Class: OpenIDConnect::ResponseObject::IdToken

Inherits:

ConnectObject

• Object
• ConnectObject
• OpenIDConnect::ResponseObject::IdToken

Includes:

JWTnizable

Defined in:

lib/openid_connect/response_object/id_token.rb

Defined Under Namespace

Classes: ExpiredToken, InvalidAudience, InvalidIssuer, InvalidNonce, InvalidToken

Instance Attribute Summary

• #access_token ⇒ Object

  Returns the value of attribute access_token.

• #code ⇒ Object

  Returns the value of attribute code.

• #state ⇒ Object

  Returns the value of attribute state.

Attributes inherited from ConnectObject

#raw_attributes

Class Method Summary

• .decode(jwt_string, key_or_config) ⇒ Object
• .decode_self_issued(jwt_string) ⇒ Object
• .self_issued(attributes = {}) ⇒ Object

Instance Method Summary

• #initialize(attributes = {}) ⇒ IdToken constructor

  A new instance of IdToken.

• #to_jwt(key, algorithm = :RS256, &block) ⇒ Object
• #verify!(expected = {}) ⇒ Object

Methods included from JWTnizable

#as_jwt

Methods inherited from ConnectObject

all_attributes, #all_attributes, #as_json, #require_at_least_one_attributes, #validate!

Constructor Details

#initialize(attributes = {}) ⇒ IdToken

Returns a new instance of IdToken.

# File 'lib/openid_connect/response_object/id_token.rb', line 16

def initialize(attributes = {})
  super
  (all_attributes - [:aud, :exp, :iat, :auth_time, :sub_jwk]).each do |key|
    self.send "#{key}=", self.send(key).try(:to_s)
  end
  self.auth_time = auth_time.to_i unless auth_time.nil?
end

Instance Attribute Details

#access_token ⇒ Object

Returns the value of attribute access_token.

# File 'lib/openid_connect/response_object/id_token.rb', line 12

def access_token
  @access_token
end

#code ⇒ Object

Returns the value of attribute code.

# File 'lib/openid_connect/response_object/id_token.rb', line 12

def code
  @code
end

#state ⇒ Object

Returns the value of attribute state.

# File 'lib/openid_connect/response_object/id_token.rb', line 12

def state
  @state
end

Class Method Details

.decode(jwt_string, key_or_config) ⇒ Object

# File 'lib/openid_connect/response_object/id_token.rb', line 66

def decode(jwt_string, key_or_config)
  case key_or_config
  when :self_issued
    decode_self_issued jwt_string
  when OpenIDConnect::Discovery::Provider::Config::Response
    jwt = JSON::JWT.decode jwt_string, :skip_verification
    jwt.verify! key_or_config.jwk(jwt.kid)
    new jwt
  else
    new JSON::JWT.decode jwt_string, key_or_config
  end
end

.decode_self_issued(jwt_string) ⇒ Object

Raises:

• (InvalidToken)

# File 'lib/openid_connect/response_object/id_token.rb', line 79

def decode_self_issued(jwt_string)
  jwt = JSON::JWT.decode jwt_string, :skip_verification
  jwk = JSON::JWK.new jwt[:sub_jwk]
  raise InvalidToken.new('Missing sub_jwk') if jwk.blank?
  raise InvalidToken.new('Invalid subject') unless jwt[:sub] == jwk.thumbprint
  jwt.verify! jwk
  new jwt
end

.self_issued(attributes = {}) ⇒ Object

# File 'lib/openid_connect/response_object/id_token.rb', line 88

def self_issued(attributes = {})
  attributes[:sub_jwk] ||= JSON::JWK.new attributes.delete(:public_key)
  _attributes_ = {
    iss: 'https://self-issued.me',
    sub: JSON::JWK.new(attributes[:sub_jwk]).thumbprint
  }.merge(attributes)
  new _attributes_
end

Instance Method Details

#to_jwt(key, algorithm = :RS256, &block) ⇒ Object

# File 'lib/openid_connect/response_object/id_token.rb', line 38

def to_jwt(key, algorithm = :RS256, &block)
  hash_length = algorithm.to_s[2, 3].to_i
  if access_token
    token = case access_token
    when Rack::OAuth2::AccessToken
      access_token.access_token
    else
      access_token
    end
    self.at_hash = left_half_hash_of token, hash_length
  end
  if code
    self.c_hash = left_half_hash_of code, hash_length
  end
  if state
    self.s_hash = left_half_hash_of state, hash_length
  end
  super
end

#verify!(expected = {}) ⇒ Object

Raises:

• (ExpiredToken)

# File 'lib/openid_connect/response_object/id_token.rb', line 24

def verify!(expected = {})
  raise ExpiredToken.new('Invalid ID token: Expired token') unless exp.to_i > Time.now.to_i
  raise InvalidIssuer.new('Invalid ID token: Issuer does not match') unless iss == expected[:issuer]
  raise InvalidNonce.new('Invalid ID Token: Nonce does not match') unless nonce == expected[:nonce]

  # aud(ience) can be a string or an array of strings
  unless Array(aud).include?(expected[:audience] || expected[:client_id])
    raise InvalidAudience.new('Invalid ID token: Audience does not match')
  end

  true
end