Class: OpenIDTokenProxy::Token

Inherits:

Object

• Object
• OpenIDTokenProxy::Token

Defined in:

lib/openid_token_proxy/token.rb,
lib/openid_token_proxy/token/expired.rb,
lib/openid_token_proxy/token/refresh.rb,
lib/openid_token_proxy/token/required.rb,
lib/openid_token_proxy/token/malformed.rb,
lib/openid_token_proxy/token/authentication.rb,
lib/openid_token_proxy/token/invalid_issuer.rb,
lib/openid_token_proxy/token/invalid_audience.rb,
lib/openid_token_proxy/token/invalid_application.rb,
lib/openid_token_proxy/token/unverifiable_signature.rb

Defined Under Namespace

Modules: Authentication, Refresh Classes: Expired, InvalidApplication, InvalidAudience, InvalidIssuer, Malformed, Required, UnverifiableSignature

Instance Attribute Summary

• #access_token ⇒ Object

  Returns the value of attribute access_token.

• #id_token ⇒ Object

  Returns the value of attribute id_token.

• #refresh_token ⇒ Object

  Returns the value of attribute refresh_token.

Class Method Summary

• .decode!(access_token, keys = OpenIDTokenProxy.config.public_keys) ⇒ Object

  Decodes given access token and validates its signature by public key(s) Use :skip_verification as second argument to skip signature validation.

Instance Method Summary

• #[](key) ⇒ Object

  Retrieves data from identity attributes.

• #expired? ⇒ Boolean
• #expiry_time ⇒ Object
• #initialize(access_token, id_token = nil, refresh_token = nil) ⇒ Token constructor

  A new instance of Token.

• #to_s ⇒ Object
• #valid?(assertions = {}) ⇒ Boolean

  Whether this token is valid.

• #validate!(assertions = {}) ⇒ Object

  Validates this token’s expiration state, application, audience and issuer.

Constructor Details

#initialize(access_token, id_token = nil, refresh_token = nil) ⇒ Token

Returns a new instance of Token.

# File 'lib/openid_token_proxy/token.rb', line 13

def initialize(access_token, id_token = nil, refresh_token = nil)
  @access_token = access_token
  if id_token.is_a? Hash
    id_token = OpenIDConnect::ResponseObject::IdToken.new(id_token)
  end
  @id_token = id_token
  @refresh_token = refresh_token
end

Instance Attribute Details

#access_token ⇒ Object

Returns the value of attribute access_token.

# File 'lib/openid_token_proxy/token.rb', line 11

def access_token
  @access_token
end

#id_token ⇒ Object

Returns the value of attribute id_token.

# File 'lib/openid_token_proxy/token.rb', line 11

def id_token
  @id_token
end

#refresh_token ⇒ Object

Returns the value of attribute refresh_token.

# File 'lib/openid_token_proxy/token.rb', line 11

def refresh_token
  @refresh_token
end

Class Method Details

.decode!(access_token, keys = OpenIDTokenProxy.config.public_keys) ⇒ Object

Decodes given access token and validates its signature by public key(s) Use :skip_verification as second argument to skip signature validation

Raises:

• (Required)

# File 'lib/openid_token_proxy/token.rb', line 72

def self.decode!(access_token, keys = OpenIDTokenProxy.config.public_keys)
  raise Required if access_token.blank?

  Array(keys).each do |key|
    begin
      object = OpenIDConnect::RequestObject.decode(access_token, key)
    rescue JSON::JWT::InvalidFormat => e
      raise Malformed.new(e.message)
    rescue JSON::JWT::VerificationFailed
      # Iterate through remaining public keys (if any)
      # Raises UnverifiableSignature if none applied (see below)

      # A failure in Certificate#verify leaves messages on the error queue,
      # which can lead to errors in SSL communication down the road.
      # See: https://bugs.ruby-lang.org/issues/7215
      OpenSSL.errors.clear
    else
      return Token.new(access_token, object.raw_attributes)
    end
  end

  raise UnverifiableSignature
end

Instance Method Details

#[](key) ⇒ Object

Retrieves data from identity attributes

# File 'lib/openid_token_proxy/token.rb', line 27

def [](key)
  id_token.raw_attributes[key]
end

#expired? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/openid_token_proxy/token.rb', line 66

def expired?
  id_token.exp.to_i <= Time.now.to_i
end

#expiry_time ⇒ Object

# File 'lib/openid_token_proxy/token.rb', line 62

def expiry_time
  Time.at(id_token.exp.to_i).utc
end

#to_s ⇒ Object

# File 'lib/openid_token_proxy/token.rb', line 22

def to_s
  @access_token
end

#valid?(assertions = {}) ⇒ Boolean

Whether this token is valid

Returns:

• (Boolean)

# File 'lib/openid_token_proxy/token.rb', line 56

def valid?(assertions = {})
  validate!(assertions)
rescue OpenIDTokenProxy::Error
  false
end

#validate!(assertions = {}) ⇒ Object

Validates this token’s expiration state, application, audience and issuer

Raises:

• (Expired)

# File 'lib/openid_token_proxy/token.rb', line 32

def validate!(assertions = {})
  raise Expired if expired?

  # TODO: Nonce validation

  if assertions[:audience]
    audiences = Array(id_token.aud)
    raise InvalidAudience unless audiences.include? assertions[:audience]
  end

  if assertions[:client_id]
    appid = id_token.raw_attributes['appid']
    raise InvalidApplication if appid && appid != assertions[:client_id]
  end

  if assertions[:issuer]
    issuer = id_token.iss
    raise InvalidIssuer unless issuer == assertions[:issuer]
  end

  true
end