zquestz · nevans · Oct 3, 2024
diff --git a/lib/omniauth/strategies/google_oauth2.rb b/lib/omniauth/strategies/google_oauth2.rb
@@ -76,17 +76,11 @@ def authorize_params
 
           # We have to manually verify the claims because the third parameter to
           # JWT.decode is false since no verification key is provided.
-          ::JWT::Claims.verify!(decoded,
-                                verify_iss: true,
-                                iss: ALLOWED_ISSUERS,
-                                verify_aud: true,
-                                aud: options.client_id,
-                                verify_sub: false,
-                                verify_expiration: true,
-                                verify_not_before: true,
-                                verify_iat: false,
-                                verify_jti: false,
-                                leeway: options[:jwt_leeway])
+          ::JWT::Claims.verify_payload!(decoded,
+                                        iss: ALLOWED_ISSUERS,
+                                        aud: options.client_id,
+                                        exp: { leeway: options.jwt_leeway },
+                                        nbf: { leeway: options.jwt_leeway })
 
           hash[:id_info] = decoded
         end

diff --git a/omniauth-google-oauth2.gemspec b/omniauth-google-oauth2.gemspec
@@ -20,7 +20,7 @@ Gem::Specification.new do |gem|
 
   gem.required_ruby_version = '>= 2.5'
 
-  gem.add_runtime_dependency 'jwt', '>= 2.9'
+  gem.add_runtime_dependency 'jwt', '>= 2.9.2'
   gem.add_runtime_dependency 'oauth2', '~> 2.0'
   gem.add_runtime_dependency 'omniauth', '~> 2.0'
   gem.add_runtime_dependency 'omniauth-oauth2', '~> 1.8'