Class: StandardId::Providers::Google

Inherits:

Base

Object
Base
StandardId::Providers::Google

show all

Defined in:: lib/standard_id/google/providers/google.rb

Constant Summary collapse

AUTH_ENDPOINT =

"https://accounts.google.com/o/oauth2/v2/auth".freeze

TOKEN_ENDPOINT =

"https://oauth2.googleapis.com/token".freeze

USERINFO_ENDPOINT =

"https://www.googleapis.com/oauth2/v2/userinfo".freeze

TOKEN_INFO_ENDPOINT =

"https://oauth2.googleapis.com/tokeninfo".freeze

DEFAULT_SCOPE =

"openid email profile".freeze

AUTHORIZATION_PARAM_DEFAULTS =

{
  scope: DEFAULT_SCOPE
}.freeze

Class Method Summary collapse

.authorization_url(state:, redirect_uri:, **options) ⇒ Object
.config_schema ⇒ Object
.default_scope ⇒ Object
.exchange_code_for_user_info(code:, redirect_uri:, nonce: nil) ⇒ Object
.fetch_user_info(access_token:) ⇒ Object
.get_user_info(code: nil, id_token: nil, access_token: nil, redirect_uri: nil, nonce: nil, **_options) ⇒ Object
.provider_name ⇒ Object
.supported_authorization_params ⇒ Object
.verify_id_token(id_token:, nonce: nil) ⇒ Object

Class Method Details

.authorization_url(state:, redirect_uri:, **options) ⇒ `Object`

# File 'lib/standard_id/google/providers/google.rb', line 25

def authorization_url(state:, redirect_uri:, **options)
  query = {
    client_id: credentials[:client_id],
    redirect_uri: redirect_uri,
    response_type: "code",
    state: state
  }

  supported_authorization_params.each do |param|
    query[param] = options[param] || AUTHORIZATION_PARAM_DEFAULTS[param]
  end

  "#{AUTH_ENDPOINT}?#{URI.encode_www_form(query.compact)}"
end

.config_schema ⇒ `Object`

# File 'lib/standard_id/google/providers/google.rb', line 58

def config_schema
  {
    google_client_id: { type: :string, default: nil },
    google_client_secret: { type: :string, default: nil }
  }
end

.default_scope ⇒ `Object`



65
66
67

# File 'lib/standard_id/google/providers/google.rb', line 65

def default_scope
  DEFAULT_SCOPE
end

.exchange_code_for_user_info(code:, redirect_uri:, nonce: nil) ⇒ `Object`

# File 'lib/standard_id/google/providers/google.rb', line 69

def exchange_code_for_user_info(code:, redirect_uri:, nonce: nil)
  raise StandardId::InvalidRequestError, "Missing authorization code" if code.blank?

  token_response = HttpClient.post_form(TOKEN_ENDPOINT, {
    client_id: credentials[:client_id],
    client_secret: credentials[:client_secret],
    code: code,
    grant_type: "authorization_code",
    redirect_uri: redirect_uri
  }.compact)

  unless token_response.is_a?(Net::HTTPSuccess)
    raise StandardId::InvalidRequestError, "Failed to exchange Google authorization code"
  end

  parsed_token = JSON.parse(token_response.body)
  access_token = parsed_token["access_token"]
  raise StandardId::InvalidRequestError, "Google response missing access token" if access_token.blank?

  # If we have an ID token in the response and a nonce was provided, verify it
  if parsed_token["id_token"].present? && nonce.present?
    verify_id_token(id_token: parsed_token["id_token"], nonce: nonce)
  end

  tokens = extract_token_payload(parsed_token)
  user_info = fetch_user_info(access_token: access_token)

  build_response(user_info, tokens: tokens)
rescue StandardError => e
  raise e if e.is_a?(StandardId::OAuthError)

  raise StandardId::OAuthError, e.message, cause: e
end

.fetch_user_info(access_token:) ⇒ `Object`

# File 'lib/standard_id/google/providers/google.rb', line 147

def fetch_user_info(access_token:)
  raise StandardId::InvalidRequestError, "Missing access token" if access_token.blank?

  verify_token(access_token)
  user_response = HttpClient.get_with_bearer(USERINFO_ENDPOINT, access_token)

  unless user_response.is_a?(Net::HTTPSuccess)
    raise StandardId::InvalidRequestError, "Failed to fetch Google user info"
  end

  JSON.parse(user_response.body)
rescue StandardError => e
  raise e if e.is_a?(StandardId::OAuthError)

  raise StandardId::OAuthError, e.message, cause: e
end

.get_user_info(code: nil, id_token: nil, access_token: nil, redirect_uri: nil, nonce: nil, **_options) ⇒ `Object`

# File 'lib/standard_id/google/providers/google.rb', line 40

def get_user_info(code: nil, id_token: nil, access_token: nil, redirect_uri: nil, nonce: nil, **_options)
  if id_token.present?
    build_response(
      verify_id_token(id_token: id_token, nonce: nonce),
      tokens: { id_token: id_token }
    )
  elsif access_token.present?
    build_response(
      fetch_user_info(access_token: access_token),
      tokens: { access_token: access_token }
    )
  elsif code.present?
    exchange_code_for_user_info(code: code, redirect_uri: redirect_uri, nonce: nonce)
  else
    raise StandardId::InvalidRequestError, "Either code, id_token, or access_token must be provided"
  end
end

.provider_name ⇒ `Object`



17
18
19

# File 'lib/standard_id/google/providers/google.rb', line 17

def provider_name
  "google"
end

.supported_authorization_params ⇒ `Object`



21
22
23

# File 'lib/standard_id/google/providers/google.rb', line 21

def supported_authorization_params
  [:nonce, :login_hint, :prompt, :scope, :access_type, :hd, :response_mode, :include_granted_scopes]
end

.verify_id_token(id_token:, nonce: nil) ⇒ `Object`

# File 'lib/standard_id/google/providers/google.rb', line 103

def verify_id_token(id_token:, nonce: nil)
  raise StandardId::InvalidRequestError, "Missing id_token" if id_token.blank?

  response = HttpClient.post_form(TOKEN_INFO_ENDPOINT, id_token: id_token)

  raise StandardId::InvalidRequestError, "Invalid or expired id_token" unless response.is_a?(Net::HTTPSuccess)

  token_info = JSON.parse(response.body)

  # Validate nonce if provided (web flow with server-generated nonce)
  if nonce.present?
    token_nonce = token_info["nonce"]
    if token_nonce != nonce
      raise StandardId::InvalidRequestError,
            "ID token nonce mismatch. Expected: #{nonce}, got: #{token_nonce}"
    end
  end

  unless token_info["aud"] == credentials[:client_id]
    raise StandardId::InvalidRequestError,
          "ID token audience mismatch. Expected: #{credentials[:client_id]}, got: #{token_info["aud"]}"
  end

  unless ["accounts.google.com", "https://accounts.google.com"].include?(token_info["iss"])
    raise StandardId::InvalidRequestError,
          "ID token issuer invalid. Expected Google, got: #{token_info["iss"]}"
  end

  {
    "sub" => token_info["sub"],
    "email" => token_info["email"],
    "email_verified" => token_info["email_verified"],
    "name" => token_info["name"],
    "given_name" => token_info["given_name"],
    "family_name" => token_info["family_name"],
    "picture" => token_info["picture"],
    "locale" => token_info["locale"]
  }.compact
rescue StandardError => e
  raise e if e.is_a?(StandardId::OAuthError)

  raise StandardId::OAuthError, e.message, cause: e
end

Class: StandardId::Providers::Google

Constant Summary collapse

Class Method Summary collapse

Class Method Details

.authorization_url(state:, redirect_uri:, **options) ⇒ Object

.config_schema ⇒ Object

.default_scope ⇒ Object

.exchange_code_for_user_info(code:, redirect_uri:, nonce: nil) ⇒ Object

.fetch_user_info(access_token:) ⇒ Object

.get_user_info(code: nil, id_token: nil, access_token: nil, redirect_uri: nil, nonce: nil, **_options) ⇒ Object

.provider_name ⇒ Object

.supported_authorization_params ⇒ Object

.verify_id_token(id_token:, nonce: nil) ⇒ Object

.authorization_url(state:, redirect_uri:, **options) ⇒ `Object`

.config_schema ⇒ `Object`

.default_scope ⇒ `Object`

.exchange_code_for_user_info(code:, redirect_uri:, nonce: nil) ⇒ `Object`

.fetch_user_info(access_token:) ⇒ `Object`

.get_user_info(code: nil, id_token: nil, access_token: nil, redirect_uri: nil, nonce: nil, **_options) ⇒ `Object`

.provider_name ⇒ `Object`

.supported_authorization_params ⇒ `Object`

.verify_id_token(id_token:, nonce: nil) ⇒ `Object`