Class: KeycloakRack::DecodedToken

Inherits:

FlexibleStruct

• Object
• Dry::Struct
• FlexibleStruct
• KeycloakRack::DecodedToken

Defined in:

lib/keycloak_rack/decoded_token.rb

Overview

PORO that wraps the result of decoding the JWT into something slightly more usable, with some type-safety and role checking features.

Defined Under Namespace

Classes: UnknownAttribute

Constant Summary

Audience =

Types::Coercible::Array.of(Types::String)

ALIAS_MAP =

KEY_MAP.invert.freeze

Token Details

• #allowed_origins ⇒ <String> readonly
• #audience ⇒ String readonly
• #authorized_at ⇒ Time readonly

  The auth_time value from Keycloak.

• #authorized_party ⇒ String readonly

  The azp claim.

• #expires_at ⇒ Time readonly

  The exp claim.

• #headers ⇒ ActiveSupport::HashWithindifferentAccess readonly

  The JWT headers, provided for debugging.

• #issued_at ⇒ Time readonly

  The iat claim.

• #jti ⇒ String readonly
• #locale ⇒ String^? readonly
• #nonce ⇒ String readonly

  Cryptographic nonce for the token.

• #original_payload ⇒ ActiveSupport::HashWithIndifferentAccess readonly

  The original JWT payload, unmodified, for extracting potential additional attributes.

• #scope ⇒ String readonly
• #session_state ⇒ String readonly
• #type ⇒ String readonly

  The typ claim in the JWT.

Instance Attribute Summary

• #email ⇒ String^? readonly
• #email_verified ⇒ Boolean readonly
• #family_name ⇒ String^? (also: #last_name) readonly
• #given_name ⇒ String^? (also: #first_name) readonly
• #name ⇒ String^? readonly
• #preferred_username ⇒ String^? readonly
• #realm_access ⇒ KeycloakRack::RoleMap readonly
• #resource_access ⇒ { String => KeycloakRack::RoleMap } readonly
• #sub ⇒ String (also: #keycloak_id) readonly

  The user id / subject for the JWT.

Class Method Summary

• .maybe_unalias_key(key) ⇒ Symbol

Instance Method Summary

• #fetch(key) ⇒ Object
• #has_realm_role?(name) ⇒ Boolean

  Check if the current user has a certain realm role.

• #has_resource_role?(resource_name, role_name) ⇒ Boolean

  Check if the user has a certain role on a certain resource.

• #slice(*keys) ⇒ ActiveSupport::HashWithIndifferentAccess

  Extract keys into something hash-like.

Instance Attribute Details

#allowed_origins ⇒ <String> (readonly)

Returns:

• (<String>)

# File 'lib/keycloak_rack/decoded_token.rb', line 121

attribute? :allowed_origins, Types::StringList

#audience ⇒ String (readonly)

Returns:

• (String)

# File 'lib/keycloak_rack/decoded_token.rb', line 90

attribute :audience, Audience.optional

#authorized_at ⇒ Time (readonly)

The auth_time value from Keycloak.

Returns:

• (Time)

# File 'lib/keycloak_rack/decoded_token.rb', line 82

attribute? :authorized_at, Types::Timestamp

#authorized_party ⇒ String (readonly)

The azp claim

Returns:

• (String)

# File 'lib/keycloak_rack/decoded_token.rb', line 100

attribute? :authorized_party, Types::String

#email ⇒ String^? (readonly)

Returns:

• (String, nil)

# File 'lib/keycloak_rack/decoded_token.rb', line 65

attribute? :email, Types::String.optional

#email_verified ⇒ Boolean (readonly)

Returns:

• (Boolean)

# File 'lib/keycloak_rack/decoded_token.rb', line 45

attribute? :email_verified, Types::Bool

#expires_at ⇒ Time (readonly)

The exp claim

Returns:

• (Time)

# File 'lib/keycloak_rack/decoded_token.rb', line 72

attribute? :expires_at, Types::Timestamp

#family_name ⇒ String^? (readonly) Also known as: last_name

Returns:

• (String, nil)

# File 'lib/keycloak_rack/decoded_token.rb', line 61

attribute? :family_name, Types::String.optional

#given_name ⇒ String^? (readonly) Also known as: first_name

Returns:

• (String, nil)

# File 'lib/keycloak_rack/decoded_token.rb', line 57

attribute? :given_name, Types::String.optional

#headers ⇒ ActiveSupport::HashWithindifferentAccess (readonly)

The JWT headers, provided for debugging

Returns:

• (ActiveSupport::HashWithindifferentAccess)

# File 'lib/keycloak_rack/decoded_token.rb', line 126

attribute? :headers, Types::IndifferentHash

#issued_at ⇒ Time (readonly)

The iat claim

Returns:

• (Time)

# File 'lib/keycloak_rack/decoded_token.rb', line 77

attribute? :issued_at, Types::Timestamp

#jti ⇒ String (readonly)

Returns:

• (String)

# File 'lib/keycloak_rack/decoded_token.rb', line 86

attribute :jti, Types::String

#locale ⇒ String^? (readonly)

Returns:

• (String, nil)

# File 'lib/keycloak_rack/decoded_token.rb', line 117

attribute? :locale, Types::String.optional

#name ⇒ String^? (readonly)

Returns:

• (String, nil)

# File 'lib/keycloak_rack/decoded_token.rb', line 49

attribute? :name, Types::String.optional

#nonce ⇒ String (readonly)

Cryptographic nonce for the token

Returns:

• (String)

# File 'lib/keycloak_rack/decoded_token.rb', line 105

attribute? :nonce, Types::String

#original_payload ⇒ ActiveSupport::HashWithIndifferentAccess (readonly)

The original JWT payload, unmodified, for extracting potential additional attributes.

Returns:

• (ActiveSupport::HashWithIndifferentAccess)

# File 'lib/keycloak_rack/decoded_token.rb', line 131

attribute? :original_payload, Types::IndifferentHash

#preferred_username ⇒ String^? (readonly)

Returns:

• (String, nil)

# File 'lib/keycloak_rack/decoded_token.rb', line 53

attribute? :preferred_username, Types::String.optional

#realm_access ⇒ KeycloakRack::RoleMap (readonly)

Returns:

• (KeycloakRack::RoleMap)

# File 'lib/keycloak_rack/decoded_token.rb', line 37

attribute :realm_access, RoleMap

#resource_access ⇒ { String => KeycloakRack::RoleMap } (readonly)

Returns:

• ({ String => KeycloakRack::RoleMap })

# File 'lib/keycloak_rack/decoded_token.rb', line 41

attribute :resource_access, ResourceRoleMap

#scope ⇒ String (readonly)

Returns:

• (String)

# File 'lib/keycloak_rack/decoded_token.rb', line 109

attribute? :scope, Types::String

#session_state ⇒ String (readonly)

Returns:

• (String)

# File 'lib/keycloak_rack/decoded_token.rb', line 113

attribute? :session_state, Types::String

#sub ⇒ String (readonly) Also known as: keycloak_id

The user id / subject for the JWT. Corresponds to user_id in Keycloak's rest API, and suitable for linking your local user records to Keycloak's.

Returns:

• (String)

# File 'lib/keycloak_rack/decoded_token.rb', line 33

attribute :sub, Types::String

#type ⇒ String (readonly)

The typ claim in the JWT. Keycloak sets this to "JWT".

Returns:

• (String)

# File 'lib/keycloak_rack/decoded_token.rb', line 95

attribute :type, Types::String

Class Method Details

.maybe_unalias_key(key) ⇒ Symbol

Parameters:

• key (Symbol)

Returns:

• (Symbol)

# File 'lib/keycloak_rack/decoded_token.rb', line 198

def maybe_unalias_key(key)
  ALIAS_MAP.fetch(key, key).to_sym
end

Instance Method Details

#fetch(key) ⇒ Object

Parameters:

• key (#to_sym)

Returns:

• (Object)

Raises:

• (KeycloakRack::DecodedToken::UnknownAttribute) —

  if it is an unknown attribute

# File 'lib/keycloak_rack/decoded_token.rb', line 150

def fetch(key)
  key = key.to_sym

  if key.in?(attribute_names)
    self[key]
  elsif key.in?(ALIASES)
    public_send(key)
  elsif key.in?(original_payload)
    original_payload[key]
  else
    raise UnknownAttribute, "Cannot fetch #{key.inspect}"
  end
end

#has_realm_role?(name) ⇒ Boolean

Check if the current user has a certain realm role

Parameters:

• name (#to_s)

Returns:

• (Boolean)

# File 'lib/keycloak_rack/decoded_token.rb', line 167

def has_realm_role?(name)
  name.to_s.in? realm_access.roles
end

#has_resource_role?(resource_name, role_name) ⇒ Boolean

Check if the user has a certain role on a certain resource.

Parameters:

• resource_name (#to_s)
• role_name (#to_s)

Returns:

• (Boolean)

# File 'lib/keycloak_rack/decoded_token.rb', line 175

def has_resource_role?(resource_name, role_name)
  resource_access[resource_name.to_s]&.has_role?(role_name)
end

#slice(*keys) ⇒ ActiveSupport::HashWithIndifferentAccess

Extract keys into something hash-like

Parameters:

• keys (<String, Symbol>)

Returns:

• (ActiveSupport::HashWithIndifferentAccess)

# File 'lib/keycloak_rack/decoded_token.rb', line 183

def slice(*keys)
  keys.flatten!

  keys.each_with_object({}.with_indifferent_access) do |key, h|
    h[key] = fetch(key)
  end
end