Class: Stytch::IDP

Inherits:

Object

• Object
• Stytch::IDP

Includes:

RequestHelper

Defined in:

lib/stytch/idp.rb

Defined Under Namespace

Classes: OAuth

Instance Attribute Summary

• #oauth ⇒ Object readonly

  Returns the value of attribute oauth.

Instance Method Summary

• #initialize(connection, project_id, jwks_cache, policy_cache) ⇒ IDP constructor

  A new instance of IDP.

• #introspect_access_token_local(access_token:, authorization_check: nil) ⇒ Object

  Introspects a token JWT from an authorization code response.

• #introspect_token_network(token:, client_id:, client_secret: nil, token_type_hint: 'access_token', authorization_check: nil) ⇒ Object

  Introspects a token JWT from an authorization code response.

Methods included from RequestHelper

#delete_request, #get_request, #post_request, #put_request, #request_with_query_params

Constructor Details

#initialize(connection, project_id, jwks_cache, policy_cache) ⇒ IDP

Returns a new instance of IDP.

# File 'lib/stytch/idp.rb', line 19

def initialize(connection, project_id, jwks_cache, policy_cache)
  @connection = connection

  @oauth = Stytch::IDP::OAuth.new(@connection)
  @policy_cache = policy_cache
  @project_id = project_id
  @jwks_cache = jwks_cache
end

Instance Attribute Details

#oauth ⇒ Object (readonly)

Returns the value of attribute oauth.

# File 'lib/stytch/idp.rb', line 17

def oauth
  @oauth
end

Instance Method Details

#introspect_access_token_local(access_token:, authorization_check: nil) ⇒ Object

Introspects a token JWT from an authorization code response. Access tokens are JWTs signed with the project’s JWKs. Refresh tokens are opaque tokens. Access tokens contain a standard set of claims as well as any custom claims generated from templates.

Parameters:

access_token

The access token (or refresh token) to introspect. The type of this field is String.

authorization_check

Optional authorization check object. The type of this field is nilable Hash.

Returns:

An object with the following fields:

subject

The subject of the token. The type of this field is String.

scope

The scope of the token. The type of this field is String.

audience

The audience of the token. The type of this field is String.

expires_at

The expiration time of the token. The type of this field is Integer.

issued_at

The issued at time of the token. The type of this field is Integer.

issuer

The issuer of the token. The type of this field is String.

not_before

The not before time of the token. The type of this field is Integer.

token_type

The type of the token. The type of this field is String.

custom_claims

Custom claims in the token. The type of this field is Hash.

# File 'lib/stytch/idp.rb', line 168

def introspect_access_token_local(
  access_token:,
  authorization_check: nil
)
  scope_claim = 'scope'
  begin
    decoded_jwt = JWT.decode(
      access_token,
      nil,
      true,
      {
        algorithms: ['RS256'],
        jwks: @jwks_cache.loader,
        iss: ["stytch.com/#{@project_id}", @connection.url_prefix],
        aud: @project_id
      }
    )[0]

    generic_claims = decoded_jwt
    custom_claims = generic_claims.reject { |k, _| non_custom_claim_keys.include?(k) }
    scope = generic_claims[scope_claim]

    if authorization_check
      @policy_cache.perform_scope_authorization_check(
        token_scopes: scope.split,
        authorization_check: authorization_check
      )
    end

    {
      'subject' => generic_claims['sub'],
      'scope' => generic_claims[scope_claim],
      'audience' => generic_claims['aud'],
      'expires_at' => generic_claims['exp'],
      'issued_at' => generic_claims['iat'],
      'issuer' => generic_claims['iss'],
      'not_before' => generic_claims['nbf'],
      'token_type' => 'access_token',
      'custom_claims' => custom_claims
    }
  rescue JWT::InvalidIssuerError
    raise Stytch::JWTInvalidIssuerError
  rescue JWT::InvalidAudError
    raise Stytch::JWTInvalidAudienceError
  rescue JWT::ExpiredSignature
    raise Stytch::JWTExpiredSignatureError
  rescue JWT::IncorrectAlgorithm
    raise Stytch::JWTIncorrectAlgorithmError
  rescue JWT::DecodeError
    nil
  end
end

#introspect_token_network(token:, client_id:, client_secret: nil, token_type_hint: 'access_token', authorization_check: nil) ⇒ Object

Introspects a token JWT from an authorization code response. Access tokens are JWTs signed with the project’s JWKs. Refresh tokens are opaque tokens. Access tokens contain a standard set of claims as well as any custom claims generated from templates.

Parameters:

token

The access token (or refresh token) to introspect. The type of this field is String.

client_id

The ID of the client. The type of this field is String.

client_secret

The secret of the client. The type of this field is nilable String.

token_type_hint

A hint on what the token contains. Valid fields are ‘access_token’ and ‘refresh_token’. The type of this field is String.

authorization_check

Optional authorization check object. The type of this field is nilable Hash.

Returns:

An object with the following fields:

subject

The subject of the token. The type of this field is String.

scope

The scope of the token. The type of this field is String.

audience

The audience of the token. The type of this field is String.

expires_at

The expiration time of the token. The type of this field is Integer.

issued_at

The issued at time of the token. The type of this field is Integer.

issuer

The issuer of the token. The type of this field is String.

not_before

The not before time of the token. The type of this field is Integer.

token_type

The type of the token. The type of this field is String.

custom_claims

Custom claims in the token. The type of this field is Hash.

# File 'lib/stytch/idp.rb', line 83

def introspect_token_network(
  token:,
  client_id:,
  client_secret: nil,
  token_type_hint: 'access_token',
  authorization_check: nil
)
  headers = {}
  data = {
    'token' => token,
    'client_id' => client_id,
    'token_type_hint' => token_type_hint
  }
  data['client_secret'] = client_secret unless client_secret.nil?

  url = @connection.url_prefix + '/v1/oauth2/introspect'
  res = post_request(url, data, headers)

  jwt_response = res
  return nil unless jwt_response['active']

  custom_claims = res.reject { |k, _| non_custom_claim_keys.include?(k) }
  scope = jwt_response['scope']

  if authorization_check
    @policy_cache.perform_scope_authorization_check(
      token_scopes: scope.split,
      authorization_check: authorization_check
    )
  end

  {
    'subject' => jwt_response['sub'],
    'scope' => jwt_response['scope'],
    'audience' => jwt_response['aud'],
    'expires_at' => jwt_response['exp'],
    'issued_at' => jwt_response['iat'],
    'issuer' => jwt_response['iss'],
    'not_before' => jwt_response['nbf'],
    'token_type' => jwt_response['token_type'],
    'custom_claims' => custom_claims
  }
end