Class: OpenIDConnect::ResponseObject::IdToken
- Inherits:
-
ConnectObject
- Object
- ConnectObject
- OpenIDConnect::ResponseObject::IdToken
- Includes:
- JWTnizable
- Defined in:
- lib/openid_connect/response_object/id_token.rb
Defined Under Namespace
Classes: ExpiredToken, InvalidAudience, InvalidIssuer, InvalidNonce, InvalidToken
Instance Attribute Summary
-
#access_token ⇒ Object
Returns the value of attribute access_token.
-
#code ⇒ Object
Returns the value of attribute code.
Attributes inherited from ConnectObject
Class Method Summary
- .decode(jwt_string, key) ⇒ Object
- .decode_self_issued(jwt_string) ⇒ Object
- .self_issued(attributes = {}) ⇒ Object
Instance Method Summary
-
#initialize(attributes = {}) ⇒ IdToken
constructor
A new instance of IdToken.
- #to_jwt(key, algorithm = :RS256, &block) ⇒ Object
- #verify!(expected = {}) ⇒ Object
Methods included from JWTnizable
Methods inherited from ConnectObject
all_attributes, #all_attributes, #as_json, #require_at_least_one_attributes, #validate!
Constructor Details
#initialize(attributes = {}) ⇒ IdToken
Returns a new instance of IdToken.
# File 'lib/openid_connect/response_object/id_token.rb', line 18

# Builds an ID token from a hash of claims.
#
# After ConnectObject's own initialization (+super+ forwards +attributes+),
# every attribute except aud, exp, iat, auth_time and sub_jwk is normalized
# to its string form; a nil value stays nil because the conversion goes
# through +try+ (presumably ActiveSupport's). auth_time is coerced to an
# Integer when present.
#
# @param attributes [Hash] claim name => value
def initialize(attributes = {})
  super
  normalized_to_string = all_attributes - %i[aud exp iat auth_time sub_jwk]
  normalized_to_string.each do |claim|
    send(:"#{claim}=", send(claim).try(:to_s))
  end
  self.auth_time = auth_time.to_i unless auth_time.nil?
end
Instance Attribute Details
#access_token ⇒ Object
Returns the value of attribute access_token.
# File 'lib/openid_connect/response_object/id_token.rb', line 14

# Reader for the access token issued alongside this ID token.
# #to_jwt uses it to derive the at_hash claim.
# Both this reader and #code are listed at line 14, which suggests a single
# attr accessor declaration generates them — confirm in the source file.
# @return [Object] whatever was assigned; nil when unset
def access_token
  @access_token
end
#code ⇒ Object
Returns the value of attribute code.
# File 'lib/openid_connect/response_object/id_token.rb', line 14

# Reader for the authorization code issued alongside this ID token.
# #to_jwt uses it to derive the c_hash claim.
# Listed at line 14 together with #access_token, so presumably generated by
# the same attr accessor declaration — confirm in the source file.
# @return [Object] whatever was assigned; nil when unset
def code
  @code
end
Class Method Details
.decode(jwt_string, key) ⇒ Object
# File 'lib/openid_connect/response_object/id_token.rb', line 65

# Parses a serialized ID token and wraps the resulting JWT in an IdToken.
#
# @param jwt_string [String] compact-serialized JWT
# @param key [Object] key handed to JSON::JWT.decode, or the :self_issued
#   sentinel, which routes to .decode_self_issued where the key is taken
#   from the token's own sub_jwk claim
# @return [IdToken]
#
# NOTE(review): any signature verification here is whatever JSON::JWT.decode
# does with +key+; this method adds no checks of its own, and the exp, iss,
# nonce and aud claims are only checked later by #verify!.
def decode(jwt_string, key)
  return decode_self_issued(jwt_string) if key == :self_issued

  new JSON::JWT.decode(jwt_string, key)
end
.decode_self_issued(jwt_string) ⇒ Object
# File 'lib/openid_connect/response_object/id_token.rb', line 73

# Decodes an ID token issued by a self-issued OP, where the verification
# key travels inside the token itself as the sub_jwk claim.
#
# The token is first decoded with verification skipped, only to locate that
# key; sub must equal the key's thumbprint, binding subject and key
# together; then the signature is verified with the embedded key.
#
# @param jwt_string [String] compact-serialized JWT
# @return [IdToken]
# @raise [InvalidToken] when sub_jwk is missing or sub does not match its
#   thumbprint (signature failures surface from JSON::JWT#verify!)
def decode_self_issued(jwt_string)
  # Claims read below are untrusted until verify! succeeds; they are used
  # only to find the key and to bind it to the subject.
  jwt = JSON::JWT.decode(jwt_string, :skip_verification)
  jwk = JSON::JWK.new(jwt[:sub_jwk])
  raise InvalidToken, 'Missing sub_jwk' if jwk.blank?
  raise InvalidToken, 'Invalid subject' unless jwt[:sub] == jwk.thumbprint

  jwt.verify!(jwk)
  new(jwt)
end
.self_issued(attributes = {}) ⇒ Object
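# File 'lib/openid_connect/response_object/id_token.rb', line 82

# Builds an ID token for a self-issued OP.
#
# iss is fixed to 'https://self-issued.me' and sub is the thumbprint of the
# sub_jwk key; caller-supplied attributes override both. When no :sub_jwk
# is given, one is built from the :public_key attribute, which is then
# dropped from the claims.
#
# Unlike the previous version, the caller's +attributes+ hash is no longer
# mutated (it used to have :public_key deleted and :sub_jwk inserted in
# place); the work is done on a copy.
#
# @param attributes [Hash] claims plus optionally :public_key or :sub_jwk
# @return [IdToken]
def self_issued(attributes = {})
  claims = attributes.dup
  claims[:sub_jwk] ||= JSON::JWK.new(claims.delete(:public_key))
  defaults = {
    iss: 'https://self-issued.me',
    # For a self-issued OP the subject identifier is the key thumbprint.
    sub: JSON::JWK.new(claims[:sub_jwk]).thumbprint
  }
  new(defaults.merge(claims))
end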
Instance Method Details
#to_jwt(key, algorithm = :RS256, &block) ⇒ Object
# File 'lib/openid_connect/response_object/id_token.rb', line 40

# Serializes the ID token as a signed JWT, first filling in the hash-bound
# claims: at_hash when an access token is attached, c_hash when an
# authorization code is.
#
# @param key [Object] signing key, forwarded to the JWTnizable implementation
# @param algorithm [Symbol] JWS algorithm; its digits select the digest size
#   (e.g. :RS256 -> 256) fed to left_half_hash_of
# @param block forwarded untouched
# @return [Object] whatever the inherited to_jwt returns
def to_jwt(key, algorithm = :RS256, &block)
  # NOTE(review): algorithm names with no digits at positions 2..4 (e.g. :none)
  # yield a hash_length of 0 here; confirm left_half_hash_of copes with that.
  hash_length = algorithm.to_s[2, 3].to_i
  if access_token
    # A Rack::OAuth2::AccessToken wrapper is unwrapped to its raw string.
    raw_token =
      if access_token.is_a?(Rack::OAuth2::AccessToken)
        access_token.access_token
      else
        access_token
      end
    self.at_hash = left_half_hash_of(raw_token, hash_length)
  end
  self.c_hash = left_half_hash_of(code, hash_length) if code
  super
end
#verify!(expected = {}) ⇒ Object
# File 'lib/openid_connect/response_object/id_token.rb', line 26

# Validates the ID token's claims against what the relying party expects.
# Checks run in this order: expiry, issuer, nonce, audience; the first
# failure raises. Signature verification is not part of this method.
#
# @param expected [Hash] :issuer, :nonce, and :audience (or :client_id as
#   the fallback name for the expected audience)
# @return [true]
# @raise [ExpiredToken] when exp is not in the future
# @raise [InvalidIssuer] when iss differs from expected[:issuer]
# @raise [InvalidNonce] when nonce differs from expected[:nonce]
# @raise [InvalidAudience] when the expected audience is not among aud
#
# NOTE(review): the nonce comparison is plain equality, so a token without a
# nonce passes when the caller passes none; iat is not checked and no clock
# skew is allowed on exp; when aud lists several audiences, azp is not
# consulted (OpenID Connect Core 3.1.3.7 asks for that) — confirm callers
# cover these.
def verify!(expected = {})
  raise ExpiredToken, 'Invalid ID token: Expired token' unless exp.to_i > Time.now.to_i
  raise InvalidIssuer, 'Invalid ID token: Issuer does not match' unless iss == expected[:issuer]
  raise InvalidNonce, 'Invalid ID Token: Nonce does not match' unless nonce == expected[:nonce]

  # aud may be a single string or an array of strings.
  expected_audience = expected[:audience] || expected[:client_id]
  unless Array(aud).include?(expected_audience)
    raise InvalidAudience, 'Invalid ID token: Audience does not match'
  end

  true
end