signet 0.11.0 → 0.14.1

data/spec/signet/oauth_2/client_spec.rb

@@ -11,446 +11,440 @@
 #    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 #    See the License for the specific language governing permissions and
 #    limitations under the License.
-require 'spec_helper'
-require 'signet/oauth_2/client'
-require 'openssl'
-require 'jwt'
-require 'date'
+require "spec_helper"
+require "signet/oauth_2/client"
+require "openssl"
+require "jwt"
+require "date"
 
 conn = Faraday.default_connection
 
-def build_json_response(payload)
+def build_json_response payload
   [200, { "Content-Type" => "application/json; charset=utf-8" }, MultiJson.dump(payload)]
 end
 
-def build_form_encoded_response(payload)
+def build_form_encoded_response payload
   [200, { "Content-Type" => "application/json; charset=utf-8" }, Addressable::URI.form_encode(payload)]
 end
 
-describe Signet::OAuth2::Client, 'unconfigured' do
+describe Signet::OAuth2::Client, "unconfigured" do
   before do
     @client = Signet::OAuth2::Client.new
   end
-  it 'should allow additional paraemters to be set.' do
-    @client.additional_parameters['type'] = 'web_server'
-    expect(@client.additional_parameters).to eq({'type' => 'web_server'})
+  it "should allow additional paraemters to be set." do
+    @client.additional_parameters["type"] = "web_server"
+    expect(@client.additional_parameters).to eq({ "type" => "web_server" })
   end
-  it 'should raise an error if a bogus scope is provided' do
+  it "should raise an error if a bogus scope is provided" do
     expect(lambda do
-      @client = Signet::OAuth2::Client.new(:scope => :bogus)
+      @client = Signet::OAuth2::Client.new scope: :bogus
     end).to raise_error(TypeError)
   end
 
-  it 'should raise an error if a scope array is provided with spaces' do
+  it "should raise an error if a scope array is provided with spaces" do
     expect(lambda do
-      @client = Signet::OAuth2::Client.new(:scope => [
-        'legit',
-        'bogus bogus'
-      ])
+      @client = Signet::OAuth2::Client.new(
+        scope: ["legit", "bogus bogus"]
+      )
     end).to raise_error(ArgumentError)
   end
 
-  it 'should allow the scope to be set to a String' do
-    @client.scope = 'legit'
-    expect(@client.scope).to eq ['legit']
-    @client.scope = 'legit alsolegit'
-    expect(@client.scope).to eq ['legit', 'alsolegit']
+  it "should allow the scope to be set to a String" do
+    @client.scope = "legit"
+    expect(@client.scope).to eq ["legit"]
+    @client.scope = "legit alsolegit"
+    expect(@client.scope).to eq ["legit", "alsolegit"]
   end
 
-  it 'should allow the scope to be set to an Array' do
-    @client.scope = ['legit']
-    expect(@client.scope).to eq ['legit']
-    @client.scope = ['legit', 'alsolegit']
-    expect(@client.scope).to eq ['legit', 'alsolegit']
+  it "should allow the scope to be set to an Array" do
+    @client.scope = ["legit"]
+    expect(@client.scope).to eq ["legit"]
+    @client.scope = ["legit", "alsolegit"]
+    expect(@client.scope).to eq ["legit", "alsolegit"]
   end
 
-  it 'should raise an error if a bogus redirect URI is provided' do
+  it "should raise an error if a bogus redirect URI is provided" do
     expect(lambda do
-      @client = Signet::OAuth2::Client.new(:redirect_uri => :bogus)
+      @client = Signet::OAuth2::Client.new redirect_uri: :bogus
     end).to raise_error(TypeError)
   end
 
-  it 'should raise an error if a relative redirect URI is provided' do
+  it "should raise an error if a relative redirect URI is provided" do
     expect(lambda do
-      @client = Signet::OAuth2::Client.new(:redirect_uri => '/relative/path')
+      @client = Signet::OAuth2::Client.new redirect_uri: "/relative/path"
     end).to raise_error(ArgumentError)
   end
 
   it 'should allow "postmessage" as a redirect URI (Google hack)' do
-    @client.authorization_uri = 'https://example.com/authorize'
-    @client.client_id = 's6BhdRkqt3'
-    @client.redirect_uri = 'postmessage'
-    expect(@client.authorization_uri.query_values['redirect_uri']).to eq 'postmessage'
+    @client.authorization_uri = "https://example.com/authorize"
+    @client.client_id = "s6BhdRkqt3"
+    @client.redirect_uri = "postmessage"
+    expect(@client.authorization_uri.query_values["redirect_uri"]).to eq "postmessage"
   end
 
-  it 'should allow oob values as a redirect URI (for installed apps)' do
-    @client.authorization_uri = 'https://example.com/authorize'
-    @client.client_id = 's6BhdRkqt3'
-    @client.redirect_uri = 'urn:ietf:wg:oauth:2.0:oob'
-    expect(@client.authorization_uri.query_values['redirect_uri']).to eq 'urn:ietf:wg:oauth:2.0:oob'
-    @client.redirect_uri = 'oob'
-    expect(@client.authorization_uri.query_values['redirect_uri']).to eq 'oob'
+  it "should allow oob values as a redirect URI (for installed apps)" do
+    @client.authorization_uri = "https://example.com/authorize"
+    @client.client_id = "s6BhdRkqt3"
+    @client.redirect_uri = "urn:ietf:wg:oauth:2.0:oob"
+    expect(@client.authorization_uri.query_values["redirect_uri"]).to eq "urn:ietf:wg:oauth:2.0:oob"
+    @client.redirect_uri = "oob"
+    expect(@client.authorization_uri.query_values["redirect_uri"]).to eq "oob"
   end
 
-  it 'should have no authorization_uri' do
+  it "should have no authorization_uri" do
     expect(@client.authorization_uri).to eq nil
   end
 
-  it 'should allow the authorization_uri to be set to a String' do
-    @client.authorization_uri = 'https://example.com/authorize'
-    @client.client_id = 's6BhdRkqt3'
-    @client.redirect_uri = 'https://example.client.com/callback'
+  it "should allow the authorization_uri to be set to a String" do
+    @client.authorization_uri = "https://example.com/authorize"
+    @client.client_id = "s6BhdRkqt3"
+    @client.redirect_uri = "https://example.client.com/callback"
     expect(@client.authorization_uri.to_s).to include(
-      'https://example.com/authorize'
+      "https://example.com/authorize"
     )
-    expect(@client.authorization_uri.query_values['client_id']).to eq 's6BhdRkqt3'
-    expect(@client.authorization_uri.query_values['redirect_uri']).to eq (
-      'https://example.client.com/callback'
+    expect(@client.authorization_uri.query_values["client_id"]).to eq "s6BhdRkqt3"
+    expect(@client.authorization_uri.query_values["redirect_uri"]).to eq(
+      "https://example.client.com/callback"
     )
   end
 
-  it 'should allow the authorization_uri to be set to a Hash' do
+  it "should allow the authorization_uri to be set to a Hash" do
     @client.authorization_uri = {
-      :scheme => 'https', :host => 'example.com', :path => '/authorize'
+      scheme: "https", host: "example.com", path: "/authorize"
     }
-    @client.client_id = 's6BhdRkqt3'
-    @client.redirect_uri = 'https://example.client.com/callback'
+    @client.client_id = "s6BhdRkqt3"
+    @client.redirect_uri = "https://example.client.com/callback"
     expect(@client.authorization_uri.to_s).to include(
-      'https://example.com/authorize'
+      "https://example.com/authorize"
     )
-    expect(@client.authorization_uri.query_values['client_id']).to eq 's6BhdRkqt3'
-    expect(@client.authorization_uri.query_values['redirect_uri']).to eq (
-      'https://example.client.com/callback'
+    expect(@client.authorization_uri.query_values["client_id"]).to eq "s6BhdRkqt3"
+    expect(@client.authorization_uri.query_values["redirect_uri"]).to eq( 
+      "https://example.client.com/callback"
     )
   end
 
-  it 'should allow the authorization_uri to be set to a URI' do
+  it "should allow the authorization_uri to be set to a URI" do
     @client.authorization_uri =
-      Addressable::URI.parse('https://example.com/authorize')
-    @client.client_id = 's6BhdRkqt3'
+      Addressable::URI.parse "https://example.com/authorize"
+    @client.client_id = "s6BhdRkqt3"
     @client.redirect_uri =
-      Addressable::URI.parse('https://example.client.com/callback')
+      Addressable::URI.parse "https://example.client.com/callback"
     expect(@client.authorization_uri.to_s).to include(
-      'https://example.com/authorize'
+      "https://example.com/authorize"
     )
-    expect(@client.authorization_uri.query_values['client_id']).to eq 's6BhdRkqt3'
-    expect(@client.authorization_uri.query_values['redirect_uri']).to eq (
-      'https://example.client.com/callback'
+    expect(@client.authorization_uri.query_values["client_id"]).to eq "s6BhdRkqt3"
+    expect(@client.authorization_uri.query_values["redirect_uri"]).to eq(
+      "https://example.client.com/callback"
     )
   end
 
-  it 'should require a redirect URI when getting the authorization_uri' do
+  it "should require a redirect URI when getting the authorization_uri" do
     @client.authorization_uri =
-      Addressable::URI.parse('https://example.com/authorize')
-    @client.client_id = 's6BhdRkqt3'
+      Addressable::URI.parse "https://example.com/authorize"
+    @client.client_id = "s6BhdRkqt3"
     expect(lambda do
       @client.authorization_uri
     end).to raise_error(ArgumentError)
   end
 
-  it 'should require a client ID when getting the authorization_uri' do
+  it "should require a client ID when getting the authorization_uri" do
     @client.authorization_uri =
-      Addressable::URI.parse('https://example.com/authorize')
+      Addressable::URI.parse "https://example.com/authorize"
     @client.redirect_uri =
-      Addressable::URI.parse('https://example.client.com/callback')
+      Addressable::URI.parse "https://example.client.com/callback"
     expect(lambda do
       @client.authorization_uri
     end).to raise_error(ArgumentError)
   end
 
-  it 'should have no token_credential_uri' do
+  it "should have no token_credential_uri" do
     expect(@client.token_credential_uri).to eq nil
   end
 
-  it 'should allow the token_credential_uri to be set to a String' do
+  it "should allow the token_credential_uri to be set to a String" do
     @client.token_credential_uri = "https://example.com/token"
     expect(@client.token_credential_uri.to_s).to eq "https://example.com/token"
   end
 
-  it 'should allow the token_credential_uri to be set to a Hash' do
+  it "should allow the token_credential_uri to be set to a Hash" do
     @client.token_credential_uri = {
-      :scheme => 'https', :host => 'example.com', :path => '/token'
+      scheme: "https", host: "example.com", path: "/token"
     }
-    expect(@client.token_credential_uri.to_s).to eq 'https://example.com/token'
+    expect(@client.token_credential_uri.to_s).to eq "https://example.com/token"
   end
 
-  it 'should allow the token_credential_uri to be set to a URI' do
+  it "should allow the token_credential_uri to be set to a URI" do
     @client.token_credential_uri =
-      Addressable::URI.parse("https://example.com/token")
+      Addressable::URI.parse "https://example.com/token"
     expect(@client.token_credential_uri.to_s).to eq "https://example.com/token"
   end
 end
 
-describe Signet::OAuth2::Client, 'configured for assertions profile' do
-
-  describe 'when using RSA keys' do
+describe Signet::OAuth2::Client, "configured for assertions profile" do
+  describe "when using RSA keys" do
     before do
       @key = OpenSSL::PKey::RSA.new 2048
       @client = Signet::OAuth2::Client.new(
-        :token_credential_uri =>
-          'https://oauth2.googleapis.com/token',
-        :scope => 'https://www.googleapis.com/auth/userinfo.profile',
-        :issuer => 'app@example.com',
-        :audience => 'https://oauth2.googleapis.com/token',
-        :signing_key => @key
+        token_credential_uri: "https://oauth2.googleapis.com/token",
+        scope:                "https://www.googleapis.com/auth/userinfo.profile",
+        issuer:               "app@example.com",
+        audience:             "https://oauth2.googleapis.com/token",
+        signing_key:          @key
       )
     end
 
-    it 'should generate valid JWTs' do
+    it "should generate valid JWTs" do
       jwt = @client.to_jwt
       expect(jwt).not_to be_nil
 
-      claim, header = JWT.decode(jwt, @key.public_key, true, algorithm: 'RS256')
-      expect(claim["iss"]).to eq 'app@example.com'
-      expect(claim["scope"]).to eq 'https://www.googleapis.com/auth/userinfo.profile'
-      expect(claim["aud"]).to eq 'https://oauth2.googleapis.com/token'
+      claim, header = JWT.decode jwt, @key.public_key, true, algorithm: "RS256"
+      expect(claim["iss"]).to eq "app@example.com"
+      expect(claim["scope"]).to eq "https://www.googleapis.com/auth/userinfo.profile"
+      expect(claim["aud"]).to eq "https://oauth2.googleapis.com/token"
     end
 
-    it 'should generate valid JWTs for impersonation' do
-      @client.principal = 'user@example.com'
+    it "should generate valid JWTs for impersonation" do
+      @client.principal = "user@example.com"
       jwt = @client.to_jwt
       expect(jwt).not_to be_nil
 
-      claim, header = JWT.decode(jwt, @key.public_key, true, algorithm: 'RS256')
-      expect(claim["iss"]).to eq 'app@example.com'
-      expect(claim["prn"]).to eq 'user@example.com'
-      expect(claim["scope"]).to eq 'https://www.googleapis.com/auth/userinfo.profile'
-      expect(claim["aud"]).to eq 'https://oauth2.googleapis.com/token'
+      claim, header = JWT.decode jwt, @key.public_key, true, algorithm: "RS256"
+      expect(claim["iss"]).to eq "app@example.com"
+      expect(claim["prn"]).to eq "user@example.com"
+      expect(claim["scope"]).to eq "https://www.googleapis.com/auth/userinfo.profile"
+      expect(claim["aud"]).to eq "https://oauth2.googleapis.com/token"
     end
 
-    it 'should generate valid JWTs for impersonation using deprecated person attribute' do
-      @client.person = 'user@example.com'
+    it "should generate valid JWTs for impersonation using deprecated person attribute" do
+      @client.person = "user@example.com"
       jwt = @client.to_jwt
       expect(jwt).not_to be_nil
 
-      claim, header = JWT.decode(jwt, @key.public_key, true, algorithm: 'RS256')
-      expect(claim["iss"]).to eq 'app@example.com'
-      expect(claim["prn"]).to eq 'user@example.com'
-      expect(claim["scope"]).to eq 'https://www.googleapis.com/auth/userinfo.profile'
-      expect(claim["aud"]).to eq 'https://oauth2.googleapis.com/token'
+      claim, header = JWT.decode jwt, @key.public_key, true, algorithm: "RS256"
+      expect(claim["iss"]).to eq "app@example.com"
+      expect(claim["prn"]).to eq "user@example.com"
+      expect(claim["scope"]).to eq "https://www.googleapis.com/auth/userinfo.profile"
+      expect(claim["aud"]).to eq "https://oauth2.googleapis.com/token"
     end
 
-    it 'should generate valid JWTs for impersonation using the sub attribute' do
-      @client.sub = 'user@example.com'
+    it "should generate valid JWTs for impersonation using the sub attribute" do
+      @client.sub = "user@example.com"
       jwt = @client.to_jwt
       expect(jwt).not_to be_nil
 
-      claim, header = JWT.decode(jwt, @key.public_key, true, algorithm: 'RS256')
-      expect(claim["iss"]).to eq 'app@example.com'
-      expect(claim["sub"]).to eq 'user@example.com'
-      expect(claim["scope"]).to eq 'https://www.googleapis.com/auth/userinfo.profile'
-      expect(claim["aud"]).to eq 'https://oauth2.googleapis.com/token'
+      claim, header = JWT.decode jwt, @key.public_key, true, algorithm: "RS256"
+      expect(claim["iss"]).to eq "app@example.com"
+      expect(claim["sub"]).to eq "user@example.com"
+      expect(claim["scope"]).to eq "https://www.googleapis.com/auth/userinfo.profile"
+      expect(claim["aud"]).to eq "https://oauth2.googleapis.com/token"
     end
 
-    it 'should generate a JSON representation of the client' do
-      @client.principal = 'user@example.com'
+    it "should generate a JSON representation of the client" do
+      @client.principal = "user@example.com"
       json = @client.to_json
       expect(json).not_to be_nil
 
-      deserialized = MultiJson.load(json)
-      expect(deserialized["token_credential_uri"]).to eq 'https://oauth2.googleapis.com/token'
-      expect(deserialized["scope"]).to eq ['https://www.googleapis.com/auth/userinfo.profile']
-      expect(deserialized["issuer"]).to eq 'app@example.com'
-      expect(deserialized["audience"]).to eq 'https://oauth2.googleapis.com/token'
+      deserialized = MultiJson.load json
+      expect(deserialized["token_credential_uri"]).to eq "https://oauth2.googleapis.com/token"
+      expect(deserialized["scope"]).to eq ["https://www.googleapis.com/auth/userinfo.profile"]
+      expect(deserialized["issuer"]).to eq "app@example.com"
+      expect(deserialized["audience"]).to eq "https://oauth2.googleapis.com/token"
       expect(deserialized["signing_key"]).to eq @key.to_s
     end
 
-    it 'should send valid access token request' do
+    it "should send valid access token request" do
       stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-        stub.post('/token') do |env|
-          params = Addressable::URI.form_unencode(env[:body])
-          claim, header = JWT.decode(params.assoc("assertion").last, @key.public_key, true, algorithm: 'RS256')
-          expect(params.assoc("grant_type")).to eq ['grant_type','urn:ietf:params:oauth:grant-type:jwt-bearer']
-          build_json_response({
+        stub.post "/token" do |env|
+          params = Addressable::URI.form_unencode env[:body]
+          claim, header = JWT.decode params.assoc("assertion").last, @key.public_key, true, algorithm: "RS256"
+          expect(params.assoc("grant_type")).to eq ["grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer"]
+          build_json_response(
             "access_token" => "1/abcdef1234567890",
-            "token_type" => "Bearer",
-            "expires_in" => 3600
-          })
+            "token_type"   => "Bearer",
+            "expires_in"   => 3600
+          )
         end
       end
-      connection = Faraday.new(:url => 'https://www.google.com') do |builder|
-        builder.adapter(:test, stubs)
+      connection = Faraday.new url: "https://www.google.com" do |builder|
+        builder.adapter :test, stubs
       end
 
-      @client.fetch_access_token!(:connection => connection)
+      @client.fetch_access_token! connection: connection
       expect(@client.access_token).to eq "1/abcdef1234567890"
       stubs.verify_stubbed_calls
     end
   end
 
-  describe 'when using shared secrets' do
+  describe "when using shared secrets" do
     before do
-      @key = 'my secret key'
+      @key = "my secret key"
       @client = Signet::OAuth2::Client.new(
-        :token_credential_uri =>
-          'https://oauth2.googleapis.com/token',
-        :scope => 'https://www.googleapis.com/auth/userinfo.profile',
-        :issuer => 'app@example.com',
-        :audience => 'https://oauth2.googleapis.com/token',
-        :signing_key => @key
+        token_credential_uri: "https://oauth2.googleapis.com/token",
+        scope:                "https://www.googleapis.com/auth/userinfo.profile",
+        issuer:               "app@example.com",
+        audience:             "https://oauth2.googleapis.com/token",
+        signing_key:          @key
       )
     end
 
-    it 'should generate valid JWTs' do
+    it "should generate valid JWTs" do
       jwt = @client.to_jwt
       expect(jwt).not_to be_nil
 
-      claim, header = JWT.decode(jwt, @key, true, algorithm: 'HS256')
-      expect(claim["iss"]).to eq 'app@example.com'
-      expect(claim["scope"]).to eq 'https://www.googleapis.com/auth/userinfo.profile'
-      expect(claim["aud"]).to eq 'https://oauth2.googleapis.com/token'
+      claim, header = JWT.decode jwt, @key, true, algorithm: "HS256"
+      expect(claim["iss"]).to eq "app@example.com"
+      expect(claim["scope"]).to eq "https://www.googleapis.com/auth/userinfo.profile"
+      expect(claim["aud"]).to eq "https://oauth2.googleapis.com/token"
     end
   end
 end
 
-describe Signet::OAuth2::Client, 'configured for Google userinfo API' do
+describe Signet::OAuth2::Client, "configured for Google userinfo API" do
   before do
     @client = Signet::OAuth2::Client.new(
-      :authorization_uri =>
-        'https://accounts.google.com/o/oauth2/auth',
-      :token_credential_uri =>
-        'https://oauth2.googleapis.com/token',
-      :scope => 'https://www.googleapis.com/auth/userinfo.profile'
+      authorization_uri:    "https://accounts.google.com/o/oauth2/auth",
+      token_credential_uri: "https://oauth2.googleapis.com/token",
+      scope:                "https://www.googleapis.com/auth/userinfo.profile"
     )
   end
 
-  it 'should not have a grant type by default' do
+  it "should not have a grant type by default" do
     expect(@client.grant_type).to eq nil
   end
 
-  it 'should use the authorization_code grant type if given code' do
-    @client.code = '00000'
-    @client.redirect_uri = 'http://www.example.com/'
-    expect(@client.grant_type).to eq 'authorization_code'
+  it "should use the authorization_code grant type if given code" do
+    @client.code = "00000"
+    @client.redirect_uri = "http://www.example.com/"
+    expect(@client.grant_type).to eq "authorization_code"
   end
 
-  it 'should use the refresh_token grant type if given refresh token' do
-    @client.refresh_token = '54321'
-    expect(@client.grant_type).to eq 'refresh_token'
+  it "should use the refresh_token grant type if given refresh token" do
+    @client.refresh_token = "54321"
+    expect(@client.grant_type).to eq "refresh_token"
   end
 
-  it 'should use the password grant type if given username and password' do
-    @client.username = 'johndoe'
-    @client.password = 'incognito'
-    expect(@client.grant_type).to eq 'password'
+  it "should use the password grant type if given username and password" do
+    @client.username = "johndoe"
+    @client.password = "incognito"
+    expect(@client.grant_type).to eq "password"
   end
 
-  it 'should allow the grant type to be set manually' do
-    @client.grant_type = 'authorization_code'
-    expect(@client.grant_type).to eq 'authorization_code'
-    @client.grant_type = 'refresh_token'
-    expect(@client.grant_type).to eq 'refresh_token'
-    @client.grant_type = 'password'
-    expect(@client.grant_type).to eq 'password'
+  it "should allow the grant type to be set manually" do
+    @client.grant_type = "authorization_code"
+    expect(@client.grant_type).to eq "authorization_code"
+    @client.grant_type = "refresh_token"
+    expect(@client.grant_type).to eq "refresh_token"
+    @client.grant_type = "password"
+    expect(@client.grant_type).to eq "password"
   end
 
-  it 'should allow the grant type to be set to an extension' do
-    @client.grant_type = 'urn:ietf:params:oauth:grant-type:saml2-bearer'
-    @client.extension_parameters['assertion'] =
-      'PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU'
+  it "should allow the grant type to be set to an extension" do
+    @client.grant_type = "urn:ietf:params:oauth:grant-type:saml2-bearer"
+    @client.extension_parameters["assertion"] =
+      "PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU"
 
-    expect(@client.grant_type).to eq Addressable::URI.parse('urn:ietf:params:oauth:grant-type:saml2-bearer')
-    expect(@client.extension_parameters).to eq ({'assertion' => 'PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU'})
+    expect(@client.grant_type).to eq Addressable::URI.parse("urn:ietf:params:oauth:grant-type:saml2-bearer")
+    expect(@client.extension_parameters).to eq ({ "assertion" => "PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU" })
   end
 
-  it 'should raise an error if extension parameters are bogus' do
+  it "should raise an error if extension parameters are bogus" do
     expect(lambda do
       @client.extension_parameters = :bogus
     end).to raise_error(TypeError)
   end
 
-  it 'should include extension parameters in token request' do
-    @client.grant_type = 'urn:ietf:params:oauth:grant-type:saml2-bearer'
-    @client.extension_parameters['assertion'] =
-      'PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU'
+  it "should include extension parameters in token request" do
+    @client.grant_type = "urn:ietf:params:oauth:grant-type:saml2-bearer"
+    @client.extension_parameters["assertion"] =
+      "PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU"
 
     request = @client.generate_access_token_request
-    expect(request).to include('assertion' => 'PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU')
+    expect(request).to include("assertion" => "PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU")
   end
 
-  it 'should include the scope in token request' do
-    @client.scope = ['https://www.googleapis.com/auth/userinfo.profile']
+  it "should include the scope in token request" do
+    @client.scope = ["https://www.googleapis.com/auth/userinfo.profile"]
 
-    request = @client.generate_access_token_request(:use_configured_scope => true)
-    expect(request).to include('scope' => ['https://www.googleapis.com/auth/userinfo.profile'])
+    request = @client.generate_access_token_request use_configured_scope: true
+    expect(request).to include("scope" => ["https://www.googleapis.com/auth/userinfo.profile"])
   end
 
-  it 'should allow the token to be updated' do
+  it "should allow the token to be updated" do
     issued_at = Time.now
     @client.update_token!(
-      :access_token => '12345',
-      :refresh_token => '54321',
-      :expires_in => 3600,
-      :issued_at => issued_at
+      :access_token  => "12345",
+      refresh_token: "54321",
+      :expires_in    => 3600,
+      :issued_at     => issued_at
     )
-    expect(@client.access_token).to eq '12345'
-    expect(@client.refresh_token).to eq '54321'
+    expect(@client.access_token).to eq "12345"
+    expect(@client.refresh_token).to eq "54321"
     expect(@client.expires_in).to eq 3600
     expect(@client.issued_at).to eq issued_at
     expect(@client).to_not be_expired
   end
 
-  it 'should handle expires as equivalent to expires_in' do
+  it "should handle expires as equivalent to expires_in" do
     issued_at = Time.now
     @client.update_token!(
-      :access_token => '12345',
-      :refresh_token => '54321',
-      :expires => 600,
-      :issued_at => issued_at
+      :access_token  => "12345",
+      refresh_token: "54321",
+      :expires       => 600,
+      :issued_at     => issued_at
     )
     expect(@client.expires_in).to eq 600
   end
 
-  it 'should allow the token to be updated without an expiration' do
+  it "should allow the token to be updated without an expiration" do
     @client.update_token!(
-      :access_token => '12345',
-      :refresh_token => '54321'
+      :access_token  => "12345",
+      refresh_token: "54321"
     )
-    expect(@client.access_token).to eq '12345'
-    expect(@client.refresh_token).to eq '54321'
+    expect(@client.access_token).to eq "12345"
+    expect(@client.refresh_token).to eq "54321"
     expect(@client.expires_in).to eq nil
     expect(@client.issued_at).to eq nil
     expect(@client).to_not be_expired
   end
 
-  it 'should allow the token expiration to be cleared' do
+  it "should allow the token expiration to be cleared" do
     issued_at = Time.now
     @client.update_token!(
-      :access_token => '12345',
-      :refresh_token => '54321',
-      :expires_in => 3600,
-      :issued_at => issued_at
+      :access_token  => "12345",
+      refresh_token: "54321",
+      :expires_in    => 3600,
+      :issued_at     => issued_at
     )
     @client.expires_in = nil
     @client.issued_at = nil
     expect(@client).to_not be_expired
   end
 
-  it 'should allow the expires_at time to be updated' do
+  it "should allow the expires_at time to be updated" do
     expires_at = Time.now
     @client.update_token!(
-      :expires_at => expires_at.to_i,
-      :expires_in => nil
+      expires_at: expires_at.to_i,
+      expires_in: nil
     )
     expect(@client.expires_at).to be_within(1).of(expires_at)
     expect(@client).to be_expired
   end
 
-  it 'should calculate the expires_at from issued_at when issued_at is set' do
+  it "should calculate the expires_at from issued_at when issued_at is set" do
     expires_in = 3600
     issued_at = Time.now - expires_in
     @client.update_token!(
-      :issued_at => issued_at,
-      :expires_in => expires_in
+      :issued_at  => issued_at,
+      expires_in: expires_in
     )
     expect(@client.expires_at).to eq issued_at + expires_in
     expect(@client).to be_expired
   end
 
-  it 'should calculate expires_at from Time.now when issed_at is NOT set' do
+  it "should calculate expires_at from Time.now when issed_at is NOT set" do
     expires_in = 3600
     expires_at = Time.now + expires_in
-    @client.update_token! :expires_in => expires_in
+    @client.update_token! expires_in: expires_in
     expect(@client.expires_at).to be_within(1).of(expires_at)
     expect(@client).to_not be_expired
   end
@@ -458,7 +452,7 @@ describe Signet::OAuth2::Client, 'configured for Google userinfo API' do
   # This test is to document the way that expires_in has always been used:
   # If expires_in is set on the client, it always resets the issued_at time
   # to Time.now
-  it 'sets issued_at to Time.now when expires_in is not set through update_token!' do
+  it "sets issued_at to Time.now when expires_in is not set through update_token!" do
     one_hour = 3600
     issued_at = Time.now - (2 * one_hour)
     current_time = Time.now
@@ -471,14 +465,14 @@ describe Signet::OAuth2::Client, 'configured for Google userinfo API' do
     expect(@client).to_not be_expired
   end
 
-  it 'should allow setting expires_at manually' do
-    expires_at = Time.now+100
+  it "should allow setting expires_at manually" do
+    expires_at = Time.now + 100
     @client.expires_at = expires_at.to_i
     expect(@client.expires_at).to be_within(1).of(expires_at)
     expect(@client).to_not be_expired
   end
 
-  it 'should normalize values of expires_at to instances of time' do
+  it "should normalize values of expires_at to instances of time" do
     time_formats = [DateTime.new, "12:00", 100, Time.new]
     normalized_time_formats = []
     time_formats.each do |time|
@@ -490,9 +484,9 @@ describe Signet::OAuth2::Client, 'configured for Google userinfo API' do
     end
   end
 
-  it 'should set expires_in when expires_at is set' do
+  it "should set expires_in when expires_at is set" do
     issued_at = Time.now
-    expires_at = Time.now+100
+    expires_at = Time.now + 100
     @client.expires_at = expires_at.to_i
     @client.issued_at = issued_at
     expect(@client.expires_in).to be_within(1).of (expires_at - issued_at).to_i
@@ -500,12 +494,12 @@ describe Signet::OAuth2::Client, 'configured for Google userinfo API' do
     expect(@client.expires_in).to be_nil
   end
 
-  it 'should set expires_in to nil when expires_at is set to nil' do
+  it "should set expires_in to nil when expires_at is set to nil" do
     @client.expires_at = nil
     expect(@client.expires_in).to be_nil
   end
 
-  it 'should set expires_at when expires_in is set' do
+  it "should set expires_at when expires_in is set" do
     expires_in = 100
     @client.expires_in = expires_in
     expect(@client.expires_at).to eq (@client.issued_at + expires_in)
@@ -513,194 +507,194 @@ describe Signet::OAuth2::Client, 'configured for Google userinfo API' do
     expect(@client.expires_at).to be_nil
   end
 
-  it 'should set expires_at to nil when expires_in is set to nil' do
+  it "should set expires_at to nil when expires_in is set to nil" do
     @client.expires_in = nil
     expect(@client.expires_at).to be_nil
   end
 
-  it 'should indicate the token is not expired if expired_at nil' do
+  it "should indicate the token is not expired if expired_at nil" do
     @client.expires_at = nil
     expect(@client.expires_within?(60)).to be false
     expect(@client.expired?).to be false
   end
 
-  it 'should indicate the token is not expiring when expiry beyond window' do
-    @client.expires_at = Time.now+100
+  it "should indicate the token is not expiring when expiry beyond window" do
+    @client.expires_at = Time.now + 100
     expect(@client.expires_within?(60)).to be false
   end
 
-  it 'should indicate the token is expiring soon when expiry within window' do
-    @client.expires_at = Time.now+30
+  it "should indicate the token is expiring soon when expiry within window" do
+    @client.expires_at = Time.now + 30
     expect(@client.expires_within?(60)).to be true
   end
 
-  it 'should raise an error if the authorization endpoint is not secure' do
-    @client.client_id = 'client-12345'
-    @client.client_secret = 'secret-12345'
-    @client.redirect_uri = 'http://www.example.com/'
-    @client.authorization_uri = 'http://accounts.google.com/o/oauth2/auth'
+  it "should raise an error if the authorization endpoint is not secure" do
+    @client.client_id = "client-12345"
+    @client.client_secret = "secret-12345"
+    @client.redirect_uri = "http://www.example.com/"
+    @client.authorization_uri = "http://accounts.google.com/o/oauth2/auth"
     expect(lambda do
       @client.authorization_uri
     end).to raise_error(Signet::UnsafeOperationError)
   end
 
-  it 'should raise an error if token credential URI is missing' do
+  it "should raise an error if token credential URI is missing" do
     @client.token_credential_uri = nil
     expect(lambda do
       @client.fetch_access_token!
     end).to raise_error(ArgumentError)
   end
 
-  it 'should raise an error if unauthorized' do
-    @client.client_id = 'client-12345'
-    @client.client_secret = 'secret-12345'
+  it "should raise an error if unauthorized" do
+    @client.client_id = "client-12345"
+    @client.client_secret = "secret-12345"
     stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.post('/token') do
-        [401, {}, 'User authorization failed or something.']
+      stub.post "/token" do
+        [401, {}, "User authorization failed or something."]
       end
     end
     expect(lambda do
-      connection = Faraday.new(:url => 'https://www.google.com') do |builder|
-        builder.adapter(:test, stubs)
+      connection = Faraday.new url: "https://www.google.com" do |builder|
+        builder.adapter :test, stubs
       end
       @client.fetch_access_token!(
-        :connection => connection
+        connection: connection
       )
     end).to raise_error(Signet::AuthorizationError)
     stubs.verify_stubbed_calls
   end
 
-  it 'should raise a remote server error if the server gives a 5xx status' do
-    @client.client_id = 'client-12345'
-    @client.client_secret = 'secret-12345'
+  it "should raise a remote server error if the server gives a 5xx status" do
+    @client.client_id = "client-12345"
+    @client.client_secret = "secret-12345"
     stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.post('/token') do
-        [509, {}, 'Rate limit hit or something.']
+      stub.post "/token" do
+        [509, {}, "Rate limit hit or something."]
       end
     end
     expect(lambda do
-      connection = Faraday.new(:url => 'https://www.google.com') do |builder|
-        builder.adapter(:test, stubs)
+      connection = Faraday.new url: "https://www.google.com" do |builder|
+        builder.adapter :test, stubs
       end
       @client.fetch_access_token!(
-        :connection => connection
+        connection: connection
       )
     end).to raise_error(Signet::RemoteServerError)
     stubs.verify_stubbed_calls
   end
 
-  it 'should raise an unexpected error if the token server gives an unexpected status' do
-    @client.client_id = 'client-12345'
-    @client.client_secret = 'secret-12345'
+  it "should raise an unexpected error if the token server gives an unexpected status" do
+    @client.client_id = "client-12345"
+    @client.client_secret = "secret-12345"
     stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.post('/token') do
-        [309, {}, 'Rate limit hit or something.']
+      stub.post "/token" do
+        [309, {}, "Rate limit hit or something."]
       end
     end
     expect(lambda do
-      connection = Faraday.new(:url => 'https://www.google.com') do |builder|
-        builder.adapter(:test, stubs)
+      connection = Faraday.new url: "https://www.google.com" do |builder|
+        builder.adapter :test, stubs
       end
       @client.fetch_access_token!(
-        :connection => connection
+        connection: connection
       )
     end).to raise_error(Signet::UnexpectedStatusError)
     stubs.verify_stubbed_calls
   end
 
-  it 'should correctly fetch an access token' do
-    @client.client_id = 'client-12345'
-    @client.client_secret = 'secret-12345'
-    @client.code = '00000'
-    @client.redirect_uri = 'https://www.example.com/'
+  it "should correctly fetch an access token" do
+    @client.client_id = "client-12345"
+    @client.client_secret = "secret-12345"
+    @client.code = "00000"
+    @client.redirect_uri = "https://www.example.com/"
     stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.post('/token') do
-        build_json_response({
-          'access_token' => '12345',
-          'refresh_token' => '54321',
-          'expires_in' => '3600'
-        })
+      stub.post "/token" do
+        build_json_response(
+          "access_token"  => "12345",
+          "refresh_token" => "54321",
+          "expires_in"    => "3600"
+        )
       end
     end
-    connection = Faraday.new(:url => 'https://www.google.com') do |builder|
-      builder.adapter(:test, stubs)
+    connection = Faraday.new url: "https://www.google.com" do |builder|
+      builder.adapter :test, stubs
     end
     @client.fetch_access_token!(
-      :connection => connection
+      connection: connection
     )
-    expect(@client.access_token).to eq '12345'
-    expect(@client.refresh_token).to eq '54321'
+    expect(@client.access_token).to eq "12345"
+    expect(@client.refresh_token).to eq "54321"
     expect(@client.expires_in).to eq 3600
     stubs.verify_stubbed_calls
   end
 
-  it 'should correctly fetch an access token with a password' do
-    @client.client_id = 'client-12345'
-    @client.client_secret = 'secret-12345'
-    @client.username = 'johndoe'
-    @client.password = 'incognito'
+  it "should correctly fetch an access token with a password" do
+    @client.client_id = "client-12345"
+    @client.client_secret = "secret-12345"
+    @client.username = "johndoe"
+    @client.password = "incognito"
     stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.post('/token') do
-        build_json_response({
-          'access_token' => '12345',
-          'refresh_token' => '54321',
-          'expires_in' => '3600'
-        })
+      stub.post "/token" do
+        build_json_response(
+          "access_token"  => "12345",
+          "refresh_token" => "54321",
+          "expires_in"    => "3600"
+        )
       end
     end
-    connection = Faraday.new(:url => 'https://www.google.com') do |builder|
-      builder.adapter(:test, stubs)
+    connection = Faraday.new url: "https://www.google.com" do |builder|
+      builder.adapter :test, stubs
     end
     @client.fetch_access_token!(
-      :connection => connection
+      connection: connection
     )
-    expect(@client.access_token).to eq '12345'
-    expect(@client.refresh_token).to eq '54321'
+    expect(@client.access_token).to eq "12345"
+    expect(@client.refresh_token).to eq "54321"
     expect(@client.expires_in).to eq 3600
     stubs.verify_stubbed_calls
   end
 
-  it 'should correctly refresh an access token' do
-    @client.client_id = 'client-12345'
-    @client.client_secret = 'secret-12345'
-    @client.refresh_token = '54321'
+  it "should correctly refresh an access token" do
+    @client.client_id = "client-12345"
+    @client.client_secret = "secret-12345"
+    @client.refresh_token = "54321"
     stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.post('/token') do
-        build_json_response({
-          'access_token' => '12345',
-          'refresh_token' => '54321',
-          'expires_in' => '3600'
-        })
+      stub.post "/token" do
+        build_json_response(
+          "access_token"  => "12345",
+          "refresh_token" => "54321",
+          "expires_in"    => "3600"
+        )
       end
     end
-    connection = Faraday.new(:url => 'https://www.google.com') do |builder|
-      builder.adapter(:test, stubs)
+    connection = Faraday.new url: "https://www.google.com" do |builder|
+      builder.adapter :test, stubs
     end
     @client.fetch_access_token!(
-      :connection => connection
+      connection: connection
     )
-    expect(@client.access_token).to eq '12345'
-    expect(@client.refresh_token).to eq '54321'
+    expect(@client.access_token).to eq "12345"
+    expect(@client.refresh_token).to eq "54321"
     expect(@client.expires_in).to eq 3600
     stubs.verify_stubbed_calls
   end
 
-  it 'should detect unintential grant type of none' do
-    @client.client_id = 'client-12345'
-    @client.client_secret = 'secret-12345'
-    @client.redirect_uri = 'https://www.example.com/'
+  it "should detect unintential grant type of none" do
+    @client.client_id = "client-12345"
+    @client.client_secret = "secret-12345"
+    @client.redirect_uri = "https://www.example.com/"
     expect(lambda do
       @client.fetch_access_token!
     end).to raise_error(ArgumentError)
   end
 
-  it 'should correctly fetch protected resources' do
-    @client.client_id = 'client-12345'
-    @client.client_secret = 'secret-12345'
-    @client.access_token = '12345'
+  it "should correctly fetch protected resources" do
+    @client.client_id = "client-12345"
+    @client.client_secret = "secret-12345"
+    @client.access_token = "12345"
     stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.get('/oauth2/v1/userinfo?alt=json') do
-        [200, {}, <<-JSON]
+      stub.get "/oauth2/v1/userinfo?alt=json" do
+        [200, {}, <<~JSON]
 {
   "id": "116452824309856782163",
   "name": "Bob Aman",
@@ -708,18 +702,18 @@ describe Signet::OAuth2::Client, 'configured for Google userinfo API' do
   "family_name": "Aman",
   "link": "https://plus.google.com/116452824309856782163"
 }
-JSON
+        JSON
       end
     end
-    connection = Faraday.new(:url => 'https://www.googleapis.com') do |builder|
-      builder.adapter(:test, stubs)
+    connection = Faraday.new url: "https://www.googleapis.com" do |builder|
+      builder.adapter :test, stubs
     end
     response = @client.fetch_protected_resource(
-      :connection => connection,
-      :uri => 'https://www.googleapis.com/oauth2/v1/userinfo?alt=json'
+      connection: connection,
+      uri:        "https://www.googleapis.com/oauth2/v1/userinfo?alt=json"
     )
     expect(response.status).to eq 200
-    expect(response.body).to eq <<-JSON
+    expect(response.body).to eq <<~JSON
 {
   "id": "116452824309856782163",
   "name": "Bob Aman",
@@ -727,269 +721,309 @@ JSON
   "family_name": "Aman",
   "link": "https://plus.google.com/116452824309856782163"
 }
-JSON
+    JSON
     stubs.verify_stubbed_calls
   end
 
-  it 'should correctly send the realm in the Authorization header' do
-    @client.client_id = 'client-12345'
-    @client.client_secret = 'secret-12345'
-    @client.access_token = '12345'
-    connection = Faraday.new(:url => 'https://www.googleapis.com') do |builder|
-      builder.adapter(:test)
+  it "should correctly send the realm in the Authorization header" do
+    @client.client_id = "client-12345"
+    @client.client_secret = "secret-12345"
+    @client.access_token = "12345"
+    connection = Faraday.new url: "https://www.googleapis.com" do |builder|
+      builder.adapter :test
     end
     request = @client.generate_authenticated_request(
-      :connection => connection,
-      :realm => 'Example',
-      :request => conn.build_request(:get) do |req|
-        req.url('https://www.googleapis.com/oauth2/v1/userinfo?alt=json')
+      connection: connection,
+      realm:      "Example",
+      request:    conn.build_request(:get) do |req|
+        req.url "https://www.googleapis.com/oauth2/v1/userinfo?alt=json"
       end
     )
-    expect(request.headers['Authorization']).to eq 'Bearer 12345, realm="Example"'
+    expect(request.headers["Authorization"]).to eq 'Bearer 12345, realm="Example"'
   end
 
-  it 'should correctly send the realm in the Authorization header' do
-    @client.client_id = 'client-12345'
-    @client.client_secret = 'secret-12345'
-    @client.access_token = '12345'
-    connection = Faraday.new(:url => 'https://www.googleapis.com') do |builder|
-      builder.adapter(:test)
+  it "should correctly send the realm in the Authorization header" do
+    @client.client_id = "client-12345"
+    @client.client_secret = "secret-12345"
+    @client.access_token = "12345"
+    connection = Faraday.new url: "https://www.googleapis.com" do |builder|
+      builder.adapter :test
     end
     request = @client.generate_authenticated_request(
-      :connection => connection,
-      :realm => 'Example',
-      :request => [
-        'GET',
-        'https://www.googleapis.com/oauth2/v1/userinfo?alt=json',
+      connection: connection,
+      realm:      "Example",
+      request:    [
+        "GET",
+        "https://www.googleapis.com/oauth2/v1/userinfo?alt=json",
         {},
-        ['']
+        [""]
       ]
     )
-    expect(request.headers['Authorization']).to eq 'Bearer 12345, realm="Example"'
+    expect(request.headers["Authorization"]).to eq 'Bearer 12345, realm="Example"'
   end
 
-  it 'should not raise an error if a request is ' +
-      'provided without a connection' do
-    @client.client_id = 'client-12345'
-    @client.client_secret = 'secret-12345'
-    @client.access_token = '12345'
+  it "should not raise an error if a request is " \
+     "provided without a connection" do
+    @client.client_id = "client-12345"
+    @client.client_secret = "secret-12345"
+    @client.access_token = "12345"
     request = @client.generate_authenticated_request(
-      :realm => 'Example',
-      :request => conn.build_request(:get) do |req|
-        req.url('https://www.googleapis.com/oauth2/v1/userinfo?alt=json')
+      realm:   "Example",
+      request: conn.build_request(:get) do |req|
+        req.url "https://www.googleapis.com/oauth2/v1/userinfo?alt=json"
       end
     )
   end
 
-  it 'should raise an error if not enough information ' +
-      'is supplied to create a request' do
-    @client.client_id = 'client-12345'
-    @client.client_secret = 'secret-12345'
-    @client.access_token = '12345'
+  it "should raise an error if not enough information " \
+     "is supplied to create a request" do
+    @client.client_id = "client-12345"
+    @client.client_secret = "secret-12345"
+    @client.access_token = "12345"
     expect(lambda do
       @client.generate_authenticated_request(
-        :realm => 'Example',
-        :method => 'POST'
+        realm:  "Example",
+        method: "POST"
       )
     end).to raise_error(ArgumentError)
   end
 
-  it 'should raise an error if the client does not have an access token' do
-    @client.client_id = 'client-12345'
-    @client.client_secret = 'secret-12345'
+  it "should raise an error if the client does not have an access token" do
+    @client.client_id = "client-12345"
+    @client.client_secret = "secret-12345"
     expect(lambda do
       @client.fetch_protected_resource
     end).to raise_error(ArgumentError)
   end
 
-  it 'should not raise an error if the API server gives an error status' do
-    @client.client_id = 'client-12345'
-    @client.client_secret = 'secret-12345'
-    @client.access_token = '12345'
+  it "should not raise an error if the API server gives an error status" do
+    @client.client_id = "client-12345"
+    @client.client_secret = "secret-12345"
+    @client.access_token = "12345"
     stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.get('/oauth2/v1/userinfo?alt=json') do
-        [509, {}, 'Rate limit hit or something.']
+      stub.get "/oauth2/v1/userinfo?alt=json" do
+        [509, {}, "Rate limit hit or something."]
       end
     end
-    connection = Faraday.new(:url => 'https://www.googleapis.com') do |builder|
-      builder.adapter(:test, stubs)
+    connection = Faraday.new url: "https://www.googleapis.com" do |builder|
+      builder.adapter :test, stubs
     end
     response = @client.fetch_protected_resource(
-      :connection => connection,
-      :uri => 'https://www.googleapis.com/oauth2/v1/userinfo?alt=json'
+      connection: connection,
+      uri:        "https://www.googleapis.com/oauth2/v1/userinfo?alt=json"
     )
     expect(response.status).to eq 509
-    expect(response.body).to eq 'Rate limit hit or something.'
+    expect(response.body).to eq "Rate limit hit or something."
     stubs.verify_stubbed_calls
   end
 
-  it 'should only raise an error if the API server ' +
-      'gives an authorization failed status' do
-    @client.client_id = 'client-12345'
-    @client.client_secret = 'secret-12345'
-    @client.access_token = '12345'
+  it "should only raise an error if the API server " \
+     "gives an authorization failed status" do
+    @client.client_id = "client-12345"
+    @client.client_secret = "secret-12345"
+    @client.access_token = "12345"
     stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.get('/oauth2/v1/userinfo?alt=json') do
-        [401, {}, 'User authorization failed or something.']
+      stub.get "/oauth2/v1/userinfo?alt=json" do
+        [401, {}, "User authorization failed or something."]
       end
     end
     expect(lambda do
       connection = Faraday.new(
-        :url => 'https://www.googleapis.com'
+        url: "https://www.googleapis.com"
       ) do |builder|
-        builder.adapter(:test, stubs)
+        builder.adapter :test, stubs
       end
       @client.fetch_protected_resource(
-        :connection => connection,
-        :uri => 'https://www.googleapis.com/oauth2/v1/userinfo?alt=json'
+        connection: connection,
+        uri:        "https://www.googleapis.com/oauth2/v1/userinfo?alt=json"
       )
     end).to raise_error(Signet::AuthorizationError)
     stubs.verify_stubbed_calls
   end
 
-  it 'should correctly handle an ID token' do
-    @client.client_id = 'client-12345'
-    @client.client_secret = 'secret-12345'
+  it "should correctly handle an ID token" do
+    @client.client_id = "client-12345"
+    @client.client_secret = "secret-12345"
     stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.post('/token') do
-        build_json_response({
-          'access_token' => '12345',
-          'refresh_token' => '54321',
-          'expires_in' => '3600',
-          'id_token' => (
-            'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl9oYXNoIjoidGdoRD' +
-            'lKN244VjBOMnZjdzZlTWlqZyIsImF1ZCI6ImNsaWVudC0xMjM0NSIsImlkIjoiM' +
-            'TIzNDUiLCJpYXQiOjEzMjA2NzA5NzgsImV4cCI6MTMyMDY3NDg3OCwiY2lkIjoi' +
-            'Y2xpZW50LTEyMzQ1IiwiaXNzIjoiZXhhbXBsZS5jb20ifQ.tsF3srlBaAh6pV3U' +
-            'wfRrHSA3-jwnvOw6MMsQ6sO4kjc'
+      stub.post "/token" do
+        build_json_response(
+          "access_token"  => "12345",
+          "refresh_token" => "54321",
+          "expires_in"    => "3600",
+          "id_token"      => (
+            "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl9oYXNoIjoidGdoRD" \
+            "lKN244VjBOMnZjdzZlTWlqZyIsImF1ZCI6ImNsaWVudC0xMjM0NSIsImlkIjoiM" \
+            "TIzNDUiLCJpYXQiOjEzMjA2NzA5NzgsImV4cCI6MTMyMDY3NDg3OCwiY2lkIjoi" \
+            "Y2xpZW50LTEyMzQ1IiwiaXNzIjoiZXhhbXBsZS5jb20ifQ.tsF3srlBaAh6pV3U" \
+            "wfRrHSA3-jwnvOw6MMsQ6sO4kjc"
           )
-        })
+        )
       end
     end
-    connection = Faraday.new(:url => 'https://www.google.com') do |builder|
-      builder.adapter(:test, stubs)
+    connection = Faraday.new url: "https://www.google.com" do |builder|
+      builder.adapter :test, stubs
     end
     @client.fetch_access_token!(
-      :connection => connection
+      connection: connection
     )
-    expect(@client.access_token).to eq '12345'
-    expect(@client.refresh_token).to eq '54321'
-    expect(@client.decoded_id_token(nil, :verify_expiration => false)).to eq ({
+    expect(@client.access_token).to eq "12345"
+    expect(@client.refresh_token).to eq "54321"
+    expect(@client.decoded_id_token(nil, verify_expiration: false)).to eq ({
       "token_hash" => "tghD9J7n8V0N2vcw6eMijg",
-      "id" => "12345",
-      "aud" => "client-12345",
-      "iat" => 1320670978,
-      "exp" => 1320674878,
-      "cid" => "client-12345",
-      "iss" => "example.com"
+      "id"         => "12345",
+      "aud"        => "client-12345",
+      "iat"        => 1_320_670_978,
+      "exp"        => 1_320_674_878,
+      "cid"        => "client-12345",
+      "iss"        => "example.com"
     })
     expect(@client.expires_in).to eq 3600
     stubs.verify_stubbed_calls
   end
 
-  it 'should raise an error decoding an ID token if ' +
-      'audience does not match client ID' do
-    @client.client_id = 'client-54321'
-    @client.client_secret = 'secret-12345'
+  it "should correctly handle an ID token with `aud` array" do
+    @client.client_id = "client-12345"
+    @client.client_secret = "secret-12345"
     stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.post('/token') do
-        build_json_response({
-          'access_token' => '12345',
-          'refresh_token' => '54321',
-          'expires_in' => '3600',
-          'id_token' => (
-            'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl9oYXNoIjoidGdoRD' +
-            'lKN244VjBOMnZjdzZlTWlqZyIsImF1ZCI6ImNsaWVudC0xMjM0NSIsImlkIjoiM' +
-            'TIzNDUiLCJpYXQiOjEzMjA2NzA5NzgsImV4cCI6MTMyMDY3NDg3OCwiY2lkIjoi' +
-            'Y2xpZW50LTEyMzQ1IiwiaXNzIjoiZXhhbXBsZS5jb20ifQ.tsF3srlBaAh6pV3U' +
-            'wfRrHSA3-jwnvOw6MMsQ6sO4kjc'
+      stub.post "/token" do
+        build_json_response(
+          "access_token"  => "12345",
+          "refresh_token" => "54321",
+          "expires_in"    => "3600",
+          "id_token"      => (
+            "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl9oYXNoIjoidGdoRD" \
+            "lKN244VjBOMnZjdzZlTWlqZyIsImF1ZCI6WyJjbGllbnQtMTIzNDUiXSwiaWQiO" \
+            "iIxMjM0NSIsImlhdCI6MTMyMDY3MDk3OCwiZXhwIjoxMzIwNjc0ODc4LCJjaWQi" \
+            "OiJjbGllbnQtMTIzNDUiLCJpc3MiOiJleGFtcGxlLmNvbSJ9.rSaY-M9YlB4pcU" \
+            "uNf21FeEtOM9pBGr_a7xe9fZrpWWU"
           )
-        })
+        )
       end
     end
-    connection = Faraday.new(:url => 'https://www.google.com') do |builder|
-      builder.adapter(:test, stubs)
+    connection = Faraday.new url: "https://www.google.com" do |builder|
+      builder.adapter :test, stubs
     end
     @client.fetch_access_token!(
-      :connection => connection
+      connection: connection
     )
-    expect(@client.access_token).to eq '12345'
-    expect(@client.refresh_token).to eq '54321'
+    expect(@client.access_token).to eq "12345"
+    expect(@client.refresh_token).to eq "54321"
+    expect(@client.decoded_id_token(nil, verify_expiration: false)).to eq ({
+      "token_hash" => "tghD9J7n8V0N2vcw6eMijg",
+      "id"         => "12345",
+      "aud"        => ["client-12345"],
+      "iat"        => 1_320_670_978,
+      "exp"        => 1_320_674_878,
+      "cid"        => "client-12345",
+      "iss"        => "example.com"
+    })
+    expect(@client.expires_in).to eq 3600
+    stubs.verify_stubbed_calls
+  end
+
+  it "should raise an error decoding an ID token if " \
+     "audience does not match client ID" do
+    @client.client_id = "client-54321"
+    @client.client_secret = "secret-12345"
+    stubs = Faraday::Adapter::Test::Stubs.new do |stub|
+      stub.post "/token" do
+        build_json_response(
+          "access_token"  => "12345",
+          "refresh_token" => "54321",
+          "expires_in"    => "3600",
+          "id_token"      => (
+            "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl9oYXNoIjoidGdoRD" \
+            "lKN244VjBOMnZjdzZlTWlqZyIsImF1ZCI6ImNsaWVudC0xMjM0NSIsImlkIjoiM" \
+            "TIzNDUiLCJpYXQiOjEzMjA2NzA5NzgsImV4cCI6MTMyMDY3NDg3OCwiY2lkIjoi" \
+            "Y2xpZW50LTEyMzQ1IiwiaXNzIjoiZXhhbXBsZS5jb20ifQ.tsF3srlBaAh6pV3U" \
+            "wfRrHSA3-jwnvOw6MMsQ6sO4kjc"
+          )
+        )
+      end
+    end
+    connection = Faraday.new url: "https://www.google.com" do |builder|
+      builder.adapter :test, stubs
+    end
+    @client.fetch_access_token!(
+      connection: connection
+    )
+    expect(@client.access_token).to eq "12345"
+    expect(@client.refresh_token).to eq "54321"
     expect(@client.expires_in).to eq 3600
     expect(lambda do
-      @client.decoded_id_token(nil, :verify_expiration => false)
+      @client.decoded_id_token nil, verify_expiration: false
     end).to raise_error(Signet::UnsafeOperationError)
     stubs.verify_stubbed_calls
   end
 
-  it 'should raise an error decoding an ID token if ' +
-      'audience is missing' do
-    @client.client_id = 'client-12345'
-    @client.client_secret = 'secret-12345'
+  it "should raise an error decoding an ID token if " \
+     "audience is missing" do
+    @client.client_id = "client-12345"
+    @client.client_secret = "secret-12345"
     stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.post('/token') do
-        build_json_response({
-          'access_token' => '12345',
-          'refresh_token' => '54321',
-          'expires_in' => '3600',
-          'id_token' => (
-            'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl9oYXNoIjoidGdoRD' +
-            'lKN244VjBOMnZjdzZlTWlqZyIsImlkIjoiMTIzNDUiLCJpYXQiOjEzMjA2NzA5N' +
-            'zgsImV4cCI6MTMyMDY3NDg3OCwiY2lkIjoiY2xpZW50LTEyMzQ1IiwiaXNzIjoi' +
-            'ZXhhbXBsZS5jb20ifQ.7qj85CKbQyVdDe5y2ScdJAZNkEeKMPW9LIonLxG1vu8'
+      stub.post "/token" do
+        build_json_response(
+          "access_token"  => "12345",
+          "refresh_token" => "54321",
+          "expires_in"    => "3600",
+          "id_token"      => (
+            "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl9oYXNoIjoidGdoRD" \
+            "lKN244VjBOMnZjdzZlTWlqZyIsImlkIjoiMTIzNDUiLCJpYXQiOjEzMjA2NzA5N" \
+            "zgsImV4cCI6MTMyMDY3NDg3OCwiY2lkIjoiY2xpZW50LTEyMzQ1IiwiaXNzIjoi" \
+            "ZXhhbXBsZS5jb20ifQ.7qj85CKbQyVdDe5y2ScdJAZNkEeKMPW9LIonLxG1vu8"
           )
-        })
+        )
       end
     end
-    connection = Faraday.new(:url => 'https://www.google.com') do |builder|
-      builder.adapter(:test, stubs)
+    connection = Faraday.new url: "https://www.google.com" do |builder|
+      builder.adapter :test, stubs
     end
     @client.fetch_access_token!(
-      :connection => connection
+      connection: connection
     )
-    expect(@client.access_token).to eq '12345'
-    expect(@client.refresh_token).to eq '54321'
+    expect(@client.access_token).to eq "12345"
+    expect(@client.refresh_token).to eq "54321"
     expect(@client.expires_in).to eq 3600
     expect(lambda do
-      @client.decoded_id_token(nil, :verify_expiration => false)
+      @client.decoded_id_token nil, verify_expiration: false
     end).to raise_error(Signet::UnsafeOperationError)
     stubs.verify_stubbed_calls
   end
 
-  it 'should raise an error if the id token cannot be verified' do
+  it "should raise an error if the id token cannot be verified" do
     pending "Need to set test data"
-    @client.client_id = 'client-12345'
-    @client.client_secret = 'secret-12345'
+    @client.client_id = "client-12345"
+    @client.client_secret = "secret-12345"
     stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.post('/token') do
-        build_json_response({
-          'access_token' => '12345',
-          'refresh_token' => '54321',
-          'expires_in' => '3600',
-          'id_token' => (
-            'eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiY' +
-            'XVkIjoiMTA2MDM1Nzg5MTY4OC5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSI' +
-            'sImNpZCI6IjEwNjAzNTc4OTE2ODguYXBwcy5nb29nbGV1c2VyY29udGVudC5jb' +
-            '20iLCJpZCI6IjExNjQ1MjgyNDMwOTg1Njc4MjE2MyIsInRva2VuX2hhc2giOiJ' +
-            '0Z2hEOUo4bjhWME4ydmN3NmVNaWpnIiwiaWF0IjoxMzIwNjcwOTc4LCJleHAiO' +
-            'jEzMjA2NzQ4Nzh9.D8x_wirkxDElqKdJBcsIws3Ogesk38okz6MN7zqC7nEAA7' +
-            'wcy1PxsROY1fmBvXSer0IQesAqOW-rPOCNReSn-eY8d53ph1x2HAF-AzEi3GOl' +
-            '6hFycH8wj7Su6JqqyEbIVLxE7q7DkAZGaMPkxbTHs1EhSd5_oaKQ6O4xO3ZnnT4'
+      stub.post "/token" do
+        build_json_response(
+          "access_token"  => "12345",
+          "refresh_token" => "54321",
+          "expires_in"    => "3600",
+          "id_token"      => (
+            "eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiY" \
+            "XVkIjoiMTA2MDM1Nzg5MTY4OC5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSI" \
+            "sImNpZCI6IjEwNjAzNTc4OTE2ODguYXBwcy5nb29nbGV1c2VyY29udGVudC5jb" \
+            "20iLCJpZCI6IjExNjQ1MjgyNDMwOTg1Njc4MjE2MyIsInRva2VuX2hhc2giOiJ" \
+            "0Z2hEOUo4bjhWME4ydmN3NmVNaWpnIiwiaWF0IjoxMzIwNjcwOTc4LCJleHAiO" \
+            "jEzMjA2NzQ4Nzh9.D8x_wirkxDElqKdJBcsIws3Ogesk38okz6MN7zqC7nEAA7" \
+            "wcy1PxsROY1fmBvXSer0IQesAqOW-rPOCNReSn-eY8d53ph1x2HAF-AzEi3GOl" \
+            "6hFycH8wj7Su6JqqyEbIVLxE7q7DkAZGaMPkxbTHs1EhSd5_oaKQ6O4xO3ZnnT4"
           )
-        })
+        )
       end
     end
-    connection = Faraday.new(:url => 'https://www.google.com') do |builder|
-      builder.adapter(:test, stubs)
+    connection = Faraday.new url: "https://www.google.com" do |builder|
+      builder.adapter :test, stubs
     end
     @client.fetch_access_token!(
-      :connection => connection
+      connection: connection
     )
-    expect(@client.access_token).to eq '12345'
-    expect(@client.refresh_token).to eq '54321'
+    expect(@client.access_token).to eq "12345"
+    expect(@client.refresh_token).to eq "54321"
     expect(@client.expires_in).to eq 3600
     expect(lambda do
-      pubkey = OpenSSL::PKey::RSA.new(<<-PUBKEY)
+      pubkey = OpenSSL::PKey::RSA.new <<~PUBKEY
 -----BEGIN PUBLIC KEY-----
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxCaY7425h964bjaoLeUm
 SlZ8sK7VtVk9zHbGmZh2ygGYwfuUf2bmMye2Ofv99yDE/rd4loVIAcu7RVvDRgHq
@@ -999,180 +1033,222 @@ SvbWhCDa/LMOWxHdmrcJi6XoSg1vnOyCoKbyAoauTt/XqdkHbkDdQ6HFbJieu9il
 LDZZNliPhfENuKeC2MCGVXTEu8Cqhy1w6e4axavLlXoYf4laJIZ/e7au8SqDbY0B
 xwIDAQAB
 -----END PUBLIC KEY-----
-PUBKEY
-      @client.decoded_id_token(pubkey)
+      PUBKEY
+      @client.decoded_id_token pubkey
     end).to raise_error(JWT::ExpiredSignature)
     stubs.verify_stubbed_calls
   end
 end
 
-describe Signet::OAuth2::Client, 'authorization_uri' do
+describe Signet::OAuth2::Client, "authorization_uri" do
   before do
     @client = Signet::OAuth2::Client.new(
-      :client_id => 's6BhdRkqt3',
-      :redirect_uri => 'https://example.client.com/callback',
-      :authorization_uri => 'https://example.com/authorize'
+      client_id:         "s6BhdRkqt3",
+      redirect_uri:      "https://example.client.com/callback",
+      authorization_uri: "https://example.com/authorize"
     )
   end
 
-  it 'should set access_type to offline by default' do
-    expect(@client.authorization_uri.query_values['access_type']).to eq 'offline'
+  it "should set access_type to offline by default" do
+    expect(@client.authorization_uri.query_values["access_type"]).to eq "offline"
   end
 
-  it 'should set response_type to code by default' do
-    expect(@client.authorization_uri.query_values['response_type']).to eq 'code'
+  it "should set response_type to code by default" do
+    expect(@client.authorization_uri.query_values["response_type"]).to eq "code"
   end
 
-  it 'should raise an error when setting both prompt and approval_prompt' do
+  it "should raise an error when setting both prompt and approval_prompt" do
     expect(lambda do
-      @client.authorization_uri(:approval_prompt => 'force', :prompt => 'consent')
+      @client.authorization_uri approval_prompt: "force", prompt: "consent"
     end).to raise_error(ArgumentError)
   end
 end
 
-describe Signet::OAuth2::Client, 'configured with custom parameters' do
+describe Signet::OAuth2::Client, "configured with custom parameters" do
   before do
     @client = Signet::OAuth2::Client.new(
-        :client_id => 's6BhdRkqt3',
-        :redirect_uri => 'https://example.client.com/callback',
-        :authorization_uri => 'https://example.com/authorize',
-        :token_credential_uri => 'https://example.com/token',
-        :additional_parameters =>{'type' => 'web_server'}
+      client_id:             "s6BhdRkqt3",
+      redirect_uri:          "https://example.client.com/callback",
+      authorization_uri:     "https://example.com/authorize",
+      token_credential_uri:  "https://example.com/token",
+      additional_parameters: { "type" => "web_server" }
     )
   end
 
   # Normalizing to symbols - good test case example here for changes to normalized input.
   # Also tests Addressable's output.
   # Note: The only changes made here are to testing the **INTERNAL** representation of options.
-  it 'should allow custom parameters to be set on init' do
-    expect(@client.additional_parameters).to eq({:type => 'web_server'})
+  it "should allow custom parameters to be set on init" do
+    expect(@client.additional_parameters).to eq({ type: "web_server" })
   end
 
-  it 'should allow custom parameters to be updated' do
-    @client.update!(:additional_parameters => {:type => 'new_type'})
-    expect(@client.additional_parameters).to eq ({ :type => 'new_type'})
+  it "should allow custom parameters to be updated" do
+    @client.update! additional_parameters: { type: "new_type" }
+    expect(@client.additional_parameters).to eq ({ type: "new_type" })
   end
 
-  it 'should use custom parameters when generating authorization_uri' do
-    expect(@client.authorization_uri().query_values).to eq ({
-      "access_type"=>"offline",
-      "client_id"=>"s6BhdRkqt3",
-      "redirect_uri"=>"https://example.client.com/callback",
-      "response_type"=>"code",
-      "type"=>"web_server"})
+  it "should use custom parameters when generating authorization_uri" do
+    expect(@client.authorization_uri.query_values).to eq ({
+      "access_type"   => "offline",
+      "client_id"     => "s6BhdRkqt3",
+      "redirect_uri"  => "https://example.client.com/callback",
+      "response_type" => "code",
+      "type"          => "web_server"
+ })
   end
 
-  it 'should merge new authorization_uri custom parameters' do
-    expect(@client.authorization_uri(:additional_parameters => {'type' => 'new_type', 'new_param' => 'new_val'}).query_values).to eql({"access_type"=>"offline", "client_id"=>"s6BhdRkqt3", "new_param"=>"new_val",  "response_type"=>"code","redirect_uri"=>"https://example.client.com/callback", "type"=>"new_type"})
+  it "should merge new authorization_uri custom parameters" do
+    expect(@client.authorization_uri(additional_parameters: { "type" => "new_type", "new_param" => "new_val" }).query_values).to eql({ "access_type" => "offline", "client_id" => "s6BhdRkqt3", "new_param" => "new_val", "response_type" => "code", "redirect_uri" => "https://example.client.com/callback", "type" => "new_type" })
   end
 
-  it 'should merge new generate_access_token_request custom parameters' do
-    @client.update!(:code=>'12345')
-    params = @client.generate_access_token_request(:additional_parameters => {'type' => 'new_type', 'new_param' => 'new_val'})
-    expect(params).to include('type' => 'new_type')
-    expect(params).to include('new_param' => 'new_val')
+  it "should merge new generate_access_token_request custom parameters" do
+    @client.update! code: "12345"
+    params = @client.generate_access_token_request additional_parameters: { "type" => "new_type", "new_param" => "new_val" }
+    expect(params).to include("type" => "new_type")
+    expect(params).to include("new_param" => "new_val")
   end
 end
 
-describe Signet::OAuth2::Client, 'configured with custom parameters' do
+describe Signet::OAuth2::Client, "configured with custom parameters" do
   before do
     @client = Signet::OAuth2::Client.new(
-        "client_id" => 's6BhdRkqt3',
-        "redirect_uri" => 'https://example.client.com/callback',
-        "authorization_uri" => 'https://example.com/authorize',
-        "token_credential_uri" => 'https://example.com/token',
-        "additional_parameters" => {'type' => 'web_server'}
-    )
+      "client_id"             => "s6BhdRkqt3",
+      "redirect_uri"          => "https://example.client.com/callback",
+      "authorization_uri"     => "https://example.com/authorize",
+      "token_credential_uri"  => "https://example.com/token",
+      "additional_parameters" => { "type" => "web_server" }
+      )
   end
 
   # Normalizing to symbols - good test case example here for changes to normalized input.
   # Also tests Addressable's output.
   # Note: The only changes made here are to testing the **INTERNAL** representation of options.
-  it 'should allow custom parameters to be set on init' do
-    expect(@client.additional_parameters).to eq ({ :type => 'web_server'})
+  it "should allow custom parameters to be set on init" do
+    expect(@client.additional_parameters).to eq ({ type: "web_server" })
   end
 
-  it 'should allow custom parameters to be updated' do
-    @client.update!(:additional_parameters => {'type' => 'new_type'})
-    expect(@client.additional_parameters).to eql ({ :type => 'new_type'})
+  it "should allow custom parameters to be updated" do
+    @client.update! additional_parameters: { "type" => "new_type" }
+    expect(@client.additional_parameters).to eql ({ type: "new_type" })
   end
 
-  it 'should use custom parameters when generating authorization_uri' do
-    expect(@client.authorization_uri().query_values).to eq ({"access_type"=>"offline", "client_id"=>"s6BhdRkqt3", "redirect_uri"=>"https://example.client.com/callback", "response_type"=>"code", "type"=>"web_server"})
+  it "should use custom parameters when generating authorization_uri" do
+    expect(@client.authorization_uri.query_values).to eq ({ "access_type" => "offline", "client_id" => "s6BhdRkqt3", "redirect_uri" => "https://example.client.com/callback", "response_type" => "code", "type" => "web_server" })
   end
 
-  it 'should have the correct authorization_uri' do
-    expect(@client.authorization_uri.host).to eq 'example.com'
-    expect(@client.authorization_uri.path).to eq '/authorize'
+  it "should have the correct authorization_uri" do
+    expect(@client.authorization_uri.host).to eq "example.com"
+    expect(@client.authorization_uri.path).to eq "/authorize"
   end
 
-  it 'should merge new authorization_uri custom parameters' do
-    expect(@client.authorization_uri(:additional_parameters => {'type' => 'new_type', 'new_param' => 'new_val'}).query_values).to eq ({"access_type"=>"offline", "client_id"=>"s6BhdRkqt3", "new_param"=>"new_val",  "response_type"=>"code","redirect_uri"=>"https://example.client.com/callback", "type"=>"new_type"})
+  it "should merge new authorization_uri custom parameters" do
+    expect(@client.authorization_uri(additional_parameters: { "type" => "new_type", "new_param" => "new_val" }).query_values).to eq ({ "access_type" => "offline", "client_id" => "s6BhdRkqt3", "new_param" => "new_val", "response_type" => "code", "redirect_uri" => "https://example.client.com/callback", "type" => "new_type" })
   end
 
-  it 'should not have access_type parameter in authorization_uri when we set it to nil in client' do
-    @client.update!(:access_type=>nil)
-    expect(@client.authorization_uri().query_values).to eq ({"client_id"=>"s6BhdRkqt3", "response_type"=>"code", "redirect_uri"=>"https://example.client.com/callback"})
+  it "should not have access_type parameter in authorization_uri when we set it to nil in client" do
+    @client.update! access_type: nil
+    expect(@client.authorization_uri.query_values).to eq ({ "client_id" => "s6BhdRkqt3", "response_type" => "code", "redirect_uri" => "https://example.client.com/callback" })
   end
 
-  it 'should use new access_type parameter as default for authorization_uri' do
-    @client.update!(:access_type=>:online)
-    expect(@client.authorization_uri().query_values).to eq ({"access_type"=>"online", "client_id"=>"s6BhdRkqt3", "response_type"=>"code", "redirect_uri"=>"https://example.client.com/callback"})
+  it "should use new access_type parameter as default for authorization_uri" do
+    @client.update! access_type: :online
+    expect(@client.authorization_uri.query_values).to eq ({ "access_type" => "online", "client_id" => "s6BhdRkqt3", "response_type" => "code", "redirect_uri" => "https://example.client.com/callback" })
   end
 
-  it 'should merge new generate_access_token_request custom parameters' do
-    @client.update!(:code=>'12345')
-    params = @client.generate_access_token_request(:additional_parameters => {'type' => 'new_type', 'new_param' => 'new_val'})
+  it "should merge new generate_access_token_request custom parameters" do
+    @client.update! code: "12345"
+    params = @client.generate_access_token_request additional_parameters: { "type" => "new_type", "new_param" => "new_val" }
     expect(params).to include("type" => "new_type")
     expect(params).to include("new_param" => "new_val")
   end
 end
 
-describe Signet::OAuth2::Client, 'configured with custom parameters a la JSON.load(credentials_file)' do
+describe Signet::OAuth2::Client, "configured with custom parameters a la JSON.load(credentials_file)" do
   before do
     @client = Signet::OAuth2::Client.new(
-        "client_id" => 's6BhdRkqt3',
-        "redirect_uri" => 'https://example.client.com/callback',
-        "authorization_uri" => {"scheme"=>"https", "user"=>nil, "password"=>nil, "host"=>"accounts.google.com", "port"=>nil, "path"=>"/o/oauth2/auth", "query"=>nil, "fragment"=>nil},
-        "token_credential_uri" => 'https://example.com/token',
-        "additional_parameters" => {'type' => 'web_server'}
-    )
+      "client_id"             => "s6BhdRkqt3",
+      "redirect_uri"          => "https://example.client.com/callback",
+      "authorization_uri"     => { "scheme" => "https", "user" => nil, "password" => nil, "host" => "accounts.google.com", "port" => nil, "path" => "/o/oauth2/auth", "query" => nil, "fragment" => nil },
+      "token_credential_uri"  => "https://example.com/token",
+      "additional_parameters" => { "type" => "web_server" }
+      )
   end
 
-  it 'should allow custom parameters to be set on init' do
-    expect(@client.additional_parameters).to eq ({:type => 'web_server'})
+  it "should allow custom parameters to be set on init" do
+    expect(@client.additional_parameters).to eq ({ type: "web_server" })
   end
 
-  it 'should allow custom parameters to be updated' do
-    @client.update!(:additional_parameters => {'type' => 'new_type'})
-    expect(@client.additional_parameters).to eql ({:type => 'new_type'})
+  it "should allow custom parameters to be updated" do
+    @client.update! additional_parameters: { "type" => "new_type" }
+    expect(@client.additional_parameters).to eql ({ type: "new_type" })
   end
 
-  it 'should have correct authorization_uri hash options' do
+  it "should have correct authorization_uri hash options" do
     expect(@client.authorization_uri.host).to eq "accounts.google.com"
     expect(@client.authorization_uri.path).to eq "/o/oauth2/auth"
   end
 
-  it 'should use custom parameters when generating authorization_uri' do
-    expect(@client.authorization_uri().query_values).to eq ({"access_type"=>"offline", "client_id"=>"s6BhdRkqt3", "redirect_uri"=>"https://example.client.com/callback", "response_type"=>"code", "type"=>"web_server"})
+  it "should use custom parameters when generating authorization_uri" do
+    expect(@client.authorization_uri.query_values).to eq ({ "access_type" => "offline", "client_id" => "s6BhdRkqt3", "redirect_uri" => "https://example.client.com/callback", "response_type" => "code", "type" => "web_server" })
   end
 
   # , "path" => "/o/oauth2/oauth", "host" => "accounts.google.com"
 
-  it 'should merge new authorization_uri custom parameters' do
-    expect(@client.authorization_uri(:additional_parameters => {'type' => 'new_type', 'new_param' => 'new_val'}).query_values).to eq ({
-      "access_type"=>"offline",
-      "client_id"=>"s6BhdRkqt3",
-      "new_param"=>"new_val",
-      "response_type"=>"code",
-      "redirect_uri"=>"https://example.client.com/callback",
-      "type"=>"new_type"})
+  it "should merge new authorization_uri custom parameters" do
+    expect(@client.authorization_uri(additional_parameters: { "type" => "new_type", "new_param" => "new_val" }).query_values).to eq ({
+      "access_type"   => "offline",
+      "client_id"     => "s6BhdRkqt3",
+      "new_param"     => "new_val",
+      "response_type" => "code",
+      "redirect_uri"  => "https://example.client.com/callback",
+      "type"          => "new_type"
+ })
   end
 
-  it 'should merge new generate_access_token_request custom parameters' do
-    @client.update!(:code=>'12345')
-    params = @client.generate_access_token_request(:additional_parameters => {'type' => 'new_type', 'new_param' => 'new_val'})
+  it "should merge new generate_access_token_request custom parameters" do
+    @client.update! code: "12345"
+    params = @client.generate_access_token_request additional_parameters: { "type" => "new_type", "new_param" => "new_val" }
     expect(params).to include("type" => "new_type")
     expect(params).to include("new_param" => "new_val")
   end
 end
+
+describe Signet::OAuth2::Client, "configured for id tokens" do
+  before do
+    @key = OpenSSL::PKey::RSA.new 2048
+    @client = Signet::OAuth2::Client.new(
+      token_credential_uri: "https://oauth2.googleapis.com/token",
+      target_audience:      "https://api.example.com",
+      issuer:               "app@example.com",
+      audience:             "https://hello.googleapis.com",
+      signing_key:          @key
+    )
+  end
+
+  it "should set target_audience" do
+    expect(@client.target_audience).to eq "https://api.example.com"
+  end
+
+  it "should send a valid id token request" do
+    stubs = Faraday::Adapter::Test::Stubs.new do |stub|
+      stub.post "/token" do |env|
+        params = Addressable::URI.form_unencode env[:body]
+        claim, header = JWT.decode params.assoc("assertion").last, @key.public_key, true, algorithm: "RS256"
+        expect(params.assoc("grant_type")).to eq ["grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer"]
+        expect(claim["target_audience"]).to eq "https://api.example.com"
+        expect(claim["iss"]).to eq "app@example.com"
+        expect(claim["aud"]).to eq "https://hello.googleapis.com"
+        build_json_response(
+          "id_token"  => "12345id",
+          "refresh_token" => "54321refresh",
+          "expires_in"    => "3600"
+        )
+      end
+    end
+    connection = Faraday.new url: "https://www.google.com" do |builder|
+      builder.adapter :test, stubs
+    end
+    @client.fetch_access_token! connection: connection
+    expect(@client.id_token).to eq "12345id"
+  end
+end