Class: MSIDP::CertificateCredential

Inherits:

Object

• Object
• MSIDP::CertificateCredential

Defined in:

lib/msidp/certificate_credential.rb

Overview

Certificate credential for application authentication

Instance Attribute Summary

• #client_id ⇒ String

  Client_id the assigned applicaiton (client) ID.

• #tenant ⇒ String

  Tenant a directory tenant in GUID or domain-name format.

Instance Method Summary

• #assertion ⇒ String

  Computes the JWT assertion.

• #header ⇒ String

  JOSE header of the JWT.

• #initialize(cert, key, tenant:, client_id:) ⇒ CertificateCredential constructor

  Initialize an instance.

• #payload ⇒ String

  JWS payload of the JWT claim.

Constructor Details

#initialize(cert, key, tenant:, client_id:) ⇒ CertificateCredential

Initialize an instance

Parameters:

• cert (OpenSSL::X509::Certificate) —

  a certificate.

• cert (OpenSSL::PKey) —

  the private key paired with the certificate.

• tenant (String) —

  a directory tenant in GUID or domain-name format.

• client_id (String) —

  the assigned applicaiton (client) ID.

# File 'lib/msidp/certificate_credential.rb', line 21

def initialize(cert, key, tenant:, client_id:)
  @cert = cert
  @key = key
  @tenant = tenant
  @client_id = client_id
end

Instance Attribute Details

#client_id ⇒ String

Returns client_id the assigned applicaiton (client) ID.

Returns:

• (String) —

  client_id the assigned applicaiton (client) ID.

# File 'lib/msidp/certificate_credential.rb', line 13

def client_id
  @client_id
end

#tenant ⇒ String

Returns tenant a directory tenant in GUID or domain-name format.

Returns:

• (String) —

  tenant a directory tenant in GUID or domain-name format.

# File 'lib/msidp/certificate_credential.rb', line 11

def tenant
  @tenant
end

Instance Method Details

#assertion ⇒ String

Computes the JWT assertion.

Returns:

• (String) —

  JWT assertion string.

# File 'lib/msidp/certificate_credential.rb', line 31

def assertion
  header_base64 = base64url_encode(header)
  payload_base64 = base64url_encode(payload)
  signature = @key.sign('sha256', "#{header_base64}.#{payload_base64}")
  sign_base64 = base64url_encode(signature)
  "#{header_base64}.#{payload_base64}.#{sign_base64}"
end

#header ⇒ String

JOSE header of the JWT.

Returns:

• (String) —

  JSON string of the JOSE header.

# File 'lib/msidp/certificate_credential.rb', line 42

def header
  digest = OpenSSL::Digest::SHA1.digest(@cert.to_der)
  x5t = Base64.urlsafe_encode64(digest)
  header = { alg: 'RS256', typ: 'JWT', x5t: x5t.to_s }
  JSON.dump(header)
end

#payload ⇒ String

JWS payload of the JWT claim.

Returns:

• (String) —

  JSON string of the JWS payload.

# File 'lib/msidp/certificate_credential.rb', line 52

def payload
  not_after = @cert.not_after.to_i
  not_before = @cert.not_before.to_i
  jti = make_jwt_id
  payload = {
    aud: "https://login.microsoftonline.com/#{tenant}/v2.0",
    exp: not_after, iss: client_id, jti: jti,
    nbf: not_after, sub: client_id, iat: not_before
  }
  JSON.dump(payload)
end