Class: Google::Auth::IDTokens::Verifier

Inherits:

Object

Object
Google::Auth::IDTokens::Verifier

show all

Defined in:: lib/googleauth/id_tokens/verifier.rb

Overview

An object that can verify ID tokens.

A verifier maintains a set of default settings, including the key source and fields to verify. However, individual verification calls can override any of these settings.

Instance Method Summary collapse

#initialize(key_source: nil, aud: nil, azp: nil, iss: nil) ⇒ Verifier constructor
Create a verifier.
#verify(token, key_source: :default, aud: :default, azp: :default, iss: :default) ⇒ Hash
Verify the given token.

Constructor Details

#initialize(key_source: nil, aud: nil, azp: nil, iss: nil) ⇒ `Verifier`

Create a verifier.

Parameters:

key_source (key source) (defaults to: nil) —
The default key source to use. All verification calls must have a key source, so if no default key source is provided here, then calls to #verify must provide a key source.
aud (String, nil) (defaults to: nil) —
The default audience (aud) check, or nil for no check.
azp (String, nil) (defaults to: nil) —
The default authorized party (azp) check, or nil for no check.
iss (String, nil) (defaults to: nil) —
The default issuer (iss) check, or nil for no check.

# File 'lib/googleauth/id_tokens/verifier.rb', line 44

def initialize key_source: nil,
               aud:        nil,
               azp:        nil,
               iss:        nil
  @key_source = key_source
  @aud = aud
  @azp = azp
  @iss = iss
end

Instance Method Details

#verify(token, key_source: :default, aud: :default, azp: :default, iss: :default) ⇒ `Hash`

Verify the given token.

Parameters:

token (String) —
the ID token to verify.
key_source (key source) (defaults to: :default) —
If given, override the key source.
aud (String, nil) (defaults to: :default) —
If given, override the aud check.
azp (String, nil) (defaults to: :default) —
If given, override the azp check.
iss (String, nil) (defaults to: :default) —
If given, override the iss check.

Returns:

(Hash) —
the decoded payload, if verification succeeded.

Raises:

(Google::Auth::IDTokens::KeySourceError) —
if the key source failed to obtain public keys
(Google::Auth::IDTokens::VerificationError) —
if the token verification failed. Additional data may be available in the error subclass and message.

# File 'lib/googleauth/id_tokens/verifier.rb', line 67

def verify token,
           key_source: :default,
           aud:        :default,
           azp:        :default,
           iss:        :default
  key_source = @key_source if key_source == :default
  aud = @aud if aud == :default
  azp = @azp if azp == :default
  iss = @iss if iss == :default

  raise KeySourceError, "No key sources" unless key_source
  keys = key_source.current_keys
  payload = decode_token token, keys, aud, azp, iss
  unless payload
    keys = key_source.refresh_keys
    payload = decode_token token, keys, aud, azp, iss
  end
  raise SignatureError, "Token not verified as issued by Google" unless payload
  payload
end