# File 'lib/omniauth/strategies/jwt.rb', line 30
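# Decodes and validates the JWT carried in the "jwt" request parameter.
#
# The token arrives in a request parameter, so it is decoded with signature
# verification enabled and an explicit list of accepted algorithms. The
# decoded payload is memoized in @decoded; the claim checks below still run
# on every call.
#
# @return [Hash] the verified token payload
# @raise [BadJwt] if the key cannot be built, the configured algorithm is
#   unsupported, or JWT.decode rejects the token
# @raise [ClaimInvalid] if a required claim is missing or, when
#   options.valid_within is set, 'iat' is missing, non-numeric or too far
#   from the current time
def decoded
  begin
    # Build the verification key that matches the configured algorithm family.
    secret =
      if defined?(OpenSSL)
        case options.algorithm
        when "RS256", "RS384", "RS512"
          OpenSSL::PKey::RSA.new(options.secret).public_key
        when "ES256", "ES384", "ES512"
          OpenSSL::PKey::EC.new(options.secret)
        when "HS256", "HS384", "HS512"
          options.secret
        else
          raise NotImplementedError, "Unsupported algorithm: #{options.algorithm}"
        end
      else
        options.secret
      end

    # Accept only the configured algorithm unless decode_options overrides it.
    # NOTE(review): a caller-supplied decode_options[:algorithms] replaces this
    # pin; it should list only algorithms of the same family as the key built
    # above - confirm in the strategy configuration.
    default_algos =
      if options.decode_options.key?(:algorithms)
        options.decode_options[:algorithms]
      else
        [options.algorithm]
      end

    # nil entries are dropped so they do not overwrite decode_options values.
    pinned = { algorithms: default_algos, jwks: options.jwks_loader }.delete_if { |_, v| v.nil? }

    # Third argument `true` turns signature verification on.
    @decoded ||= ::JWT.decode(
      request.params["jwt"],
      secret,
      true,
      options.decode_options.merge(pinned),
    )[0]
  rescue StandardError, NotImplementedError => e
    # Not `rescue Exception`: Interrupt, SystemExit and NoMemoryError must
    # propagate instead of being reported as a bad token. NotImplementedError
    # is a ScriptError, so it is listed explicitly to keep reporting an
    # unsupported algorithm as BadJwt.
    raise BadJwt, "#{e.class}: #{e.message}"
  end

  (options.required_claims || []).each do |field|
    raise ClaimInvalid, "Missing required '#{field}' claim." unless @decoded.key?(field.to_s)
  end

  if options.valid_within
    iat = @decoded["iat"]
    raise ClaimInvalid, "Missing required 'iat' claim." unless iat
    # A signed token can still carry a string or object here; without this
    # check the subtraction below raises TypeError instead of a claim error.
    raise ClaimInvalid, "'iat' claim must be a numeric timestamp" unless iat.is_a?(Numeric)
    if (Time.now.to_i - iat).abs > options.valid_within.to_i
      raise ClaimInvalid, "'iat' timestamp claim is too skewed from present"
    end
  end

  @decoded
end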