Class: Identizer::Handlers::Auth0

Inherits:
Base
  • Object
Defined in:
lib/identizer/handlers/auth0.rb

Overview

Auth0-style flow: the authorization code is exchanged for an access_token only (no id_token, by design: the original integration only verifies a JWT when one is returned and a certificate is configured), and the profile is then fetched from /userinfo by presenting that access_token as a Bearer credential.

Instance Method Summary

Methods inherited from Base

#initialize

Methods included from Responses

#amz_json, #escape_html, #html, #json, #no_content, #not_found, #notice_page, #redirect, #xml

Constructor Details

This class inherits a constructor from Identizer::Handlers::Base

Instance Method Details

#token(request) ⇒ Object



# File 'lib/identizer/handlers/auth0.rb', line 9

def token(request)
  # The Management API authenticates with a client_credentials grant. This
  # branch checks only grant_type (no client authentication) and does not
  # record the token it returns, so that token is not accepted by #userinfo.
  if merged_params(request)["grant_type"] == "client_credentials"
    return json(200, { access_token: SecureRandom.hex(32), token_type: "Bearer", expires_in: 86_400 })
  end

  # redeem_code consumes the authorization code (single use) and checks PKCE;
  # unknown, replayed and PKCE-mismatched codes all come back as nil.
  authorization = redeem_code(request)
  return json(400, { error: "invalid_grant" }) if authorization.nil?

  # Mint a distinct, opaque access_token that /userinfo resolves to the profile.
  # It is stored with the same ttl that is reported to the client as expires_in.
  access_token = SecureRandom.hex(20)
  access_tokens.put(access_token, authorization, ttl: config.access_token_ttl)
  json(200, { access_token: access_token, token_type: "Bearer", expires_in: config.access_token_ttl })
end

#userinfo(request) ⇒ Object



# File 'lib/identizer/handlers/auth0.rb', line 24

def userinfo(request)
  # bearer(request) extracts the token from the Authorization: Bearer header.
  # A missing or unknown token, or one whose ttl (set in #token) has elapsed,
  # resolves to nil and is rejected as invalid_token.
  authorization = access_tokens.get(bearer(request))
  return json(401, { error: "invalid_token" }) if authorization.nil?

  # The profile is the identity carried by the authorization the code was
  # redeemed for; no id_token is involved in this flow.
  json(200, authorization.identity.to_h)
end
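An added end-to-end example of the contract the two methods above implement. It is not Identizer's own code: TtlStore, Identity, Authorization, Auth0Double, issue_code and the Hash-shaped request parameters and headers are stand-ins invented here for the handler's collaborators (merged_params, redeem_code, access_tokens, bearer, config). It models the single-use code exchange, the opaque access token with a TTL, and the /userinfo lookup, with an injectable clock so that code replay, a non-Bearer Authorization header and token expiry can be exercised offline. PKCE and client authentication are omitted in this example.

```ruby
require "securerandom"

# Added example, not Identizer's code. Every class below is a stand-in
# invented here for the handler's real collaborators.

# In-memory store with per-entry expiry (stand-in for the page's access_tokens).
# The clock is injectable so expiry can be exercised without sleeping.
class TtlStore
  def initialize(clock: -> { Time.now.to_i })
    @clock = clock
    @entries = {}
  end

  def put(key, value, ttl:)
    @entries[key] = [value, @clock.call + ttl]
  end

  # Returns nil for unknown keys and for entries whose TTL has elapsed.
  def get(key)
    value, expires_at = @entries[key]
    return nil if value.nil?
    if @clock.call >= expires_at
      @entries.delete(key)
      return nil
    end
    value
  end

  # Single-use read: the entry is consumed on the first successful lookup.
  def take(key)
    value = get(key)
    @entries.delete(key) if value
    value
  end
end

Identity = Struct.new(:sub, :email)        # to_h gives { sub: ..., email: ... }
Authorization = Struct.new(:identity)

class Auth0Double
  ACCESS_TOKEN_TTL = 3600

  def initialize(clock: -> { Time.now.to_i })
    @codes = TtlStore.new(clock: clock)
    @access_tokens = TtlStore.new(clock: clock)
  end

  # Stand-in for the authorize step: bind a short-lived code to an identity
  # (PKCE omitted in this example).
  def issue_code(identity, ttl: 60)
    code = SecureRandom.hex(16)
    @codes.put(code, Authorization.new(identity), ttl: ttl)
    code
  end

  # POST /oauth/token; params is a Hash of form fields. Returns [status, body].
  def token(params)
    if params["grant_type"] == "client_credentials"
      return [200, { "access_token" => SecureRandom.hex(32), "token_type" => "Bearer", "expires_in" => 86_400 }]
    end
    authorization = @codes.take(params["code"].to_s) # consumed: a replay gets nil
    return [400, { "error" => "invalid_grant" }] if authorization.nil?

    access_token = SecureRandom.hex(20)
    @access_tokens.put(access_token, authorization, ttl: ACCESS_TOKEN_TTL)
    [200, { "access_token" => access_token, "token_type" => "Bearer", "expires_in" => ACCESS_TOKEN_TTL }]
  end

  # GET /userinfo; headers is a Hash of request headers. Returns [status, body].
  def userinfo(headers)
    token = bearer(headers["Authorization"])
    authorization = token && @access_tokens.get(token)
    return [401, { "error" => "invalid_token" }] if authorization.nil?

    [200, authorization.identity.to_h]
  end

  private

  # Accept only "Bearer <token>" (scheme case-insensitive); anything else is no token.
  def bearer(header)
    m = /\ABearer\s+(\S+)\z/i.match(header.to_s.strip)
    m && m[1]
  end
end

# Walk the flow with a controllable clock: exchange, replay, bad scheme, expiry.
def demo
  now = 1_700_000_000
  idp = Auth0Double.new(clock: -> { now })
  code = idp.issue_code(Identity.new("auth0|123", "alice@example.test"))

  status, body = idp.token("grant_type" => "authorization_code", "code" => code)
  replay_status, = idp.token("grant_type" => "authorization_code", "code" => code)
  profile = idp.userinfo("Authorization" => "Bearer #{body['access_token']}")
  bad_scheme, = idp.userinfo("Authorization" => "Basic #{body['access_token']}")
  now += Auth0Double::ACCESS_TOKEN_TTL + 1 # the lambda reads the reassigned local
  expired, = idp.userinfo("Authorization" => "Bearer #{body['access_token']}")

  { exchange: status, replay: replay_status, profile: profile, bad_scheme: bad_scheme, expired: expired }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The two properties worth checking against a real deployment are the ones the demo exercises: a code must be dead after its first redemption, and an access token must stop resolving at /userinfo as soon as the advertised expires_in has passed, not only when the process restarts.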