feat: check 'iss' in `verify_oauth2_token` (#500)

Co-authored-by: Tianzi Cai <tianzi@google.com>
diff --git a/google/oauth2/id_token.py b/google/oauth2/id_token.py
index e78add4..bf6bf2c 100644
--- a/google/oauth2/id_token.py
+++ b/google/oauth2/id_token.py
@@ -80,6 +80,8 @@
     "/securetoken@system.gserviceaccount.com"
 )
 
+_GOOGLE_ISSUERS = ["accounts.google.com", "https://accounts.google.com"]
+
 
 def _fetch_certs(request, certs_url):
     """Fetches certificates.
@@ -140,11 +142,23 @@
 
     Returns:
         Mapping[str, Any]: The decoded token.
+
+    Raises:
+        exceptions.GoogleAuthError: If the issuer is invalid.
     """
-    return verify_token(
+    idinfo = verify_token(
         id_token, request, audience=audience, certs_url=_GOOGLE_OAUTH2_CERTS_URL
     )
 
+    if idinfo["iss"] not in _GOOGLE_ISSUERS:
+        raise exceptions.GoogleAuthError(
+            "Wrong issuer. 'iss' should be one of the following: {}".format(
+                _GOOGLE_ISSUERS
+            )
+        )
+
+    return idinfo
+
 
 def verify_firebase_token(id_token, request, audience=None):
     """Verifies an ID Token issued by Firebase Authentication.