Class: Doorkeeper::OpenidConnect::IdToken

Inherits:
Object
Includes:
ActiveModel::Validations
Defined in:
lib/doorkeeper/openid_connect/id_token.rb

Direct Known Subclasses

IdTokenToken

Constant Summary collapse

REQUIRED_CLAIMS =

OIDC Core 1.0 §2 — these claims are REQUIRED in every ID Token, so they must never be silently dropped when blank.

%i[iss sub aud exp iat].freeze


Constructor Details

#initialize(access_token, nonce = nil, expires_in = Doorkeeper::OpenidConnect.configuration.expiration) ⇒ IdToken

Returns a new instance of IdToken.



# File 'lib/doorkeeper/openid_connect/id_token.rb', line 14

# Builds an ID Token that accompanies +access_token+.
#
# The resource owner is resolved eagerly through the configured
# +resource_owner_from_access_token+ callable, and the issuance instant is
# captured once here so every later claim derived from it is consistent.
#
# @param access_token [Object] the access token the ID Token is issued for
# @param nonce [String, nil] client-supplied nonce, echoed back as the
#   `nonce` claim by #claims
# @param expires_in [Integer] token lifetime (presumably used for the `exp`
#   claim); defaults to the configured expiration
def initialize(access_token, nonce = nil, expires_in = Doorkeeper::OpenidConnect.configuration.expiration)
  config = Doorkeeper::OpenidConnect.configuration

  @access_token = access_token
  @nonce = nonce
  @resource_owner = config.resource_owner_from_access_token.call(access_token)
  @issued_at = Time.zone.now
  @expires_in = expires_in
end

Instance Attribute Details

#nonceObject (readonly)

Returns the value of attribute nonce.



# File 'lib/doorkeeper/openid_connect/id_token.rb', line 12

# The client-supplied nonce given at construction, if any. It is emitted
# as the `nonce` claim by #claims so the client can tie this ID Token to
# its own authorization request.
#
# @return [String, nil]
def nonce
  @nonce
end

Instance Method Details

#as_json(*_) ⇒ Object



# File 'lib/doorkeeper/openid_connect/id_token.rb', line 37

# Serialises the ID Token claims into a plain Hash ready for JWT encoding.
#
# Claims whose value is +nil+ or an empty string are left out of the
# payload. A blank value for any claim in REQUIRED_CLAIMS is treated as a
# misconfiguration and raises instead of being dropped, so a
# non-conformant ID Token is never signed and issued.
#
# The blank test is deliberately narrower than ActiveSupport's +blank?+,
# which would also discard +false+ values and empty collections.
#
# @param _ [Array] ignored; accepted so callers passing serialisation
#   options still work
# @return [Hash{Symbol => Object}] the claims to sign
# @raise [Errors::MissingRequiredClaim] when a REQUIRED claim is blank
def as_json(*_)
  payload = {}

  claims.each do |name, claim_value|
    if claim_value.nil? || claim_value == ""
      raise Errors::MissingRequiredClaim, name if REQUIRED_CLAIMS.include?(name)
    else
      payload[name] = claim_value
    end
  end

  payload
end

#as_jws_tokenObject



# File 'lib/doorkeeper/openid_connect/id_token.rb', line 53

# Signs the serialised claims (see #as_json) into a compact JWS string.
#
# The JOSE header carries the configured signing key's +kid+ so a verifier
# can pick the matching public key (e.g. from a published JWK set) before
# checking the signature.
#
# @return [String] the signed ID Token in compact JWS form
def as_jws_token
  payload = as_json
  key = Doorkeeper::OpenidConnect.signing_key
  algorithm = Doorkeeper::OpenidConnect.signing_algorithm.to_s
  header = { typ: "JWT", kid: key.kid }

  ::JWT.encode(payload, key.keypair, algorithm, header).to_s
end

#claimsObject



# File 'lib/doorkeeper/openid_connect/id_token.rb', line 22

# Assembles the complete claim set for the ID Token, before blank
# filtering (see #as_json).
#
# Custom claims produced by ClaimsBuilder for the +:id_token+ response
# are collected first and the registered claims are merged on top, so a
# custom claim block can never overwrite +iss+, +sub+, +aud+, +exp+,
# +iat+, +nonce+ or +auth_time+ in the signed token.
#
# @return [Hash{Symbol => Object}]
def claims
  custom = ClaimsBuilder.generate(@access_token, :id_token)

  registered = {
    iss: issuer,
    sub: subject,
    aud: audience,
    exp: expiration,
    iat: issued_at,
    nonce: nonce,
    auth_time: auth_time,
  }

  # Framework-controlled claims win on key collision.
  custom.merge(registered)
end