Class: IntuitOAuth::Flow::OpenID
Defined in: lib/intuit-oauth/flow/openid.rb
Instance Attribute Summary
Attributes inherited from Base
Instance Method Summary
- #get_user_info(access_token) ⇒ Response
  Get the User Info.
- #validate_id_token(id_token) ⇒ Boolean
  If the token can be correctly validated, returns true.
Methods inherited from Base
Constructor Details
This class inherits a constructor from IntuitOAuth::Base
Instance Method Details
#get_user_info(access_token) ⇒ Response
Get the User Info
# File 'lib/intuit-oauth/flow/openid.rb', line 28
def get_user_info(access_token)
  # The access token is sent as a Bearer credential to the UserInfo endpoint
  headers = { Authorization: "Bearer #{access_token}" }
  IntuitOAuth::Transport.request('GET', @client.user_info_url, headers)
end
#validate_id_token(id_token) ⇒ Boolean
If the token can be correctly validated, returns true. Otherwise, returns false.
The validation rules are:
1. You have to provide the client_id value, which must match the token's aud field.
2. The payload issuer is from Intuit.
3. The expiry time has not passed.
4. The signature is correct.
If something fails, an error is raised.
# File 'lib/intuit-oauth/flow/openid.rb', line 52
def validate_id_token(id_token)
  id_token_header_raw, id_token_payload_raw, id_token_signature_raw = id_token.split(".")

  # base 64 decode (note: JWT segments are base64url-encoded; Base64.decode64 uses
  # the standard alphabet and silently drops '-' and '_' characters)
  id_token_header_json = JSON.parse(Base64.decode64(id_token_header_raw.strip))
  id_token_payload_json = JSON.parse(Base64.decode64(id_token_payload_raw.strip))
  id_token_signature = Base64.decode64(id_token_signature_raw.strip)

  # 1. check if payload's issuer is from Intuit
  issue = id_token_payload_json.fetch('iss')
  unless issue.eql? @client.issuer_uri
    return false
  end

  # 2. check if the aud matches the client id (assumes 'aud' is an array)
  aud = id_token_payload_json.fetch('aud').first
  unless aud.eql? @client.id
    return false
  end

  # 3. check if the expire time is not expired
  exp = id_token_payload_json.fetch('exp')
  if exp < Time.now.to_i
    return false
  end

  # 4. check if the signature is correct: fetches the JWKS and compares the 'kid'
  # of its first key with the 'kid' in the token header. The decoded signature
  # bytes are not verified against the key here.
  response = IntuitOAuth::Transport.request('GET', @client.jwks_uri, nil, nil, false)
  body = response.body
  keys = JSON.parse(body).fetch('keys').first
  standard_kid = keys.fetch('kid')
  kid_in_id_token = id_token_header_json.fetch('kid')
  unless standard_kid.eql? kid_in_id_token
    return false
  end

  return true
end
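The four rules above say what a correct ID-token check must establish, and the library method implements rule 4 by comparing key ids only. The following is an added example, not code from the intuit-oauth gem, that carries the same rules through to a cryptographic RS256 signature check against a JWKS document, using only the Ruby standard library. The issuer, client id, key id and claims are constructed sample values; the JWKS is generated locally in place of the document the provider's jwks_uri would return, and the function names (validate_id_token, mint_id_token, jwks_for, demo) are this example's own.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Constructed sample values standing in for @client.issuer_uri and @client.id
ISSUER    = 'https://issuer.example.test/op/v1'
CLIENT_ID = 'sample-client-id'

# JWT segments are base64url without padding. Base64.decode64 would silently
# drop '-' and '_', so the urlsafe variant is used throughout.
def b64url_decode(str)
  Base64.urlsafe_decode64(str)
end

def b64url_encode(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Build a JWKS hash (what a jwks_uri serves) from an RSA public key
def jwks_for(public_key, kid)
  { 'keys' => [{
    'kty' => 'RSA', 'alg' => 'RS256', 'use' => 'sig', 'kid' => kid,
    'n' => b64url_encode(public_key.n.to_s(2)),
    'e' => b64url_encode(public_key.e.to_s(2))
  }] }
end

# Rebuild an OpenSSL RSA public key from a JWK entry (n, e are big-endian base64url)
def rsa_key_from_jwk(jwk)
  n = OpenSSL::BN.new(b64url_decode(jwk['n']), 2)
  e = OpenSSL::BN.new(b64url_decode(jwk['e']), 2)
  der = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)]).to_der
  OpenSSL::PKey::RSA.new(der)
end

# Returns [true, :ok] or [false, reason]. 'now' is injectable so expiry is testable.
def validate_id_token(id_token, jwks:, issuer:, client_id:, now: Time.now.to_i)
  parts = id_token.to_s.split('.')
  return [false, :malformed] unless parts.length == 3
  header_raw, payload_raw, sig_raw = parts
  header    = JSON.parse(b64url_decode(header_raw))
  payload   = JSON.parse(b64url_decode(payload_raw))
  signature = b64url_decode(sig_raw)

  # Pin the algorithm: the header must not be allowed to choose it (e.g. "none")
  return [false, :bad_alg] unless header['alg'] == 'RS256'
  # Rule 2: issuer
  return [false, :bad_iss] unless payload['iss'] == issuer
  # Rule 1: aud may be a string or an array; the client id must be among them
  return [false, :bad_aud] unless Array(payload['aud']).include?(client_id)
  # Rule 3: exp is seconds since epoch and must lie in the future
  return [false, :expired] unless payload['exp'].is_a?(Integer) && payload['exp'] > now
  # Rule 4: select the JWKS key by kid, then verify the signature over header.payload
  jwk = jwks['keys'].find { |k| k['kid'] == header['kid'] }
  return [false, :unknown_kid] unless jwk
  key = rsa_key_from_jwk(jwk)
  ok = key.verify(OpenSSL::Digest.new('SHA256'), signature, "#{header_raw}.#{payload_raw}")
  ok ? [true, :ok] : [false, :bad_signature]
rescue JSON::ParserError, ArgumentError, OpenSSL::PKey::PKeyError
  [false, :malformed]
end

# Mint a signed token; stands in for the provider so the demo runs offline
def mint_id_token(private_key, kid, claims)
  header = { 'alg' => 'RS256', 'typ' => 'JWT', 'kid' => kid }
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(claims))}"
  "#{signing_input}.#{b64url_encode(private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input))}"
end

def demo
  key  = OpenSSL::PKey::RSA.new(2048)          # constructed: the provider's signing key
  kid  = 'demo-key-1'
  jwks = jwks_for(key.public_key, kid)
  now  = 1_700_000_000
  claims = { 'iss' => ISSUER, 'aud' => [CLIENT_ID], 'exp' => now + 3600, 'sub' => 'user-42' }
  good = mint_id_token(key, kid, claims)
  # Payload altered after signing, original header (same kid) and signature kept:
  # a kid-only comparison accepts this; signature verification does not.
  h, _p, s = good.split('.')
  forged  = [h, b64url_encode(JSON.generate(claims.merge('sub' => 'someone-else'))), s].join('.')
  expired = mint_id_token(key, kid, claims.merge('exp' => now - 1))
  opts = { jwks: jwks, issuer: ISSUER, client_id: CLIENT_ID, now: now }
  { good: validate_id_token(good, **opts),
    forged: validate_id_token(forged, **opts),
    expired: validate_id_token(expired, **opts) }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The forged token in demo is the case the kid comparison alone cannot catch: its header and kid are untouched, so only verifying the signature bytes over the header.payload input rejects it. Pinning alg to RS256 before looking at the key prevents the token from selecting a weaker or absent algorithm.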