googleauth 1.8.1 → 1.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 37795e56189392a97d5941b4982730ffa2ee1dd53ec63593bbb7f5ad50be044e
-  data.tar.gz: 72d6b584c89c321698485bda1e4aef33f361ed35da4762bd22b5dc4634556f8f
+  metadata.gz: 4912a601c0a234fa9faf150d7461cab993f775b715f6ac7d19db017ceae74e6d
+  data.tar.gz: e08da21e12d58260944079d068a04099fa0c812eb486e760a3ab12dd002700f4
 SHA512:
-  metadata.gz: 1dcfc8f1e8e65f9b4b27c4933e71faffd2998d11766307cf464d0551d5f37e41c266e840a340a9aba41d49f44d05005006077526851b1b33e277ce3155d16370
-  data.tar.gz: f036b3403998c93f41eae33c472ad714758e6c6d06e9a1b197b53d118d182c2abb9caf40636ff63c152e2186642430de824e7929dcd2978cd358a5bd03194c1c
+  metadata.gz: b0346fcaf38cb783fd4d22f0734994298d63dfa1a89fd34df4d4f42b87160de410e34c93ab4773c3bbaf03b41160f10e3fd5bc0fa137d1ab6fb5dce15f72ba53
+  data.tar.gz: c5ff10a04491e9f56dff9bcea24c67398e67713efc89c2d378075621da837b59c5fdbd36c0b97d5753fd0358befe8ce2ceacc86af1cce0a1c54d609d916903c6

data/CHANGELOG.md

@@ -1,5 +1,40 @@
 # Release History
 
+### 1.11.0 (2024-02-09)
+
+#### Features
+
+* Deprecate the positional argument for callback_uri, and introduce keyword argument instead ([#475](https://github.com/googleapis/google-auth-library-ruby/issues/475)) 
+
+### 1.10.0 (2024-02-08)
+
+#### Features
+
+* add PKCE to 3 Legged OAuth exchange ([#471](https://github.com/googleapis/google-auth-library-ruby/issues/471)) 
+#### Bug Fixes
+
+* Client library credentials provide correct self-signed JWT and external account behavior when loading from a file path or JSON data ([#474](https://github.com/googleapis/google-auth-library-ruby/issues/474)) 
+* Prioritize universe domain specified in GCECredentials arguments over metadata-fetched value ([#472](https://github.com/googleapis/google-auth-library-ruby/issues/472)) 
+
+### 1.9.2 (2024-01-25)
+
+#### Bug Fixes
+
+* Prevent access tokens from being fetched at service account construction in the self-signed-jwt case ([#467](https://github.com/googleapis/google-auth-library-ruby/issues/467)) 
+
+### 1.9.1 (2023-12-12)
+
+#### Bug Fixes
+
+* update expires_in for cached metadata-retrieved tokens ([#464](https://github.com/googleapis/google-auth-library-ruby/issues/464)) 
+
+### 1.9.0 (2023-12-07)
+
+#### Features
+
+* Include universe_domain in credentials ([#460](https://github.com/googleapis/google-auth-library-ruby/issues/460)) 
+* Use google-cloud-env for more robust Metadata Service access ([#459](https://github.com/googleapis/google-auth-library-ruby/issues/459)) 
+
 ### 1.8.1 (2023-09-19)
 
 #### Documentation

data/README.md

@@ -97,6 +97,45 @@ get('/oauth2callback') do
 end
 ```
 
+### Example (Web with PKCE)
+
+Proof Key for Code Exchange (PKCE) is an [RFC](https://www.rfc-editor.org/rfc/rfc7636) that aims to prevent malicious operating system processes from hijacking an OAUTH 2.0 exchange. PKCE mitigates the above vulnerability by including `code_challenge` and `code_challenge_method` parameters in the Authorization Request and a `code_verifier` parameter in the Access Token Request.
+
+```ruby
+require 'googleauth'
+require 'googleauth/web_user_authorizer'
+require 'googleauth/stores/redis_token_store'
+require 'redis'
+
+client_id = Google::Auth::ClientId.from_file('/path/to/client_secrets.json')
+scope = ['https://www.googleapis.com/auth/drive']
+token_store = Google::Auth::Stores::RedisTokenStore.new(redis: Redis.new)
+authorizer = Google::Auth::WebUserAuthorizer.new(
+  client_id, scope, token_store, '/oauth2callback')
+
+
+get('/authorize') do
+  # NOTE: Assumes the user is already authenticated to the app
+  user_id = request.session['user_id']
+  # User needs to take care of generating the code_verifier and storing it in
+  # the session.
+  request.session['code_verifier'] ||= Google::Auth::WebUserAuthorizer.generate_code_verifier
+  authorizer.code_verifier = request.session['code_verifier']
+  credentials = authorizer.get_credentials(user_id, request)
+  if credentials.nil?
+    redirect authorizer.get_authorization_url(login_hint: user_id, request: request)
+  end
+  # Credentials are valid, can call APIs
+  # ...
+end
+
+get('/oauth2callback') do
+  target_url = Google::Auth::WebUserAuthorizer.handle_auth_callback_deferred(
+    request)
+  redirect target_url
+end
+```
+
 ### Example (Command Line) [Deprecated]
 
 The Google Auth OOB flow has been discontiued on January 31, 2023. The OOB flow is a legacy flow that is no longer considered secure. To continue using Google Auth, please migrate your applications to a more secure flow. For more information on how to do this, please refer to this [OOB Migration](https://developers.google.com/identity/protocols/oauth2/resources/oob-migration) guide.

data/lib/googleauth/application_default.rb

@@ -55,11 +55,7 @@ module Google
               DefaultCredentials.from_well_known_path(scope, options) ||
               DefaultCredentials.from_system_default_path(scope, options)
       return creds unless creds.nil?
-      unless GCECredentials.on_gce? options
-        # Clear cache of the result of GCECredentials.on_gce?
-        GCECredentials.reset_cache
-        raise NOT_FOUND_ERROR
-      end
+      raise NOT_FOUND_ERROR unless GCECredentials.on_gce? options
       GCECredentials.new options.merge(scope: scope)
     end
   end

data/lib/googleauth/compute_engine.rb

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "faraday"
+require "google-cloud-env"
 require "googleauth/signet"
 
 module Google
@@ -33,83 +33,77 @@ module Google
     # Extends Signet::OAuth2::Client so that the auth token is obtained from
     # the GCE metadata server.
     class GCECredentials < Signet::OAuth2::Client
-      # The IP Address is used in the URIs to speed up failures on non-GCE
-      # systems.
+      # @private Unused and deprecated but retained to prevent breaking changes
       DEFAULT_METADATA_HOST = "169.254.169.254".freeze
 
-      # @private Unused and deprecated
+      # @private Unused and deprecated but retained to prevent breaking changes
       COMPUTE_AUTH_TOKEN_URI =
         "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token".freeze
-      # @private Unused and deprecated
+      # @private Unused and deprecated but retained to prevent breaking changes
       COMPUTE_ID_TOKEN_URI =
         "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/identity".freeze
-      # @private Unused and deprecated
+      # @private Unused and deprecated but retained to prevent breaking changes
       COMPUTE_CHECK_URI = "http://169.254.169.254".freeze
 
-      @on_gce_cache = {}
-
       class << self
+        # @private Unused and deprecated
         def metadata_host
           ENV.fetch "GCE_METADATA_HOST", DEFAULT_METADATA_HOST
         end
 
+        # @private Unused and deprecated
         def compute_check_uri
           "http://#{metadata_host}".freeze
         end
 
+        # @private Unused and deprecated
         def compute_auth_token_uri
           "#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/token".freeze
         end
 
+        # @private Unused and deprecated
         def compute_id_token_uri
           "#{compute_check_uri}/computeMetadata/v1/instance/service-accounts/default/identity".freeze
         end
 
         # Detect if this appear to be a GCE instance, by checking if metadata
         # is available.
-        def on_gce? options = {}, reload = false # rubocop:disable Style/OptionalBooleanParameter
-          # We can follow OptionalBooleanParameter here because it's a public interface, we can't change it.
-          @on_gce_cache.delete options if reload
-          @on_gce_cache.fetch options do
-            @on_gce_cache[options] = begin
-              # TODO: This should use google-cloud-env instead.
-              c = options[:connection] || Faraday.default_connection
-              headers = { "Metadata-Flavor" => "Google" }
-              resp = c.get compute_check_uri, nil, headers do |req|
-                req.options.timeout = 1.0
-                req.options.open_timeout = 0.1
-              end
-              return false unless resp.status == 200
-              resp.headers["Metadata-Flavor"] == "Google"
-            rescue Faraday::TimeoutError, Faraday::ConnectionFailed
-              false
-            end
-          end
+        # The parameters are deprecated and unused.
+        def on_gce? _options = {}, _reload = false # rubocop:disable Style/OptionalBooleanParameter
+          Google::Cloud.env.metadata?
         end
 
         def reset_cache
-          @on_gce_cache.clear
+          Google::Cloud.env.compute_metadata.reset_existence!
+          Google::Cloud.env.compute_metadata.cache.expire_all!
         end
         alias unmemoize_all reset_cache
       end
 
+      # Construct a GCECredentials
+      def initialize options = {}
+        # Override the constructor to remember whether the universe domain was
+        # overridden by a constructor argument.
+        @universe_domain_overridden = options["universe_domain"] || options[:universe_domain] ? true : false
+        super options
+      end
+
       # Overrides the super class method to change how access tokens are
       # fetched.
-      def fetch_access_token options = {}
-        c = options[:connection] || Faraday.default_connection
-        retry_with_error do
-          uri = target_audience ? GCECredentials.compute_id_token_uri : GCECredentials.compute_auth_token_uri
-          query = target_audience ? { "audience" => target_audience, "format" => "full" } : {}
-          query[:scopes] = Array(scope).join "," if scope
-          resp = c.get uri, query, "Metadata-Flavor" => "Google"
+      def fetch_access_token _options = {}
+        if token_type == :id_token
+          query = { "audience" => target_audience, "format" => "full" }
+          entry = "service-accounts/default/identity"
+        else
+          query = {}
+          entry = "service-accounts/default/token"
+        end
+        query[:scopes] = Array(scope).join "," if scope
+        begin
+          resp = Google::Cloud.env.lookup_metadata_response "instance", entry, query: query
           case resp.status
           when 200
-            content_type = resp.headers["content-type"]
-            if ["text/html", "application/text"].include? content_type
-              { (target_audience ? "id_token" : "access_token") => resp.body }
-            else
-              Signet::OAuth2.parse_credentials resp.body, content_type
-            end
+            build_token_hash resp.body, resp.headers["content-type"], resp.retrieval_monotonic_time
           when 403, 500
             msg = "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
             raise Signet::UnexpectedStatusError, msg
@@ -119,7 +113,35 @@ module Google
             msg = "Unexpected error code #{resp.status} #{UNEXPECTED_ERROR_SUFFIX}"
             raise Signet::AuthorizationError, msg
           end
+        rescue Google::Cloud::Env::MetadataServerNotResponding => e
+          raise Signet::AuthorizationError, e.message
+        end
+      end
+
+      private
+
+      def build_token_hash body, content_type, retrieval_time
+        hash =
+          if ["text/html", "application/text"].include? content_type
+            { token_type.to_s => body }
+          else
+            Signet::OAuth2.parse_credentials body, content_type
+          end
+        unless @universe_domain_overridden
+          universe_domain = Google::Cloud.env.lookup_metadata "universe", "universe_domain"
+          universe_domain = "googleapis.com" if !universe_domain || universe_domain.empty?
+          hash["universe_domain"] = universe_domain.strip
+        end
+        # The response might have been cached, which means expires_in might be
+        # stale. Update it based on the time since the data was retrieved.
+        # We also ensure expires_in is conservative; subtracting at least 1
+        # second to offset any skew from metadata server latency.
+        if hash["expires_in"].is_a? Numeric
+          offset = 1 + (Process.clock_gettime(Process::CLOCK_MONOTONIC) - retrieval_time).round
+          hash["expires_in"] -= offset if offset.positive?
+          hash["expires_in"] = 0 if hash["expires_in"].negative?
         end
+        hash
       end
     end
   end

data/lib/googleauth/credentials.rb

@@ -259,7 +259,7 @@ module Google
       # @return [Object] The value
       #
       def self.lookup_auth_param name, method_name = name
-        val = instance_variable_get "@#{name}".to_sym
+        val = instance_variable_get :"@#{name}"
         val = yield if val.nil? && block_given?
         return val unless val.nil?
         return superclass.send method_name if superclass.respond_to? method_name
@@ -328,9 +328,13 @@ module Google
       #   @return [Proc] Returns a reference to the {Signet::OAuth2::Client#apply} method,
       #     suitable for passing as a closure.
       #
+      # @!attribute [rw] universe_domain
+      #   @return [String] The universe domain issuing these credentials.
+      #
       def_delegators :@client,
                      :token_credential_uri, :audience,
-                     :scope, :issuer, :signing_key, :updater_proc, :target_audience
+                     :scope, :issuer, :signing_key, :updater_proc, :target_audience,
+                     :universe_domain, :universe_domain=
 
       ##
       # Creates a new Credentials instance with the provided auth credentials, and with the default
@@ -352,8 +356,9 @@ module Google
       #
       def initialize keyfile, options = {}
         verify_keyfile_provided! keyfile
-        @project_id = options["project_id"] || options["project"]
-        @quota_project_id = options["quota_project_id"]
+        options = symbolize_hash_keys options
+        @project_id = options[:project_id] || options[:project]
+        @quota_project_id = options[:quota_project_id]
         case keyfile
         when Google::Auth::BaseClient
           update_from_signet keyfile
@@ -480,10 +485,11 @@ module Google
       end
 
       # Initializes the Signet client.
-      def init_client keyfile, connection_options = {}
-        client_opts = client_options keyfile
-        Signet::OAuth2::Client.new(client_opts)
-                              .configure_connection(connection_options)
+      def init_client hash, options = {}
+        options = update_client_options options
+        io = StringIO.new JSON.generate hash
+        options.merge! json_key_io: io
+        Google::Auth::DefaultCredentials.make_creds options
       end
 
       # returns a new Hash with string keys instead of symbol keys.
@@ -491,31 +497,28 @@ module Google
         hash.to_h.transform_keys(&:to_s)
       end
 
-      # rubocop:disable Metrics/AbcSize
+      # returns a new Hash with symbol keys instead of string keys.
+      def symbolize_hash_keys hash
+        hash.to_h.transform_keys(&:to_sym)
+      end
+
+      def update_client_options options
+        options = options.dup
 
-      def client_options options
-        # Keyfile options have higher priority over constructor defaults
-        options["token_credential_uri"] ||= self.class.token_credential_uri
-        options["audience"] ||= self.class.audience
-        options["scope"] ||= self.class.scope
-        options["target_audience"] ||= self.class.target_audience
+        # options have higher priority over constructor defaults
+        options[:token_credential_uri] ||= self.class.token_credential_uri
+        options[:audience] ||= self.class.audience
+        options[:scope] ||= self.class.scope
+        options[:target_audience] ||= self.class.target_audience
 
-        if !Array(options["scope"]).empty? && options["target_audience"]
+        if !Array(options[:scope]).empty? && options[:target_audience]
           raise ArgumentError, "Cannot specify both scope and target_audience"
         end
+        options.delete :scope unless options[:target_audience].nil?
 
-        needs_scope = options["target_audience"].nil?
-        # client options for initializing signet client
-        { token_credential_uri: options["token_credential_uri"],
-          audience:             options["audience"],
-          scope:                (needs_scope ? Array(options["scope"]) : nil),
-          target_audience:      options["target_audience"],
-          issuer:               options["client_email"],
-          signing_key:          OpenSSL::PKey::RSA.new(options["private_key"]) }
+        options
       end
 
-      # rubocop:enable Metrics/AbcSize
-
       def update_from_signet client
         @project_id ||= client.project_id if client.respond_to? :project_id
         @quota_project_id ||= client.quota_project_id if client.respond_to? :quota_project_id
@@ -526,7 +529,7 @@ module Google
         hash = stringify_hash_keys hash
         hash["scope"] ||= options[:scope]
         hash["target_audience"] ||= options[:target_audience]
-        @project_id ||= (hash["project_id"] || hash["project"])
+        @project_id ||= hash["project_id"] || hash["project"]
         @quota_project_id ||= hash["quota_project_id"]
         @client = init_client hash, options
       end
@@ -536,7 +539,7 @@ module Google
         json = JSON.parse ::File.read(path)
         json["scope"] ||= options[:scope]
         json["target_audience"] ||= options[:target_audience]
-        @project_id ||= (json["project_id"] || json["project"])
+        @project_id ||= json["project_id"] || json["project"]
         @quota_project_id ||= json["quota_project_id"]
         @client = init_client json, options
       end

data/lib/googleauth/external_account/base_credentials.rb

@@ -42,6 +42,7 @@ module Google
 
         attr_reader :expires_at
         attr_accessor :access_token
+        attr_accessor :universe_domain
 
         def expires_within? seconds
           # This method is needed for BaseClient
@@ -85,8 +86,7 @@ module Google
         #     true if the credentials represent a workforce pool.
         #     false if they represent a workload.
         def is_workforce_pool?
-          pattern = "//iam\.googleapis\.com/locations/[^/]+/workforcePools/"
-          /#{pattern}/.match?(@audience || "")
+          %r{/iam\.googleapis\.com/locations/[^/]+/workforcePools/}.match?(@audience || "")
         end
 
         private
@@ -111,6 +111,7 @@ module Google
           @quota_project_id = options[:quota_project_id]
           @project_id = nil
           @workforce_pool_user_project = options[:workforce_pool_user_project]
+          @universe_domain = options[:universe_domain] || "googleapis.com"
 
           @expires_at = nil
           @access_token = nil

data/lib/googleauth/external_account.rb

@@ -73,7 +73,8 @@ module Google
               subject_token_type: user_creds[:subject_token_type],
               token_url: user_creds[:token_url],
               credential_source: user_creds[:credential_source],
-              service_account_impersonation_url: user_creds[:service_account_impersonation_url]
+              service_account_impersonation_url: user_creds[:service_account_impersonation_url],
+              universe_domain: user_creds[:universe_domain]
             )
           end
 

data/lib/googleauth/json_key_reader.rb

@@ -27,7 +27,8 @@ module Google
           json_key["private_key"],
           json_key["client_email"],
           json_key["project_id"],
-          json_key["quota_project_id"]
+          json_key["quota_project_id"],
+          json_key["universe_domain"]
         ]
       end
     end

data/lib/googleauth/service_account.rb

@@ -39,7 +39,11 @@ module Google
       attr_reader :quota_project_id
 
       def enable_self_signed_jwt?
-        @enable_self_signed_jwt
+        # Use a self-singed JWT if there's no information that can be used to
+        # obtain an OAuth token, OR if there are scopes but also an assertion
+        # that they are default scopes that shouldn't be used to fetch a token,
+        # OR we are not in the default universe and thus OAuth isn't supported.
+        target_audience.nil? && (scope.nil? || @enable_self_signed_jwt || universe_domain != "googleapis.com")
       end
 
       # Creates a ServiceAccountCredentials.
@@ -53,12 +57,13 @@ module Google
         raise ArgumentError, "Cannot specify both scope and target_audience" if scope && target_audience
 
         if json_key_io
-          private_key, client_email, project_id, quota_project_id = read_json_key json_key_io
+          private_key, client_email, project_id, quota_project_id, universe_domain = read_json_key json_key_io
         else
           private_key = unescape ENV[CredentialsLoader::PRIVATE_KEY_VAR]
           client_email = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
           project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
           quota_project_id = nil
+          universe_domain = nil
         end
         project_id ||= CredentialsLoader.load_gcloud_project_id
 
@@ -70,7 +75,8 @@ module Google
             issuer:                 client_email,
             signing_key:            OpenSSL::PKey::RSA.new(private_key),
             project_id:             project_id,
-            quota_project_id:       quota_project_id)
+            quota_project_id:       quota_project_id,
+            universe_domain:        universe_domain || "googleapis.com")
           .configure_connection(options)
       end
 
@@ -93,16 +99,18 @@ module Google
       # Extends the base class to use a transient
       # ServiceAccountJwtHeaderCredentials for certain cases.
       def apply! a_hash, opts = {}
-        # Use a self-singed JWT if there's no information that can be used to
-        # obtain an OAuth token, OR if there are scopes but also an assertion
-        # that they are default scopes that shouldn't be used to fetch a token.
-        if target_audience.nil? && (scope.nil? || enable_self_signed_jwt?)
+        if enable_self_signed_jwt?
           apply_self_signed_jwt! a_hash
         else
           super
         end
       end
 
+      # Modifies this logic so it also requires self-signed-jwt to be disabled
+      def needs_access_token?
+        super && !enable_self_signed_jwt?
+      end
+
       private
 
       def apply_self_signed_jwt! a_hash
@@ -138,6 +146,7 @@ module Google
       extend JsonKeyReader
       attr_reader :project_id
       attr_reader :quota_project_id
+      attr_accessor :universe_domain
 
       # Create a ServiceAccountJwtHeaderCredentials.
       #
@@ -154,14 +163,16 @@ module Google
       def initialize options = {}
         json_key_io = options[:json_key_io]
         if json_key_io
-          @private_key, @issuer, @project_id, @quota_project_id =
+          @private_key, @issuer, @project_id, @quota_project_id, @universe_domain =
             self.class.read_json_key json_key_io
         else
           @private_key = ENV[CredentialsLoader::PRIVATE_KEY_VAR]
           @issuer = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
           @project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
           @quota_project_id = nil
+          @universe_domain = nil
         end
+        @universe_domain ||= "googleapis.com"
         @project_id ||= CredentialsLoader.load_gcloud_project_id
         @signing_key = OpenSSL::PKey::RSA.new @private_key
         @scope = options[:scope]
@@ -210,6 +221,11 @@ module Google
 
         JWT.encode assertion, @signing_key, SIGNING_ALGORITHM
       end
+
+      # Duck-types the corresponding method from BaseClient
+      def needs_access_token?
+        false
+      end
     end
   end
 end

data/lib/googleauth/signet.rb

@@ -25,6 +25,15 @@ module Signet
     class Client
       include Google::Auth::BaseClient
 
+      alias update_token_signet_base update_token!
+
+      def update_token! options = {}
+        options = deep_hash_normalize options
+        update_token_signet_base options
+        self.universe_domain = options[:universe_domain] if options.key? :universe_domain
+        self
+      end
+
       def configure_connection options
         @connection_info =
           options[:connection_builder] || options[:default_connection]
@@ -36,6 +45,9 @@ module Signet
         target_audience ? :id_token : :access_token
       end
 
+      # Set the universe domain
+      attr_accessor :universe_domain
+
       alias orig_fetch_access_token! fetch_access_token!
       def fetch_access_token! options = {}
         unless options[:connection]

data/lib/googleauth/user_authorizer.rb

@@ -16,6 +16,7 @@ require "uri"
 require "multi_json"
 require "googleauth/signet"
 require "googleauth/user_refresh"
+require "securerandom"
 
 module Google
   module Auth
@@ -54,17 +55,26 @@ module Google
       #  Authorization scope to request
       # @param [Google::Auth::Stores::TokenStore] token_store
       #  Backing storage for persisting user credentials
-      # @param [String] callback_uri
+      # @param [String] legacy_callback_uri
       #  URL (either absolute or relative) of the auth callback.
-      #  Defaults to '/oauth2callback'
-      def initialize client_id, scope, token_store, callback_uri = nil
+      #  Defaults to '/oauth2callback'.
+      #  @deprecated This field is deprecated. Instead, use the keyword
+      #   argument callback_uri.
+      # @param [String] code_verifier
+      #  Random string of 43-128 chars used to verify the key exchange using
+      #  PKCE.
+      def initialize client_id, scope, token_store,
+                     legacy_callback_uri = nil,
+                     callback_uri: nil,
+                     code_verifier: nil
         raise NIL_CLIENT_ID_ERROR if client_id.nil?
         raise NIL_SCOPE_ERROR if scope.nil?
 
         @client_id = client_id
         @scope = Array(scope)
         @token_store = token_store
-        @callback_uri = callback_uri || "/oauth2callback"
+        @callback_uri = legacy_callback_uri || callback_uri || "/oauth2callback"
+        @code_verifier = code_verifier
       end
 
       # Build the URL for requesting authorization.
@@ -86,6 +96,18 @@ module Google
       #  Authorization url
       def get_authorization_url options = {}
         scope = options[:scope] || @scope
+
+        options[:additional_parameters] ||= {}
+
+        if @code_verifier
+          options[:additional_parameters].merge!(
+            {
+              code_challenge: generate_code_challenge(@code_verifier),
+              code_challenge_method: code_challenge_method
+            }
+          )
+        end
+
         credentials = UserRefreshCredentials.new(
           client_id:     @client_id.id,
           client_secret: @client_id.secret,
@@ -157,6 +179,8 @@ module Google
         code = options[:code]
         scope = options[:scope] || @scope
         base_url = options[:base_url]
+        options[:additional_parameters] ||= {}
+        options[:additional_parameters].merge!({ code_verifier: @code_verifier })
         credentials = UserRefreshCredentials.new(
           client_id:             @client_id.id,
           client_secret:         @client_id.secret,
@@ -228,6 +252,23 @@ module Google
         credentials
       end
 
+      # The code verifier for PKCE for OAuth 2.0. When set, the
+      # authorization URI will contain the Code Challenge and Code
+      # Challenge Method querystring parameters, and the token URI will
+      # contain the Code Verifier parameter.
+      #
+      # @param [String|nil] new_code_erifier
+      def code_verifier= new_code_verifier
+        @code_verifier = new_code_verifier
+      end
+
+      # Generate the code verifier needed to be sent while fetching
+      # authorization URL.
+      def self.generate_code_verifier
+        random_number = rand 32..96
+        SecureRandom.alphanumeric random_number
+      end
+
       private
 
       # @private Fetch stored token with given user_id
@@ -272,6 +313,15 @@ module Google
       def uri_is_postmessage? uri
         uri.to_s.casecmp("postmessage").zero?
       end
+
+      def generate_code_challenge code_verifier
+        digest = Digest::SHA256.digest code_verifier
+        Base64.urlsafe_encode64 digest, padding: false
+      end
+
+      def code_challenge_method
+        "S256"
+      end
     end
   end
 end

data/lib/googleauth/user_refresh.rb

@@ -50,7 +50,8 @@ module Google
           "client_secret" => ENV[CredentialsLoader::CLIENT_SECRET_VAR],
           "refresh_token" => ENV[CredentialsLoader::REFRESH_TOKEN_VAR],
           "project_id"    => ENV[CredentialsLoader::PROJECT_ID_VAR],
-          "quota_project_id" => nil
+          "quota_project_id" => nil,
+          "universe_domain" => nil
         }
         new(token_credential_uri: TOKEN_CRED_URI,
             client_id:            user_creds["client_id"],
@@ -58,7 +59,8 @@ module Google
             refresh_token:        user_creds["refresh_token"],
             project_id:           user_creds["project_id"],
             quota_project_id:     user_creds["quota_project_id"],
-            scope:                scope)
+            scope:                scope,
+            universe_domain:      user_creds["universe_domain"] || "googleapis.com")
           .configure_connection(options)
       end
 

data/lib/googleauth/version.rb

@@ -16,6 +16,6 @@ module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
   module Auth
-    VERSION = "1.8.1".freeze
+    VERSION = "1.11.0".freeze
   end
 end

data/lib/googleauth/web_user_authorizer.rb

@@ -93,11 +93,22 @@ module Google
       #  Authorization scope to request
       # @param [Google::Auth::Stores::TokenStore] token_store
       #  Backing storage for persisting user credentials
-      # @param [String] callback_uri
+      # @param [String] legacy_callback_uri
       #  URL (either absolute or relative) of the auth callback. Defaults
-      #  to '/oauth2callback'
-      def initialize client_id, scope, token_store, callback_uri = nil
-        super client_id, scope, token_store, callback_uri
+      #  to '/oauth2callback'.
+      #  @deprecated This field is deprecated. Instead, use the keyword
+      #   argument callback_uri.
+      # @param [String] code_verifier
+      #  Random string of 43-128 chars used to verify the key exchange using
+      #  PKCE.
+      def initialize client_id, scope, token_store,
+                     legacy_callback_uri = nil,
+                     callback_uri: nil,
+                     code_verifier: nil
+        super client_id, scope, token_store,
+              legacy_callback_uri,
+              code_verifier: code_verifier,
+              callback_uri: callback_uri
       end
 
       # Handle the result of the oauth callback. Exchanges the authorization

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: googleauth
 version: !ruby/object:Gem::Version
-  version: 1.8.1
+  version: 1.11.0
 platform: ruby
 authors:
 - Tim Emiola
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-09-20 00:00:00.000000000 Z
+date: 2024-02-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -16,7 +16,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.17.3
+        version: '1.0'
     - - "<"
       - !ruby/object:Gem::Version
         version: 3.a
@@ -26,10 +26,24 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.17.3
+        version: '1.0'
     - - "<"
       - !ruby/object:Gem::Version
         version: 3.a
+- !ruby/object:Gem::Dependency
+  name: google-cloud-env
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
@@ -165,14 +179,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.6'
+      version: '2.7'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.19
+rubygems_version: 3.5.3
 signing_key: 
 specification_version: 4
 summary: Google Auth Library for Ruby