signet 0.15.0 → 0.16.0

data/spec/signet/oauth_2/client_spec.rb

@@ -1,1254 +0,0 @@
-# Copyright (C) 2010 Google Inc.
-#
-#    Licensed under the Apache License, Version 2.0 (the "License");
-#    you may not use this file except in compliance with the License.
-#    You may obtain a copy of the License at
-#
-#        http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS,
-#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-#    See the License for the specific language governing permissions and
-#    limitations under the License.
-require "spec_helper"
-require "signet/oauth_2/client"
-require "openssl"
-require "jwt"
-require "date"
-
-conn = Faraday.default_connection
-
-def build_json_response payload
-  [200, { "Content-Type" => "application/json; charset=utf-8" }, MultiJson.dump(payload)]
-end
-
-def build_form_encoded_response payload
-  [200, { "Content-Type" => "application/json; charset=utf-8" }, Addressable::URI.form_encode(payload)]
-end
-
-describe Signet::OAuth2::Client, "unconfigured" do
-  before do
-    @client = Signet::OAuth2::Client.new
-  end
-  it "should allow additional paraemters to be set." do
-    @client.additional_parameters["type"] = "web_server"
-    expect(@client.additional_parameters).to eq({ "type" => "web_server" })
-  end
-  it "should raise an error if a bogus scope is provided" do
-    expect(lambda do
-      @client = Signet::OAuth2::Client.new scope: :bogus
-    end).to raise_error(TypeError)
-  end
-
-  it "should raise an error if a scope array is provided with spaces" do
-    expect(lambda do
-      @client = Signet::OAuth2::Client.new(
-        scope: ["legit", "bogus bogus"]
-      )
-    end).to raise_error(ArgumentError)
-  end
-
-  it "should allow the scope to be set to a String" do
-    @client.scope = "legit"
-    expect(@client.scope).to eq ["legit"]
-    @client.scope = "legit alsolegit"
-    expect(@client.scope).to eq ["legit", "alsolegit"]
-  end
-
-  it "should allow the scope to be set to an Array" do
-    @client.scope = ["legit"]
-    expect(@client.scope).to eq ["legit"]
-    @client.scope = ["legit", "alsolegit"]
-    expect(@client.scope).to eq ["legit", "alsolegit"]
-  end
-
-  it "should raise an error if a bogus redirect URI is provided" do
-    expect(lambda do
-      @client = Signet::OAuth2::Client.new redirect_uri: :bogus
-    end).to raise_error(TypeError)
-  end
-
-  it "should raise an error if a relative redirect URI is provided" do
-    expect(lambda do
-      @client = Signet::OAuth2::Client.new redirect_uri: "/relative/path"
-    end).to raise_error(ArgumentError)
-  end
-
-  it 'should allow "postmessage" as a redirect URI (Google hack)' do
-    @client.authorization_uri = "https://example.com/authorize"
-    @client.client_id = "s6BhdRkqt3"
-    @client.redirect_uri = "postmessage"
-    expect(@client.authorization_uri.query_values["redirect_uri"]).to eq "postmessage"
-  end
-
-  it "should allow oob values as a redirect URI (for installed apps)" do
-    @client.authorization_uri = "https://example.com/authorize"
-    @client.client_id = "s6BhdRkqt3"
-    @client.redirect_uri = "urn:ietf:wg:oauth:2.0:oob"
-    expect(@client.authorization_uri.query_values["redirect_uri"]).to eq "urn:ietf:wg:oauth:2.0:oob"
-    @client.redirect_uri = "oob"
-    expect(@client.authorization_uri.query_values["redirect_uri"]).to eq "oob"
-  end
-
-  it "should have no authorization_uri" do
-    expect(@client.authorization_uri).to eq nil
-  end
-
-  it "should allow the authorization_uri to be set to a String" do
-    @client.authorization_uri = "https://example.com/authorize"
-    @client.client_id = "s6BhdRkqt3"
-    @client.redirect_uri = "https://example.client.com/callback"
-    expect(@client.authorization_uri.to_s).to include(
-      "https://example.com/authorize"
-    )
-    expect(@client.authorization_uri.query_values["client_id"]).to eq "s6BhdRkqt3"
-    expect(@client.authorization_uri.query_values["redirect_uri"]).to eq(
-      "https://example.client.com/callback"
-    )
-  end
-
-  it "should allow the authorization_uri to be set to a Hash" do
-    @client.authorization_uri = {
-      scheme: "https", host: "example.com", path: "/authorize"
-    }
-    @client.client_id = "s6BhdRkqt3"
-    @client.redirect_uri = "https://example.client.com/callback"
-    expect(@client.authorization_uri.to_s).to include(
-      "https://example.com/authorize"
-    )
-    expect(@client.authorization_uri.query_values["client_id"]).to eq "s6BhdRkqt3"
-    expect(@client.authorization_uri.query_values["redirect_uri"]).to eq( 
-      "https://example.client.com/callback"
-    )
-  end
-
-  it "should allow the authorization_uri to be set to a URI" do
-    @client.authorization_uri =
-      Addressable::URI.parse "https://example.com/authorize"
-    @client.client_id = "s6BhdRkqt3"
-    @client.redirect_uri =
-      Addressable::URI.parse "https://example.client.com/callback"
-    expect(@client.authorization_uri.to_s).to include(
-      "https://example.com/authorize"
-    )
-    expect(@client.authorization_uri.query_values["client_id"]).to eq "s6BhdRkqt3"
-    expect(@client.authorization_uri.query_values["redirect_uri"]).to eq(
-      "https://example.client.com/callback"
-    )
-  end
-
-  it "should require a redirect URI when getting the authorization_uri" do
-    @client.authorization_uri =
-      Addressable::URI.parse "https://example.com/authorize"
-    @client.client_id = "s6BhdRkqt3"
-    expect(lambda do
-      @client.authorization_uri
-    end).to raise_error(ArgumentError)
-  end
-
-  it "should require a client ID when getting the authorization_uri" do
-    @client.authorization_uri =
-      Addressable::URI.parse "https://example.com/authorize"
-    @client.redirect_uri =
-      Addressable::URI.parse "https://example.client.com/callback"
-    expect(lambda do
-      @client.authorization_uri
-    end).to raise_error(ArgumentError)
-  end
-
-  it "should have no token_credential_uri" do
-    expect(@client.token_credential_uri).to eq nil
-  end
-
-  it "should allow the token_credential_uri to be set to a String" do
-    @client.token_credential_uri = "https://example.com/token"
-    expect(@client.token_credential_uri.to_s).to eq "https://example.com/token"
-  end
-
-  it "should allow the token_credential_uri to be set to a Hash" do
-    @client.token_credential_uri = {
-      scheme: "https", host: "example.com", path: "/token"
-    }
-    expect(@client.token_credential_uri.to_s).to eq "https://example.com/token"
-  end
-
-  it "should allow the token_credential_uri to be set to a URI" do
-    @client.token_credential_uri =
-      Addressable::URI.parse "https://example.com/token"
-    expect(@client.token_credential_uri.to_s).to eq "https://example.com/token"
-  end
-end
-
-describe Signet::OAuth2::Client, "configured for assertions profile" do
-  describe "when using RSA keys" do
-    before do
-      @key = OpenSSL::PKey::RSA.new 2048
-      @client = Signet::OAuth2::Client.new(
-        token_credential_uri: "https://oauth2.googleapis.com/token",
-        scope:                "https://www.googleapis.com/auth/userinfo.profile",
-        issuer:               "app@example.com",
-        audience:             "https://oauth2.googleapis.com/token",
-        signing_key:          @key
-      )
-    end
-
-    it "should generate valid JWTs" do
-      jwt = @client.to_jwt
-      expect(jwt).not_to be_nil
-
-      claim, header = JWT.decode jwt, @key.public_key, true, algorithm: "RS256"
-      expect(claim["iss"]).to eq "app@example.com"
-      expect(claim["scope"]).to eq "https://www.googleapis.com/auth/userinfo.profile"
-      expect(claim["aud"]).to eq "https://oauth2.googleapis.com/token"
-    end
-
-    it "should generate valid JWTs for impersonation" do
-      @client.principal = "user@example.com"
-      jwt = @client.to_jwt
-      expect(jwt).not_to be_nil
-
-      claim, header = JWT.decode jwt, @key.public_key, true, algorithm: "RS256"
-      expect(claim["iss"]).to eq "app@example.com"
-      expect(claim["prn"]).to eq "user@example.com"
-      expect(claim["scope"]).to eq "https://www.googleapis.com/auth/userinfo.profile"
-      expect(claim["aud"]).to eq "https://oauth2.googleapis.com/token"
-    end
-
-    it "should generate valid JWTs for impersonation using deprecated person attribute" do
-      @client.person = "user@example.com"
-      jwt = @client.to_jwt
-      expect(jwt).not_to be_nil
-
-      claim, header = JWT.decode jwt, @key.public_key, true, algorithm: "RS256"
-      expect(claim["iss"]).to eq "app@example.com"
-      expect(claim["prn"]).to eq "user@example.com"
-      expect(claim["scope"]).to eq "https://www.googleapis.com/auth/userinfo.profile"
-      expect(claim["aud"]).to eq "https://oauth2.googleapis.com/token"
-    end
-
-    it "should generate valid JWTs for impersonation using the sub attribute" do
-      @client.sub = "user@example.com"
-      jwt = @client.to_jwt
-      expect(jwt).not_to be_nil
-
-      claim, header = JWT.decode jwt, @key.public_key, true, algorithm: "RS256"
-      expect(claim["iss"]).to eq "app@example.com"
-      expect(claim["sub"]).to eq "user@example.com"
-      expect(claim["scope"]).to eq "https://www.googleapis.com/auth/userinfo.profile"
-      expect(claim["aud"]).to eq "https://oauth2.googleapis.com/token"
-    end
-
-    it "should generate a JSON representation of the client" do
-      @client.principal = "user@example.com"
-      json = @client.to_json
-      expect(json).not_to be_nil
-
-      deserialized = MultiJson.load json
-      expect(deserialized["token_credential_uri"]).to eq "https://oauth2.googleapis.com/token"
-      expect(deserialized["scope"]).to eq ["https://www.googleapis.com/auth/userinfo.profile"]
-      expect(deserialized["issuer"]).to eq "app@example.com"
-      expect(deserialized["audience"]).to eq "https://oauth2.googleapis.com/token"
-      expect(deserialized["signing_key"]).to eq @key.to_s
-    end
-
-    it "should send valid access token request" do
-      stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-        stub.post "/token" do |env|
-          params = Addressable::URI.form_unencode env[:body]
-          claim, header = JWT.decode params.assoc("assertion").last, @key.public_key, true, algorithm: "RS256"
-          expect(params.assoc("grant_type")).to eq ["grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer"]
-          build_json_response(
-            "access_token" => "1/abcdef1234567890",
-            "token_type"   => "Bearer",
-            "expires_in"   => 3600
-          )
-        end
-      end
-      connection = Faraday.new url: "https://www.google.com" do |builder|
-        builder.adapter :test, stubs
-      end
-
-      @client.fetch_access_token! connection: connection
-      expect(@client.access_token).to eq "1/abcdef1234567890"
-      stubs.verify_stubbed_calls
-    end
-  end
-
-  describe "when using shared secrets" do
-    before do
-      @key = "my secret key"
-      @client = Signet::OAuth2::Client.new(
-        token_credential_uri: "https://oauth2.googleapis.com/token",
-        scope:                "https://www.googleapis.com/auth/userinfo.profile",
-        issuer:               "app@example.com",
-        audience:             "https://oauth2.googleapis.com/token",
-        signing_key:          @key
-      )
-    end
-
-    it "should generate valid JWTs" do
-      jwt = @client.to_jwt
-      expect(jwt).not_to be_nil
-
-      claim, header = JWT.decode jwt, @key, true, algorithm: "HS256"
-      expect(claim["iss"]).to eq "app@example.com"
-      expect(claim["scope"]).to eq "https://www.googleapis.com/auth/userinfo.profile"
-      expect(claim["aud"]).to eq "https://oauth2.googleapis.com/token"
-    end
-  end
-end
-
-describe Signet::OAuth2::Client, "configured for Google userinfo API" do
-  before do
-    @client = Signet::OAuth2::Client.new(
-      authorization_uri:    "https://accounts.google.com/o/oauth2/auth",
-      token_credential_uri: "https://oauth2.googleapis.com/token",
-      scope:                "https://www.googleapis.com/auth/userinfo.profile"
-    )
-  end
-
-  it "should not have a grant type by default" do
-    expect(@client.grant_type).to eq nil
-  end
-
-  it "should use the authorization_code grant type if given code" do
-    @client.code = "00000"
-    @client.redirect_uri = "http://www.example.com/"
-    expect(@client.grant_type).to eq "authorization_code"
-  end
-
-  it "should use the refresh_token grant type if given refresh token" do
-    @client.refresh_token = "54321"
-    expect(@client.grant_type).to eq "refresh_token"
-  end
-
-  it "should use the password grant type if given username and password" do
-    @client.username = "johndoe"
-    @client.password = "incognito"
-    expect(@client.grant_type).to eq "password"
-  end
-
-  it "should allow the grant type to be set manually" do
-    @client.grant_type = "authorization_code"
-    expect(@client.grant_type).to eq "authorization_code"
-    @client.grant_type = "refresh_token"
-    expect(@client.grant_type).to eq "refresh_token"
-    @client.grant_type = "password"
-    expect(@client.grant_type).to eq "password"
-  end
-
-  it "should allow the grant type to be set to an extension" do
-    @client.grant_type = "urn:ietf:params:oauth:grant-type:saml2-bearer"
-    @client.extension_parameters["assertion"] =
-      "PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU"
-
-    expect(@client.grant_type).to eq Addressable::URI.parse("urn:ietf:params:oauth:grant-type:saml2-bearer")
-    expect(@client.extension_parameters).to eq ({ "assertion" => "PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU" })
-  end
-
-  it "should raise an error if extension parameters are bogus" do
-    expect(lambda do
-      @client.extension_parameters = :bogus
-    end).to raise_error(TypeError)
-  end
-
-  it "should include extension parameters in token request" do
-    @client.grant_type = "urn:ietf:params:oauth:grant-type:saml2-bearer"
-    @client.extension_parameters["assertion"] =
-      "PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU"
-
-    request = @client.generate_access_token_request
-    expect(request).to include("assertion" => "PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU")
-  end
-
-  it "should include the scope in token request" do
-    @client.scope = ["https://www.googleapis.com/auth/userinfo.profile"]
-
-    request = @client.generate_access_token_request use_configured_scope: true
-    expect(request).to include("scope" => ["https://www.googleapis.com/auth/userinfo.profile"])
-  end
-
-  it "should allow the token to be updated" do
-    issued_at = Time.now
-    @client.update_token!(
-      :access_token  => "12345",
-      refresh_token: "54321",
-      :expires_in    => 3600,
-      :issued_at     => issued_at
-    )
-    expect(@client.access_token).to eq "12345"
-    expect(@client.refresh_token).to eq "54321"
-    expect(@client.expires_in).to eq 3600
-    expect(@client.issued_at).to eq issued_at
-    expect(@client).to_not be_expired
-  end
-
-  it "should handle expires as equivalent to expires_in" do
-    issued_at = Time.now
-    @client.update_token!(
-      :access_token  => "12345",
-      refresh_token: "54321",
-      :expires       => 600,
-      :issued_at     => issued_at
-    )
-    expect(@client.expires_in).to eq 600
-  end
-
-  it "should allow the token to be updated without an expiration" do
-    @client.update_token!(
-      :access_token  => "12345",
-      refresh_token: "54321"
-    )
-    expect(@client.access_token).to eq "12345"
-    expect(@client.refresh_token).to eq "54321"
-    expect(@client.expires_in).to eq nil
-    expect(@client.issued_at).to eq nil
-    expect(@client).to_not be_expired
-  end
-
-  it "should allow the token expiration to be cleared" do
-    issued_at = Time.now
-    @client.update_token!(
-      :access_token  => "12345",
-      refresh_token: "54321",
-      :expires_in    => 3600,
-      :issued_at     => issued_at
-    )
-    @client.expires_in = nil
-    @client.issued_at = nil
-    expect(@client).to_not be_expired
-  end
-
-  it "should allow the expires_at time to be updated" do
-    expires_at = Time.now
-    @client.update_token!(
-      expires_at: expires_at.to_i,
-      expires_in: nil
-    )
-    expect(@client.expires_at).to be_within(1).of(expires_at)
-    expect(@client).to be_expired
-  end
-
-  it "should calculate the expires_at from issued_at when issued_at is set" do
-    expires_in = 3600
-    issued_at = Time.now - expires_in
-    @client.update_token!(
-      :issued_at  => issued_at,
-      expires_in: expires_in
-    )
-    expect(@client.expires_at).to eq issued_at + expires_in
-    expect(@client).to be_expired
-  end
-
-  it "should calculate expires_at from Time.now when issed_at is NOT set" do
-    expires_in = 3600
-    expires_at = Time.now + expires_in
-    @client.update_token! expires_in: expires_in
-    expect(@client.expires_at).to be_within(1).of(expires_at)
-    expect(@client).to_not be_expired
-  end
-
-  # This test is to document the way that expires_in has always been used:
-  # If expires_in is set on the client, it always resets the issued_at time
-  # to Time.now
-  it "sets issued_at to Time.now when expires_in is not set through update_token!" do
-    one_hour = 3600
-    issued_at = Time.now - (2 * one_hour)
-    current_time = Time.now
-
-    @client.issued_at = issued_at
-    @client.expires_in = one_hour
-
-    expect(@client.issued_at).to_not eq issued_at
-    expect(@client.issued_at).to be_within(1).of(current_time)
-    expect(@client).to_not be_expired
-  end
-
-  it "should allow setting expires_at manually" do
-    expires_at = Time.now + 100
-    @client.expires_at = expires_at.to_i
-    expect(@client.expires_at).to be_within(1).of(expires_at)
-    expect(@client).to_not be_expired
-  end
-
-  it "should normalize values of expires_at to instances of time" do
-    time_formats = [DateTime.new, "12:00", 100, Time.new]
-    normalized_time_formats = []
-    time_formats.each do |time|
-      @client.expires_at = time
-      normalized_time_formats << @client.expires_at
-    end
-    normalized_time_formats.each do |time|
-      expect(time).to be_an_instance_of(Time)
-    end
-  end
-
-  it "should set expires_in when expires_at is set" do
-    issued_at = Time.now
-    expires_at = Time.now + 100
-    @client.expires_at = expires_at.to_i
-    @client.issued_at = issued_at
-    expect(@client.expires_in).to be_within(1).of (expires_at - issued_at).to_i
-    @client.expires_at = nil
-    expect(@client.expires_in).to be_nil
-  end
-
-  it "should set expires_in to nil when expires_at is set to nil" do
-    @client.expires_at = nil
-    expect(@client.expires_in).to be_nil
-  end
-
-  it "should set expires_at when expires_in is set" do
-    expires_in = 100
-    @client.expires_in = expires_in
-    expect(@client.expires_at).to eq (@client.issued_at + expires_in)
-    @client.expires_in = nil
-    expect(@client.expires_at).to be_nil
-  end
-
-  it "should set expires_at to nil when expires_in is set to nil" do
-    @client.expires_in = nil
-    expect(@client.expires_at).to be_nil
-  end
-
-  it "should indicate the token is not expired if expired_at nil" do
-    @client.expires_at = nil
-    expect(@client.expires_within?(60)).to be false
-    expect(@client.expired?).to be false
-  end
-
-  it "should indicate the token is not expiring when expiry beyond window" do
-    @client.expires_at = Time.now + 100
-    expect(@client.expires_within?(60)).to be false
-  end
-
-  it "should indicate the token is expiring soon when expiry within window" do
-    @client.expires_at = Time.now + 30
-    expect(@client.expires_within?(60)).to be true
-  end
-
-  it "should raise an error if the authorization endpoint is not secure" do
-    @client.client_id = "client-12345"
-    @client.client_secret = "secret-12345"
-    @client.redirect_uri = "http://www.example.com/"
-    @client.authorization_uri = "http://accounts.google.com/o/oauth2/auth"
-    expect(lambda do
-      @client.authorization_uri
-    end).to raise_error(Signet::UnsafeOperationError)
-  end
-
-  it "should raise an error if token credential URI is missing" do
-    @client.token_credential_uri = nil
-    expect(lambda do
-      @client.fetch_access_token!
-    end).to raise_error(ArgumentError)
-  end
-
-  it "should raise an error if unauthorized" do
-    @client.client_id = "client-12345"
-    @client.client_secret = "secret-12345"
-    stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.post "/token" do
-        [401, {}, "User authorization failed or something."]
-      end
-    end
-    expect(lambda do
-      connection = Faraday.new url: "https://www.google.com" do |builder|
-        builder.adapter :test, stubs
-      end
-      @client.fetch_access_token!(
-        connection: connection
-      )
-    end).to raise_error(Signet::AuthorizationError)
-    stubs.verify_stubbed_calls
-  end
-
-  it "should raise a remote server error if the server gives a 5xx status" do
-    @client.client_id = "client-12345"
-    @client.client_secret = "secret-12345"
-    stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.post "/token" do
-        [509, {}, "Rate limit hit or something."]
-      end
-    end
-    expect(lambda do
-      connection = Faraday.new url: "https://www.google.com" do |builder|
-        builder.adapter :test, stubs
-      end
-      @client.fetch_access_token!(
-        connection: connection
-      )
-    end).to raise_error(Signet::RemoteServerError)
-    stubs.verify_stubbed_calls
-  end
-
-  it "should raise an unexpected error if the token server gives an unexpected status" do
-    @client.client_id = "client-12345"
-    @client.client_secret = "secret-12345"
-    stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.post "/token" do
-        [309, {}, "Rate limit hit or something."]
-      end
-    end
-    expect(lambda do
-      connection = Faraday.new url: "https://www.google.com" do |builder|
-        builder.adapter :test, stubs
-      end
-      @client.fetch_access_token!(
-        connection: connection
-      )
-    end).to raise_error(Signet::UnexpectedStatusError)
-    stubs.verify_stubbed_calls
-  end
-
-  it "should correctly fetch an access token" do
-    @client.client_id = "client-12345"
-    @client.client_secret = "secret-12345"
-    @client.code = "00000"
-    @client.redirect_uri = "https://www.example.com/"
-    stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.post "/token" do
-        build_json_response(
-          "access_token"  => "12345",
-          "refresh_token" => "54321",
-          "expires_in"    => "3600"
-        )
-      end
-    end
-    connection = Faraday.new url: "https://www.google.com" do |builder|
-      builder.adapter :test, stubs
-    end
-    @client.fetch_access_token!(
-      connection: connection
-    )
-    expect(@client.access_token).to eq "12345"
-    expect(@client.refresh_token).to eq "54321"
-    expect(@client.expires_in).to eq 3600
-    stubs.verify_stubbed_calls
-  end
-
-  it "should correctly fetch an access token with a password" do
-    @client.client_id = "client-12345"
-    @client.client_secret = "secret-12345"
-    @client.username = "johndoe"
-    @client.password = "incognito"
-    stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.post "/token" do
-        build_json_response(
-          "access_token"  => "12345",
-          "refresh_token" => "54321",
-          "expires_in"    => "3600"
-        )
-      end
-    end
-    connection = Faraday.new url: "https://www.google.com" do |builder|
-      builder.adapter :test, stubs
-    end
-    @client.fetch_access_token!(
-      connection: connection
-    )
-    expect(@client.access_token).to eq "12345"
-    expect(@client.refresh_token).to eq "54321"
-    expect(@client.expires_in).to eq 3600
-    stubs.verify_stubbed_calls
-  end
-
-  it "should correctly refresh an access token" do
-    @client.client_id = "client-12345"
-    @client.client_secret = "secret-12345"
-    @client.refresh_token = "54321"
-    stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.post "/token" do
-        build_json_response(
-          "access_token"  => "12345",
-          "refresh_token" => "54321",
-          "expires_in"    => "3600"
-        )
-      end
-    end
-    connection = Faraday.new url: "https://www.google.com" do |builder|
-      builder.adapter :test, stubs
-    end
-    @client.fetch_access_token!(
-      connection: connection
-    )
-    expect(@client.access_token).to eq "12345"
-    expect(@client.refresh_token).to eq "54321"
-    expect(@client.expires_in).to eq 3600
-    stubs.verify_stubbed_calls
-  end
-
-  it "should detect unintential grant type of none" do
-    @client.client_id = "client-12345"
-    @client.client_secret = "secret-12345"
-    @client.redirect_uri = "https://www.example.com/"
-    expect(lambda do
-      @client.fetch_access_token!
-    end).to raise_error(ArgumentError)
-  end
-
-  it "should correctly fetch protected resources" do
-    @client.client_id = "client-12345"
-    @client.client_secret = "secret-12345"
-    @client.access_token = "12345"
-    stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.get "/oauth2/v1/userinfo?alt=json" do
-        [200, {}, <<~JSON]
-{
-  "id": "116452824309856782163",
-  "name": "Bob Aman",
-  "given_name": "Bob",
-  "family_name": "Aman",
-  "link": "https://plus.google.com/116452824309856782163"
-}
-        JSON
-      end
-    end
-    connection = Faraday.new url: "https://www.googleapis.com" do |builder|
-      builder.adapter :test, stubs
-    end
-    response = @client.fetch_protected_resource(
-      connection: connection,
-      uri:        "https://www.googleapis.com/oauth2/v1/userinfo?alt=json"
-    )
-    expect(response.status).to eq 200
-    expect(response.body).to eq <<~JSON
-{
-  "id": "116452824309856782163",
-  "name": "Bob Aman",
-  "given_name": "Bob",
-  "family_name": "Aman",
-  "link": "https://plus.google.com/116452824309856782163"
-}
-    JSON
-    stubs.verify_stubbed_calls
-  end
-
-  it "should correctly send the realm in the Authorization header" do
-    @client.client_id = "client-12345"
-    @client.client_secret = "secret-12345"
-    @client.access_token = "12345"
-    connection = Faraday.new url: "https://www.googleapis.com" do |builder|
-      builder.adapter :test
-    end
-    request = @client.generate_authenticated_request(
-      connection: connection,
-      realm:      "Example",
-      request:    conn.build_request(:get) do |req|
-        req.url "https://www.googleapis.com/oauth2/v1/userinfo?alt=json"
-      end
-    )
-    expect(request.headers["Authorization"]).to eq 'Bearer 12345, realm="Example"'
-  end
-
-  it "should correctly send the realm in the Authorization header" do
-    @client.client_id = "client-12345"
-    @client.client_secret = "secret-12345"
-    @client.access_token = "12345"
-    connection = Faraday.new url: "https://www.googleapis.com" do |builder|
-      builder.adapter :test
-    end
-    request = @client.generate_authenticated_request(
-      connection: connection,
-      realm:      "Example",
-      request:    [
-        "GET",
-        "https://www.googleapis.com/oauth2/v1/userinfo?alt=json",
-        {},
-        [""]
-      ]
-    )
-    expect(request.headers["Authorization"]).to eq 'Bearer 12345, realm="Example"'
-  end
-
-  it "should not raise an error if a request is " \
-     "provided without a connection" do
-    @client.client_id = "client-12345"
-    @client.client_secret = "secret-12345"
-    @client.access_token = "12345"
-    request = @client.generate_authenticated_request(
-      realm:   "Example",
-      request: conn.build_request(:get) do |req|
-        req.url "https://www.googleapis.com/oauth2/v1/userinfo?alt=json"
-      end
-    )
-  end
-
-  it "should raise an error if not enough information " \
-     "is supplied to create a request" do
-    @client.client_id = "client-12345"
-    @client.client_secret = "secret-12345"
-    @client.access_token = "12345"
-    expect(lambda do
-      @client.generate_authenticated_request(
-        realm:  "Example",
-        method: "POST"
-      )
-    end).to raise_error(ArgumentError)
-  end
-
-  it "should raise an error if the client does not have an access token" do
-    @client.client_id = "client-12345"
-    @client.client_secret = "secret-12345"
-    expect(lambda do
-      @client.fetch_protected_resource
-    end).to raise_error(ArgumentError)
-  end
-
-  it "should not raise an error if the API server gives an error status" do
-    @client.client_id = "client-12345"
-    @client.client_secret = "secret-12345"
-    @client.access_token = "12345"
-    stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.get "/oauth2/v1/userinfo?alt=json" do
-        [509, {}, "Rate limit hit or something."]
-      end
-    end
-    connection = Faraday.new url: "https://www.googleapis.com" do |builder|
-      builder.adapter :test, stubs
-    end
-    response = @client.fetch_protected_resource(
-      connection: connection,
-      uri:        "https://www.googleapis.com/oauth2/v1/userinfo?alt=json"
-    )
-    expect(response.status).to eq 509
-    expect(response.body).to eq "Rate limit hit or something."
-    stubs.verify_stubbed_calls
-  end
-
-  it "should only raise an error if the API server " \
-     "gives an authorization failed status" do
-    @client.client_id = "client-12345"
-    @client.client_secret = "secret-12345"
-    @client.access_token = "12345"
-    stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.get "/oauth2/v1/userinfo?alt=json" do
-        [401, {}, "User authorization failed or something."]
-      end
-    end
-    expect(lambda do
-      connection = Faraday.new(
-        url: "https://www.googleapis.com"
-      ) do |builder|
-        builder.adapter :test, stubs
-      end
-      @client.fetch_protected_resource(
-        connection: connection,
-        uri:        "https://www.googleapis.com/oauth2/v1/userinfo?alt=json"
-      )
-    end).to raise_error(Signet::AuthorizationError)
-    stubs.verify_stubbed_calls
-  end
-
-  it "should correctly handle an ID token" do
-    @client.client_id = "client-12345"
-    @client.client_secret = "secret-12345"
-    stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.post "/token" do
-        build_json_response(
-          "access_token"  => "12345",
-          "refresh_token" => "54321",
-          "expires_in"    => "3600",
-          "id_token"      => (
-            "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl9oYXNoIjoidGdoRD" \
-            "lKN244VjBOMnZjdzZlTWlqZyIsImF1ZCI6ImNsaWVudC0xMjM0NSIsImlkIjoiM" \
-            "TIzNDUiLCJpYXQiOjEzMjA2NzA5NzgsImV4cCI6MTMyMDY3NDg3OCwiY2lkIjoi" \
-            "Y2xpZW50LTEyMzQ1IiwiaXNzIjoiZXhhbXBsZS5jb20ifQ.tsF3srlBaAh6pV3U" \
-            "wfRrHSA3-jwnvOw6MMsQ6sO4kjc"
-          )
-        )
-      end
-    end
-    connection = Faraday.new url: "https://www.google.com" do |builder|
-      builder.adapter :test, stubs
-    end
-    @client.fetch_access_token!(
-      connection: connection
-    )
-    expect(@client.access_token).to eq "12345"
-    expect(@client.refresh_token).to eq "54321"
-    expect(@client.decoded_id_token(nil, verify_expiration: false)).to eq ({
-      "token_hash" => "tghD9J7n8V0N2vcw6eMijg",
-      "id"         => "12345",
-      "aud"        => "client-12345",
-      "iat"        => 1_320_670_978,
-      "exp"        => 1_320_674_878,
-      "cid"        => "client-12345",
-      "iss"        => "example.com"
-    })
-    expect(@client.expires_in).to eq 3600
-    stubs.verify_stubbed_calls
-  end
-
-  it "should correctly handle an ID token with `aud` array" do
-    @client.client_id = "client-12345"
-    @client.client_secret = "secret-12345"
-    stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.post "/token" do
-        build_json_response(
-          "access_token"  => "12345",
-          "refresh_token" => "54321",
-          "expires_in"    => "3600",
-          "id_token"      => (
-            "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl9oYXNoIjoidGdoRD" \
-            "lKN244VjBOMnZjdzZlTWlqZyIsImF1ZCI6WyJjbGllbnQtMTIzNDUiXSwiaWQiO" \
-            "iIxMjM0NSIsImlhdCI6MTMyMDY3MDk3OCwiZXhwIjoxMzIwNjc0ODc4LCJjaWQi" \
-            "OiJjbGllbnQtMTIzNDUiLCJpc3MiOiJleGFtcGxlLmNvbSJ9.rSaY-M9YlB4pcU" \
-            "uNf21FeEtOM9pBGr_a7xe9fZrpWWU"
-          )
-        )
-      end
-    end
-    connection = Faraday.new url: "https://www.google.com" do |builder|
-      builder.adapter :test, stubs
-    end
-    @client.fetch_access_token!(
-      connection: connection
-    )
-    expect(@client.access_token).to eq "12345"
-    expect(@client.refresh_token).to eq "54321"
-    expect(@client.decoded_id_token(nil, verify_expiration: false)).to eq ({
-      "token_hash" => "tghD9J7n8V0N2vcw6eMijg",
-      "id"         => "12345",
-      "aud"        => ["client-12345"],
-      "iat"        => 1_320_670_978,
-      "exp"        => 1_320_674_878,
-      "cid"        => "client-12345",
-      "iss"        => "example.com"
-    })
-    expect(@client.expires_in).to eq 3600
-    stubs.verify_stubbed_calls
-  end
-
-  it "should raise an error decoding an ID token if " \
-     "audience does not match client ID" do
-    @client.client_id = "client-54321"
-    @client.client_secret = "secret-12345"
-    stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.post "/token" do
-        build_json_response(
-          "access_token"  => "12345",
-          "refresh_token" => "54321",
-          "expires_in"    => "3600",
-          "id_token"      => (
-            "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl9oYXNoIjoidGdoRD" \
-            "lKN244VjBOMnZjdzZlTWlqZyIsImF1ZCI6ImNsaWVudC0xMjM0NSIsImlkIjoiM" \
-            "TIzNDUiLCJpYXQiOjEzMjA2NzA5NzgsImV4cCI6MTMyMDY3NDg3OCwiY2lkIjoi" \
-            "Y2xpZW50LTEyMzQ1IiwiaXNzIjoiZXhhbXBsZS5jb20ifQ.tsF3srlBaAh6pV3U" \
-            "wfRrHSA3-jwnvOw6MMsQ6sO4kjc"
-          )
-        )
-      end
-    end
-    connection = Faraday.new url: "https://www.google.com" do |builder|
-      builder.adapter :test, stubs
-    end
-    @client.fetch_access_token!(
-      connection: connection
-    )
-    expect(@client.access_token).to eq "12345"
-    expect(@client.refresh_token).to eq "54321"
-    expect(@client.expires_in).to eq 3600
-    expect(lambda do
-      @client.decoded_id_token nil, verify_expiration: false
-    end).to raise_error(Signet::UnsafeOperationError)
-    stubs.verify_stubbed_calls
-  end
-
-  it "should raise an error decoding an ID token if " \
-     "audience is missing" do
-    @client.client_id = "client-12345"
-    @client.client_secret = "secret-12345"
-    stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.post "/token" do
-        build_json_response(
-          "access_token"  => "12345",
-          "refresh_token" => "54321",
-          "expires_in"    => "3600",
-          "id_token"      => (
-            "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl9oYXNoIjoidGdoRD" \
-            "lKN244VjBOMnZjdzZlTWlqZyIsImlkIjoiMTIzNDUiLCJpYXQiOjEzMjA2NzA5N" \
-            "zgsImV4cCI6MTMyMDY3NDg3OCwiY2lkIjoiY2xpZW50LTEyMzQ1IiwiaXNzIjoi" \
-            "ZXhhbXBsZS5jb20ifQ.7qj85CKbQyVdDe5y2ScdJAZNkEeKMPW9LIonLxG1vu8"
-          )
-        )
-      end
-    end
-    connection = Faraday.new url: "https://www.google.com" do |builder|
-      builder.adapter :test, stubs
-    end
-    @client.fetch_access_token!(
-      connection: connection
-    )
-    expect(@client.access_token).to eq "12345"
-    expect(@client.refresh_token).to eq "54321"
-    expect(@client.expires_in).to eq 3600
-    expect(lambda do
-      @client.decoded_id_token nil, verify_expiration: false
-    end).to raise_error(Signet::UnsafeOperationError)
-    stubs.verify_stubbed_calls
-  end
-
-  it "should raise an error if the id token cannot be verified" do
-    pending "Need to set test data"
-    @client.client_id = "client-12345"
-    @client.client_secret = "secret-12345"
-    stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.post "/token" do
-        build_json_response(
-          "access_token"  => "12345",
-          "refresh_token" => "54321",
-          "expires_in"    => "3600",
-          "id_token"      => (
-            "eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiY" \
-            "XVkIjoiMTA2MDM1Nzg5MTY4OC5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSI" \
-            "sImNpZCI6IjEwNjAzNTc4OTE2ODguYXBwcy5nb29nbGV1c2VyY29udGVudC5jb" \
-            "20iLCJpZCI6IjExNjQ1MjgyNDMwOTg1Njc4MjE2MyIsInRva2VuX2hhc2giOiJ" \
-            "0Z2hEOUo4bjhWME4ydmN3NmVNaWpnIiwiaWF0IjoxMzIwNjcwOTc4LCJleHAiO" \
-            "jEzMjA2NzQ4Nzh9.D8x_wirkxDElqKdJBcsIws3Ogesk38okz6MN7zqC7nEAA7" \
-            "wcy1PxsROY1fmBvXSer0IQesAqOW-rPOCNReSn-eY8d53ph1x2HAF-AzEi3GOl" \
-            "6hFycH8wj7Su6JqqyEbIVLxE7q7DkAZGaMPkxbTHs1EhSd5_oaKQ6O4xO3ZnnT4"
-          )
-        )
-      end
-    end
-    connection = Faraday.new url: "https://www.google.com" do |builder|
-      builder.adapter :test, stubs
-    end
-    @client.fetch_access_token!(
-      connection: connection
-    )
-    expect(@client.access_token).to eq "12345"
-    expect(@client.refresh_token).to eq "54321"
-    expect(@client.expires_in).to eq 3600
-    expect(lambda do
-      pubkey = OpenSSL::PKey::RSA.new <<~PUBKEY
------BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxCaY7425h964bjaoLeUm
-SlZ8sK7VtVk9zHbGmZh2ygGYwfuUf2bmMye2Ofv99yDE/rd4loVIAcu7RVvDRgHq
-3/CZTnIrSvHsiJQsHBNa3d+F1ihPfzURzf1M5k7CFReBj2SBXhDXd57oRfBQj12w
-CVhhwP6kGTAWuoppbIIIBfNF2lE/Nvm7lVVYQqL9xOrP/AQ4xRbpQlB8Ll9sO9Or
-SvbWhCDa/LMOWxHdmrcJi6XoSg1vnOyCoKbyAoauTt/XqdkHbkDdQ6HFbJieu9il
-LDZZNliPhfENuKeC2MCGVXTEu8Cqhy1w6e4axavLlXoYf4laJIZ/e7au8SqDbY0B
-xwIDAQAB
------END PUBLIC KEY-----
-      PUBKEY
-      @client.decoded_id_token pubkey
-    end).to raise_error(JWT::ExpiredSignature)
-    stubs.verify_stubbed_calls
-  end
-end
-
-describe Signet::OAuth2::Client, "authorization_uri" do
-  before do
-    @client = Signet::OAuth2::Client.new(
-      client_id:         "s6BhdRkqt3",
-      redirect_uri:      "https://example.client.com/callback",
-      authorization_uri: "https://example.com/authorize"
-    )
-  end
-
-  it "should set access_type to offline by default" do
-    expect(@client.authorization_uri.query_values["access_type"]).to eq "offline"
-  end
-
-  it "should set response_type to code by default" do
-    expect(@client.authorization_uri.query_values["response_type"]).to eq "code"
-  end
-
-  it "should raise an error when setting both prompt and approval_prompt" do
-    expect(lambda do
-      @client.authorization_uri approval_prompt: "force", prompt: "consent"
-    end).to raise_error(ArgumentError)
-  end
-end
-
-describe Signet::OAuth2::Client, "configured with custom parameters" do
-  before do
-    @client = Signet::OAuth2::Client.new(
-      client_id:             "s6BhdRkqt3",
-      redirect_uri:          "https://example.client.com/callback",
-      authorization_uri:     "https://example.com/authorize",
-      token_credential_uri:  "https://example.com/token",
-      additional_parameters: { "type" => "web_server" }
-    )
-  end
-
-  # Normalizing to symbols - good test case example here for changes to normalized input.
-  # Also tests Addressable's output.
-  # Note: The only changes made here are to testing the **INTERNAL** representation of options.
-  it "should allow custom parameters to be set on init" do
-    expect(@client.additional_parameters).to eq({ type: "web_server" })
-  end
-
-  it "should allow custom parameters to be updated" do
-    @client.update! additional_parameters: { type: "new_type" }
-    expect(@client.additional_parameters).to eq ({ type: "new_type" })
-  end
-
-  it "should use custom parameters when generating authorization_uri" do
-    expect(@client.authorization_uri.query_values).to eq ({
-      "access_type"   => "offline",
-      "client_id"     => "s6BhdRkqt3",
-      "redirect_uri"  => "https://example.client.com/callback",
-      "response_type" => "code",
-      "type"          => "web_server"
- })
-  end
-
-  it "should merge new authorization_uri custom parameters" do
-    expect(@client.authorization_uri(additional_parameters: { "type" => "new_type", "new_param" => "new_val" }).query_values).to eql({ "access_type" => "offline", "client_id" => "s6BhdRkqt3", "new_param" => "new_val", "response_type" => "code", "redirect_uri" => "https://example.client.com/callback", "type" => "new_type" })
-  end
-
-  it "should merge new generate_access_token_request custom parameters" do
-    @client.update! code: "12345"
-    params = @client.generate_access_token_request additional_parameters: { "type" => "new_type", "new_param" => "new_val" }
-    expect(params).to include("type" => "new_type")
-    expect(params).to include("new_param" => "new_val")
-  end
-end
-
-describe Signet::OAuth2::Client, "configured with custom parameters" do
-  before do
-    @client = Signet::OAuth2::Client.new(
-      "client_id"             => "s6BhdRkqt3",
-      "redirect_uri"          => "https://example.client.com/callback",
-      "authorization_uri"     => "https://example.com/authorize",
-      "token_credential_uri"  => "https://example.com/token",
-      "additional_parameters" => { "type" => "web_server" }
-      )
-  end
-
-  # Normalizing to symbols - good test case example here for changes to normalized input.
-  # Also tests Addressable's output.
-  # Note: The only changes made here are to testing the **INTERNAL** representation of options.
-  it "should allow custom parameters to be set on init" do
-    expect(@client.additional_parameters).to eq ({ type: "web_server" })
-  end
-
-  it "should allow custom parameters to be updated" do
-    @client.update! additional_parameters: { "type" => "new_type" }
-    expect(@client.additional_parameters).to eql ({ type: "new_type" })
-  end
-
-  it "should use custom parameters when generating authorization_uri" do
-    expect(@client.authorization_uri.query_values).to eq ({ "access_type" => "offline", "client_id" => "s6BhdRkqt3", "redirect_uri" => "https://example.client.com/callback", "response_type" => "code", "type" => "web_server" })
-  end
-
-  it "should have the correct authorization_uri" do
-    expect(@client.authorization_uri.host).to eq "example.com"
-    expect(@client.authorization_uri.path).to eq "/authorize"
-  end
-
-  it "should merge new authorization_uri custom parameters" do
-    expect(@client.authorization_uri(additional_parameters: { "type" => "new_type", "new_param" => "new_val" }).query_values).to eq ({ "access_type" => "offline", "client_id" => "s6BhdRkqt3", "new_param" => "new_val", "response_type" => "code", "redirect_uri" => "https://example.client.com/callback", "type" => "new_type" })
-  end
-
-  it "should not have access_type parameter in authorization_uri when we set it to nil in client" do
-    @client.update! access_type: nil
-    expect(@client.authorization_uri.query_values).to eq ({ "client_id" => "s6BhdRkqt3", "response_type" => "code", "redirect_uri" => "https://example.client.com/callback" })
-  end
-
-  it "should use new access_type parameter as default for authorization_uri" do
-    @client.update! access_type: :online
-    expect(@client.authorization_uri.query_values).to eq ({ "access_type" => "online", "client_id" => "s6BhdRkqt3", "response_type" => "code", "redirect_uri" => "https://example.client.com/callback" })
-  end
-
-  it "should merge new generate_access_token_request custom parameters" do
-    @client.update! code: "12345"
-    params = @client.generate_access_token_request additional_parameters: { "type" => "new_type", "new_param" => "new_val" }
-    expect(params).to include("type" => "new_type")
-    expect(params).to include("new_param" => "new_val")
-  end
-end
-
-describe Signet::OAuth2::Client, "configured with custom parameters a la JSON.load(credentials_file)" do
-  before do
-    @client = Signet::OAuth2::Client.new(
-      "client_id"             => "s6BhdRkqt3",
-      "redirect_uri"          => "https://example.client.com/callback",
-      "authorization_uri"     => { "scheme" => "https", "user" => nil, "password" => nil, "host" => "accounts.google.com", "port" => nil, "path" => "/o/oauth2/auth", "query" => nil, "fragment" => nil },
-      "token_credential_uri"  => "https://example.com/token",
-      "additional_parameters" => { "type" => "web_server" }
-      )
-  end
-
-  it "should allow custom parameters to be set on init" do
-    expect(@client.additional_parameters).to eq ({ type: "web_server" })
-  end
-
-  it "should allow custom parameters to be updated" do
-    @client.update! additional_parameters: { "type" => "new_type" }
-    expect(@client.additional_parameters).to eql ({ type: "new_type" })
-  end
-
-  it "should have correct authorization_uri hash options" do
-    expect(@client.authorization_uri.host).to eq "accounts.google.com"
-    expect(@client.authorization_uri.path).to eq "/o/oauth2/auth"
-  end
-
-  it "should use custom parameters when generating authorization_uri" do
-    expect(@client.authorization_uri.query_values).to eq ({ "access_type" => "offline", "client_id" => "s6BhdRkqt3", "redirect_uri" => "https://example.client.com/callback", "response_type" => "code", "type" => "web_server" })
-  end
-
-  # , "path" => "/o/oauth2/oauth", "host" => "accounts.google.com"
-
-  it "should merge new authorization_uri custom parameters" do
-    expect(@client.authorization_uri(additional_parameters: { "type" => "new_type", "new_param" => "new_val" }).query_values).to eq ({
-      "access_type"   => "offline",
-      "client_id"     => "s6BhdRkqt3",
-      "new_param"     => "new_val",
-      "response_type" => "code",
-      "redirect_uri"  => "https://example.client.com/callback",
-      "type"          => "new_type"
- })
-  end
-
-  it "should merge new generate_access_token_request custom parameters" do
-    @client.update! code: "12345"
-    params = @client.generate_access_token_request additional_parameters: { "type" => "new_type", "new_param" => "new_val" }
-    expect(params).to include("type" => "new_type")
-    expect(params).to include("new_param" => "new_val")
-  end
-end
-
-describe Signet::OAuth2::Client, "configured for id tokens" do
-  before do
-    @key = OpenSSL::PKey::RSA.new 2048
-    @client = Signet::OAuth2::Client.new(
-      token_credential_uri: "https://oauth2.googleapis.com/token",
-      target_audience:      "https://api.example.com",
-      issuer:               "app@example.com",
-      audience:             "https://hello.googleapis.com",
-      signing_key:          @key
-    )
-  end
-
-  it "should set target_audience" do
-    expect(@client.target_audience).to eq "https://api.example.com"
-  end
-
-  it "should send a valid id token request" do
-    stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-      stub.post "/token" do |env|
-        params = Addressable::URI.form_unencode env[:body]
-        claim, header = JWT.decode params.assoc("assertion").last, @key.public_key, true, algorithm: "RS256"
-        expect(params.assoc("grant_type")).to eq ["grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer"]
-        expect(claim["target_audience"]).to eq "https://api.example.com"
-        expect(claim["iss"]).to eq "app@example.com"
-        expect(claim["aud"]).to eq "https://hello.googleapis.com"
-        build_json_response(
-          "id_token"  => "12345id",
-          "refresh_token" => "54321refresh",
-          "expires_in"    => "3600"
-        )
-      end
-    end
-    connection = Faraday.new url: "https://www.google.com" do |builder|
-      builder.adapter :test, stubs
-    end
-    @client.fetch_access_token! connection: connection
-    expect(@client.id_token).to eq "12345id"
-  end
-end