Class: PG::AzureWorkloadIdentity::AuthToken

Inherits:
Object
Defined in:
lib/pg/azure_workload_identity/auth_token.rb

Overview

Wraps a fetched OAuth access token together with the moment it was generated, and answers whether it is still safely usable. Validity is measured against the monotonic clock so the answer is not affected by wall-clock jumps (NTP slews, VM clock corrections).

Constant Summary

REFRESH_THRESHOLD_SECONDS = 60

Seconds before the reported expiry at which the token is considered stale, so callers proactively refresh before it actually expires in flight.

Constructor Details

#initialize(access_token:, expires_in:, refresh_threshold: REFRESH_THRESHOLD_SECONDS) ⇒ AuthToken

Returns a new instance of AuthToken.

Parameters:

  • access_token (String)

    the bearer access token returned by the token endpoint.

  • expires_in (Integer, String)

    seconds-until-expiry as reported by the token endpoint.

  • refresh_threshold (Integer) (defaults to: REFRESH_THRESHOLD_SECONDS)

    seconds before the reported expiry at which the token should be considered stale.



# File 'lib/pg/azure_workload_identity/auth_token.rb', line 47

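def initialize(
  access_token:,
  expires_in:,
  refresh_threshold: REFRESH_THRESHOLD_SECONDS
)
  @access_token = access_token
  # expires_in is documented as Integer or String; coerce it so the
  # subtraction in #valid? works for both.
  @expiry = expires_in.to_i
  @generated_at = now
  @refresh_threshold = refresh_threshold
end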

Instance Attribute Details

#access_token ⇒ String (readonly)

Returns the bearer access token.

Returns:

  • (String)

    the bearer access token.



# File 'lib/pg/azure_workload_identity/auth_token.rb', line 20

def access_token
  @access_token
end

Class Method Details

.from_json(json) ⇒ AuthToken

Parses a token response from the Azure AD token endpoint and builds a PG::AzureWorkloadIdentity::AuthToken instance.

Parameters:

  • json (String)

    the raw JSON response body from the token endpoint.

Returns:

  • (AuthToken)

Raises:

  • (Error)

    when the JSON is invalid or lacks the expected fields.



# File 'lib/pg/azure_workload_identity/auth_token.rb', line 28

def self.from_json(json)
  JSON.parse(json).then do |data|
    # Hash#fetch raises KeyError when a required field is absent.
    new(
      access_token: data.fetch("access_token").to_s,
      expires_in: data.fetch("expires_in").to_i
    )
  end
rescue JSON::ParserError => e
  raise Error, "Failed to parse token response from JSON: #{e.message}"
rescue KeyError => e
  # e.receiver is the parsed response hash, so this message carries its values.
  raise Error, "Token response is missing key #{e.key} in #{e.receiver}"
end
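
Added example (not part of the gem's source): the rescue KeyError branch above interpolates e.receiver, which is the whole parsed response hash. When only "expires_in" is missing, the resulting message therefore contains the access_token value. The sketch below reproduces that message shape on a constructed response and compares it with a hypothetical variant that reports key names only. The helper names, the sample body and the token value are assumptions made up for this illustration.

```ruby
require "json"

# Constructed sample: a token response that lacks "expires_in".
# The token value is a made-up placeholder, not a real credential.
SAMPLE_TOKEN = "constructed-sample-token-value"
SAMPLE_BODY = JSON.generate("token_type" => "Bearer", "access_token" => SAMPLE_TOKEN)

REQUIRED_KEYS = %w[access_token expires_in].freeze

# Same message shape as the rescue KeyError branch in from_json on this page.
# Returns nil when every required key is present.
def message_with_receiver(json)
  data = JSON.parse(json)
  REQUIRED_KEYS.each { |key| data.fetch(key) }
  nil
rescue KeyError => e
  "Token response is missing key #{e.key} in #{e.receiver}"
end

# Hypothetical alternative: name the missing key and the keys that were
# present, but never interpolate the values.
def message_with_key_names(json)
  data = JSON.parse(json)
  REQUIRED_KEYS.each { |key| data.fetch(key) }
  nil
rescue KeyError => e
  present = e.receiver.respond_to?(:keys) ? e.receiver.keys.map(&:to_s).sort : []
  "Token response is missing key #{e.key} (present keys: #{present.join(', ')})"
end

# True when the secret appears in text headed for logs or error trackers.
def leaks?(message, secret)
  message.include?(secret)
end

if __FILE__ == $PROGRAM_NAME
  [message_with_receiver(SAMPLE_BODY), message_with_key_names(SAMPLE_BODY)].each do |msg|
    puts "#{leaks?(msg, SAMPLE_TOKEN) ? 'LEAKS' : 'clean'}  #{msg}"
  end
end
```

Callers that log or report PG::AzureWorkloadIdentity::Error messages should treat them as potentially containing token material.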

Instance Method Details

#valid? ⇒ Boolean

Returns true if the token is still valid with the refresh threshold applied.

Returns:

  • (Boolean)

    true if the token is still valid with the refresh threshold applied.



# File 'lib/pg/azure_workload_identity/auth_token.rb', line 60

def valid?
  # Elapsed monotonic seconds must stay below the reported lifetime
  # minus the refresh threshold.
  (now - @generated_at) < (@expiry - @refresh_threshold)
end