Class: XeroKiwi::OAuth::IDToken

Inherits:
Object
Defined in:
lib/xero_kiwi/oauth/id_token.rb

Overview

Verifies an OIDC id_token (JWT) returned by Xero. Validates the signature against Xero’s JWKS (signing algorithm restricted to ALGORITHMS, i.e. RS256) and checks the standard OIDC claims (iss, aud, exp). The nonce claim is verified only when you pass `nonce:` — if you sent a nonce in the authorisation request you must pass it here, otherwise the replay protection it provides is silently skipped.

Two ways to use this:

# 1. Via an OAuth instance — uses the instance's JWKS cache, so
#    repeated verifications don't refetch Xero's signing keys.
verified = oauth.verify_id_token(token.id_token)

# 2. Standalone class method — fetches JWKS fresh on each call.
#    Fine for one-off verification. You may pass `jwks:` to supply a
#    pre-fetched key set, but it must come from Xero's JWKS endpoint:
#    the signature check is only as trustworthy as the keys it is given.
verified = XeroKiwi::OAuth::IDToken.verify(id_token, client_id: "abc123")

verified.subject       # OIDC `sub` claim
verified.email         # nil unless the `email` scope was granted
verified.given_name    # nil unless the `profile` scope was granted
verified.expires_at    # Time
verified.claims        # full claims hash

Constant Summary collapse

ISSUER =
"https://identity.xero.com"
ALGORITHMS =
%w[RS256].freeze


Constructor Details

#initialize(claims) ⇒ IDToken

Returns a new instance of IDToken wrapping an already-decoded claims hash. No verification happens here; obtain instances through .verify (or OAuth#verify_id_token) rather than constructing one directly.



# File 'lib/xero_kiwi/oauth/id_token.rb', line 89

# Wraps an already-decoded claims hash. Nothing here re-checks the
# signature or the standard claims, so callers should obtain instances
# through .verify rather than constructing one directly.
#
# @param claims [Hash] the decoded id_token payload
def initialize(claims)
  @claims = claims
end

Instance Attribute Details

#claims ⇒ Object (readonly)

Returns the value of attribute claims.



# File 'lib/xero_kiwi/oauth/id_token.rb', line 35

# The full decoded claims hash this token was built from.
#
# @return [Hash] every claim in the id_token payload, including those
#   without a dedicated accessor
def claims = @claims

Class Method Details

.verify(id_token, client_id:, nonce: nil, jwks: nil) ⇒ IDToken



# File 'lib/xero_kiwi/oauth/id_token.rb', line 37

# Verifies an id_token and wraps its claims. Signature, issuer, audience
# and expiry checks are expected to happen inside +decode+ (not shown
# here); this method validates its arguments, optionally checks the
# nonce, and normalises JWT failures into IDTokenError.
#
# @param id_token [String] the raw JWT from Xero's token response
# @param client_id [String] your Xero client id, used as the expected
#   +aud+ value
# @param nonce [String, nil] the nonce sent in the authorisation request;
#   when given, +verify_nonce!+ is run against the decoded claims
#   (presumably it must match the token's +nonce+ claim — confirm)
# @param jwks [Object, nil] a pre-fetched key set. It must originate
#   from Xero's JWKS endpoint: the signature check is only as
#   trustworthy as the keys supplied here.
# @return [IDToken]
# @raise [ArgumentError] if id_token or client_id is nil or empty
# @raise [IDTokenError] if decoding fails (wraps JWT::DecodeError)
def self.verify(id_token, client_id:, nonce: nil, jwks: nil)
  raise ArgumentError, "id_token is required"  if id_token.nil?  || id_token.empty?
  raise ArgumentError, "client_id is required" if client_id.nil? || client_id.empty?

  payload = decode(id_token, client_id, jwks).first
  # The nonce is only checked when the caller passes one. If you sent a
  # nonce in the authorisation request you must pass it here, otherwise
  # that check is skipped entirely.
  verify_nonce!(payload, nonce) if nonce
  new(payload)
rescue JWT::DecodeError => e
  # NOTE(review): assumes the jwt gem's expiry/issuer/audience/signature
  # errors all subclass DecodeError, so they are all wrapped here.
  raise IDTokenError, "ID token verification failed: #{e.message}"
end

Instance Method Details

#email ⇒ Object



# File 'lib/xero_kiwi/oauth/id_token.rb', line 94

# The +email+ claim, present only when the `email` scope was granted.
#
# @return [Object, nil] the claim value, or nil when absent
def email
  claims["email"]
end

#expires_at ⇒ Time, nil



# File 'lib/xero_kiwi/oauth/id_token.rb', line 99

# The token's +exp+ claim as a UTC Time.
#
# @return [Time, nil] expiry instant in UTC, or nil when the claim is
#   absent (Time.at assumes +exp+ is a numeric epoch value, per JWT)
def expires_at
  exp = claims["exp"]
  exp && Time.at(exp).utc
end

#family_name ⇒ Object



# File 'lib/xero_kiwi/oauth/id_token.rb', line 96

# The +family_name+ claim, present only when the `profile` scope was granted.
#
# @return [Object, nil] the claim value, or nil when absent
def family_name
  claims["family_name"]
end

#given_name ⇒ Object



# File 'lib/xero_kiwi/oauth/id_token.rb', line 95

# The +given_name+ claim, present only when the `profile` scope was granted.
#
# @return [Object, nil] the claim value, or nil when absent
def given_name
  claims["given_name"]
end

#issued_at ⇒ Time, nil



# File 'lib/xero_kiwi/oauth/id_token.rb', line 98

# The token's +iat+ claim as a UTC Time.
#
# @return [Time, nil] issue instant in UTC, or nil when the claim is
#   absent (Time.at assumes +iat+ is a numeric epoch value, per JWT)
def issued_at
  iat = claims["iat"]
  iat && Time.at(iat).utc
end

#nonce ⇒ Object



# File 'lib/xero_kiwi/oauth/id_token.rb', line 97

# The raw +nonce+ claim from the token. Exposing it does not verify it;
# pass the expected value to .verify for that.
#
# @return [Object, nil] the claim value, or nil when absent
def nonce
  claims["nonce"]
end

#subject ⇒ Object



# File 'lib/xero_kiwi/oauth/id_token.rb', line 93

# The OIDC +sub+ claim — the stable identifier for the authenticated user.
#
# @return [Object, nil] the claim value, or nil when absent
def subject
  claims["sub"]
end