Class: OmniAuth::Auth0::JWTValidator

Inherits:

Object

• Object
• OmniAuth::Auth0::JWTValidator

Defined in:

lib/omniauth/auth0/jwt_validator.rb

Overview

JWT Validator class

Instance Attribute Summary

• #domain ⇒ Object

  Returns the value of attribute domain.

• #issuer ⇒ Object

  Returns the value of attribute issuer.

Instance Method Summary

• #initialize(options, authorize_params = {}) ⇒ JWTValidator constructor

  Initializer.

• #jwks_key(key, kid) ⇒ Object

  Return a specific key from a JWKS object.

• #jwks_public_cert(x5c) ⇒ Object

  Get the JWKS from the issuer and return a public key.

• #token_head(jwt) ⇒ Object

  Get the decoded head segment from a JWT.

• #verify(jwt, authorize_params = {}) ⇒ Object

  Verify a JWT.

• #verify_signature(jwt) ⇒ Object

  Verify a token’s signature.

Constructor Details

#initialize(options, authorize_params = {}) ⇒ JWTValidator

Initializer

Parameters:

• options —

  object options.domain - Application domain. options.issuer - Application issuer (optional). options.client_id - Application Client ID. options.client_secret - Application Client Secret.

# File 'lib/omniauth/auth0/jwt_validator.rb', line 20

def initialize(options, authorize_params = {})
  @domain = uri_string(options.domain)

  # Use custom issuer if provided, otherwise use domain
  @issuer = @domain
  @issuer = uri_string(options.issuer) if options.respond_to?(:issuer)

  @client_id = options.client_id
  @client_secret = options.client_secret
end

Instance Attribute Details

#domain ⇒ Object

Returns the value of attribute domain.

# File 'lib/omniauth/auth0/jwt_validator.rb', line 11

def domain
  @domain
end

#issuer ⇒ Object

Returns the value of attribute issuer.

# File 'lib/omniauth/auth0/jwt_validator.rb', line 11

def issuer
  @issuer
end

Instance Method Details

#jwks_key(key, kid) ⇒ Object

Return a specific key from a JWKS object.

Parameters:

• key —

  string - Key to find in the JWKS.

• kid —

  string - Key ID to identify the right JWK.

Returns:

• nil|string

# File 'lib/omniauth/auth0/jwt_validator.rb', line 95

def jwks_key(key, kid)
  return nil if blank?(jwks[:keys])

  matching_jwk = jwks[:keys].find { |jwk| jwk[:kid] == kid }
  matching_jwk[key] if matching_jwk
end

#jwks_public_cert(x5c) ⇒ Object

Get the JWKS from the issuer and return a public key.

Parameters:

• x5c —

  string - X.509 certificate chain from a JWKS.

Returns:

• key - The X.509 certificate public key.

# File 'lib/omniauth/auth0/jwt_validator.rb', line 84

def jwks_public_cert(x5c)
  x5c = Base64.decode64(x5c)

  # https://docs.ruby-lang.org/en/2.4.0/OpenSSL/X509/Certificate.html
  OpenSSL::X509::Certificate.new(x5c).public_key
end

#token_head(jwt) ⇒ Object

Get the decoded head segment from a JWT.

Returns:

• hash - The parsed head of the JWT passed, empty hash if not.

# File 'lib/omniauth/auth0/jwt_validator.rb', line 74

def token_head(jwt)
  jwt_parts = jwt.split('.')
  return {} if blank?(jwt_parts) || blank?(jwt_parts[0])

  json_parse(Base64.decode64(jwt_parts[0]))
end

#verify(jwt, authorize_params = {}) ⇒ Object

Verify a JWT.

Parameters:

• jwt —

  string - JWT to verify.

• authorize_params (defaults to: {}) —

  hash - Authorization params to verify on the JWT

Returns:

• hash - The verified token, if there were no exceptions.

# File 'lib/omniauth/auth0/jwt_validator.rb', line 55

def verify(jwt, authorize_params = {})
  if !jwt
    raise OmniAuth::Auth0::TokenValidationError.new('ID token is required but missing')
  end

  parts = jwt.split('.')
  if parts.length != 3
    raise OmniAuth::Auth0::TokenValidationError.new('ID token could not be decoded')
  end

  key, alg = verify_signature(jwt)
  id_token, header = JWT.decode(jwt, key, false)
  verify_claims(id_token, authorize_params)

  return id_token
end

#verify_signature(jwt) ⇒ Object

Verify a token’s signature. Only tokens signed with the RS256 or HS256 signatures are supported.

Returns:

• array - The token’s key and signing algorithm

# File 'lib/omniauth/auth0/jwt_validator.rb', line 33

def verify_signature(jwt)
  head = token_head(jwt)

  # Make sure the algorithm is supported and get the decode key.
  if head[:alg] == 'RS256'
    key, alg = [rs256_decode_key(head[:kid]), head[:alg]]
  elsif head[:alg] == 'HS256'
    key, alg = [@client_secret, head[:alg]]
  else
    raise OmniAuth::Auth0::TokenValidationError.new("Signature algorithm of #{head[:alg]} is not supported. Expected the ID token to be signed with RS256 or HS256")
  end

  # Call decode to verify the signature
  JWT.decode(jwt, key, true, decode_opts(alg))

  return key, alg
end