Class: OmniAuth::Strategies::JWT

Inherits:

Object

• Object
• OmniAuth::Strategies::JWT

Includes:

OmniAuth::Strategy

Defined in:

lib/omniauth/strategies/jwt.rb

Direct Known Subclasses

Jwt

Defined Under Namespace

Classes: BadJwt, ClaimInvalid

Instance Method Summary

• #callback_phase ⇒ Object
• #decoded ⇒ Object
• #request_phase ⇒ Object

Instance Method Details

#callback_phase ⇒ Object

# File 'lib/omniauth/strategies/jwt.rb', line 74

def callback_phase
  super
rescue BadJwt => e
  fail!("bad_jwt", e)
rescue ClaimInvalid => e
  fail!(:claim_invalid, e)
end

#decoded ⇒ Object

Raises:

• (ClaimInvalid)

# File 'lib/omniauth/strategies/jwt.rb', line 30

def decoded
  begin
    secret = if defined?(OpenSSL)
      case options.algorithm
      when "RS256", "RS384", "RS512"
        OpenSSL::PKey::RSA.new(options.secret).public_key
      when "ES256", "ES384", "ES512"
        OpenSSL::PKey::EC.new(options.secret)
      when "HS256", "HS384", "HS512"
        options.secret
      else
        raise NotImplementedError, "Unsupported algorithm: #{options.algorithm}"
      end
    else
      options.secret
    end

    # JWT.decode can handle either algorithms or algorithm, but not both.
    default_algos = options.decode_options.key?(:algorithms) ? options.decode_options[:algorithms] : [options.algorithm]
    @decoded ||= ::JWT.decode(
      request.params["jwt"],
      secret,
      true,
      options.decode_options.merge(
        {
          algorithms: default_algos,
          jwks: options.jwks_loader,
        }.delete_if { |_, v| v.nil? },
      ),
    )[0]
  rescue Exception => e
    raise BadJwt.new("#{e.class}: #{e.message}")
  end
  (options.required_claims || []).each do |field|
    raise ClaimInvalid.new("Missing required '#{field}' claim.") if !@decoded.key?(field.to_s)
  end
  raise ClaimInvalid.new("Missing required 'iat' claim.") if options.valid_within && !@decoded["iat"]
  if options.valid_within && (Time.now.to_i - @decoded["iat"]).abs > options.valid_within.to_i
    raise ClaimInvalid, "'iat' timestamp claim is too skewed from present"
  end

  @decoded
end

#request_phase ⇒ Object

# File 'lib/omniauth/strategies/jwt.rb', line 26

def request_phase
  redirect(options.auth_url)
end