Class: OmniAuth::Auth0::JWTValidator

Inherits:
Object
  • Object
Defined in:
lib/omniauth/auth0/jwt_validator.rb

Overview

JWT Validator class

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(options) ⇒ JWTValidator

Initializer

Parameters:

  • options

    object - Options object with the following attributes: options.domain - Application domain; options.issuer - Application issuer (optional); options.client_id - Application Client ID; options.client_secret - Application Client Secret.



# File 'lib/omniauth/auth0/jwt_validator.rb', line 18

# Build a validator from the strategy options.
#
# @param options [Object] must respond to +domain+, +client_id+ and
#   +client_secret+; +issuer+ is read only when the object responds to it.
def initialize(options)
  @domain = uri_string(options.domain)

  # A custom issuer wins whenever the options object exposes one; the domain
  # is the fallback.
  # NOTE(review): respond_to? is true even when the issuer value is nil -
  # confirm uri_string copes with nil, or that callers never leave it unset.
  @issuer = options.respond_to?(:issuer) ? uri_string(options.issuer) : @domain

  # @client_secret is the HS256 verification key used by #decode. Default
  # #inspect output includes instance variables, so keep instances of this
  # class out of logs and error reports.
  @client_id = options.client_id
  @client_secret = options.client_secret
end

Instance Attribute Details

#domainObject

Returns the value of attribute domain.



# File 'lib/omniauth/auth0/jwt_validator.rb', line 10

# Reader for @domain, which #initialize sets to uri_string(options.domain).
def domain
  @domain
end

#issuerObject

Returns the value of attribute issuer.



# File 'lib/omniauth/auth0/jwt_validator.rb', line 10

# Reader for @issuer, which #initialize sets to the custom issuer when the
# options object responds to :issuer, and to the domain otherwise.
def issuer
  @issuer
end

Instance Method Details

#decode(jwt) ⇒ Object

Decode a JWT, verifying its signature.

Parameters:

  • jwt

    string - JWT to decode.

Returns:

  • hash - The decoded token, if there were no exceptions.

See Also:



# File 'lib/omniauth/auth0/jwt_validator.rb', line 33

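# Decode a JWT and verify its signature.
#
# The algorithm is read from the token's unverified header, so each accepted
# algorithm is tied to its own key source: RS256 to the JWKS key looked up by
# +kid+, HS256 to the client secret. Every other value is rejected before the
# JWT library is called.
# NOTE(review): the accepted algorithm is chosen by the token rather than by
# configuration - confirm that accepting both RS256 and HS256 is intended for
# every application that uses this validator.
#
# @param jwt [String] JWT to decode.
# @return [Object] the result of JWT.decode for a token that verified.
# @raise [JWT::VerificationError] when the algorithm is unsupported or no
#   verification key is available.
def decode(jwt)
  head = token_head(jwt)

  # Make sure the algorithm is supported and get the decode key.
  decode_key = @client_secret
  if head[:alg] == 'RS256'
    decode_key = rs256_decode_key(head[:kid])
  elsif head[:alg] != 'HS256'
    raise JWT::VerificationError, :id_token_alg_unsupported
  end

  # Fail closed when there is nothing to verify against. An unset or empty
  # client secret gives an HS256 signature no integrity value, and an RS256
  # lookup that produced no key must not reach the JWT library as nil.
  if decode_key.nil? || (decode_key.respond_to?(:empty?) && decode_key.empty?)
    raise JWT::VerificationError, 'No key available to verify the token signature'
  end

  # The literal true enables signature verification.
  # Docs: https://github.com/jwt/ruby-jwt#algorithms-and-usage
  JWT.decode(jwt, decode_key, true, decode_opts(head[:alg]))
end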

#jwks_key(key, kid) ⇒ Object

Return a specific key from a JWKS object.

Parameters:

  • key

    string - Key to find in the JWKS.

  • kid

    string - Key ID to identify the right JWK.

Returns:

  • nil|string



# File 'lib/omniauth/auth0/jwt_validator.rb', line 71

# Read one attribute from the JWK whose key ID equals +kid+.
#
# +kid+ normally comes from the unverified token header; here it only selects
# among the keys already present in the JWKS.
# NOTE(review): a nil kid compares equal to a JWK that has no :kid entry
# (assuming JWKs are hashes) - confirm that fallback is wanted.
#
# @param key attribute to read from the matching JWK.
# @param kid key ID identifying the JWK.
# @return the attribute value, or nil when the key set is blank or no JWK
#   carries that key ID.
def jwks_key(key, kid)
  return if blank?(jwks[:keys])

  found = jwks[:keys].find { |candidate| candidate[:kid] == kid }
  found ? found[key] : nil
end

#jwks_public_cert(x5c) ⇒ Object

Decode a Base64-encoded X.509 certificate taken from a JWKS and return its public key.

Parameters:

  • x5c

    string - X.509 certificate chain from a JWKS.

Returns:

  • key - The X.509 certificate public key.



# File 'lib/omniauth/auth0/jwt_validator.rb', line 60

def jwks_public_cert(x5c)
  x5c = Base64.decode64(x5c)

  # https://docs.ruby-lang.org/en/2.4.0/OpenSSL/X509/Certificate.html
  OpenSSL::X509::Certificate.new(x5c).public_key
end

#token_head(jwt) ⇒ Object

Get the decoded head segment from a JWT.

Returns:

  • hash - The parsed head of the JWT passed, or an empty hash if the token has no head segment.



# File 'lib/omniauth/auth0/jwt_validator.rb', line 50

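# Get the decoded head segment from a JWT.
#
# The head is read before any signature check, so its contents are untrusted;
# callers should use it only to pick the algorithm and key.
#
# @param jwt [String, nil] the encoded token.
# @return [Hash] the parsed head, or an empty hash when the token is missing
#   or has no head segment.
def token_head(jwt)
  # to_s lets a missing token take the documented empty-hash path instead of
  # raising NoMethodError on nil.
  jwt_parts = jwt.to_s.split('.')
  return {} if blank?(jwt_parts) || blank?(jwt_parts[0])

  # JWT segments are base64url-encoded. Base64.decode64 silently skips '-' and
  # '_', so map them to the standard alphabet first; otherwise a head that
  # contains them would be parsed differently here than by the JWT library.
  json_parse(Base64.decode64(jwt_parts[0].tr('-_', '+/')))
end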