options)
+
+        new_client = if @client.respond_to? :duplicate
+                       @client.duplicate options
+                     else
+                       @client
+                     end
+
+        self.class.new new_client, options
       end
 
+      protected
+
       # Verify that the keyfile argument is a file.
+      #
+      # @param [String] keyfile Path to the keyfile
+      # @raise [Google::Auth::InitializationError] If the keyfile does not exist
       def verify_keyfile_exists! keyfile
         exists = ::File.file? keyfile
-        raise "The keyfile '#{keyfile}' is not a valid file." unless exists
+        raise InitializationError, "The keyfile '#{keyfile}' is not a valid file." unless exists
       end
 
       # Initializes the Signet client.
-      def init_client keyfile, connection_options = {}
-        client_opts = client_options keyfile
-        Signet::OAuth2::Client.new(client_opts)
-                              .configure_connection(connection_options)
+      def init_client hash, options = {}
+        options = update_client_options options
+        io = StringIO.new JSON.generate hash
+        options.merge! json_key_io: io
+        Google::Auth::DefaultCredentials.make_creds options
       end
 
       # returns a new Hash with string keys instead of symbol keys.
@@ -492,42 +584,45 @@ module Google
         hash.to_h.transform_keys(&:to_s)
       end
 
-      # rubocop:disable Metrics/AbcSize
+      # returns a new Hash with symbol keys instead of string keys.
+      def symbolize_hash_keys hash
+        hash.to_h.transform_keys(&:to_sym)
+      end
+
+      # Updates client options with defaults from the credential class
+      #
+      # @param [Hash] options Options to update
+      # @return [Hash] Updated options hash
+      # @raise [ArgumentError] If both scope and target_audience are specified
+      def update_client_options options
+        options = options.dup
 
-      def client_options options
-        # Keyfile options have higher priority over constructor defaults
-        options["token_credential_uri"] ||= self.class.token_credential_uri
-        options["audience"] ||= self.class.audience
-        options["scope"] ||= self.class.scope
-        options["target_audience"] ||= self.class.target_audience
+        # options have higher priority over constructor defaults
+        options[:token_credential_uri] ||= self.class.token_credential_uri
+        options[:audience] ||= self.class.audience
+        options[:scope] ||= self.class.scope
+        options[:target_audience] ||= self.class.target_audience
 
-        if !Array(options["scope"]).empty? && options["target_audience"]
+        if !Array(options[:scope]).empty? && options[:target_audience]
           raise ArgumentError, "Cannot specify both scope and target_audience"
         end
+        options.delete :scope unless options[:target_audience].nil?
 
-        needs_scope = options["target_audience"].nil?
-        # client options for initializing signet client
-        { token_credential_uri: options["token_credential_uri"],
-          audience:             options["audience"],
-          scope:                (needs_scope ? Array(options["scope"]) : nil),
-          target_audience:      options["target_audience"],
-          issuer:               options["client_email"],
-          signing_key:          OpenSSL::PKey::RSA.new(options["private_key"]) }
+        options
       end
 
-      # rubocop:enable Metrics/AbcSize
-
-      def update_from_signet client
+      def update_from_client client
         @project_id ||= client.project_id if client.respond_to? :project_id
         @quota_project_id ||= client.quota_project_id if client.respond_to? :quota_project_id
         @client = client
       end
+      alias update_from_signet update_from_client
 
       def update_from_hash hash, options
         hash = stringify_hash_keys hash
         hash["scope"] ||= options[:scope]
         hash["target_audience"] ||= options[:target_audience]
-        @project_id ||= (hash["project_id"] || hash["project"])
+        @project_id ||= hash["project_id"] || hash["project"]
         @quota_project_id ||= hash["quota_project_id"]
         @client = init_client hash, options
       end
@@ -537,10 +632,44 @@ module Google
         json = JSON.parse ::File.read(path)
         json["scope"] ||= options[:scope]
         json["target_audience"] ||= options[:target_audience]
-        @project_id ||= (json["project_id"] || json["project"])
+        @project_id ||= json["project_id"] || json["project"]
         @quota_project_id ||= json["quota_project_id"]
         @client = init_client json, options
       end
+
+      def setup_logging logger: :default
+        return unless @client.respond_to? :logger=
+        logging_env = ENV["GOOGLE_SDK_RUBY_LOGGING_GEMS"].to_s.downcase
+        if ["false", "none"].include? logging_env
+          logger = nil
+        elsif @client.logger
+          logger = @client.logger
+        elsif logger == :default
+          logger = nil
+          if ["true", "all"].include?(logging_env) || logging_env.split(",").include?("googleauth")
+            formatter = Google::Logging::StructuredFormatter.new if Google::Cloud::Env.get.logging_agent_expected?
+            logger = Logger.new $stderr, progname: "googleauth", formatter: formatter
+          end
+        end
+        @client.logger = logger
+      end
+
+      private
+
+      # Convert all keys in this hash (nested) to symbols for uniform retrieval
+      def recursive_hash_normalize_keys val
+        if val.is_a? Hash
+          deep_hash_normalize val
+        else
+          val
+        end
+      end
+
+      def deep_hash_normalize old_hash
+        sym_hash = {}
+        old_hash&.each { |k, v| sym_hash[k.to_sym] = recursive_hash_normalize_keys v }
+        sym_hash
+      end
     end
   end
 end

data/lib/googleauth/credentials_loader.rb

@@ -15,6 +15,8 @@
 require "os"
 require "rbconfig"
 
+require "googleauth/errors"
+
 module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
@@ -37,7 +39,7 @@ module Google
       AWS_SESSION_TOKEN_VAR     = "AWS_SESSION_TOKEN".freeze
       GCLOUD_POSIX_COMMAND      = "gcloud".freeze
       GCLOUD_WINDOWS_COMMAND    = "gcloud.cmd".freeze
-      GCLOUD_CONFIG_COMMAND     = "config config-helper --format json --verbosity none".freeze
+      GCLOUD_CONFIG_COMMAND     = "config config-helper --format json --verbosity none --quiet".freeze
 
       CREDENTIALS_FILE_NAME = "application_default_credentials.json".freeze
       NOT_FOUND_ERROR = "Unable to read the credential file specified by #{ENV_VAR}".freeze
@@ -49,14 +51,6 @@ module Google
       CLOUD_SDK_CLIENT_ID = "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.app" \
                             "s.googleusercontent.com".freeze
 
-      CLOUD_SDK_CREDENTIALS_WARNING =
-        "You are authenticating using user credentials." \
-        "For production, we recommend using service account credentials." \
-        "To learn more about service account credentials, see" \
-        "http://cloud.google.com/docs/authentication/external/set-up-adc-on-cloud " \
-        "To suppress this message, set the " \
-        "GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS environment variable.".freeze
-
       # make_creds proxies the construction of a credentials instance
       #
       # By default, it calls #new on the current class, but this behaviour can
@@ -79,11 +73,12 @@ module Google
       #     The following keys are recognized:
       #     * `:default_connection` The connection object to use.
       #     * `:connection_builder` A `Proc` that returns a connection.
+      # @raise [Google::Auth::InitializationError] If the credentials file cannot be read
       def from_env scope = nil, options = {}
         options = interpret_options scope, options
         if ENV.key?(ENV_VAR) && !ENV[ENV_VAR].empty?
           path = ENV[ENV_VAR]
-          raise "file #{path} does not exist" unless File.exist? path
+          raise InitializationError, "file #{path} does not exist" unless File.exist? path
           File.open path do |f|
             return make_creds options.merge(json_key_io: f)
           end
@@ -91,7 +86,7 @@ module Google
           make_creds options
         end
       rescue StandardError => e
-        raise "#{NOT_FOUND_ERROR}: #{e}"
+        raise InitializationError, "#{NOT_FOUND_ERROR}: #{e}"
       end
 
       # Creates an instance from a well known path.
@@ -105,6 +100,7 @@ module Google
       #     The following keys are recognized:
       #     * `:default_connection` The connection object to use.
       #     * `:connection_builder` A `Proc` that returns a connection.
+      # @raise [Google::Auth::InitializationError] If the credentials file cannot be read
       def from_well_known_path scope = nil, options = {}
         options = interpret_options scope, options
         home_var = OS.windows? ? "APPDATA" : "HOME"
@@ -117,7 +113,7 @@ module Google
           return make_creds options.merge(json_key_io: f)
         end
       rescue StandardError => e
-        raise "#{WELL_KNOWN_ERROR}: #{e}"
+        raise InitializationError, "#{WELL_KNOWN_ERROR}: #{e}"
       end
 
       # Creates an instance from the system default path
@@ -131,6 +127,7 @@ module Google
       #     The following keys are recognized:
       #     * `:default_connection` The connection object to use.
       #     * `:connection_builder` A `Proc` that returns a connection.
+      # @raise [Google::Auth::InitializationError] If the credentials file cannot be read or is invalid
       def from_system_default_path scope = nil, options = {}
         options = interpret_options scope, options
         if OS.windows?
@@ -145,22 +142,16 @@ module Google
           return make_creds options.merge(json_key_io: f)
         end
       rescue StandardError => e
-        raise "#{SYSTEM_DEFAULT_ERROR}: #{e}"
+        raise InitializationError, "#{SYSTEM_DEFAULT_ERROR}: #{e}"
       end
 
       module_function
 
-      # Issues warning if cloud sdk client id is used
-      def warn_if_cloud_sdk_credentials client_id
-        return if ENV["GOOGLE_AUTH_SUPPRESS_CREDENTIALS_WARNINGS"]
-        warn CLOUD_SDK_CREDENTIALS_WARNING if client_id == CLOUD_SDK_CLIENT_ID
-      end
-
       # Finds project_id from gcloud CLI configuration
       def load_gcloud_project_id
         gcloud = GCLOUD_WINDOWS_COMMAND if OS.windows?
         gcloud = GCLOUD_POSIX_COMMAND unless OS.windows?
-        gcloud_json = IO.popen("#{gcloud} #{GCLOUD_CONFIG_COMMAND}", in: :close, err: :close, &:read)
+        gcloud_json = IO.popen("#{gcloud} #{GCLOUD_CONFIG_COMMAND}", err: :close, &:read)
         config = MultiJson.load gcloud_json
         config["configuration"]["properties"]["core"]["project"]
       rescue StandardError

data/lib/googleauth/default_credentials.rb

@@ -16,9 +16,11 @@ require "multi_json"
 require "stringio"
 
 require "googleauth/credentials_loader"
+require "googleauth/errors"
+require "googleauth/external_account"
 require "googleauth/service_account"
+require "googleauth/service_account_jwt_header"
 require "googleauth/user_refresh"
-require "googleauth/external_account"
 
 module Google
   # Module Auth provides classes that provide Google-specific authorization
@@ -29,26 +31,41 @@ module Google
     class DefaultCredentials
       extend CredentialsLoader
 
-      # override CredentialsLoader#make_creds to use the class determined by
+      ##
+      # Override CredentialsLoader#make_creds to use the class determined by
       # loading the json.
+      #
+      # **Important:** If you accept a credential configuration (credential
+      # JSON/File/Stream) from an external source for authentication to Google
+      # Cloud, you must validate it before providing it to any Google API or
+      # library. Providing an unvalidated credential configuration to Google
+      # APIs can compromise the security of your systems and data. For more
+      # information, refer to [Validate credential configurations from external
+      # sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
+      #
+      # @param options [Hash] Options for creating the credentials
+      # @return [Google::Auth::Credentials] The credentials instance
+      # @raise [Google::Auth::InitializationError] If the credentials cannot be determined
       def self.make_creds options = {}
         json_key_io = options[:json_key_io]
         if json_key_io
           json_key, clz = determine_creds_class json_key_io
-          warn_if_cloud_sdk_credentials json_key["client_id"]
           io = StringIO.new MultiJson.dump(json_key)
           clz.make_creds options.merge(json_key_io: io)
         else
-          warn_if_cloud_sdk_credentials ENV[CredentialsLoader::CLIENT_ID_VAR]
           clz = read_creds
           clz.make_creds options
         end
       end
 
+      # Reads the credential type from environment and returns the appropriate class
+      #
+      # @return [Class] The credential class to use
+      # @raise [Google::Auth::InitializationError] If the credentials type is undefined or unsupported
       def self.read_creds
         env_var = CredentialsLoader::ACCOUNT_TYPE_VAR
         type = ENV[env_var]
-        raise "#{env_var} is undefined in env" unless type
+        raise InitializationError, "#{env_var} is undefined in env" unless type
         case type
         when "service_account"
           ServiceAccountCredentials
@@ -57,15 +74,19 @@ module Google
         when "external_account"
           ExternalAccount::Credentials
         else
-          raise "credentials type '#{type}' is not supported"
+          raise InitializationError, "credentials type '#{type}' is not supported"
         end
       end
 
       # Reads the input json and determines which creds class to use.
+      #
+      # @param json_key_io [IO] An IO object containing the JSON key
+      # @return [Array(Hash, Class)] The JSON key and the credential class to use
+      # @raise [Google::Auth::InitializationError] If the JSON is missing the type field or has an unsupported type
       def self.determine_creds_class json_key_io
         json_key = MultiJson.load json_key_io.read
         key = "type"
-        raise "the json is missing the '#{key}' field" unless json_key.key? key
+        raise InitializationError, "the json is missing the '#{key}' field" unless json_key.key? key
         type = json_key[key]
         case type
         when "service_account"
@@ -75,7 +96,7 @@ module Google
         when "external_account"
           [json_key, ExternalAccount::Credentials]
         else
-          raise "credentials type '#{type}' is not supported"
+          raise InitializationError, "credentials type '#{type}' is not supported"
         end
       end
     end

data/lib/googleauth/errors.rb

@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+require "signet/oauth_2/client"
+
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Google
+  module Auth
+    ##
+    # Error mixin module for Google Auth errors
+    # All Google Auth errors should include this module
+    #
+    module Error; end
+
+    ##
+    # Mixin module that contains detailed error information
+    # typically this is available if credentials initialization
+    # succeeds and credentials object is valid
+    #
+    module DetailedError
+      include Error
+
+      # The type of the credentials that the error was originated from
+      # @return [String, nil] The class name of the credential that raised the error
+      attr_reader :credential_type_name
+
+      # The principal for the authentication flow. Typically obtained from credentials
+      # @return [String, Symbol, nil] The principal identifier associated with the credentials
+      attr_reader :principal
+
+      # All details passed in the options hash when creating the error
+      # @return [Hash] Additional details about the error
+      attr_reader :details
+
+      # @private
+      def self.included base
+        base.extend ClassMethods
+      end
+
+      # Class methods to be added to including classes
+      module ClassMethods
+        # Creates a new error with detailed information
+        # @param message [String] The error message
+        # @param credential_type_name [String] The credential type that raised the error
+        # @param principal [String, Symbol] The principal for the authentication flow
+        # @return [Error] The new error with details
+        def with_details message, credential_type_name:, principal:
+          new(message).tap do |error|
+            error.instance_variable_set :@credential_type_name, credential_type_name
+            error.instance_variable_set :@principal, principal
+          end
+        end
+      end
+    end
+
+    ##
+    # Error raised during Credentials initialization.
+    # All new code should use this instead of ArgumentError during initializtion.
+    #
+    class InitializationError < StandardError
+      include Error
+    end
+
+    ##
+    # Generic error raised during operation of Credentials
+    # This should be used for all purposes not covered by other errors.
+    #
+    class CredentialsError < StandardError
+      include DetailedError
+    end
+
+    ##
+    # An error indicating the remote server refused to authorize the client.
+    # Maintains backward compatibility with Signet.
+    #
+    # Should not be used in the new code, even when wrapping `Signet::AuthorizationError`.
+    # New code should use CredentialsError instead.
+    #
+    class AuthorizationError < Signet::AuthorizationError
+      include DetailedError
+    end
+
+    ##
+    # An error indicating that the server sent an unexpected http status.
+    # Maintains backward compatibility with Signet.
+    #
+    # Should not be used in the new code, even when wrapping `Signet::UnexpectedStatusError`.
+    # New code should use CredentialsError instead.
+    #
+    class UnexpectedStatusError < Signet::UnexpectedStatusError
+      include DetailedError
+    end
+
+    ##
+    # An error indicating the client failed to parse a value.
+    # Maintains backward compatibility with Signet.
+    #
+    # Should not be used in the new code, even when wrapping `Signet::ParseError`.
+    # New code should use CredentialsError instead.
+    #
+    class ParseError < Signet::ParseError
+      include DetailedError
+    end
+  end
+end