class ADAL::SelfSignedJwtFactory

Builds self-signed JWTs (client assertions) from a client certificate and its private key, for use when the application authenticates to the token endpoint with a certificate instead of a secret.

Public Class Methods

new(client_id, token_endpoint)

Constructs a new SelfSignedJwtFactory.

@param String client_id

The client id of the calling application.

@param String token_endpoint

The token endpoint that will accept the assertion. It becomes the JWT's audience (aud) claim.
# File lib/adal/self_signed_jwt_factory.rb, line 43
def initialize(client_id, token_endpoint)
  @client_id = client_id
  @token_endpoint = token_endpoint
end

Public Instance Methods

create_and_sign_jwt(certificate, private_key)

Creates a JWT whose header identifies the client certificate by its thumbprint and signs it (RS256) with the certificate's private key.

@param OpenSSL::X509::Certificate certificate

The certificate registered for the application. Its SHA-1 thumbprint goes into the x5t header so the token endpoint knows which registered certificate to verify against.

@param OpenSSL::PKey::RSA private_key

The private key matching the certificate. It signs the JWT (not the certificate).

@return String the signed JWT in compact serialization (header.payload.signature)

# File lib/adal/self_signed_jwt_factory.rb, line 57
def create_and_sign_jwt(certificate, private_key)
  JWT.encode(payload, private_key, RS256, header(certificate))
end

Private Instance Methods

header(certificate)

The JWT header for a certificate to be encoded: typ JWT, alg RS256, and x5t set to the certificate thumbprint.

# File lib/adal/self_signed_jwt_factory.rb, line 64
def header(certificate)
  x5t = thumbprint(certificate)
  logger.verbose("Creating self signed JWT header with thumbprint: #{x5t}.")
  { TYPE => TYPE_JWT,
    ALGORITHM => RS256,
    THUMBPRINT => x5t }
end
payload()

The JWT payload. The audience is the token endpoint; issuer and subject are both the client id; nbf is set one second in the past to tolerate small clock skew; exp is SELF_SIGNED_JWT_LIFETIME minutes after that; jti is a fresh UUID so each assertion is unique.

# File lib/adal/self_signed_jwt_factory.rb, line 73
def payload
  now = Time.now - 1
  expires = now + 60 * SELF_SIGNED_JWT_LIFETIME
  logger.verbose("Creating self signed JWT payload. Expires: #{expires}. " \
                 "NotBefore: #{now}.")
  { AUDIENCE => @token_endpoint,
    ISSUER => @client_id,
    SUBJECT => @client_id,
    NOT_BEFORE => now.to_i,
    EXPIRES_ON => expires.to_i,
    JWT_ID => SecureRandom.uuid }
end
thumbprint(certificate)

Base64-encoded thumbprint (also called the fingerprint): the SHA-1 hash of the DER encoding of the certificate. Note that Digest#base64digest produces standard Base64 (alphabet with + and /, padded with =), whereas RFC 7515 defines the x5t header as the base64url encoding of the same digest, so a consumer that computes x5t strictly per the RFC will produce a different string for the same certificate.

@param OpenSSL::X509::Certificate certificate

@return String

# File lib/adal/self_signed_jwt_factory.rb, line 92
def thumbprint(certificate)
  OpenSSL::Digest::SHA1.new(certificate.to_der).base64digest
end
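As an added example (not the library's code) covering both halves of what this class participates in: building the same client assertion with only Ruby's standard library, and the checks a token endpoint has to make before trusting it. The names build_client_assertion, verify_client_assertion and generate_test_identity, the 10-minute lifetime standing in for SELF_SIGNED_JWT_LIFETIME, and the throwaway self-signed certificate generated in process are all assumptions for illustration. The JWS is assembled by hand instead of with JWT.encode so the block runs without the jwt gem, and x5t is base64url-encoded as RFC 7515 specifies, which differs from the page's base64digest.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Stand-in for ADAL's SELF_SIGNED_JWT_LIFETIME (minutes); the real value is not on this page.
ASSERTION_LIFETIME_MINUTES = 10

# base64url without padding, as JWS (RFC 7515) requires. Uses pack/unpack so no 'base64' gem is needed.
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0')
end

# "x5t": base64url SHA-1 of the DER certificate (the page's thumbprint uses standard Base64 instead).
def x5t_thumbprint(certificate)
  b64url(OpenSSL::Digest.new('SHA1').digest(certificate.to_der))
end

# Client side: the same header and payload shape as SelfSignedJwtFactory, signed RS256
# over the JWS signing input "base64url(header).base64url(payload)".
def build_client_assertion(client_id, token_endpoint, certificate, private_key, now: Time.now)
  header = { 'typ' => 'JWT', 'alg' => 'RS256', 'x5t' => x5t_thumbprint(certificate) }
  nbf = now.to_i - 1 # one second of clock-skew tolerance, as in the page's payload
  payload = {
    'aud' => token_endpoint,
    'iss' => client_id,
    'sub' => client_id,
    'nbf' => nbf,
    'exp' => nbf + 60 * ASSERTION_LIFETIME_MINUTES,
    'jti' => SecureRandom.uuid # unique per assertion so the endpoint can reject replays
  }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  signature = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Endpoint side: the checks a verifier must make before trusting the assertion. The
# certificate is the one registered for the client and is chosen by the caller; the
# assertion's header only tells us which registered certificate to try, it proves nothing.
def verify_client_assertion(jwt, certificate, expected_aud:, expected_iss:, now: Time.now)
  parts = jwt.split('.')
  return false unless parts.length == 3
  h, p, s = parts
  header = JSON.parse(b64url_decode(h))
  payload = JSON.parse(b64url_decode(p))
  return false unless header['alg'] == 'RS256'                     # pin the algorithm; never let the token choose it
  return false unless header['x5t'] == x5t_thumbprint(certificate) # header must name the registered certificate
  return false unless certificate.public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(s), "#{h}.#{p}")
  t = now.to_i
  payload['aud'] == expected_aud &&
    payload['iss'] == expected_iss &&
    payload['sub'] == expected_iss &&
    payload['nbf'].is_a?(Integer) && payload['exp'].is_a?(Integer) &&
    payload['nbf'] <= t && t < payload['exp']
rescue JSON::ParserError, ArgumentError, TypeError, OpenSSL::PKey::PKeyError
  false # malformed input fails closed
end

# Constructed test identity: a throwaway self-signed certificate and key generated in process.
def generate_test_identity(common_name = 'example-client')
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

if $PROGRAM_NAME == __FILE__
  cert, key = generate_test_identity
  endpoint = 'https://login.example.test/oauth2/token' # constructed endpoint
  jwt = build_client_assertion('example-client-id', endpoint, cert, key)
  puts jwt
  puts verify_client_assertion(jwt, cert, expected_aud: endpoint, expected_iss: 'example-client-id')
end
```

The verifier rejects a token signed for another audience, one presented outside its nbf/exp window, one whose x5t names a certificate other than the registered one, and one whose payload was altered after signing (the signature no longer matches), which is the set of failures a token endpoint relies on to make a stolen or replayed assertion useless.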