class IDTokenDecoder

Attributes

claims[R] — note: no method listed on this page assigns +@claims+, so this reader returns nil unless something else sets it
client_id[R]
id_token[R]
keyset[R]
nonce[R]

Public Class Methods

new(id_token:, client_id:, nonce:, keyset:)
# File lib/omniauth/azure_adv2/id_token_decoder.rb, line 2
# Build a decoder for one ID token.
#
# @param id_token [String, nil] the raw compact JWT (nil is rejected later, in +run+)
# @param client_id [String] the expected +aud+ claim value
# @param nonce [String] the nonce sent with the authorization request; the
#   token's +nonce+ claim must equal it
# @param keyset [#find] source of verification keys, looked up by the header +kid+
def initialize(id_token:, client_id:, nonce:, keyset:)
  @id_token, @client_id, @nonce, @keyset = id_token, client_id, nonce, keyset
end

Public Instance Methods

run()
# File lib/omniauth/azure_adv2/id_token_decoder.rb, line 9
# Decode +id_token+ and verify it end to end, returning +[payload, header]+.
#
# Security-relevant ordering of the checks below:
#   1. +decoder.verify+ is expected to run the claim checks configured in
#      +verify_options+ (exp, nbf, iat, aud) against the payload BEFORE the
#      signature is checked, so a token that fails both reports the claim
#      error first. Nothing from the payload is returned or acted on until
#      step 3 has passed.
#   2. The header's +alg+ is pinned to RS256 before any signature work, so a
#      token carrying any other algorithm (e.g. +none+, or an HMAC algorithm
#      that would treat the RSA public key as a shared secret) is rejected
#      with JWT::IncorrectAlgorithm regardless of its signature.
#   3. The signature is verified with the key +matching_key+ selects from
#      +keyset+ via the header's +kid+.
#   4. Only after the signature holds is the +nonce+ claim compared with the
#      nonce this decoder was constructed with, binding the token to the
#      authorization request that produced it.
#
# Not checked here: the +iss+ claim (+verify_options+ has no +verify_iss+),
# so a token is accepted from any issuer whose signing key is in +keyset+.
# NOTE(review): confirm the caller validates issuer/tenant if it must
# restrict which Azure AD tenants may sign in.
#
# NOTE(review): JWT::Decode#decode_segments, #verify,
# JWT.signature_algorithm_and_key and JWT.verify_signature are internal
# ruby-jwt entry points rather than the public JWT.decode API; confirm they
# still exist in the pinned ruby-jwt version.
#
# @return [Array(Hash, Hash)] the verified payload claims and the JOSE header
# @raise [JWT::DecodeError] if +id_token+ is nil or the nonce does not match
#   (claim-check failures presumably raise ruby-jwt's DecodeError family too)
# @raise [JWT::IncorrectAlgorithm] if the header +alg+ is not RS256
# @raise whatever JWT.verify_signature raises on a bad signature
def run
  # Only nil is rejected up front; other malformed input is presumably
  # rejected by decode_segments.
  fail(JWT::DecodeError, 'Nil JSON web token') unless id_token

  # The key argument is nil because the key is resolved per token from the
  # header's kid (see matching_key) once the header has been parsed.
  decoder = JWT::Decode.new(id_token, nil, true, verify_options)
  # @header is an ivar rather than a local because matching_key reads it.
  @header, payload, signature, signing_input = decoder.decode_segments
  decoder.verify

  algo, key = JWT.signature_algorithm_and_key(@header, matching_key)

  # Hard pin: the accepted algorithm comes from this code, never from the
  # token, which is the standard defence against alg-confusion attacks.
  if 'RS256' != algo
    fail JWT::IncorrectAlgorithm, 'Expected a different algorithm'
  end

  JWT.verify_signature(algo, key, signing_input, signature)

  # Compared only on a token whose signature has already verified.
  fail JWT::DecodeError, 'Returned nonce did not match.' unless payload['nonce'] == nonce

  [payload, @header]
end

Private Instance Methods

matching_key()
# File lib/omniauth/azure_adv2/id_token_decoder.rb, line 45
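# Look up the verification key named by the token header's +kid+.
#
# Memoised per instance. Relies on +@header+ having been set by
# +decode_segments+ in +run+ before this is called.
#
# @return [Object] whatever +keyset.find+ returns for the header's kid
# @raise [JWT::DecodeError] when the keyset has no key for that kid
#   (including a token with no +kid+ header at all). Without this guard a
#   missing key would surface later as a NoMethodError on nil inside the
#   signature check instead of a clean rejection.
def matching_key
  @_matching_key ||= begin
    kid = @header['kid']
    # NOTE(review): assumes keyset.find returns nil for an unknown kid — confirm;
    # if it raises its own error instead, this guard is simply never reached.
    keyset.find(kid) || fail(JWT::DecodeError, "No signing key found for kid #{kid.inspect}")
  end
end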
verify_options()
# File lib/omniauth/azure_adv2/id_token_decoder.rb, line 33
# Claim checks handed to JWT::Decode for +run+.
#
# Enabled: exp, nbf, iat and aud (aud must equal +client_id+).
# Disabled: jti — replay protection presumably comes from the nonce check
#   in +run+ instead.
# Not configured: iss — the issuer/tenant is not validated by this class.
#   NOTE(review): confirm the caller checks it where tenant restriction matters.
# +leeway: 0+ allows no clock-skew tolerance on the time-based claims.
#
# @return [Hash] options hash in the shape JWT::Decode expects
def verify_options
  claim_checks = {
    verify_expiration: true,
    verify_not_before: true,
    verify_iat: true,
    verify_jti: false,
    verify_aud: true,
  }
  claim_checks.merge(aud: client_id, leeway: 0)
end