Class: StandardId::JwtService

Inherits:
Object
  • Object
show all
Defined in:
lib/standard_id/jwt_service.rb

Constant Summary collapse

RESERVED_JWT_KEYS = 
%i[sub client_id scope grant_type exp iat aud iss nbf jti]
BASE_SESSION_FIELDS = 
%i[account_id client_id scopes grant_type aud]
SUPPORTED_ALGORITHMS =

Supported signing algorithms categorized by type Symmetric: use shared secret (Rails.application.secret_key_base) Asymmetric: use key pairs (RSA or EC private key)

{
  # HMAC (symmetric)
  "HS256" => { type: :symmetric },
  "HS384" => { type: :symmetric },
  "HS512" => { type: :symmetric },
  # RSA (asymmetric)
  "RS256" => { type: :asymmetric, key_class: OpenSSL::PKey::RSA },
  "RS384" => { type: :asymmetric, key_class: OpenSSL::PKey::RSA },
  "RS512" => { type: :asymmetric, key_class: OpenSSL::PKey::RSA },
  # ECDSA (asymmetric)
  "ES256" => { type: :asymmetric, key_class: OpenSSL::PKey::EC },
  "ES384" => { type: :asymmetric, key_class: OpenSSL::PKey::EC },
  "ES512" => { type: :asymmetric, key_class: OpenSSL::PKey::EC }
}.freeze
SESSION_CLASS = 
Concurrent::Delay.new do
  Struct.new(*(BASE_SESSION_FIELDS + claim_resolver_keys), keyword_init: true) do
    def active?
      true
    end
  end
end

Class Method Summary collapse

Class Method Details

.algorithmObject 



41
42
43
 
# File 'lib/standard_id/jwt_service.rb', line 41

def self.algorithm
  StandardId.config.oauth.signing_algorithm.to_s.upcase
end

.algorithm_configObject 



45
46
47
 
# File 'lib/standard_id/jwt_service.rb', line 45

def self.algorithm_config
  SUPPORTED_ALGORITHMS[algorithm] || raise(ArgumentError, "Unsupported algorithm: #{algorithm}. Supported: #{SUPPORTED_ALGORITHMS.keys.join(', ')}")
end

.all_verification_keysObject 



90
91
92
93
94
 
# File 'lib/standard_id/jwt_service.rb', line 90

def self.all_verification_keys
  return [] unless asymmetric?

  [{ kid: key_id, key: verification_key }] + previous_keys
end

.asymmetric?Boolean

Returns:

  • (Boolean) 


49
50
51
 
# File 'lib/standard_id/jwt_service.rb', line 49

def self.asymmetric?
  algorithm_config[:type] == :asymmetric
end

.claim_resolver_keysObject 



208
209
210
211
212
213
214
 
# File 'lib/standard_id/jwt_service.rb', line 208

def self.claim_resolver_keys
  resolvers = StandardId.config.oauth.claim_resolvers
  keys = Hash.try_convert(resolvers)&.keys
  keys.compact.map(&:to_sym).uniq.excluding(*RESERVED_JWT_KEYS)
rescue StandardError
  []
end

.decode(token) ⇒ Object 



114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
 
# File 'lib/standard_id/jwt_service.rb', line 114

def self.decode(token)
  options = { algorithms: [algorithm] }

  if StandardId.config.issuer.present?
    options[:iss] = StandardId.config.issuer
    options[:verify_iss] = true
  end

  if asymmetric? && previous_keys.any?
    # Include algorithms from previous keys for cross-algorithm rotation
    prev_algorithms = previous_keys.filter_map { |k| k[:algorithm] }
    options[:algorithms] = ([algorithm] + prev_algorithms).uniq

    # Build a JWKS set with all active keys for kid-based matching
    jwk_set = JWT::JWK::Set.new
    all_verification_keys.each do |entry|
      jwk_set << JWT::JWK.new(entry[:key], kid: entry[:kid])
    end
    options[:jwks] = jwk_set

    begin
      decoded = JWT.decode(token, nil, true, options)
      return decoded.first.with_indifferent_access
    rescue JWT::DecodeError, JWT::ExpiredSignature, JWT::InvalidIatError, JWT::InvalidIssuerError
      return nil
    end
  end

  decoded = JWT.decode(token, verification_key, true, options)
  decoded.first.with_indifferent_access
rescue JWT::DecodeError, JWT::ExpiredSignature, JWT::InvalidIatError, JWT::InvalidIssuerError
  nil
end

.decode_session(token) ⇒ Object 



148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
 
# File 'lib/standard_id/jwt_service.rb', line 148

def self.decode_session(token)
  payload = decode(token)
  return unless payload

  scopes = if payload[:scope].is_a?(String)
    payload[:scope].split(" ")
  else
    Array(payload[:scope]).compact
  end

  session_class.new(
    **payload.slice(*claim_resolver_keys),
    account_id: payload[:sub],
    client_id: payload[:client_id],
    scopes: scopes,
    grant_type: payload[:grant_type],
    aud: payload[:aud]
  )
end

.encode(payload, expires_in: 1.hour) ⇒ Object 



103
104
105
106
107
108
109
110
111
112
 
# File 'lib/standard_id/jwt_service.rb', line 103

def self.encode(payload, expires_in: 1.hour)
  payload[:exp] = expires_in.from_now.to_i
  payload[:iat] = Time.current.to_i
  payload[:iss] ||= StandardId.config.issuer if StandardId.config.issuer.present?

  headers = {}
  headers[:kid] = key_id if asymmetric?

  JWT.encode(payload, signing_key, algorithm, headers)
end

.jwksObject 



168
169
170
171
172
173
174
175
176
177
 
# File 'lib/standard_id/jwt_service.rb', line 168

def self.jwks
  return nil unless asymmetric?

  @jwks ||= begin
    exported_keys = all_verification_keys.map do |entry|
      JWT::JWK.new(entry[:key], kid: entry[:kid]).export
    end
    { keys: exported_keys }
  end
end

.key_idObject 



72
73
74
75
76
77
78
 
# File 'lib/standard_id/jwt_service.rb', line 72

def self.key_id
  return nil unless asymmetric?

  # Generate stable key ID from public key fingerprint
  # Use public_to_pem which works for both RSA and EC keys
  @key_id ||= Digest::SHA256.hexdigest(signing_key.public_to_pem)[0..7]
end

.parse_previous_key_entry(entry) ⇒ Object

Parses a previous_signing_keys entry into { kid:, key:, algorithm: } Accepts either:

- A PEM string or Pathname (uses current algorithm's key class)
- A Hash with :key (PEM/Pathname) and :algorithm (e.g. :rs256, :es256)



185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
 
# File 'lib/standard_id/jwt_service.rb', line 185

def self.parse_previous_key_entry(entry)
  if entry.is_a?(Hash)
    entry = entry.symbolize_keys
    alg = entry[:algorithm].to_s.upcase
    alg_config = SUPPORTED_ALGORITHMS[alg] || raise(ArgumentError, "Unsupported algorithm: #{alg}")
    key = parse_private_key(entry[:key], key_class: alg_config[:key_class])
  else
    alg = algorithm
    key = parse_private_key(entry)
  end

  vkey = key.is_a?(OpenSSL::PKey::EC) ? key : key.public_key
  kid = Digest::SHA256.hexdigest(key.public_to_pem)[0..7]
  { kid: kid, key: vkey, algorithm: alg }
end

.parse_private_key(key_source, key_class: nil) ⇒ Object 



201
202
203
204
205
206
 
# File 'lib/standard_id/jwt_service.rb', line 201

def self.parse_private_key(key_source, key_class: nil)
  pem = key_source.is_a?(Pathname) ? File.read(key_source) : key_source
  key_class ||= algorithm_config[:key_class]

  key_class.new(pem)
end

.previous_keysObject 



80
81
82
83
84
85
86
87
88
 
# File 'lib/standard_id/jwt_service.rb', line 80

def self.previous_keys
  return [] unless asymmetric?

  @previous_keys_cache ||= Array(StandardId.config.oauth.previous_signing_keys).filter_map do |entry|
    parse_previous_key_entry(entry)
  rescue StandardError
    nil
  end
end

.reset_cached_key!Object 



96
97
98
99
100
101
 
# File 'lib/standard_id/jwt_service.rb', line 96

def self.reset_cached_key!
  @key_id = nil
  @signing_key_cache = nil
  @previous_keys_cache = nil
  @jwks = nil
end

.session_classObject 



37
38
39
 
# File 'lib/standard_id/jwt_service.rb', line 37

def self.session_class
  SESSION_CLASS.value
end

.signing_keyObject 



53
54
55
56
57
58
59
 
# File 'lib/standard_id/jwt_service.rb', line 53

def self.signing_key
  if asymmetric?
    @signing_key_cache ||= parse_private_key(StandardId.config.oauth.signing_key)
  else
    Rails.application.secret_key_base
  end
end

.verification_keyObject 



61
62
63
64
65
66
67
68
69
70
 
# File 'lib/standard_id/jwt_service.rb', line 61

def self.verification_key
  if asymmetric?
    key = signing_key
    # For EC keys, the key itself can be used for verification
    # For RSA keys, we extract the public key
    key.is_a?(OpenSSL::PKey::EC) ? key : key.public_key
  else
    Rails.application.secret_key_base
  end
end