class IntuitOAuth::Flow::OpenID

Public Instance Methods

get_user_info(access_token)

Get the User Info

@param [String] access_token the access token needed to access the user info
@return [Response] the response object

# File lib/intuit-oauth/flow/openid.rb, line 28
def get_user_info(access_token)
  # the access token is presented as a Bearer credential on the UserInfo request
  headers = {
    Authorization: "Bearer #{access_token}"
  }

  # Transport.request takes the request headers as its third positional argument
  IntuitOAuth::Transport.request('GET', @client.user_info_url, headers)
end
validate_id_token(id_token)

If the token can be correctly validated, returns true; otherwise returns false.

The validation rules are:

1. You have to provide the client_id value, which must match the token's aud field
2. The payload issuer is from Intuit
3. The expire time is not expired
4. The signature is correct

If something fails, raises an error.

@param [String] id_token the string form of the token
@return [Boolean]

require 'json'
require 'base64'

# File lib/intuit-oauth/flow/openid.rb, line 52
def validate_id_token(id_token)
  id_token_header_raw, id_token_payload_raw, id_token_signature_raw = id_token.split(".")

  # JWT segments are base64url (RFC 7515), so use the urlsafe decoder;
  # Base64.decode64 silently drops '-' and '_' and corrupts the decoded bytes
  id_token_header_json = JSON.parse(Base64.urlsafe_decode64(id_token_header_raw.strip))
  id_token_payload_json = JSON.parse(Base64.urlsafe_decode64(id_token_payload_raw.strip))
  id_token_signature = Base64.urlsafe_decode64(id_token_signature_raw.strip)

  # 1. check if payload's issuer is from Intuit
  issuer = id_token_payload_json.fetch('iss')
  unless issuer.eql? @client.issuer_uri
    return false
  end

  # 2. check if the aud contains the client id (aud may be a string or an array)
  aud = Array(id_token_payload_json.fetch('aud'))
  unless aud.include? @client.id
    return false
  end

  # 3. check if the expire time is not expired
  exp = id_token_payload_json.fetch('exp')
  if exp < Time.now.to_i
    return false
  end

  # 4. check that the token's kid matches a key published at the JWKS endpoint
  #    (the key is looked up by kid rather than taking the first entry, since the
  #    JWKS may list several keys; this matches the key id only and does not
  #    verify the RSA signature over the token)
  response = IntuitOAuth::Transport.request('GET', @client.jwks_uri, nil, nil, false)
  body = response.body

  keys = JSON.parse(body).fetch('keys')
  kid_in_id_token = id_token_header_json.fetch('kid')

  unless keys.any? { |key| key.fetch('kid').eql? kid_in_id_token }
    return false
  end

  true
end
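The four validation rules documented for validate_id_token, carried through as an added example that is not the intuit-oauth gem's code: base64url decoding, exact issuer match, aud as string or array, expiry, and an actual RSA-SHA256 signature check against the JWK selected by kid with the algorithm pinned to RS256. The keyword-argument signature, the helper names, the issuer and client id, the signing key and the JWKS document are all constructed for this example and are not the gem's.

```ruby
require 'json'
require 'openssl'

def b64url_encode(bytes) # base64url (RFC 7515): '-'/'_' alphabet, no padding
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end
def b64url_decode(str)
  s = str.tr('-_', '+/')
  (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0') # strict: ArgumentError on bad input
end

# rebuild the RSA public key from a JWK's n and e (PKCS#1 RSAPublicKey DER)
def rsa_from_jwk(jwk)
  n, e = %w[n e].map { |k| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(b64url_decode(jwk[k]), 2)) }
  OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence.new([n, e]).to_der)
end

# the four rules, failing closed: any malformed input yields false
def validate_id_token(id_token, jwks:, issuer:, client_id:, now: Time.now.to_i)
  header_raw, payload_raw, sig_raw = id_token.split('.')
  return false unless header_raw && payload_raw && sig_raw
  header  = JSON.parse(b64url_decode(header_raw))
  payload = JSON.parse(b64url_decode(payload_raw))
  return false unless header.is_a?(Hash) && payload.is_a?(Hash)
  return false unless payload['iss'] == issuer                               # 1. issuer, exact match
  return false unless Array(payload['aud']).include?(client_id)              # 2. aud: string or array
  return false unless payload['exp'].is_a?(Integer) && payload['exp'] > now  # 3. not expired
  return false unless header['alg'] == 'RS256'                               # 4. pin alg; never "none"
  jwk = jwks['keys'].find { |k| k['kid'] == header['kid'] }                  #    key selected by kid
  return false unless jwk
  signed = "#{header_raw}.#{payload_raw}"
  rsa_from_jwk(jwk).verify(OpenSSL::Digest.new('SHA256'), b64url_decode(sig_raw), signed)
rescue JSON::ParserError, ArgumentError, OpenSSL::PKey::PKeyError
  false
end

# constructed fixtures: signing key, the JWKS document jwks_uri would serve, placeholder issuer/client
SIGNING_KEY = OpenSSL::PKey::RSA.new(2048)
JWKS = { 'keys' => [{ 'kty' => 'RSA', 'kid' => 'kid-1', 'alg' => 'RS256',
                      'n' => b64url_encode(SIGNING_KEY.n.to_s(2)),
                      'e' => b64url_encode(SIGNING_KEY.e.to_s(2)) }] }
ISSUER, CLIENT_ID = 'https://issuer.example', 'client-abc'
# mints an RS256 id_token for the checks below (the IdP's job, not the client's)
def issue_id_token(rsa, kid, claims)
  header  = b64url_encode(JSON.generate('alg' => 'RS256', 'kid' => kid))
  payload = b64url_encode(JSON.generate(claims))
  sig = rsa.sign(OpenSSL::Digest.new('SHA256'), "#{header}.#{payload}")
  "#{header}.#{payload}.#{b64url_encode(sig)}"
end
```

Rule 4 in the gem's source only compares key ids; this version performs the cryptographic check the documented rule describes, and a token whose payload is altered after signing, or signed under a different key with the same kid, is rejected.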