Class: IntuitOAuth::Flow::OpenID

Inherits:
  • Base
  • Object
Defined in:
lib/intuit-oauth/flow/openid.rb

Instance Attribute Summary

Attributes inherited from Base

#client

Instance Method Summary

Methods inherited from Base

#initialize

Constructor Details

This class inherits a constructor from IntuitOAuth::Base

Instance Method Details

#get_user_info(access_token) ⇒ Response

Get the User Info

Parameters:

  • access_token

    the access token needed to access the user info

Returns:

  • (Response)

    the response object

# File 'lib/intuit-oauth/flow/openid.rb', line 28

def get_user_info(access_token)
  # Bearer-authenticated GET against the OpenID Connect userinfo endpoint
  headers = {
    Authorization: "Bearer #{access_token}"
  }

  # The client attribute holding the userinfo URL is cut off in the rendered page
  # ("@client."); user_info_url is assumed here
  IntuitOAuth::Transport.request('GET', @client.user_info_url, headers)
end

#validate_id_token(id_token) ⇒ Boolean

If the token can be correctly validated, returns true. Otherwise, returns false.

The validation rules are:
1. You have to provide the client_id value, which must match the token's aud field
2. The payload issuer is from Intuit
3. The expiry time has not passed
4. The signature is correct

If something fails (for example a required claim is missing), an error is raised.

Parameters:

  • id_token (String)

    The string form of the token

Returns:

  • (Boolean)

# File 'lib/intuit-oauth/flow/openid.rb', line 52
# (uses the 'json' and 'base64' standard libraries)

def validate_id_token(id_token)
  id_token_header_raw, id_token_payload_raw, id_token_signature_raw = id_token.split(".")

  # JWT segments are base64url-encoded (RFC 7515), so decode with the URL-safe
  # variant; plain decode64 silently drops '-' and '_' and corrupts the result
  id_token_header_json = JSON.parse(Base64.urlsafe_decode64(id_token_header_raw.strip))
  id_token_payload_json = JSON.parse(Base64.urlsafe_decode64(id_token_payload_raw.strip))
  id_token_signature = Base64.urlsafe_decode64(id_token_signature_raw.strip) # decoded but not used below

  # 1. check if payload's issuer is from Intuit
  issue = id_token_payload_json.fetch('iss')
  unless issue.eql? @client.issuer_uri
    return false
  end

  # 2. check if the aud matches the client id (aud is expected to be an array here)
  aud = id_token_payload_json.fetch('aud').first
  unless aud.eql? @client.id
    return false
  end

  # 3. check if the expire time is not expired
  exp = id_token_payload_json.fetch('exp')
  if exp < Time.now.to_i
    return false
  end

  # 4. check if the signature is correct. Note: this step fetches the JWKS and
  # compares the 'kid' of its first key with the 'kid' in the token header; it
  # does not verify id_token_signature cryptographically, so a token carrying a
  # known kid but an invalid signature still passes this check
  response = IntuitOAuth::Transport.request('GET', @client.jwks_uri, nil, nil, false)
  body = response.body

  keys = JSON.parse(body).fetch('keys').first
  standard_kid = keys.fetch('kid')
  kid_in_id_token = id_token_header_json.fetch('kid')

  unless standard_kid.eql? kid_in_id_token
    return false
  end

  return true
end
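Step 4 of the method above only compares the `kid` of the first JWKS key with the `kid` in the token header; the signature bytes are decoded but never checked, so a kid match is taken as proof of authenticity. The following stand-alone Ruby validator is an added example, not code from the intuit-oauth gem: it performs the same four documented checks but verifies the RS256 signature against the JWK selected by `kid`, pins the algorithm, and accepts `aud` as either a string or an array. It uses only the standard library (`json`, `openssl`); the issuer URL, client id, `kid` and claims are constructed placeholders, and `demo` mints its own test tokens with a freshly generated key so everything runs offline.

```ruby
require 'json'
require 'openssl'

# Added example (not the intuit-oauth gem's code): ID token validation that runs the
# four documented checks and actually verifies the RS256 signature against the JWKS.
module IdTokenCheck
  # Constructed placeholder values; a real deployment uses its own issuer and client id.
  ISSUER = 'https://issuer.example.test/'
  CLIENT_ID = 'example-client-id'

  # JWT segments use unpadded base64url (RFC 7515); plain base64 handling is not enough.
  def self.b64url_encode(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.b64url_decode(str)
    s = str.tr('-_', '+/')
    s += '=' * ((4 - s.length % 4) % 4)
    s.unpack1('m0') # strict decoding: raises ArgumentError on malformed input
  end

  # RSA public key from a JWK's n/e members, wrapped in a SubjectPublicKeyInfo DER
  # structure (works with OpenSSL 3, where key objects can no longer be mutated).
  def self.jwk_to_rsa(jwk)
    n = OpenSSL::BN.new(b64url_decode(jwk['n']), 2)
    e = OpenSSL::BN.new(b64url_decode(jwk['e']), 2)
    rsa_pub = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(n),
                                           OpenSSL::ASN1::Integer.new(e)])
    alg_id = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ObjectId.new('1.2.840.113549.1.1.1'),
                                          OpenSSL::ASN1::Null.new(nil)])
    spki = OpenSSL::ASN1::Sequence.new([alg_id, OpenSSL::ASN1::BitString.new(rsa_pub.to_der)])
    OpenSSL::PKey::RSA.new(spki.to_der)
  end

  # Public half of an RSA key as a JWK, the shape a jwks_uri document serves.
  def self.rsa_to_jwk(key, kid)
    { 'kty' => 'RSA', 'alg' => 'RS256', 'use' => 'sig', 'kid' => kid,
      'n' => b64url_encode(key.n.to_s(2)), 'e' => b64url_encode(key.e.to_s(2)) }
  end

  # What the identity provider does; used here only to mint test tokens.
  def self.sign_id_token(key, kid, payload)
    header = { 'alg' => 'RS256', 'typ' => 'JWT', 'kid' => kid }
    signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(payload))}"
    "#{signing_input}.#{b64url_encode(key.sign(OpenSSL::Digest.new('SHA256'), signing_input))}"
  end

  # true only when every check passes; malformed input yields false rather than an exception.
  def self.validate_id_token(id_token, jwks:, issuer: ISSUER, client_id: CLIENT_ID, now: Time.now.to_i)
    parts = id_token.to_s.split('.')
    return false unless parts.length == 3
    header_raw, payload_raw, sig_raw = parts
    header = JSON.parse(b64url_decode(header_raw))
    payload = JSON.parse(b64url_decode(payload_raw))
    signature = b64url_decode(sig_raw)
    return false unless header.is_a?(Hash) && payload.is_a?(Hash)

    # Pin the algorithm: the token header must never choose it (alg=none, HS256 confusion).
    return false unless header['alg'] == 'RS256'
    # 1. issuer must be the expected identity provider
    return false unless payload['iss'] == issuer
    # 2. aud may be a string or an array; this client must be among the audiences
    return false unless Array(payload['aud']).include?(client_id)
    # 3. exp must be present and still in the future
    return false unless payload['exp'].is_a?(Integer) && payload['exp'] > now
    # 4. pick the JWK whose kid matches, then verify the signature over "header.payload"
    jwk = jwks['keys'].find { |k| k['kid'] == header['kid'] }
    return false if jwk.nil?
    jwk_to_rsa(jwk).verify(OpenSSL::Digest.new('SHA256'), signature, "#{header_raw}.#{payload_raw}")
  rescue JSON::JSONError, ArgumentError, EncodingError, OpenSSL::OpenSSLError
    false
  end

  # Exercises the validator against constructed tokens; returns the outcome of each scenario.
  def self.demo
    key, rogue = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
    kid = 'example-kid-1'
    jwks = { 'keys' => [rsa_to_jwk(key, kid)] }
    now = Time.now.to_i
    claims = { 'iss' => ISSUER, 'aud' => [CLIENT_ID], 'exp' => now + 300, 'sub' => 'user-123' }
    good = sign_id_token(key, kid, claims)
    h, _p, s = good.split('.')
    tampered = "#{h}.#{b64url_encode(JSON.generate(claims.merge('sub' => 'someone-else')))}.#{s}"
    {
      valid: validate_id_token(good, jwks: jwks, now: now),
      expired: validate_id_token(sign_id_token(key, kid, claims.merge('exp' => now - 1)), jwks: jwks, now: now),
      wrong_aud: validate_id_token(sign_id_token(key, kid, claims.merge('aud' => 'other-client')), jwks: jwks, now: now),
      wrong_iss: validate_id_token(sign_id_token(key, kid, claims.merge('iss' => 'https://other.example.test/')), jwks: jwks, now: now),
      # same kid in the header, but signed with a key that is not in the JWKS:
      # a kid-only comparison accepts this token, signature verification rejects it
      forged: validate_id_token(sign_id_token(rogue, kid, claims), jwks: jwks, now: now),
      tampered: validate_id_token(tampered, jwks: jwks, now: now),
      garbage: validate_id_token('not.a.jwt', jwks: jwks, now: now)
    }
  end
end

puts IdTokenCheck.demo.inspect if $PROGRAM_NAME == __FILE__
```

The `forged` scenario is the one that separates this validator from a kid-only comparison: the token header names the JWKS key's `kid`, so the kid check passes, but the signature was produced by a different key and verification fails. Pinning `alg` before anything else keeps a token from downgrading to `none` or switching the public key into an HMAC secret; in production the JWKS document would be fetched from `@client.jwks_uri` and cached rather than built inline.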