Class: Google::Auth::IDTokens::Verifier

Inherits:
Object
  • Object
show all
Defined in:
lib/googleauth/id_tokens/verifier.rb

Overview

An object that can verify ID tokens.

A verifier maintains a set of default settings, including the key source and fields to verify. However, individual verification calls can override any of these settings.

Instance Method Summary collapse

Constructor Details

#initialize(key_source: nil, aud: nil, azp: nil, iss: nil) ⇒ Verifier

Create a verifier.

Parameters:

  • key_source (key source) (defaults to: nil)

    The default key source to use. All verification calls must have a key source, so if no default key source is provided here, then calls to #verify must provide a key source.

  • aud (String, nil) (defaults to: nil)

    The default audience (aud) check, or nil for no check.

  • azp (String, nil) (defaults to: nil)

    The default authorized party (azp) check, or nil for no check.

  • iss (String, nil) (defaults to: nil)

    The default issuer (iss) check, or nil for no check.


44
45
46
47
48
49
50
51
52
# File 'lib/googleauth/id_tokens/verifier.rb', line 44

def initialize key_source: nil,
               aud:        nil,
               azp:        nil,
               iss:        nil
  @key_source = key_source
  @aud = aud
  @azp = azp
  @iss = iss
end

Instance Method Details

#verify(token, key_source: :default, aud: :default, azp: :default, iss: :default) ⇒ Hash

Verify the given token.

Parameters:

  • token (String)

    the ID token to verify.

  • key_source (key source) (defaults to: :default)

    If given, override the key source.

  • aud (String, nil) (defaults to: :default)

    If given, override the aud check.

  • azp (String, nil) (defaults to: :default)

    If given, override the azp check.

  • iss (String, nil) (defaults to: :default)

    If given, override the iss check.

Returns:

  • (Hash)

    the decoded payload, if verification succeeded.

Raises:

  • (KeySourceError)

    if the key source failed to obtain public keys

  • (VerificationError)

    if the token verification failed. Additional data may be available in the error subclass and message.


68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
# File 'lib/googleauth/id_tokens/verifier.rb', line 68

def verify token,
           key_source: :default,
           aud:        :default,
           azp:        :default,
           iss:        :default
  key_source = @key_source if key_source == :default
  aud = @aud if aud == :default
  azp = @azp if azp == :default
  iss = @iss if iss == :default

  raise KeySourceError, "No key sources" unless key_source
  keys = key_source.current_keys
  payload = decode_token token, keys, aud, azp, iss
  unless payload
    keys = key_source.refresh_keys
    payload = decode_token token, keys, aud, azp, iss
  end
  raise SignatureError, "Token not verified as issued by Google" unless payload
  payload
end