Class: Himari::AccessTokenJwt

Inherits:
JwtToken
  • Object
Defined in:
lib/himari/access_token_jwt.rb

Overview

RFC 9068 (JWT Profile for OAuth 2.0 Access Tokens) representation of an access token. The signed JWT carries the same IdP claims as the ID Token for relying parties to consume directly, plus the registered claims RFC 9068 requires. Himari still authenticates the token by the opaque secret embedded in the hmat claim (see Himari::AccessToken.parse), so the JWT signature is an additional, self-contained guarantee for relying parties.

Defined Under Namespace

Classes: MissingSubject

Instance Attribute Summary

Attributes inherited from JwtToken

#claims, #client_id, #issuer, #signing_key

Instance Method Summary

Methods inherited from JwtToken

#standard_claims, #to_jwt

Constructor Details

#initialize(access:, **kwargs) ⇒ AccessTokenJwt

Returns a new instance of AccessTokenJwt.

Parameters:



# File 'lib/himari/access_token_jwt.rb', line 18

def initialize(access:, **kwargs)
  super(**kwargs)
  @access = access
end

Instance Method Details

#final_claims ⇒ Object

Raises:



# File 'lib/himari/access_token_jwt.rb', line 29

def final_claims
  raise MissingSubject, 'RFC 9068 access token requires a sub claim' unless claims[:sub]

  standard_claims.merge(
    client_id: @client_id,
    jti: @access.handle,
    # The opaque access token Himari validates against storage; relying parties ignore it.
    AccessToken.magic_header.to_sym => @access.format.to_s,
  ).merge(scope_claim)
end

#jwt_header ⇒ Object



# File 'lib/himari/access_token_jwt.rb', line 24

def jwt_header
  {typ: 'at+jwt'}
end
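
A relying-party check for the token described in the Overview, as an added example that is not Himari's code: it enforces the at+jwt typ set by #jwt_header and the claims RFC 9068 requires, including the sub that #final_claims insists on. RS256 signing, the names verify_at_jwt and sample_token, and the issuer and audience values passed in are assumptions.

```ruby
require 'openssl'
require 'json'

# Claims RFC 9068 section 2.2 marks as required in every JWT access token.
REQUIRED_CLAIMS = %w[iss exp aud sub client_id iat jti].freeze
class InvalidAccessToken < StandardError; end

# Relying-party validation; returns the claims hash or raises InvalidAccessToken.
# public_key, issuer and audience come from the caller's configuration (assumed).
def verify_at_jwt(token, public_key:, issuer:, audience:, now: Time.now.to_i)
  parts = token.split('.', -1)
  raise InvalidAccessToken, 'not a compact JWS' unless parts.size == 3
  h64, p64, s64 = parts
  header = JSON.parse(h64.tr('-_', '+/').unpack1('m'))
  raise InvalidAccessToken, 'header is not an object' unless header.is_a?(Hash)
  # typ must be at+jwt so an ID Token from the same issuer is not accepted here.
  typ = header['typ'].to_s.downcase.delete_prefix('application/')
  raise InvalidAccessToken, 'typ is not at+jwt' unless typ == 'at+jwt'
  # Pin the algorithm (RS256 assumed); never let the token choose, e.g. "none".
  raise InvalidAccessToken, 'unexpected alg' unless header['alg'] == 'RS256'
  sig = s64.tr('-_', '+/').unpack1('m')
  valid = public_key.verify(OpenSSL::Digest.new('SHA256'), sig, "#{h64}.#{p64}")
  raise InvalidAccessToken, 'bad signature' unless valid
  claims = JSON.parse(p64.tr('-_', '+/').unpack1('m'))
  raise InvalidAccessToken, 'payload is not an object' unless claims.is_a?(Hash)
  missing = REQUIRED_CLAIMS.reject { |c| claims.key?(c) }
  raise InvalidAccessToken, "missing claims: #{missing.join(', ')}" unless missing.empty?
  raise InvalidAccessToken, 'wrong issuer' unless claims['iss'] == issuer
  raise InvalidAccessToken, 'wrong audience' unless Array(claims['aud']).include?(audience)
  raise InvalidAccessToken, 'expired' unless claims['exp'].is_a?(Numeric) && claims['exp'] > now
  claims
rescue JSON::ParserError, OpenSSL::PKey::PKeyError
  raise InvalidAccessToken, 'malformed token'
end

# Builds a constructed sample token with a throwaway key (stands in for #to_jwt).
def sample_token(key, claims, header = { typ: 'at+jwt', alg: 'RS256' })
  b64 = ->(obj) { [JSON.generate(obj)].pack('m0').tr('+/', '-_').delete('=') }
  input = "#{b64.(header)}.#{b64.(claims)}"
  sig = key.sign(OpenSSL::Digest.new('SHA256'), input)
  "#{input}.#{[sig].pack('m0').tr('+/', '-_').delete('=')}"
end
```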