Class: OmniauthOpenidFederation::EntityStatementReader

Inherits:

Object

• Object
• OmniauthOpenidFederation::EntityStatementReader

Defined in:

lib/omniauth_openid_federation/entity_statement_reader.rb

Constant Summary

JWT_PARTS_COUNT =

Standard JWT has 3 parts: header.payload.signature

3

Class Method Summary

• .fetch_keys(entity_statement_path: nil) ⇒ Array<Hash>

  Fetch JWKS keys from entity statement.

• .parse_metadata(entity_statement_path: nil) ⇒ Hash^?

  Parse provider metadata from entity statement.

• .validate_fingerprint(entity_statement_content, expected_fingerprint) ⇒ Boolean

  Validate entity statement fingerprint.

Class Method Details

.fetch_keys(entity_statement_path: nil) ⇒ Array<Hash>

Fetch JWKS keys from entity statement

Parameters:

• entity_statement_path (String, nil) (defaults to: nil) —

  Path to entity statement file

Returns:

• (Array<Hash>) —

  Array of JWK hash objects

# File 'lib/omniauth_openid_federation/entity_statement_reader.rb', line 32

def fetch_keys(entity_statement_path: nil)
  entity_statement = load_entity_statement(entity_statement_path)
  return [] if StringHelpers.blank?(entity_statement)

  # Decode self-signed entity statement
  # Entity statements are self-signed, so we validate using their own JWKS
  # First, decode without validation to get the JWKS
  jwt_parts = entity_statement.split(".")
  return [] if jwt_parts.length != JWT_PARTS_COUNT

  # Decode payload (second part)
  payload = JSON.parse(Base64.urlsafe_decode64(jwt_parts[1]))

  # Extract JWKS from entity statement claims
  payload.fetch("jwks", {}).fetch("keys", [])

  # Return JWK hashes directly (no need to convert to objects)
end

.parse_metadata(entity_statement_path: nil) ⇒ Hash^?

Parse provider metadata from entity statement

Parameters:

• entity_statement_path (String, nil) (defaults to: nil) —

  Path to entity statement file

Returns:

• (Hash, nil) —

  Hash with provider metadata or nil if not found

# File 'lib/omniauth_openid_federation/entity_statement_reader.rb', line 55

def parse_metadata(entity_statement_path: nil)
  entity_statement = load_entity_statement(entity_statement_path)
  return nil if StringHelpers.blank?(entity_statement)

  # Decode JWT payload
  jwt_parts = entity_statement.split(".")
  return nil if jwt_parts.length != JWT_PARTS_COUNT

  claims = JSON.parse(Base64.urlsafe_decode64(jwt_parts[1]))

  # Extract provider metadata
  metadata = claims.fetch("metadata", {})
  provider_metadata = metadata.fetch("openid_provider", {})

  {
    issuer: provider_metadata["issuer"],
    authorization_endpoint: provider_metadata["authorization_endpoint"],
    token_endpoint: provider_metadata["token_endpoint"],
    userinfo_endpoint: provider_metadata["userinfo_endpoint"],
    jwks_uri: provider_metadata["jwks_uri"],
    signed_jwks_uri: provider_metadata["signed_jwks_uri"],
    entity_issuer: claims["iss"],
    entity_jwks: claims.fetch("jwks", {})
  }
end

.validate_fingerprint(entity_statement_content, expected_fingerprint) ⇒ Boolean

Validate entity statement fingerprint

Parameters:

• entity_statement_content (String) —

  The entity statement content

• expected_fingerprint (String) —

  The expected SHA-256 fingerprint

Returns:

• (Boolean) —

  true if fingerprints match

# File 'lib/omniauth_openid_federation/entity_statement_reader.rb', line 86

def validate_fingerprint(entity_statement_content, expected_fingerprint)
  calculated = Digest::SHA256.hexdigest(entity_statement_content).downcase
  expected = expected_fingerprint.downcase
  calculated == expected
end