Class: OmniAuth::Strategies::Jwt

Inherits:
Object
  • Object
Includes:
OmniAuth::Strategy
Defined in:
lib/omni_auth/strategies/jwt.rb

Constant Summary collapse

MAX_JWT_BYTESIZE =

Many web servers limit max header size to 8KB. It’s also possible to POST a JWT using GET method to avoid header limit. Allow up to 10KB for flexibility while still balancing performance.

10_000
ClaimInvalid =
Class.new(StandardError)
JwtTooLarge =
Class.new(StandardError)

Instance Method Summary collapse

Instance Method Details

#callback_phaseObject



# File 'lib/omni_auth/strategies/jwt.rb', line 65

# Runs the inherited callback phase and turns this strategy's own
# validation errors into OmniAuth failures.
#
# ClaimInvalid is reported through fail! as :claim_invalid and JwtTooLarge
# as :jwt_too_large. No other exception class is rescued here, so anything
# else raised during the phase propagates to the caller.
# NOTE(review): confirm that errors raised by the JWT library itself are
# handled further up the stack rather than surfacing as a server error.
def callback_phase
  begin
    super
  rescue JwtTooLarge => error
    fail!(:jwt_too_large, error)
  rescue ClaimInvalid => error
    fail!(:claim_invalid, error)
  end
end

#decodedObject

Raises:



# File 'lib/omni_auth/strategies/jwt.rb', line 45

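# Decodes and validates the JWT supplied in the 'jwt' request parameter.
#
# Signature verification is enabled and the accepted algorithm is pinned to
# +options.algorithm+, with the key taken from #secret. The decoded payload is
# memoized in @decoded; the size and claim checks run on every call.
# Errors raised by ::JWT.decode itself are not rescued in this method.
#
# @return [Hash] the verified JWT payload
# @raise [ClaimInvalid] if the parameter is missing or not a String, a
#   required claim is absent, or 'iat' is missing, non-numeric or further than
#   +options.valid_within+ seconds from the current time
# @raise [JwtTooLarge] if the token is MAX_JWT_BYTESIZE bytes or larger
def decoded
  jwt = request.params['jwt']

  # The parameter is nil when absent, and presumably may be an Array or Hash
  # for nested-parameter input; reject those explicitly instead of failing
  # with NoMethodError on #bytesize below.
  raise ClaimInvalid, "Missing or malformed 'jwt' parameter" unless jwt.is_a?(String)

  # Bound the input size before any parsing or signature work is attempted.
  raise JwtTooLarge, _('JWT must be less than 10KB') if jwt.bytesize >= MAX_JWT_BYTESIZE

  @decoded ||= ::JWT.decode(jwt, secret, true, { algorithm: options.algorithm }).first

  (options.required_claims || []).each do |field|
    raise ClaimInvalid, "Missing required '#{field}' claim" unless @decoded.key?(field.to_s)
  end

  # The freshness check applies only when valid_within is configured.
  if options.valid_within
    issued_at = @decoded['iat']
    raise ClaimInvalid, "Missing required 'iat' claim" unless issued_at
    # A non-numeric 'iat' would otherwise raise TypeError in the subtraction.
    raise ClaimInvalid, "'iat' claim must be a numeric timestamp" unless issued_at.is_a?(Numeric)

    if (Time.now.to_i - issued_at).abs > options.valid_within.to_i
      raise ClaimInvalid, "'iat' timestamp claim is too skewed from present"
    end
  end

  @decoded
end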

#request_phaseObject



# File 'lib/omni_auth/strategies/jwt.rb', line 41

# Starts authentication by redirecting to the URL held in
# +options.auth_url+. The target is read from the strategy options only;
# nothing from the incoming request is used to build it.
def request_phase
  target = options.auth_url
  redirect(target)
end

#secretObject



# File 'lib/omni_auth/strategies/jwt.rb', line 73

# Builds the verification key that matches +options.algorithm+.
#
# The algorithm is read from the strategy options, not from the token, and
# only the families listed below are accepted:
# - RS256/RS384/RS512: the public key of the RSA key in +options.secret+
# - ES256/ES384/ES512: an EC key object built from +options.secret+
# - HS256/HS384/HS512: +options.secret+ itself, used as the shared secret
#
# @raise [NotImplementedError] for any other algorithm value
def secret
  algorithm = options.algorithm

  if %w[RS256 RS384 RS512].include?(algorithm)
    # Only the public half is kept; verification does not need the private key.
    OpenSSL::PKey::RSA.new(options.secret).public_key
  elsif %w[ES256 ES384 ES512].include?(algorithm)
    OpenSSL::PKey::EC.new(options.secret)
  elsif %w[HS256 HS384 HS512].include?(algorithm)
    options.secret
  else
    raise NotImplementedError, "Unsupported algorithm: #{options.algorithm}"
  end
end