feat: support jwt aud validation for hosted apps
Vanessa Burroughs committed Dec 9, 2024
1 parent 34df698 commit 19d04d6
Showing 1 changed file with 5 additions and 6 deletions.
11 changes: 5 additions & 6 deletions lib/passageidentity/auth.rb
@@ -1,6 +1,7 @@
# frozen_string_literal: true

require 'active_support'
require 'faraday_middleware'
require 'openssl'
require 'base64'
require 'jwt'
Expand Down Expand Up @@ -82,18 +83,21 @@ def validate_jwt(token)
)
end

audiences = [@auth_origin, @app_id]

claims =
JWT.decode(
token,
nil,
true,
{
aud: @auth_origin,
aud: audiences,
verify_aud: true,
algorithms: ['RS256'],
jwks: @jwks
}
)

claims[0]['sub']
rescue JWT::InvalidIssuerError, JWT::InvalidAudError, JWT::ExpiredSignature, JWT::IncorrectAlgorithm,
JWT::DecodeError => e
Expand Down Expand Up @@ -237,11 +241,6 @@ def get_cache(key)
def set_cache(key:, jwks:)
@app_cache.write(key, jwks, expires_in: 86_400)
end

def jwk_exists(token)
kid = JWT.decode(token, nil, false)[1]['kid']
@jwks['keys'].any? { |jwk| jwk['kid'] == kid }
end
# rubocop:enable Metrics/AbcSize

deprecate(:authenticate_request, :validate_jwt, 2025, 1)
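Review bot: The new `audiences = [@auth_origin, @app_id]` widens what validate_jwt accepts without a comment saying why: with ruby-jwt, an array passed as `aud` means a token passes when its aud claim matches any one of the listed values, so a token minted only for the app ID is now accepted where the old `aud: @auth_origin` rejected it. A one-line comment above the assignment would let the next maintainer see that this is deliberate, e.g. `# Hosted-app tokens carry the app ID as audience; the auth origin stays for tokens issued to this origin. A token is accepted if its aud matches either value.` If either ivar can be nil here the array silently holds a nil that the audience intersection ignores, so `audiences = [@auth_origin, @app_id].compact` with a guard against an empty list would make the accepted set explicit — I cannot see from this hunk where the two are assigned. validate_jwt begins before the hunk and its rescue clause continues past it.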
