Class: OpenIDTokenProxy::Token

Inherits:
Object
  • Object
show all
Defined in:
lib/openid_token_proxy/token.rb,
lib/openid_token_proxy/token/expired.rb,
lib/openid_token_proxy/token/refresh.rb,
lib/openid_token_proxy/token/required.rb,
lib/openid_token_proxy/token/malformed.rb,
lib/openid_token_proxy/token/authentication.rb,
lib/openid_token_proxy/token/invalid_issuer.rb,
lib/openid_token_proxy/token/invalid_audience.rb,
lib/openid_token_proxy/token/invalid_application.rb,
lib/openid_token_proxy/token/unverifiable_signature.rb

Defined Under Namespace

Modules: Authentication, Refresh Classes: Expired, InvalidApplication, InvalidAudience, InvalidIssuer, Malformed, Required, UnverifiableSignature

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(access_token, id_token = nil, refresh_token = nil) ⇒ Token

Returns a new instance of Token.



13
14
15
16
17
18
19
20
 
# File 'lib/openid_token_proxy/token.rb', line 13

def initialize(access_token, id_token = nil, refresh_token = nil)
  @access_token = access_token
  if id_token.is_a? Hash
    id_token = OpenIDConnect::ResponseObject::IdToken.new(id_token)
  end
  @id_token = id_token
  @refresh_token = refresh_token
end

Instance Attribute Details

#access_tokenObject

Returns the value of attribute access_token.



11
12
13
 
# File 'lib/openid_token_proxy/token.rb', line 11

def access_token
  @access_token
end

#id_tokenObject

Returns the value of attribute id_token.



11
12
13
 
# File 'lib/openid_token_proxy/token.rb', line 11

def id_token
  @id_token
end

#refresh_tokenObject

Returns the value of attribute refresh_token.



11
12
13
 
# File 'lib/openid_token_proxy/token.rb', line 11

def refresh_token
  @refresh_token
end

Class Method Details

.decode!(access_token, keys = OpenIDTokenProxy.config.public_keys) ⇒ Object

Decodes given access token and validates its signature by public key(s) Use :skip_verification as second argument to skip signature validation

Raises:



65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
 
# File 'lib/openid_token_proxy/token.rb', line 65

def self.decode!(access_token, keys = OpenIDTokenProxy.config.public_keys)
  raise Required if access_token.blank?

  Array(keys).each do |key|
    begin
      object = OpenIDConnect::RequestObject.decode(access_token, key)
    rescue JSON::JWT::InvalidFormat => e
      raise Malformed.new(e.message)
    rescue JSON::JWT::VerificationFailed
      # Iterate through remaining public keys (if any)
      # Raises TokenInvalid if none applied (see below)
    else
      return Token.new(access_token, object.raw_attributes)
    end
  end

  raise UnverifiableSignature
end

Instance Method Details

#[](key) ⇒ Object

Retrieves data from identity attributes



27
28
29
 
# File 'lib/openid_token_proxy/token.rb', line 27

def [](key)
  id_token.raw_attributes[key]
end

#expired?Boolean

Returns:



59
60
61
 
# File 'lib/openid_token_proxy/token.rb', line 59

def expired?
  id_token.exp.to_i <= Time.now.to_i
end

#expiry_timeObject 



55
56
57
 
# File 'lib/openid_token_proxy/token.rb', line 55

def expiry_time
  Time.at(id_token.exp.to_i).utc
end

#to_sObject 



22
23
24
 
# File 'lib/openid_token_proxy/token.rb', line 22

def to_s
  @access_token
end

#validate!(assertions = {}) ⇒ Object

Validates this token’s expiration state, application, audience and issuer

Raises:



32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
 
# File 'lib/openid_token_proxy/token.rb', line 32

def validate!(assertions = {})
  raise Expired if expired?

  # TODO: Nonce validation

  if assertions[:audience]
    audiences = Array(id_token.aud)
    raise InvalidAudience unless audiences.include? assertions[:audience]
  end

  if assertions[:client_id]
    appid = id_token.raw_attributes['appid']
    raise InvalidApplication if appid && appid != assertions[:client_id]
  end

  if assertions[:issuer]
    issuer = id_token.iss
    raise InvalidIssuer unless issuer == assertions[:issuer]
  end

  true
end