Class: KeycloakRack::DecodedToken

Inherits:
FlexibleStruct show all
Defined in:
lib/keycloak_rack/decoded_token.rb

Overview

PORO that wraps the result of decoding the JWT into something slightly more usable, with some type-safety and role checking features.

Defined Under Namespace

Classes: UnknownAttribute

Constant Summary collapse

Audience =
Types::Coercible::Array.of(Types::String)
ALIAS_MAP =
KEY_MAP.invert.freeze

Token Details collapse

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Instance Attribute Details

#allowed_origins<String> (readonly)

Returns:

  • (<String>)

121
# File 'lib/keycloak_rack/decoded_token.rb', line 121

attribute? :allowed_origins, Types::StringList

#audienceString (readonly)

Returns:

  • (String)

90
# File 'lib/keycloak_rack/decoded_token.rb', line 90

attribute :audience, Audience.optional

#authorized_atTime (readonly)

The auth_time value from Keycloak.

Returns:

  • (Time)

82
# File 'lib/keycloak_rack/decoded_token.rb', line 82

attribute? :authorized_at, Types::Timestamp

#authorized_partyString (readonly)

The azp claim

Returns:

  • (String)

100
# File 'lib/keycloak_rack/decoded_token.rb', line 100

attribute? :authorized_party, Types::String

#emailString? (readonly)

Returns:

  • (String, nil)

65
# File 'lib/keycloak_rack/decoded_token.rb', line 65

attribute? :email, Types::String.optional

#email_verifiedBoolean (readonly)

Returns:

  • (Boolean)

45
# File 'lib/keycloak_rack/decoded_token.rb', line 45

attribute? :email_verified, Types::Bool

#expires_atTime (readonly)

The exp claim

Returns:

  • (Time)

72
# File 'lib/keycloak_rack/decoded_token.rb', line 72

attribute? :expires_at, Types::Timestamp

#family_nameString? (readonly) Also known as: last_name

Returns:

  • (String, nil)

61
# File 'lib/keycloak_rack/decoded_token.rb', line 61

attribute? :family_name, Types::String.optional

#given_nameString? (readonly) Also known as: first_name

Returns:

  • (String, nil)

57
# File 'lib/keycloak_rack/decoded_token.rb', line 57

attribute? :given_name, Types::String.optional

#headersActiveSupport::HashWithindifferentAccess (readonly)

The JWT headers, provided for debugging

Returns:

  • (ActiveSupport::HashWithindifferentAccess)

126
# File 'lib/keycloak_rack/decoded_token.rb', line 126

attribute? :headers, Types::IndifferentHash

#issued_atTime (readonly)

The iat claim

Returns:

  • (Time)

77
# File 'lib/keycloak_rack/decoded_token.rb', line 77

attribute? :issued_at, Types::Timestamp

#jtiString (readonly)

Returns:

  • (String)

86
# File 'lib/keycloak_rack/decoded_token.rb', line 86

attribute :jti, Types::String

#localeString? (readonly)

Returns:

  • (String, nil)

117
# File 'lib/keycloak_rack/decoded_token.rb', line 117

attribute? :locale, Types::String.optional

#nameString? (readonly)

Returns:

  • (String, nil)

49
# File 'lib/keycloak_rack/decoded_token.rb', line 49

attribute? :name, Types::String.optional

#nonceString (readonly)

Cryptographic nonce for the token

Returns:

  • (String)

105
# File 'lib/keycloak_rack/decoded_token.rb', line 105

attribute? :nonce, Types::String

#original_payloadActiveSupport::HashWithIndifferentAccess (readonly)

The original JWT payload, unmodified, for extracting potential additional attributes.

Returns:

  • (ActiveSupport::HashWithIndifferentAccess)

131
# File 'lib/keycloak_rack/decoded_token.rb', line 131

attribute? :original_payload, Types::IndifferentHash

#preferred_usernameString? (readonly)

Returns:

  • (String, nil)

53
# File 'lib/keycloak_rack/decoded_token.rb', line 53

attribute? :preferred_username, Types::String.optional

#realm_accessKeycloakRack::RoleMap (readonly)


37
# File 'lib/keycloak_rack/decoded_token.rb', line 37

attribute :realm_access, RoleMap

#resource_access{ String => KeycloakRack::RoleMap } (readonly)

Returns:


41
# File 'lib/keycloak_rack/decoded_token.rb', line 41

attribute :resource_access, ResourceRoleMap

#scopeString (readonly)

Returns:

  • (String)

109
# File 'lib/keycloak_rack/decoded_token.rb', line 109

attribute? :scope, Types::String

#session_stateString (readonly)

Returns:

  • (String)

113
# File 'lib/keycloak_rack/decoded_token.rb', line 113

attribute? :session_state, Types::String

#subString (readonly) Also known as: keycloak_id

The user id / subject for the JWT. Corresponds to user_id in Keycloak's rest API, and suitable for linking your local user records to Keycloak's.

Returns:

  • (String)

33
# File 'lib/keycloak_rack/decoded_token.rb', line 33

attribute :sub, Types::String

#typeString (readonly)

The typ claim in the JWT. Keycloak sets this to "JWT".

Returns:

  • (String)

95
# File 'lib/keycloak_rack/decoded_token.rb', line 95

attribute :type, Types::String

Class Method Details

.maybe_unalias_key(key) ⇒ Symbol

Parameters:

  • key (Symbol)

Returns:

  • (Symbol)

198
199
200
# File 'lib/keycloak_rack/decoded_token.rb', line 198

def maybe_unalias_key(key)
  ALIAS_MAP.fetch(key, key).to_sym
end

Instance Method Details

#fetch(key) ⇒ Object

Parameters:

  • key (#to_sym)

Returns:

  • (Object)

Raises:


150
151
152
153
154
155
156
157
158
159
160
161
162
# File 'lib/keycloak_rack/decoded_token.rb', line 150

def fetch(key)
  key = key.to_sym

  if key.in?(attribute_names)
    self[key]
  elsif key.in?(ALIASES)
    public_send(key)
  elsif key.in?(original_payload)
    original_payload[key]
  else
    raise UnknownAttribute, "Cannot fetch #{key.inspect}"
  end
end

#has_realm_role?(name) ⇒ Boolean

Check if the current user has a certain realm role

Parameters:

  • name (#to_s)

Returns:

  • (Boolean)

167
168
169
# File 'lib/keycloak_rack/decoded_token.rb', line 167

def has_realm_role?(name)
  name.to_s.in? realm_access.roles
end

#has_resource_role?(resource_name, role_name) ⇒ Boolean

Check if the user has a certain role on a certain resource.

Parameters:

  • resource_name (#to_s)
  • role_name (#to_s)

Returns:

  • (Boolean)

175
176
177
# File 'lib/keycloak_rack/decoded_token.rb', line 175

def has_resource_role?(resource_name, role_name)
  resource_access[resource_name.to_s]&.has_role?(role_name)
end

#slice(*keys) ⇒ ActiveSupport::HashWithIndifferentAccess

Extract keys into something hash-like

Parameters:

  • keys (<String, Symbol>)

Returns:

  • (ActiveSupport::HashWithIndifferentAccess)

183
184
185
186
187
188
189
# File 'lib/keycloak_rack/decoded_token.rb', line 183

def slice(*keys)
  keys.flatten!

  keys.each_with_object({}.with_indifferent_access) do |key, h|
    h[key] = fetch(key)
  end
end