Class: OpenIDTokenProxy::Token
- Inherits: Object
- Object
- OpenIDTokenProxy::Token
- Defined in:
- lib/openid_token_proxy/token.rb,
lib/openid_token_proxy/token/expired.rb,
lib/openid_token_proxy/token/refresh.rb,
lib/openid_token_proxy/token/required.rb,
lib/openid_token_proxy/token/malformed.rb,
lib/openid_token_proxy/token/authentication.rb,
lib/openid_token_proxy/token/invalid_issuer.rb,
lib/openid_token_proxy/token/invalid_audience.rb,
lib/openid_token_proxy/token/invalid_application.rb,
lib/openid_token_proxy/token/unverifiable_signature.rb
Defined Under Namespace
Modules: Authentication, Refresh. Classes: Expired, InvalidApplication, InvalidAudience, InvalidIssuer, Malformed, Required, UnverifiableSignature
Instance Attribute Summary
-
#access_token ⇒ Object
Returns the value of attribute access_token.
-
#id_token ⇒ Object
Returns the value of attribute id_token.
-
#refresh_token ⇒ Object
Returns the value of attribute refresh_token.
Class Method Summary
-
.decode!(access_token, keys = OpenIDTokenProxy.config.public_keys) ⇒ Object
Decodes given access token and validates its signature by public key(s). Use :skip_verification as second argument to skip signature validation.
Instance Method Summary
-
#[](key) ⇒ Object
Retrieves data from identity attributes.
- #expired? ⇒ Boolean
- #expiry_time ⇒ Object
-
#initialize(access_token, id_token = nil, refresh_token = nil) ⇒ Token
constructor
A new instance of Token.
- #to_s ⇒ Object
-
#valid?(assertions = {}) ⇒ Boolean
Whether this token is valid.
-
#validate!(assertions = {}) ⇒ Object
Validates this token’s expiration state, application, audience and issuer.
Constructor Details
#initialize(access_token, id_token = nil, refresh_token = nil) ⇒ Token
Returns a new instance of Token.
# File 'lib/openid_token_proxy/token.rb', line 13
# Bundles the three tokens of an OpenID Connect exchange into one object.
#
# Nothing is decoded or verified here: the access token is stored as given
# and a Hash of raw claims is merely wrapped. Use .decode! when the token
# comes from an untrusted party.
#
# @param access_token [Object] raw access token (also what #to_s returns)
# @param id_token [Hash, OpenIDConnect::ResponseObject::IdToken, nil]
#   ID token; a Hash is wrapped in an IdToken object, any other value is
#   kept as is
# @param refresh_token [Object, nil] refresh token, kept as is
def initialize(access_token, id_token = nil, refresh_token = nil)
  @access_token = access_token
  @id_token =
    if id_token.is_a?(Hash)
      OpenIDConnect::ResponseObject::IdToken.new(id_token)
    else
      id_token
    end
  @refresh_token = refresh_token
end
Instance Attribute Details
#access_token ⇒ Object
Returns the value of attribute access_token.
# File 'lib/openid_token_proxy/token.rb', line 11
# The raw access token handed to the constructor, unchanged. This is the
# bearer credential itself, so treat the value as a secret in logs.
#
# @return [Object] the access token as given
def access_token
  @access_token
end
#id_token ⇒ Object
Returns the value of attribute id_token.
# File 'lib/openid_token_proxy/token.rb', line 11
# The ID token as stored by the constructor (an IdToken object when a Hash
# of claims was given, otherwise whatever the caller passed).
#
# @return [Object, nil] the ID token
def id_token
  @id_token
end
#refresh_token ⇒ Object
Returns the value of attribute refresh_token.
# File 'lib/openid_token_proxy/token.rb', line 11
# The refresh token as given to the constructor. A refresh token is a
# long-lived credential; it is stored here without any transformation.
#
# @return [Object, nil] the refresh token
def refresh_token
  @refresh_token
end
Class Method Details
.decode!(access_token, keys = OpenIDTokenProxy.config.public_keys) ⇒ Object
Decodes given access token and validates its signature by public key(s). Use :skip_verification as second argument to skip signature validation.
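# File 'lib/openid_token_proxy/token.rb', line 72
# Decodes given access token and validates its signature by public key(s).
# Use :skip_verification as second argument to skip signature validation.
#
# Every key is tried in turn and the first one that verifies wins. A token
# that verifies under none of them fails closed with UnverifiableSignature,
# so an empty or nil key set always rejects. A structurally broken token is
# rejected immediately as Malformed instead of being retried.
#
# The default key set is read from OpenIDTokenProxy.config.public_keys at
# each call, so rotated keys are picked up without restarting. Whatever is
# passed as +keys+ is forwarded as the key argument (that is how the
# :skip_verification symbol reaches the decoder); claims of a token decoded
# without verification are unauthenticated input.
#
# @param access_token [String] compact-serialised JWT
# @param keys [Array, Object] public key(s) to verify against, or
#   :skip_verification
# @return [Token] token wrapping the raw claims of the decoded JWT
# @raise [Required] when the access token is blank
# @raise [Malformed] when the token is not a well-formed JWT
# @raise [UnverifiableSignature] when no given key verifies the signature
def self.decode!(access_token, keys = OpenIDTokenProxy.config.public_keys)
  raise Required if access_token.blank?

  Array(keys).each do |key|
    begin
      object = OpenIDConnect::RequestObject.decode(access_token, key)
    rescue JSON::JWT::InvalidFormat => e
      # Not retryable: the token is broken regardless of which key is used
      raise Malformed, e.message
    rescue JSON::JWT::VerificationFailed
      # Iterate through remaining public keys (if any)
      # Raises UnverifiableSignature if none applied (see below)
      # A failure in Certificate#verify leaves messages on the error queue,
      # which can lead to errors in SSL communication down the road.
      # See: https://bugs.ruby-lang.org/issues/7215
      OpenSSL.errors.clear
    else
      return Token.new(access_token, object.raw_attributes)
    end
  end

  raise UnverifiableSignature
end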
Instance Method Details
#[](key) ⇒ Object
Retrieves data from identity attributes
# File 'lib/openid_token_proxy/token.rb', line 27
# Retrieves data from identity attributes.
#
# Reads the raw claim straight from the ID token; no validation of the
# value happens here, so the result is only as trustworthy as the token's
# signature check was.
#
# @param key [Object] claim name, looked up as given
# @return [Object, nil] the claim value, or nil when the claim is absent
def [](key)
  claims = id_token.raw_attributes
  claims[key]
end
#expired? ⇒ Boolean
# File 'lib/openid_token_proxy/token.rb', line 66
# Whether the ID token's exp claim lies at or before the current second.
#
# A missing or non-numeric exp becomes 0 through to_i, so such a token
# counts as expired (fail closed). No clock-skew allowance is applied.
#
# @return [Boolean]
def expired?
  now = Time.now.to_i
  now >= id_token.exp.to_i
end
#expiry_time ⇒ Object
# File 'lib/openid_token_proxy/token.rb', line 62
# The ID token's exp claim as a UTC Time.
#
# exp is coerced with to_i first, so a missing claim yields the Unix epoch
# rather than an error.
#
# @return [Time] expiry instant in UTC
def expiry_time
  seconds = id_token.exp.to_i
  Time.at(seconds).utc
end
#to_s ⇒ Object
# File 'lib/openid_token_proxy/token.rb', line 22 def to_s @access_token end |
#valid?(assertions = {}) ⇒ Boolean
Whether this token is valid
# File 'lib/openid_token_proxy/token.rb', line 56
# Whether this token is valid.
#
# Predicate form of #validate!: the library's own errors are turned into
# false, anything else (programming errors, unexpected claim shapes)
# still propagates.
#
# @param assertions [Hash] passed through to #validate!
# @return [Boolean] what #validate! returns, or false when it raises an
#   OpenIDTokenProxy::Error
def valid?(assertions = {})
  validate!(assertions)
rescue OpenIDTokenProxy::Error
  false
end
#validate!(assertions = {}) ⇒ Object
Validates this token’s expiration state, application, audience and issuer
# File 'lib/openid_token_proxy/token.rb', line 32
# Validates this token’s expiration state, application, audience and issuer.
#
# Only the assertions actually passed are checked; with an empty hash only
# expiry is tested. Nothing here verifies the signature, so the claims are
# only meaningful for a token that came out of .decode! with a verifying
# key. Not checked by this method: nonce (see the TODO) and nbf/iat.
#
# @param assertions [Hash] expected values; any of :audience, :client_id,
#   :issuer
# @return [true] when every requested check passes
# @raise [Expired] when the exp claim is at or before now
# @raise [InvalidAudience] when :audience is given and not among the aud
#   claim values
# @raise [InvalidApplication] when :client_id is given and a present appid
#   claim differs from it (a token without any appid claim passes)
# @raise [InvalidIssuer] when :issuer is given and the iss claim is not
#   exactly equal to it
def validate!(assertions = {})
  raise Expired if expired?
  # TODO: Nonce validation

  expected_audience = assertions[:audience]
  if expected_audience
    # aud may be a single value or a list; the expected one must be in it
    raise InvalidAudience unless Array(id_token.aud).include?(expected_audience)
  end

  expected_client = assertions[:client_id]
  if expected_client
    appid = id_token.raw_attributes['appid']
    # NOTE(review): a missing appid claim is accepted, not rejected — only a
    # present-but-different value fails. Tighten this if every issuer in use
    # is expected to set appid.
    raise InvalidApplication if appid && appid != expected_client
  end

  expected_issuer = assertions[:issuer]
  # Plain equality: no normalisation of scheme, host case or trailing slash
  raise InvalidIssuer if expected_issuer && id_token.iss != expected_issuer

  true
end