Class: SpreeCmCommissioner::TelegramOauthIdTokenProvider
- Inherits:
-
BaseInteractor
- Object
- BaseInteractor
- SpreeCmCommissioner::TelegramOauthIdTokenProvider
- Defined in:
- app/interactors/spree_cm_commissioner/telegram_oauth_id_token_provider.rb
Overview
Verifies a Telegram "Login Library / OpenID Connect" id_token and extracts the user claims. The mobile app obtains the id_token directly from Telegram using PKCE (no client secret), so here we only need to validate the JWT signature against Telegram's public JWKS and check iss/aud/exp.
Constant Summary collapse
- ISSUER =
'https://oauth.telegram.org'.freeze
- JWKS_URL =
'https://oauth.telegram.org/.well-known/jwks.json'.freeze
- JWKS_CACHE_KEY =
'telegram-oauth-jwks'.freeze
- SUPPORTED_ALGORITHMS =
ruby-jwt ships native support for RS256 and ES256. Telegram's JWKS also advertises EdDSA/ES256K keys, but id_tokens are signed with RS256 (kid "oidc-1") by default.
%w[RS256 ES256].freeze
Instance Method Summary collapse
-
#call ⇒ Object
:id_token.
Instance Method Details
#call ⇒ Object
:id_token
19 20 21 22 23 24 25 26 27 28 29 30 |
# File 'app/interactors/spree_cm_commissioner/telegram_oauth_id_token_provider.rb', line 19 def call context.fail!(message: 'telegram_id_token_missing') if context.id_token.blank? audience = expected_audience context.fail!(message: 'telegram_oauth_client_id_not_configured') if audience.blank? claim = decode_id_token(audience) return if claim.nil? context.claim = claim context.provider = extract_provider_params(claim) end |