class AppleSignIn::IdentityTokenVerifier
Public Instance Methods
valid?(identity_token)
# File lib/apple_sign_in/identity_token_verifier.rb, line 11
#
# Decides whether an Apple identity token should be accepted.
#
# The token is first decoded WITHOUT signature verification, so the claims
# and header examined by valid_claims? and valid_headers? are still
# untrusted input at that point. The overall answer is only meaningful
# because valid_signature? is always the last check to run; none of the
# three checks is proof of authenticity on its own.
#
# @param identity_token [String] the serialized JWT received from the client
# @return [Boolean] false when a claim or header check fails, otherwise the
#   result of valid_signature?
# NOTE(review): JSON::JWT.decode and verify! appear to raise (rather than
# return false) on malformed or badly signed tokens, so callers should be
# prepared for exceptions as well as a false result -- confirm against the
# json-jwt version in use.
def valid?(identity_token)
  unverified = JSON::JWT.decode(identity_token, :skip_verification)
  return false unless valid_claims?(unverified)
  return false unless valid_headers?(unverified.header)

  valid_signature?(identity_token)
end
Private Instance Methods
apple_public_keys()
# File lib/apple_sign_in/identity_token_verifier.rb, line 55
#
# Downloads the JWK entries used to verify identity-token signatures.
#
# Issues a GET for "/auth/keys" through apple_api_caller on every call and
# returns whatever is stored under "keys" in the parsed JSON body. The HTTP
# status is not inspected and nothing is cached in this method.
#
# NOTE(review): every signature decision rests on these keys being
# authentic, so apple_api_caller has to reach Apple over certificate-validated
# HTTPS. Its configuration is not visible here -- confirm.
def apple_public_keys
  keys_document = JSON.parse(apple_api_caller.get("/auth/keys").body)
  keys_document["keys"]
end
select_public_key(kid)
# File lib/apple_sign_in/identity_token_verifier.rb, line 60
#
# Picks the published key whose "kid" equals the given key id and converts
# it with to_key.
#
# The kid passed in by valid_signature? comes from the still-unverified token
# header. It is only used to choose among the keys returned by
# apple_public_keys, never as key material itself.
#
# NOTE(review): when no published key carries this kid the lookup yields nil
# and to_key raises NoMethodError. That fails closed, but it surfaces as an
# unexpected exception rather than a rejected token.
def select_public_key(kid)
  matching_jwk = JSON::JWK::Set.new(apple_public_keys).find { |jwk| jwk["kid"] == kid }
  matching_jwk.to_key
end
valid_audience?(claims)
# File lib/apple_sign_in/identity_token_verifier.rb, line 32
#
# Checks that the token's "aud" claim is one of this application's client ids.
# Without this binding, a token Apple issued for a different client would
# pass the signature check and be accepted here.
#
# NOTE(review): presumably apple_client_ids is a collection of exact client-id
# strings. If it were a single String, include? would become a substring
# match -- confirm.
def valid_audience?(claims)
  audience = claims["aud"]
  apple_client_ids.include?(audience)
end
valid_claims?(claims)
# File lib/apple_sign_in/identity_token_verifier.rb, line 21
#
# Runs the four claim checks in order: issuer, audience, issued-at window
# and expiry. Evaluation stops at the first check that fails.
#
# valid? calls this on claims decoded without signature verification, so a
# true result says only that the claims are well-formed for this app, not
# that the token is genuine.
def valid_claims?(claims)
  %i[valid_issuer? valid_audience? valid_time? valid_expiry_time?].all? do |check|
    send(check, claims)
  end
end
valid_expiry_time?(claims)
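# File lib/apple_sign_in/identity_token_verifier.rb, line 40
#
# Checks that the token's "exp" claim lies strictly in the future.
#
# @param claims [#[]] decoded claims, still unverified when valid? calls this
# @return [Boolean] true only for a numeric exp greater than the current
#   epoch second
def valid_expiry_time?(claims)
  expires_at = claims["exp"]
  # The claim is untrusted input: a missing or non-numeric exp is rejected
  # here instead of raising from the comparison below.
  return false unless expires_at.is_a?(Numeric)

  expires_at > Time.now.to_i
end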
valid_headers?(headers)
# File lib/apple_sign_in/identity_token_verifier.rb, line 44
#
# Accepts only tokens whose header declares the RS256 algorithm.
#
# Pinning the algorithm before the signature is verified stops a token from
# choosing its own verification scheme (for example "none" or an HMAC
# variant). The comparison is exact and case-sensitive.
def valid_headers?(headers)
  algorithm = headers["alg"]
  algorithm == "RS256"
end
valid_issuer?(claims)
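# File lib/apple_sign_in/identity_token_verifier.rb, line 28
#
# Checks that the token's "iss" claim is exactly the configured Apple base URL.
#
# The earlier substring test (String#include?) also accepted any issuer that
# merely contained the base URL somewhere, such as a longer host name or a
# URL carrying it in a path or query. Issuer validation needs an exact match.
#
# @param claims [#[]] decoded claims, still unverified when valid? calls this
# @return [Boolean] true only when iss is a String equal to apple_base_url.to_s
# NOTE(review): assumes apple_base_url.to_s renders exactly the issuer Apple
# puts in its tokens (scheme and host, no trailing slash) -- confirm against
# the configured value.
def valid_issuer?(claims)
  issuer = claims["iss"]
  # A missing or non-string iss is rejected rather than raising.
  issuer.is_a?(String) && issuer == apple_base_url.to_s
end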
valid_signature?(identity_token)
# File lib/apple_sign_in/identity_token_verifier.rb, line 48
#
# Verifies the token's signature against the Apple key named by its "kid"
# header.
#
# The token is decoded without verification only to read the kid. That value
# selects one of the keys returned by select_public_key, and verify! then
# checks the signature with that key.
#
# This method does not restrict the signing algorithm itself. It relies on
# valid? having run valid_headers? (RS256 only) beforehand, so it should not
# be called on its own as the sole authenticity check.
#
# NOTE(review): verify! is expected to raise on a bad signature instead of
# returning false -- confirm against the json-jwt version in use.
def valid_signature?(identity_token)
  unverified = JSON::JWT.decode(identity_token, :skip_verification)
  signing_key = select_public_key(unverified.header["kid"])
  unverified.verify!(signing_key)
end
valid_time?(claims)
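# File lib/apple_sign_in/identity_token_verifier.rb, line 36
#
# Checks that the token's "iat" claim falls within the last 30 seconds.
#
# The window is inclusive at both ends and limits how long a captured token
# could be replayed. No allowance is made for clock skew: an iat even one
# second ahead of the local clock is rejected, so the host clock must be
# kept in sync.
#
# @param claims [#[]] decoded claims, still unverified when valid? calls this
# @return [Boolean] true only for a numeric iat in [now - 30, now]
def valid_time?(claims)
  issued_at = claims["iat"]
  # The claim is untrusted input: a missing or non-numeric iat is rejected
  # here instead of raising from the range comparison.
  return false unless issued_at.is_a?(Numeric)

  # Read the clock once so both bounds describe the same instant.
  now = Time.now.to_i
  issued_at.between?(now - 30, now)
end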