Class: OmniAuth::Cloudiap::IAPJWT

Inherits:
Object
Defined in:
lib/omniauth/cloudiap/iapjwt.rb

Defined Under Namespace

Classes: InvalidAudError


Constructor Details

#initialize(aud: nil) ⇒ IAPJWT

Returns a new instance of IAPJWT. `aud` is the exact audience a token must carry to pass #validate; when it is left nil, #validate only checks the audience claim's format, so the token is not pinned to one IAP-protected resource.



# File 'lib/omniauth/cloudiap/iapjwt.rb', line 10

# Builds a verifier for JWTs signed by Google Cloud Identity-Aware Proxy.
#
# @param aud [String, nil] the exact `aud` claim a token must carry to pass
#   #validate. When nil, #validate falls back to a format-only check of the
#   claim (via validate_aud_format, not shown on this page), so the token is
#   not pinned to one IAP-protected resource — supply it in production.
def initialize(aud: nil)
  @required_aud = aud
end

Instance Method Details

#decode_with_validate(token) ⇒ Object



# File 'lib/omniauth/cloudiap/iapjwt.rb', line 14

# Fully verifies `token` through #validate and returns the two claims the
# OmniAuth strategy needs.
#
# @param token [String] the IAP-issued JWT
# @return [Hash{Symbol => String}] `:identifier` (the `sub` claim) and
#   `:email` (the `email` claim); either is nil if the claim is absent
# @raise whatever #validate raises — a bad signature, issuer, expiry,
#   issued-at or audience never reaches the return value
def decode_with_validate(token)
  claims = validate(token).first
  { identifier: claims["sub"], email: claims["email"] }
end

#default_jwt_decode_options ⇒ Object



# File 'lib/omniauth/cloudiap/iapjwt.rb', line 41

# Baseline claim checks that #validate merges into every JWT.decode call.
#
# Expiry (`exp`), issued-at (`iat`), audience and issuer verification are all
# switched on. #validate supplies the `iss` value to compare against; it does
# not supply an `aud:` value here and instead checks the audience itself after
# decoding, so the `verify_aud` flag alone does not pin the audience.
#
# @return [Hash{Symbol => Boolean}] a fresh, unfrozen hash on every call, safe
#   for callers to merge into
def default_jwt_decode_options
  %i[verify_expiration verify_iat verify_aud verify_iss].to_h { |flag| [flag, true] }
end

#jwk_keys ⇒ Object



# File 'lib/omniauth/cloudiap/iapjwt.rb', line 23

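# Downloads Google's published IAP signing keys (a JWK Set) over HTTPS.
#
# The fetch is bounded by open/read timeouts so a stalled connection cannot
# hang a request thread indefinitely inside the authentication path; the
# original unbounded `URI.open` allowed exactly that. The URL is a fixed
# literal and is opened via `URI.parse(...).open`, which never falls back to
# `Kernel#open` (so the `|command` form is impossible by construction and the
# Security/Open cop disable is no longer needed).
#
# @return [Hash] the parsed JWK Set document, as consumed by JWT::JWK::Set.new
#   in #jwks_loader
# @raise [OpenURI::HTTPError, Net::OpenTimeout, Net::ReadTimeout,
#   JSON::ParserError] on HTTP failure, timeout or a malformed body —
#   #jwks_loader does not rescue these, so a failed fetch fails the token check
def jwk_keys
  url = "https://www.gstatic.com/iap/verify/public_key-jwk"
  # 10 s is generous for a small static document served from Google's CDN.
  URI.parse(url).open(open_timeout: 10, read_timeout: 10) do |f|
    JSON.parse(f.read)
  end
end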

#jwks_loader(options) ⇒ Object



# File 'lib/omniauth/cloudiap/iapjwt.rb', line 28

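# Key loader handed to ruby-jwt through the `jwks:` decode option (see
# #validate).
#
# Keys are memoised on this instance. When the library reports that the
# token's `kid` is not in the cached set (`options[:kid_not_found]`), the cache
# is dropped and refetched — but at most once per 300 s, so a stream of tokens
# with bogus `kid` headers cannot be turned into a request flood against
# gstatic.
#
# NOTE(review): the cache lives on the instance. If the OmniAuth strategy
# builds a new IAPJWT per request, every request refetches — confirm the
# instance lifetime before relying on this cache.
#
# @param options [Hash] supplied by ruby-jwt; `:kid` (String) and
#   `:kid_not_found` (Boolean) are read here — confirm these keys against the
#   pinned jwt gem version
# @return [JWT::JWK::Set] signing keys only (`use == "sig"`)
def jwks_loader(options)
  # `.to_i` makes the staleness check nil-safe: if a kid-not-found callback
  # ever arrives before this instance has filled its cache, the timestamp is
  # still nil and the original `nil < Integer` raised NoMethodError; now it
  # simply refetches.
  if options[:kid_not_found] && @cache_last_update.to_i < Time.now.to_i - 300
    logger.info("Invalidating JWK cache. #{options[:kid]} not found from previous cache")
    @cached_keys = nil
  end
  @cached_keys ||= begin # rubocop:disable Naming/MemoizedInstanceVariableName
    # Stamped before the fetch, so the timestamp records the last attempt,
    # not the last success.
    @cache_last_update = Time.now.to_i
    jwks = JWT::JWK::Set.new(jwk_keys)
    # Only keys published for signing may verify tokens; any other `use`
    # value is discarded.
    jwks.select! { |key| key[:use] == "sig" }
    jwks
  end
end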

#parse(token) ⇒ Object



# File 'lib/omniauth/cloudiap/iapjwt.rb', line 19

# Decodes `token` with signature verification only — it does NOT apply
# #default_jwt_decode_options or the issuer pin that #validate adds, so the
# issuer, issued-at and audience checks of this class are skipped and only
# ruby-jwt's own defaults apply. Do not base an authentication decision on
# this method; use #validate or #decode_with_validate.
#
# NOTE(review): `algorithms` and `jwks` are not among the public methods on
# this page — presumably private helpers elsewhere in the class. Confirm they
# exist; otherwise this raises NameError.
#
# @param token [String] the JWT to decode
# @return [Array(Hash, Hash)] `[payload, header]` as returned by JWT.decode
def parse(token)
  decode_options = { algorithms: algorithms, jwks: jwks }
  JWT.decode(token, nil, true, decode_options)
end

#validate(token) ⇒ Object



# File 'lib/omniauth/cloudiap/iapjwt.rb', line 50

# Fully verifies an IAP-issued JWT and returns its decoded parts.
#
# Checks performed: the signature against Google's published keys (loaded via
# #jwks_loader), with the algorithm pinned to ES256 so the token cannot select
# its own `alg` (e.g. `none` or an HMAC variant); the checks enabled by
# #default_jwt_decode_options, with the issuer pinned to
# `https://cloud.google.com/iap`; and finally the audience — compared against
# the exact value given at construction when one was supplied, otherwise only
# its format via validate_aud_format (not shown here). An un-pinned instance
# therefore presumably accepts a well-formed token issued for any
# IAP-protected resource — confirm against validate_aud_format.
#
# @param token [String] the raw JWT
# @return [Array(Hash, Hash)] `[payload, header]` from JWT.decode
# @raise whatever JWT.decode raises for a bad signature or claim, plus
#   whatever validate_aud / validate_aud_format raise (InvalidAudError is
#   defined on this class)
def validate(token)
  decode_options = default_jwt_decode_options.merge(
    iss: "https://cloud.google.com/iap",
    algorithm: "ES256",
    jwks: method(:jwks_loader),
  )
  payload, header = JWT.decode(token, nil, true, decode_options)

  aud = payload["aud"]
  if @required_aud
    validate_aud(@required_aud, aud)
  else
    validate_aud_format(aud)
  end

  [payload, header]
end