class OpenIDTokenProxy::Token

Attributes

access_token[RW]
id_token[RW]
refresh_token[RW]

Public Class Methods

decode!(access_token, keys = OpenIDTokenProxy.config.public_keys)

Decodes the given access token and validates its signature against the configured public key(s). Pass :skip_verification as the second argument to skip signature validation.

# File lib/openid_token_proxy/token.rb, line 66
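# Decodes +access_token+ and verifies its signature with +keys+.
#
# Every key in +keys+ (a single key or an Array of keys) is tried in turn and
# the first one that verifies the signature yields the Token; the decoded
# claims are handed to Token.new as a Hash. Passing +:skip_verification+ as
# +keys+ skips signature validation entirely, so a token decoded that way
# carries claims that have not been authenticated -- callers must verify it
# by other means before trusting them.
#
# @param access_token [String] raw JWT
# @param keys [Object, Array<Object>, Symbol] public key(s), or
#   +:skip_verification+
# @return [Token]
# @raise [Required] when +access_token+ is blank
# @raise [Malformed] when the token is not a well-formed JWT (raised on the
#   first key tried; remaining keys are not consulted)
# @raise [UnverifiableSignature] when no key verifies the signature, which
#   includes the case of +keys+ being nil or empty
def self.decode!(access_token, keys = OpenIDTokenProxy.config.public_keys)
  raise Required if access_token.blank?

  Array(keys).each do |key|
    begin
      object = OpenIDConnect::RequestObject.decode(access_token, key)
    rescue JSON::JWT::InvalidFormat => e
      raise Malformed, e.message
    rescue JSON::JWT::VerificationFailed
      # Signature did not verify under this key: try the remaining keys.
      # UnverifiableSignature is raised below if none of them applies.

      # A failure in Certificate#verify leaves messages on the OpenSSL error
      # queue, which can break unrelated SSL communication later on.
      # See: https://bugs.ruby-lang.org/issues/7215
      OpenSSL.errors.clear
    else
      # First key that verifies wins.
      return Token.new(access_token, object.raw_attributes)
    end
  end

  raise UnverifiableSignature
end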
new(access_token, id_token = nil, refresh_token = nil)
# File lib/openid_token_proxy/token.rb, line 12
# Builds a token from its raw parts.
#
# @param access_token [String] the access token (also what #to_s returns)
# @param id_token [Hash, OpenIDConnect::ResponseObject::IdToken, nil] raw
#   claims, which are wrapped in an IdToken, or an already-built IdToken
# @param refresh_token [String, nil]
def initialize(access_token, id_token = nil, refresh_token = nil)
  @access_token = access_token
  @refresh_token = refresh_token
  @id_token =
    case id_token
    when Hash then OpenIDConnect::ResponseObject::IdToken.new(id_token)
    else id_token
    end
end

Public Instance Methods

[](key)

Retrieves data from identity attributes

# File lib/openid_token_proxy/token.rb, line 26
# Looks up a claim in the ID token's raw attributes.
#
# Requires an ID token to be present; with a nil id_token this raises
# NoMethodError.
#
# @param key [Object] attribute key as stored in the raw attributes
# @return [Object, nil] the attribute value, or nil when absent
def [](key)
  attributes = id_token.raw_attributes
  attributes[key]
end
expired?()
# File lib/openid_token_proxy/token.rb, line 60
# Whether the ID token's +exp+ claim lies at or before the current second.
#
# No clock-skew leeway is applied, and a token whose +exp+ is exactly now
# counts as expired. A missing +exp+ is treated as 0 (nil.to_i) and thus
# as expired.
#
# @return [Boolean]
def expired?
  now = Time.now.to_i
  expires_at = id_token.exp.to_i
  expires_at <= now
end
expiry_time()
# File lib/openid_token_proxy/token.rb, line 56
# The ID token's +exp+ claim as a UTC Time.
#
# A missing +exp+ yields the Unix epoch (nil.to_i is 0).
#
# @return [Time]
def expiry_time
  seconds = id_token.exp.to_i
  Time.at(seconds).utc
end
to_s()
# File lib/openid_token_proxy/token.rb, line 21
# The raw access token string this object was built from.
#
# Returned as-is (not coerced), so it is nil when no access token was given.
#
# @return [String, nil]
def to_s
  @access_token
end
valid?(assertions = {})

Whether this token is valid

# File lib/openid_token_proxy/token.rb, line 50
# Non-raising form of #validate!.
#
# Only OpenIDTokenProxy::Error (the validation failures) is turned into
# +false+; any other exception propagates.
#
# @param assertions [Hash] see #validate!
# @return [Boolean] +true+ when #validate! passes, +false+ when it raises
#   an OpenIDTokenProxy::Error
def valid?(assertions = {})
  begin
    validate!(assertions)
  rescue OpenIDTokenProxy::Error
    false
  end
end
validate!(assertions = {})

Validates this token's expiration state, application, audience and issuer

# File lib/openid_token_proxy/token.rb, line 31
# Validates the ID token's expiration and, when asserted, its audience and
# issuer.
#
# The audience and issuer checks run only when the corresponding assertion
# is given (a truthy value under the Symbol keys +:audience+ / +:issuer+);
# an assertion that is omitted is not checked. Signature verification is
# not part of this method (see .decode!).
#
# @param assertions [Hash] +:audience+ -- value that must appear in the
#   +aud+ claim (a single audience or a list is accepted); +:issuer+ --
#   value the +iss+ claim must equal
# @return [true]
# @raise [Expired] when #expired? is true
# @raise [InvalidAudience] when +:audience+ is asserted and not in +aud+
# @raise [InvalidIssuer] when +:issuer+ is asserted and differs from +iss+
def validate!(assertions = {})
  raise Expired if expired?

  # TODO: Nonce validation

  expected_audience = assertions[:audience]
  if expected_audience
    # aud may be a single value or a list; normalize before membership test
    raise InvalidAudience unless Array(id_token.aud).include?(expected_audience)
  end

  expected_issuer = assertions[:issuer]
  if expected_issuer
    raise InvalidIssuer unless id_token.iss == expected_issuer
  end

  true
end