Class: SpreeCmCommissioner::TelegramOauthIdTokenProvider

Inherits:
BaseInteractor
  • Object
show all
Defined in:
app/interactors/spree_cm_commissioner/telegram_oauth_id_token_provider.rb

Overview

Verifies a Telegram "Login Library / OpenID Connect" id_token and extracts the user claims. The mobile app obtains the id_token directly from Telegram using PKCE (no client secret), so here we only need to validate the JWT signature against Telegram's public JWKS and check iss/aud/exp.

Docs: https://core.telegram.org/bots/telegram-login

Constant Summary collapse

ISSUER =
'https://oauth.telegram.org'.freeze
JWKS_URL =
'https://oauth.telegram.org/.well-known/jwks.json'.freeze
JWKS_CACHE_KEY =
'telegram-oauth-jwks'.freeze
SUPPORTED_ALGORITHMS =

ruby-jwt ships native support for RS256 and ES256. Telegram's JWKS also advertises EdDSA/ES256K keys, but id_tokens are signed with RS256 (kid "oidc-1") by default.

%w[RS256 ES256].freeze

Instance Method Summary collapse

Instance Method Details

#callObject

:id_token



19
20
21
22
23
24
25
26
27
28
29
30
# File 'app/interactors/spree_cm_commissioner/telegram_oauth_id_token_provider.rb', line 19

def call
  context.fail!(message: 'telegram_id_token_missing') if context.id_token.blank?

  audience = expected_audience
  context.fail!(message: 'telegram_oauth_client_id_not_configured') if audience.blank?

  claim = decode_id_token(audience)
  return if claim.nil?

  context.claim = claim
  context.provider = extract_provider_params(claim)
end