Class: Stytch::M2M

Inherits:

Object

• Object
• Stytch::M2M

Includes:

RequestHelper

Defined in:

lib/stytch/m2m.rb

Defined Under Namespace

Classes: Clients

Instance Attribute Summary

• #clients ⇒ Object readonly

  Returns the value of attribute clients.

Instance Method Summary

• #authenticate_token(access_token:, required_scopes: nil, max_token_age: nil, scope_authorization_func: method(:perform_authorization_check), clock_tolerance_seconds: nil) ⇒ Object

  MANUAL(M2M::authenticate_token)(SERVICE_METHOD) authenticate_token validates a M2M JWT locally.

• #authenticate_token_local(jwt, clock_tolerance_seconds: nil) ⇒ Object

  Parse a M2M token and verify the signature locally (without calling /authenticate in the API) If clock_tolerance_seconds is not supplied 0 seconds will be used as the default.

• #get_jwks(project_id:) ⇒ Object

  MANUAL(M2M::get_jwks)(SERVICE_METHOD) This is a helper so we can retrieve the JWKS for a project for decoding M2M access tokens.

• #initialize(connection, project_id, is_b2b_client) ⇒ M2M constructor

  A new instance of M2M.

• #marshal_jwt_into_response(jwt) ⇒ Object
• #perform_authorization_check(has_scopes:, required_scopes:) ⇒ Object

  Performs an authorization check against an M2M client and a set of required scopes.

• #token(client_id:, client_secret:, scopes: nil) ⇒ Object

  MANUAL(M2M::token)(SERVICE_METHOD) token retrieves an access token for the given M2M Client.

Methods included from RequestHelper

#delete_request, #get_request, #post_request, #put_request, #request_with_query_params

Constructor Details

#initialize(connection, project_id, is_b2b_client) ⇒ M2M

Returns a new instance of M2M.

# File 'lib/stytch/m2m.rb', line 16

def initialize(connection, project_id, is_b2b_client)
  @connection = connection

  @clients = Stytch::M2M::Clients.new(@connection)
  @project_id = project_id
  @cache_last_update = 0
  @is_b2b_client = is_b2b_client
  @jwks_loader = lambda do |options|
    @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
    @cached_keys ||= begin
      @cache_last_update = Time.now.to_i
      keys = []
      get_jwks(project_id: @project_id)['keys'].each do |r|
        keys << r
      end
      { keys: keys }
    end
  end
end

Instance Attribute Details

#clients ⇒ Object (readonly)

Returns the value of attribute clients.

# File 'lib/stytch/m2m.rb', line 14

def clients
  @clients
end

Instance Method Details

#authenticate_token(access_token:, required_scopes: nil, max_token_age: nil, scope_authorization_func: method(:perform_authorization_check), clock_tolerance_seconds: nil) ⇒ Object

MANUAL(M2M::authenticate_token)(SERVICE_METHOD) authenticate_token validates a M2M JWT locally.

Parameters:

access_token

The access token granted to the client. Access tokens are JWTs signed with the project’s JWKs. The type of this field is String.

required_scopes

A list of scopes the token must have to be valid. The type of this field is nilable list of String.

max_token_age

The maximum possible lifetime in seconds for the token to be valid. The type of this field is nilable Integer.

scope_authorization_func

A function to check if the token has the required scopes. This defaults to a function that assumes scopes are either direct string matches or written in the form “action:resource”. See the documentation for perform_authorization_check for more information.

clock_tolerance_seconds:

The tolerance to use during verification of the nbf claim. This can help with clock drift issues.
The type of this field is nilable +Integer+.

Returns:

nil if the token could not be validated, or an object with the following fields:

scopes

An array of scopes granted to the token holder. The type of this field is list of String.

client_id

The ID of the client that was issued the token The type of this field is String.

custom_claims

A map of custom claims present in the token. The type of this field is object.

Raises:

• (JWTExpiredError)

# File 'lib/stytch/m2m.rb', line 120

def authenticate_token(
  access_token:,
  required_scopes: nil,
  max_token_age: nil,
  scope_authorization_func: method(:perform_authorization_check),
  clock_tolerance_seconds: nil
)
  # Intentionally allow this to re-raise if authentication fails
  decoded_jwt = authenticate_token_local(access_token, clock_tolerance_seconds: clock_tolerance_seconds)

  iat_time = Time.at(decoded_jwt['iat']).to_datetime

  # Token too old
  raise JWTExpiredError if !max_token_age.nil? && (iat_time + max_token_age < Time.now)

  resp = marshal_jwt_into_response(decoded_jwt)

  unless required_scopes.nil?
    is_authorized = scope_authorization_func.call(
      has_scopes: resp['scopes'],
      required_scopes: required_scopes
    )
    raise M2MPermissionError.new(resp['scopes'], required_scopes) unless is_authorized
  end

  resp
end

#authenticate_token_local(jwt, clock_tolerance_seconds: nil) ⇒ Object

Parse a M2M token and verify the signature locally (without calling /authenticate in the API) If clock_tolerance_seconds is not supplied 0 seconds will be used as the default.

# File 'lib/stytch/m2m.rb', line 184

def authenticate_token_local(jwt, clock_tolerance_seconds: nil)
  clock_tolerance_seconds = 0 if clock_tolerance_seconds.nil?
  issuer = 'stytch.com/' + @project_id
  begin
    decoded_token = JWT.decode jwt, nil, true,
                               { jwks: @jwks_loader, iss: issuer, verify_iss: true, aud: @project_id, verify_aud: true, algorithms: ['RS256'], nbf_leeway: clock_tolerance_seconds }
    decoded_token[0]
  rescue JWT::InvalidIssuerError
    raise JWTInvalidIssuerError
  rescue JWT::InvalidAudError
    raise JWTInvalidAudienceError
  rescue JWT::ExpiredSignature
    raise JWTExpiredSignatureError
  rescue JWT::IncorrectAlgorithm
    raise JWTIncorrectAlgorithmError
  end
end

#get_jwks(project_id:) ⇒ Object

MANUAL(M2M::get_jwks)(SERVICE_METHOD) This is a helper so we can retrieve the JWKS for a project for decoding M2M access tokens

# File 'lib/stytch/m2m.rb', line 38

def get_jwks(
  project_id:
)
  headers = {}
  query_params = {}
  path = @is_b2b_client ? "/v1/b2b/sessions/jwks/#{project_id}" : "/v1/sessions/jwks/#{project_id}"
  request = request_with_query_params(path, query_params)
  get_request(request, headers)
end

#marshal_jwt_into_response(jwt) ⇒ Object

# File 'lib/stytch/m2m.rb', line 202

def marshal_jwt_into_response(jwt)
  # The custom claim set is all the claims in the payload except for the standard claims.
  # The cleanest way to collect those seems to be naming what we want
  # to omit and filtering the rest to collect the custom claims.
  reserved_claims = %w[aud exp iat iss jti nbf sub]
  custom_claims = jwt.reject { |key, _| reserved_claims.include?(key) }
  {
    'scopes' => jwt['scope'].split(' '),
    'client_id' => jwt['sub'],
    'custom_claims' => custom_claims
  }
end

#perform_authorization_check(has_scopes:, required_scopes:) ⇒ Object

Performs an authorization check against an M2M client and a set of required scopes. Returns true if the client has all the required scopes, false otherwise. A scope can match if the client has a wildcard resource or the specific resource. This function assumes that scopes are of the form “action:resource” or just “specific_scope”. It is also possible to represent scopes as “resource:action”, but it is ultimately up to the developer to ensure consistency in the scopes format. Note that a scope of “*” will only match another literal “*” because wildcards are not supported in the prefix piece of a scope.

# File 'lib/stytch/m2m.rb', line 156

def perform_authorization_check(
  has_scopes:,
  required_scopes:
)
  client_scopes = Hash.new { |hash, key| hash[key] = Set.new }
  has_scopes.each do |scope|
    action = scope
    resource = '-'
    action, resource = scope.split(':') if scope.include?(':')
    client_scopes[action].add(resource)
  end

  required_scopes.each do |required_scope|
    required_action = required_scope
    required_resource = '-'
    required_action, required_resource = required_scope.split(':') if required_scope.include?(':')
    return false unless client_scopes.key?(required_action)

    resources = client_scopes[required_action]
    # The client can either have a wildcard resource or the specific resource
    return false unless resources.include?('*') || resources.include?(required_resource)
  end

  true
end

#token(client_id:, client_secret:, scopes: nil) ⇒ Object

MANUAL(M2M::token)(SERVICE_METHOD) token retrieves an access token for the given M2M Client. Access tokens are JWTs signed with the project’s JWKs, and are valid for one hour after issuance. M2M Access tokens contain a standard set of claims as well as any custom claims generated from templates.

Parameters:

client_id

The ID of the client. The type of this field is String.

client_secret

The secret of the client. The type of this field is String.

scopes

An array scopes requested. If omitted, all scopes assigned to the client will be returned. The type of this field is nilable list of String.

Returns:

An object with the following fields:

access_token

The access token granted to the client. Access tokens are JWTs signed with the project’s JWKs. The type of this field is String.

expires_in

The lifetime in seconds of the access token. For example, the value 3600 denotes that the access token will expire in one hour from the time the response was generated. The type of this field is Integer.

token_type

The type of the returned access token. Today, this value will always be equal to “bearer” The type of this field is String.

# File 'lib/stytch/m2m.rb', line 77

def token(client_id:, client_secret:, scopes: nil)
  request = {
    grant_type: 'client_credentials',
    client_id: client_id,
    client_secret: client_secret
  }
  request[:scope] = scopes.join(' ') unless scopes.nil?

  JSON.parse(post_request("/v1/public/#{@project_id}/oauth2/token", request), { symbolize_names: true })
end