Class: Himari::JwtToken

Inherits:

Object

• Object
• Himari::JwtToken

Defined in:

lib/himari/jwt_token.rb

Overview

Shared minting process for the JWTs Himari signs for relying parties: the OIDC ID Token and the RFC 9068 access token. Holds the common claim derivation (registered claims merged over the IdP claims) and the signing step (kid, optional JOSE header fields, signature). Subclasses add their token-specific claims/header by overriding #final_claims / #jwt_header.

Direct Known Subclasses

AccessTokenJwt, IdToken

Instance Attribute Summary

• #claims ⇒ Object readonly

  Returns the value of attribute claims.

• #client_id ⇒ Object readonly

  Returns the value of attribute client_id.

• #issuer ⇒ Object readonly

  Returns the value of attribute issuer.

• #signing_key ⇒ Object readonly

  Returns the value of attribute signing_key.

Instance Method Summary

• #final_claims ⇒ Object
• #initialize(claims:, client_id:, signing_key:, issuer:, time: Time.now, lifetime: 3600) ⇒ JwtToken constructor

  A new instance of JwtToken.

• #jwt_header ⇒ Object

  JOSE header fields beyond kid; subclasses override (e.g. typ=at+jwt for RFC 9068).

• #standard_claims ⇒ Object

  Registered claims common to every Himari-minted JWT.

• #to_jwt ⇒ Object

Constructor Details

#initialize(claims:, client_id:, signing_key:, issuer:, time: Time.now, lifetime: 3600) ⇒ JwtToken

Returns a new instance of JwtToken.

# File 'lib/himari/jwt_token.rb', line 11

def initialize(claims:, client_id:, signing_key:, issuer:, time: Time.now, lifetime: 3600)
  @claims = claims
  @client_id = client_id
  @signing_key = signing_key
  @issuer = issuer
  @time = time
  @lifetime = lifetime
end

Instance Attribute Details

#claims ⇒ Object (readonly)

Returns the value of attribute claims.

# File 'lib/himari/jwt_token.rb', line 20

def claims
  @claims
end

#client_id ⇒ Object (readonly)

Returns the value of attribute client_id.

# File 'lib/himari/jwt_token.rb', line 20

def client_id
  @client_id
end

#issuer ⇒ Object (readonly)

Returns the value of attribute issuer.

# File 'lib/himari/jwt_token.rb', line 20

def issuer
  @issuer
end

#signing_key ⇒ Object (readonly)

Returns the value of attribute signing_key.

# File 'lib/himari/jwt_token.rb', line 20

def signing_key
  @signing_key
end

Instance Method Details

#final_claims ⇒ Object

# File 'lib/himari/jwt_token.rb', line 34

def final_claims
  standard_claims
end

#jwt_header ⇒ Object

JOSE header fields beyond kid; subclasses override (e.g. typ=at+jwt for RFC 9068).

# File 'lib/himari/jwt_token.rb', line 39

def jwt_header
  {}
end

#standard_claims ⇒ Object

Registered claims common to every Himari-minted JWT. The IdP claims (sub and the rest) are carried verbatim so the access token exposes the same claim set as the ID Token.

# File 'lib/himari/jwt_token.rb', line 24

def standard_claims
  claims.merge(
    iss: @issuer,
    aud: @client_id,
    iat: @time.to_i,
    nbf: @time.to_i,
    exp: (@time + @lifetime).to_i,
  )
end

#to_jwt ⇒ Object

# File 'lib/himari/jwt_token.rb', line 43

def to_jwt
  jwt = JSON::JWT.new(final_claims)
  jwt.kid = @signing_key.id
  jwt_header.each { |k, v| jwt.header[k] = v }
  jwt.sign(@signing_key.pkey, @signing_key.alg.to_sym).to_s
end