auth0_rs256_jwt_verifier 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 62a95cfb84c90e4b8059e318f2c7bfcee71e8b27
+  data.tar.gz: 9e6cde7f7da12eeb4ddde673900eb9eb18b2a5d3
+SHA512:
+  metadata.gz: e5d78f48de5792166fff6903c7f3740be6bf1f5bb279971deba1363ce5e5151866d22b09f74508fb44c50248193372ab345410b2af921a7f9ba493b3a8eefd4e
+  data.tar.gz: 93a0adcddc9c89f60e846fe4331a1308d5c4c04d35098206d5cf105abea32ab06a2b36622cdda900e6d95cec243430bdfe8560f73e982153f682dcf591c8c397

data/.gitignore

@@ -0,0 +1,2 @@
+*.gem
+Gemfile.lock

data/.rubocop.yml

@@ -0,0 +1,9 @@
+inherit_gem:
+  sanelint:
+    - config/default.yml
+
+AllCops:
+  TargetRubyVersion: 2.4
+
+Style/Documentation:
+  Enabled: false

data/Gemfile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+source "https://rubygems.org"
+ruby "~> 2.4.0"
+
+gem "minitest", "~> 5"
+gem "rake", "~> 12.0.0"
+gem "http", "~>2.2.2"
+gem "json-jwt", "~> 1.7.2"

data/README.md

@@ -0,0 +1,6 @@
+# Auth0 JWT (RS256) verification library
+[Auth0](https://auth0.com) is web service handling users identities which can be easily plugged
+into your application. It provides [SDKs](https://auth0.com/docs) for many languages which enable you to sign up/in users
+and returns access token ([JWT](https://jwt.io)) in exchange. Access token can be used then to access your's Web Service.
+This gem helps you to [verify](https://auth0.com/docs/api-auth/tutorials/verify-access-token#verify-the-signature)
+such access token which has been signed using the RS256 algorithm.

data/Rakefile

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+require "rake/testtask"
+
+Rake::TestTask.new do |t|
+  t.libs << "test"
+  t.pattern = "test/**/*_test.rb"
+end
+
+desc "Run tests"
+task default: :test

data/auth0_rs256_jwt_verifier.gemspec

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+Gem::Specification.new do |s|
+  s.name        = "auth0_rs256_jwt_verifier"
+  s.version     = "0.0.1"
+  s.date        = "2017-06-12"
+  s.summary     = "Auth0 JWT (RS256) verification library"
+  s.description = <<-DESCRIPTION.gsub(/\s+/, " ").strip
+                    Auth0 (https://auth0.com) is web service handling users identities which can be easily plugged
+                    into your application. It provides SDKs for many languages which enable you to sign up/in users
+                    and returns access token (JWT) in exchange. Access token can be used then to access your's Web Service.
+                    This gem helps you to verify
+                    (https://auth0.com/docs/api-auth/tutorials/verify-access-token#verify-the-signature)
+                    such access token which has been signed using the RS256 algorithm.
+                  DESCRIPTION
+  s.authors     = ["Krzysztof Zielonka"]
+  s.email       = "krzysztof.zielonka@droidsonroids.pl"
+  s.files       = `git ls-files`.split("\n")
+  s.test_files  = `git ls-files -- {test}/*`.split("\n")
+  s.homepage    = "https://rubygems.org/gems/auth0_rs256_jwt_verifier"
+  s.license     = "MIT"
+  s.add_runtime_dependency "http", "~> 2"
+  s.add_runtime_dependency "json-jwt", "~> 1.7"
+  s.add_development_dependency "rake", "~> 12"
+  s.add_development_dependency "minitest", "~> 5"
+end

data/lib/auth0_access_tokens_rs256_verifier.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+require "http"
+require "json"
+
+require "auth0_jwt_rs256_verifier/user_id"
+require "auth0_jwt_rs256_verifier/results"
+require "auth0_jwt_rs256_verifier/jwt_decoder"
+require "auth0_jwt_rs256_verifier/jwt_decoder_wrapper"
+require "auth0_jwt_rs256_verifier/jwk_set_downloader"
+require "auth0_jwt_rs256_verifier/valid_jwk_set"
+require "auth0_jwt_rs256_verifier/certs_set"
+require "auth0_jwt_rs256_verifier/exp_verifier"
+require "auth0_jwt_rs256_verifier/jwk"
+
+class Auth0RS256JWTVerifier
+  def initialize(issuer:, audience:, jwks_url:, http: HTTP, exp_verifier: ExpVerifier.new)
+    @audience        = audience
+    @issuer          = issuer
+    @jwks_url        = jwks_url
+    @jwks_downloader = JWKSetDownloader.new(http)
+    @exp_verifier    = exp_verifier
+    @certificates    = nil
+  end
+
+  def verify(access_token)
+    payload = JWTDecoderWrapper.new(
+      @audience,
+      @issuer,
+      certificates,
+      exp_verifier: @exp_verifier,
+      jwt_decoder: JWTDecoder.new,
+    ).decode(access_token)
+    Results::ValidAccessToken.new(UserId.new(payload.sub))
+  rescue JWTDecoderWrapper::Error
+    Results::INVALID_ACCESS_TOKEN
+  end
+
+  private
+
+  def certificates
+    return @certificates if @certificates
+    @certificates = CertsSet.new(ValidJWKSet.new(@jwks_downloader.download(@jwks_url)))
+  end
+end

data/lib/auth0_rs256_jwt_verifier.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+require "http"
+require "json"
+
+require "auth0_rs256_jwt_verifier/user_id"
+require "auth0_rs256_jwt_verifier/results"
+require "auth0_rs256_jwt_verifier/jwt_decoder"
+require "auth0_rs256_jwt_verifier/jwt_decoder_wrapper"
+require "auth0_rs256_jwt_verifier/jwk_set_downloader"
+require "auth0_rs256_jwt_verifier/valid_jwk_set"
+require "auth0_rs256_jwt_verifier/certs_set"
+require "auth0_rs256_jwt_verifier/exp_verifier"
+require "auth0_rs256_jwt_verifier/jwk"
+
+class Auth0RS256JWTVerifier
+  def initialize(issuer:, audience:, jwks_url:, http: HTTP, exp_verifier: ExpVerifier.new)
+    @audience        = audience
+    @issuer          = issuer
+    @jwks_url        = jwks_url
+    @jwks_downloader = JWKSetDownloader.new(http)
+    @exp_verifier    = exp_verifier
+    @certificates    = nil
+  end
+
+  def verify(access_token)
+    payload = JWTDecoderWrapper.new(
+      @audience,
+      @issuer,
+      certificates,
+      exp_verifier: @exp_verifier,
+      jwt_decoder: JWTDecoder.new,
+    ).decode(access_token)
+    Results::ValidAccessToken.new(UserId.new(payload.sub))
+  rescue JWTDecoderWrapper::Error
+    Results::INVALID_ACCESS_TOKEN
+  end
+
+  private
+
+  def certificates
+    return @certificates if @certificates
+    @certificates = CertsSet.new(ValidJWKSet.new(@jwks_downloader.download(@jwks_url)))
+  end
+end

data/lib/auth0_rs256_jwt_verifier/certs_set.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+require "base64"
+class Auth0RS256JWTVerifier
+  class CertsSet
+    NotFoundError = Class.new(RuntimeError)
+
+    def initialize(jwk_set)
+      @jwk_set = jwk_set
+    end
+
+    def find(id)
+      cert = certs.find { |c| c.id == id }
+      raise NotFoundError, "cert #{id} doesn't exist" if cert.nil?
+      cert.cert
+    end
+
+    private
+
+    CertWithId = Struct.new(:id, :cert)
+    private_constant :CertWithId
+
+    def certs
+      @certs ||= @jwk_set.map { |jwk| CertWithId.new(jwk.kid, build_cert(jwk)) }
+    end
+
+    def build_cert(jwk)
+      encoded = Base64.decode64(String(jwk.x5c.first))
+      OpenSSL::X509::Certificate.new(encoded)
+    end
+  end
+end

data/lib/auth0_rs256_jwt_verifier/exp_verifier.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+class Auth0RS256JWTVerifier
+  class ExpVerifier
+    def expired?(exp)
+      Time.at(exp).utc < Time.now.utc
+    end
+  end
+end

data/lib/auth0_rs256_jwt_verifier/jwk.rb

@@ -0,0 +1,138 @@
+# frozen_string_literal: true
+class Auth0RS256JWTVerifier
+  class JWK
+    ParseError = Class.new(RuntimeError)
+
+    def inspect
+      "JWK(\n"                    \
+      "\talg: #{@alg},\n"         \
+      "\tkty: #{@kty},\n"         \
+      "\tuse: #{@use},\n"         \
+      "\tx5c: #{@x5c.inspect.split("\n").map { |l| "\t#{l}" }.join("\n")},\n" \
+      "\tn: #{@n},\n"             \
+      "\te: #{@e},\n"             \
+      "\tkid: #{@kid},\n"         \
+      "\tx5t: #{@x5t}\n"          \
+      ")"
+    end
+
+    class JWKMember
+      def present?
+        raise NotImplementedMethod
+      end
+    end
+
+    class OptionalStringJWKMember
+      include Comparable
+
+      def initialize(value)
+        if value.nil?
+          @value = nil
+        elsif value.is_a?(String)
+          @value = value
+        else
+          raise ParseError, "require field #{self.class.name} to be String but is '#{value}'"
+        end
+      end
+
+      def <=>(other)
+        @value <=> String(other)
+      end
+
+      def to_s
+        @value
+      end
+
+      def present?
+        !@value.nil?
+      end
+    end
+    private_constant :OptionalStringJWKMember
+
+    class RequiredStringJWKMember
+      include Comparable
+
+      def initialize(value)
+        if value.is_a?(String)
+          @value = value
+        elsif value.nil?
+          raise PraseError, "field #{self.class.name} is required"
+        else
+          raise ParseError, "require field #{self.class.name} to be String but is '#{value}'"
+        end
+      end
+
+      def <=>(other)
+        @value <=> String(other)
+      end
+
+      def to_s
+        @value
+      end
+
+      def present?
+        true
+      end
+    end
+    private_constant :RequiredStringJWKMember
+
+    Kty = Class.new(RequiredStringJWKMember)
+    Use = Class.new(OptionalStringJWKMember)
+    Alg = Class.new(OptionalStringJWKMember)
+    N   = Class.new(OptionalStringJWKMember)
+    E   = Class.new(OptionalStringJWKMember)
+    Kid = Class.new(OptionalStringJWKMember)
+    X5T = Class.new(OptionalStringJWKMember)
+
+    class X5C
+      include Enumerable
+
+      class Certificate
+        def initialize(certificate)
+          raise ParseError unless certificate.is_a?(String)
+          @certificate = certificate
+        end
+
+        def to_s
+          @certificate
+        end
+
+        def to_str
+          to_s
+        end
+      end
+
+      def initialize(certificates)
+        if certificates.nil?
+          @certificates = nil
+        else
+          raise ParseError unless certificates.is_a?(Array)
+          @certificates = certificates.map { |certificate| Certificate.new(certificate) }
+        end
+      end
+
+      def inspect
+        "X5C(\n#{@certificates.map { |c| "\t#{c}" }.join(",\n")}\n\t)"
+      end
+
+      def present?
+        !@certificates.nil?
+      end
+
+      def each
+        return unless present?
+        @certificates.each { |cert| yield cert }
+      end
+    end
+
+    def initialize(hash)
+      raise ParseError unless hash.is_a?(Hash)
+      %i(Alg Kty Use X5C N E Kid X5T).each do |field_name|
+        field = self.class.const_get(field_name).new(hash[String(field_name).downcase])
+        instance_variable_set("@#{String(field_name).downcase}", field)
+      end
+    end
+
+    attr_reader :alg, :kty, :use, :x5c, :n, :e, :kid, :x5t
+  end
+end

data/lib/auth0_rs256_jwt_verifier/jwk_set_downloader.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+class Auth0RS256JWTVerifier
+  class JWKSetDownloader
+    InvalidJWKSetError = Class.new(RuntimeError)
+
+    class JWKSet
+      include Enumerable
+
+      ParseError = Class.new(RuntimeError)
+
+      def initialize(hash)
+        raise ParseError if hash["keys"].is_a?(Hash)
+        @keys = hash["keys"].map { |key| JWK.new(key) }
+      end
+
+      def each
+        @keys.each { |key| yield key }
+      end
+
+      def inspect
+        "JWKSet(#{@keys.collect(&:inspect).join(", ")})"
+      end
+    end
+    private_constant :JWKSet
+
+    def initialize(http)
+      @http = http
+    end
+
+    def download(url)
+      body = @http.get(url)
+      json = JSON.parse(body)
+      begin
+        JWKSet.new(json)
+      rescue JWKSet::ParseError
+        raise InvalidJWKSetError
+      end
+    end
+  end
+  private_constant :JWKSetDownloader
+end

data/lib/auth0_rs256_jwt_verifier/jwt_decoder.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+require "json/jwt"
+
+class Auth0RS256JWTVerifier
+  class JWTDecoder
+    def decode(jwt_str)
+      jwt = JSON::JWT.decode(jwt_str, :skip_verification)
+      DecodedJWT.new(jwt)
+    end
+
+    def signed_with?(jwt_str, public_key)
+      JSON::JWT.decode(jwt_str, public_key)
+      true
+    rescue JSON::JWS::VerificationFailed
+      false
+    end
+
+    class DecodedJWT
+      def initialize(jwt)
+        @jwt = jwt
+      end
+
+      def [](k)
+        case k
+        when :alg then @jwt.alg
+        when :kid then @jwt.header[:kid]
+        else @jwt[k]
+        end
+      end
+
+      def key?(k)
+        ![k].nil?
+      end
+    end
+    private_constant :DecodedJWT
+  end
+  private_constant :JWTDecoder
+end

data/lib/auth0_rs256_jwt_verifier/jwt_decoder_wrapper.rb

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+class Auth0RS256JWTVerifier
+  class JWTDecoderWrapper
+    Payload = Struct.new(:sub)
+    private_constant :Payload
+
+    Error                = Class.new(RuntimeError)
+    InvalidJWTError      = Class.new(Error)
+    InvalidAlgError      = Class.new(Error)
+    InvalidAudienceError = Class.new(Error)
+    InvalidIssuerError   = Class.new(Error)
+    MissingSubError      = Class.new(Error)
+    InvalidSubError      = Class.new(Error)
+    VerificationError    = Class.new(Error)
+    MissingExpError      = Class.new(Error)
+    InvalidExpError      = Class.new(Error)
+    JWTExpiredError      = Class.new(Error)
+    CertNotFoundError    = Class.new(Error)
+
+    def initialize(audience, issuer, certificates, exp_verifier:, jwt_decoder:)
+      @audience     = audience
+      @issuer       = issuer
+      @certificates = certificates
+      @exp_verifier = exp_verifier
+      @jwt_decoder  = jwt_decoder
+    end
+
+    def decode(jwt_str)
+      jwt_str = String(jwt_str)
+
+      decoded_jwt = raw_decode(jwt_str)
+
+      verify_alg(decoded_jwt)
+
+      public_key = find_public_key_for(decoded_jwt)
+      verify_is_signed(jwt_str, public_key)
+
+      # verify JWT
+      verify_expiration_time(decoded_jwt)
+      verify_audience(decoded_jwt)
+      verify_issuer(decoded_jwt)
+      verify_sub(decoded_jwt)
+
+      Payload.new(decoded_jwt[:sub])
+    end
+
+    private
+
+    def raw_decode(jwt_str)
+      @jwt_decoder.decode(jwt_str)
+    rescue StandardError => e
+      raise InvalidJWTError, e.message
+    end
+
+    def verify_alg(decoded_jwt)
+      alg = decoded_jwt[:alg]
+      raise InvalidAlgError, "alg should be RS256 but is #{alg}" unless alg == "RS256"
+    end
+
+    def find_public_key_for(decoded_jwt)
+      kid = decoded_jwt[:kid]
+      @certificates.find(kid).public_key
+    rescue CertsSet::NotFoundError => e
+      raise CertNotFoundError, e.message
+    end
+
+    def verify_is_signed(jwt_str, public_key)
+      raise VerificationError unless @jwt_decoder.signed_with?(jwt_str, public_key)
+    rescue StandardError => e
+      raise VerificationError, e.message
+    end
+
+    def verify_expiration_time(decoded_jwt)
+      verify_exp_exist(decoded_jwt)
+      verify_exp_is_int(decoded_jwt)
+      raise JWTExpiredError, "jwt expired" if @exp_verifier.expired?(decoded_jwt[:exp])
+    end
+
+    def verify_exp_exist(decoded_jwt)
+      raise MissingExpError, "missing 'exp' jwt key" unless decoded_jwt.key?(:exp)
+    end
+
+    def verify_exp_is_int(decoded_jwt)
+      return if decoded_jwt[:exp].is_a?(Integer)
+      raise InvalidExpError, "jwt 'exp' field must be an integer"
+    end
+
+    def verify_audience(decoded_jwt)
+      raise InvalidAudienceError unless Array(decoded_jwt[:aud]).include?(@audience)
+    end
+
+    def verify_issuer(decoded_jwt)
+      raise InvalidIssuerError unless decoded_jwt[:iss] == @issuer
+    end
+
+    def verify_sub(decoded_jwt)
+      raise MissingSubError unless decoded_jwt.key?(:sub)
+      raise InvalidSubError unless decoded_jwt[:sub].is_a?(String)
+    end
+  end
+  private_constant :JWTDecoderWrapper
+end

data/lib/auth0_rs256_jwt_verifier/results.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+class Auth0RS256JWTVerifier
+  module Results
+    class Base
+      def valid?
+        raise NotImplementedMethod
+      end
+
+      def invalid?
+        !valid?
+      end
+
+      def on(_)
+        raise NotImplementedMethod
+      end
+    end
+    private_constant :Base
+
+    class ValidAccessToken < Base
+      def initialize(user_id)
+        @user_id = user_id
+      end
+
+      attr_reader :user_id
+
+      def valid?
+        true
+      end
+
+      def on(type)
+        yield @user_id if type == :valid
+        self
+      end
+
+      def inspect
+        "Auth0RS256JWTVerifier::Results::ValidAccessToken(user_id: #{@user_id})"
+      end
+    end
+
+    INVALID_ACCESS_TOKEN = Class.new(Base) do
+      def valid?
+        false
+      end
+
+      def on(type)
+        yield if type == :invalid
+        self
+      end
+
+      def inspect
+        "Auth0RS256JWTVerifier::Results::INVALID_ACCESS_TOKEN"
+      end
+    end.new.freeze
+  end
+  private_constant :Results
+end

data/lib/auth0_rs256_jwt_verifier/user_id.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+class Auth0RS256JWTVerifier
+  class UserId
+    def initialize(id)
+      @id = String(id).dup.freeze
+    end
+
+    def to_s
+      @id
+    end
+
+    def to_str
+      to_s
+    end
+
+    def ==(other)
+      String(self) == String(other)
+    end
+
+    def inspect
+      "Auth0RS256JWTVerifier::UserId(#{@id})"
+    end
+  end
+  private_constant :UserId
+end

data/lib/auth0_rs256_jwt_verifier/valid_jwk_set.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+class Auth0RS256JWTVerifier
+  class ValidJWKSet
+    include Enumerable
+
+    def initialize(jwk_set)
+      @jwk_set = jwk_set
+    end
+
+    def each
+      filtered.each { |jwk| yield jwk }
+    end
+
+    private
+
+    def filtered
+      @filtered ||= @jwk_set.select { |jwk| valid_jwk?(jwk) }
+    end
+
+    def valid_jwk?(jwk)
+      jwk.use == "sig" &&
+        jwk.kty == "RSA" &&
+        jwk.kid.present? &&
+        jwk.x5c.any?
+    end
+  end
+end

data/test/.rubocop.yml

@@ -0,0 +1,11 @@
+inherit_from:
+  - ../.rubocop.yml
+
+Metrics/ClassLength:
+  Enabled: false
+
+Metrics/BlockLength:
+  Enabled: false
+
+RSpec:
+  Enabled: false

data/test/auth0_rs256_jwt_verifier/jwt_decoder_test.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+require "test_helper"
+
+class Auth0RS256JWTVerifier
+  describe JWTDecoder do
+    before :each do
+      @decoder = JWTDecoder.new
+    end
+
+    it "should decodde simple jwt" do
+      jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImlkMTIzNCJ9." \
+            "eyJzdWIiOiIxMjM0NTY3ODkwIiwiYXVkIjoiYXVkaWVuY2UiLCJpc3MiO" \
+            "iJpc3N1ZXIifQ.cp374RbcG-q8rTLxSoWtLK7dtn5cBa3_g4riKL9OSt0"
+      result = @decoder.decode(jwt)
+      assert_equal "HS256",    result[:alg]
+      assert_equal "id1234",   result[:kid]
+      assert_equal "audience", result[:aud]
+      assert_equal "issuer",   result[:iss]
+    end
+  end
+end

data/test/auth0_rs256_jwt_verifier/jwt_decoder_wrapper_test.rb

@@ -0,0 +1,237 @@
+# frozen_string_literal: true
+require "test_helper"
+
+class Auth0RS256JWTVerifier
+  describe JWTDecoderWrapper do
+    class JWTDecoderWrapperFake
+      def decode(_jwt)
+        {}
+      end
+
+      def signed_with?(_jwt, _public_key)
+        true
+      end
+    end
+
+    class CertsSetFake
+      def find(_id)
+        CertFake.new
+      end
+    end
+
+    class CertFake
+      def public_key
+        "ascd"
+      end
+    end
+
+    class ExpVerifierFake
+      def expired?(_)
+        false
+      end
+    end
+
+    before :all do
+      @decoder      = JWTDecoderWrapperFake.new
+      @certs_set    = CertsSetFake.new
+      @exp_verifier = ExpVerifierFake.new
+      @audience     = "valid audience"
+      @issuer       = "valid issuer"
+
+      @jwt_decoder = factory_subject
+    end
+
+    it "should execute JWT#decode & JWT#verify with valid args" do
+      jwt_str = "JWT to decode"
+      public_key = "valid public key"
+      cert = Object.new
+      cert.define_singleton_method(:public_key) { public_key }
+
+      @decoder = Minitest::Mock.new
+      @decoder.expect(:decode, valid_decoded_jwt, [jwt_str])
+      @decoder.expect(:signed_with?, valid_decoded_jwt, [jwt_str, public_key])
+
+      @jwt_decoder = factory_subject(jwt_decoder: @decoder)
+
+      @certs_set.stub(:find, cert) do
+        @jwt_decoder.decode(jwt_str)
+      end
+
+      @decoder.verify
+    end
+
+    it "should raise InvalidJWTError if adapter#decode raises standard error" do
+      @decoder.stub(:decode, ->(*_) { raise StandardError }) do
+        assert_raises(JWTDecoderWrapper::InvalidJWTError) do
+          @jwt_decoder.decode("jwt")
+        end
+      end
+    end
+
+    it "should raise InvalidAlgError" do
+      @decoder.stub(
+        :decode,
+        valid_decoded_jwt(alg: "HS256"),
+      ) do
+        assert_raises(JWTDecoderWrapper::InvalidAlgError) do
+          @jwt_decoder.decode("jwt")
+        end
+      end
+    end
+
+    it "should raise CertNotFoundError" do
+      @decoder.stub(
+        :decode,
+        valid_decoded_jwt(kid: "unexisting key"),
+      ) do
+        @certs_set.stub(
+          :find,
+          ->(*_) { raise CertsSet::NotFoundError },
+        ) do
+          assert_raises(JWTDecoderWrapper::CertNotFoundError) do
+            @jwt_decoder.decode("jwt")
+          end
+        end
+      end
+    end
+
+    it "should raise VerificationError" do
+      @decoder.stub(:decode, valid_decoded_jwt) do
+        @decoder.stub(:signed_with?, false) do
+          assert_raises(JWTDecoderWrapper::VerificationError) do
+            @jwt_decoder.decode("jwt")
+          end
+        end
+      end
+    end
+
+    it "should raise VerificationError if adapter#signed_with raises StandardError" do
+      @decoder.stub(:decode, valid_decoded_jwt) do
+        @decoder.stub(:signed_with?, ->(*_) { raise StandardError }) do
+          assert_raises(JWTDecoderWrapper::VerificationError) do
+            @jwt_decoder.decode("jwt")
+          end
+        end
+      end
+    end
+
+    it "should raise missing exp error" do
+      @decoder.stub(
+        :decode,
+        valid_decoded_jwt.reject { |k, _| k == :exp },
+      ) do
+        assert_raises(JWTDecoderWrapper::MissingExpError) do
+          @jwt_decoder.decode("jwt")
+        end
+      end
+    end
+
+    it "should raise invalid exp error" do
+      @decoder.stub(
+        :decode,
+        valid_decoded_jwt(exp: "1234"),
+      ) do
+        assert_raises(JWTDecoderWrapper::InvalidExpError) do
+          @jwt_decoder.decode("jwt")
+        end
+      end
+    end
+
+    it "should raise jwt expired error" do
+      @decoder.stub(
+        :decode,
+        valid_decoded_jwt(exp: 1234),
+      ) do
+        @exp_verifier.stub(:expired?, true) do
+          assert_raises(JWTDecoderWrapper::JWTExpiredError) do
+            @jwt_decoder.decode("jwt")
+          end
+        end
+      end
+    end
+
+    it "should raise invalid audience error" do
+      @decoder.stub(
+        :decode,
+        valid_decoded_jwt(aud: "invalid audience"),
+      ) do
+        assert_raises(JWTDecoderWrapper::InvalidAudienceError) do
+          @jwt_decoder.decode("jwt")
+        end
+      end
+    end
+
+    it "should raise invalid issuer error" do
+      @decoder.stub(
+        :decode,
+        valid_decoded_jwt(iss: "invalid issuer"),
+      ) do
+        assert_raises(JWTDecoderWrapper::InvalidIssuerError) do
+          @jwt_decoder.decode("jwt")
+        end
+      end
+    end
+
+    it "should raise missing sub error" do
+      @decoder.stub(
+        :decode,
+        valid_decoded_jwt.reject { |k, _| k == :sub },
+      ) do
+        assert_raises(JWTDecoderWrapper::MissingSubError) do
+          @jwt_decoder.decode("jwt")
+        end
+      end
+    end
+
+    it "should raise invalid sub error" do
+      @decoder.stub(
+        :decode,
+        valid_decoded_jwt(sub: { id: 1 }),
+      ) do
+        assert_raises(JWTDecoderWrapper::InvalidSubError) do
+          @jwt_decoder.decode("jwt")
+        end
+      end
+    end
+
+    it "should raise nothing and return payload with sub" do
+      sub = "sub1234"
+      @decoder.stub(
+        :decode,
+        valid_decoded_jwt(sub: sub),
+      ) do
+        begin
+          payload = @jwt_decoder.decode("jwt")
+          assert_respond_to payload, :sub
+          assert_equal sub, payload.sub
+        rescue StandardError => e
+          refute "expected to not return any error buty got #{e}"
+        end
+      end
+    end
+
+    private
+
+    def factory_subject(dependencies = {})
+      default_dependencies = {
+        exp_verifier: @exp_verifier,
+        jwt_decoder:  @decoder,
+      }
+      JWTDecoderWrapper.new(
+        @audience, @issuer, @certs_set,
+        default_dependencies.merge(dependencies)
+      )
+    end
+
+    def valid_decoded_jwt(overwrites = {})
+      {
+        alg: "RS256",
+        kid: "id1",
+        exp: 1234,
+        aud: @audience,
+        iss: @issuer,
+        sub: "1234",
+      }.merge(overwrites)
+    end
+  end
+end

data/test/auth0_rs256_jwt_verifier_test.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+require "test_helper"
+
+describe Auth0RS256JWTVerifier do
+  it "verifies successfully access token" do
+    auth0 = Auth0RS256JWTVerifier.new(
+      issuer:       "https://multi-jobbers.eu.auth0.com/",
+      audience:     "https://multijobbers.herokuapp.com/",
+      jwks_url:     "https://multi-jobbers.eu.auth0.com/.well-known/jwks.json",
+      http:         http_stub,
+      exp_verifier: exp_verifier_stub,
+    )
+
+    verification_result = auth0.verify(
+      "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik5rTkJPRFEzUWpNeFF6WkVOa1" \
+      "kzUVVNMk9VTTFSVGMxUTBZMk4wUXdSVGRHTWpkRk9UQkROdyJ9.eyJpc3MiOiJodHRwczo" \
+      "vL211bHRpLWpvYmJlcnMuZXUuYXV0aDAuY29tLyIsInN1YiI6IjZwM2tFc0pkOUhteGFxV" \
+      "VIwdXN3c1VFRUdoZTNuQ05IQGNsaWVudHMiLCJhdWQiOiJodHRwczovL211bHRpam9iYmV" \
+      "ycy5oZXJva3VhcHAuY29tLyIsImV4cCI6MTQ5NzE4MTMzNSwiaWF0IjoxNDk3MDk0OTM1L" \
+      "CJzY29wZSI6IiJ9.LPtyDb26UxS5NKHEU2VJdmj7pDI4-tfgue2Ttk62H0a9XehsCArwwy" \
+      "QtI2ZAXxY8gQGS4dhXpcDqevmpfAy9zcjMEvvjWqmcGpepL8bn4MUJ_lAmL3A3FJXduf8T" \
+      "pHRXUHiMcdGT0vcFrv5kkMHDzTiwvOUxPcRT5nufX16Vqg3MTQS5pDb2NPcLCqI4PrJhse" \
+      "uJnDthxYelUvf6AIyVesuK5e3g8FLiXjZoPmwr3u6xeljF2KECetBPskKI8MgWrhIDD9Zv" \
+      "-O_fV1UZ41M-7zURcsQNYV--knHuX0i6nF46JlnbdqoA35d8LJvtnzbiO7hj8mP_GMa8FS" \
+      "cKqq5D8w",
+    )
+
+    expected_user_id = "6p3kEsJd9HmxaqUR0uswsUEEGhe3nCNH@clients"
+
+    assert verification_result.valid?
+    refute verification_result.invalid?
+    assert_equal expected_user_id, verification_result.user_id
+  end
+
+  it "fails when jwt public key verification is not successful" do
+    auth0 = Auth0RS256JWTVerifier.new(
+      issuer:       "https://example.eu.auth0.com/",
+      audience:     "https://multijobbers.herokuapp.com/",
+      jwks_url:     "https://multi-jobbers.eu.auth0.com/.well-known/jwks.json",
+      http:         http_stub,
+      exp_verifier: exp_verifier_stub,
+    )
+
+    verification_result = auth0.verify(
+      "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik5rTkJPRFEzUWpNeFF6WkVOa1" \
+      "kzUVVNMk9VTTFSVGMxUTBZMk4wUXdSVGRHTWpkRk9UQkROdyJ9.eyJpc3MiOiJodHRwczo" \
+      "vL211bHRpLWpvYmJlcnMuZXUuYXV0aDAuY29tLyIsInN1YiI6IjZwM2tFc0pkOUhteGFxV" \
+      "VIwdXN3c1VFRUdoZTNuQ05IQGNsaWVudHMiLCJhdWQiOiJodHRwczovL211bHRpam9iYmV" \
+      "ycy5oZXJva3VhcHAuY29tLyIsImV4cCI6MTQ5NzQ3NzYyOCwiaWF0IjoxNDk3MzkxMjI4L" \
+      "CJzY29wZSI6IiJ9.aGhyzkMM7sE4FNSijzRJlIvJQwx4tBq8uJbL0Taq9I41YOuSWPF4eC" \
+      "8886EU3gLkOiEpYlSkX9SHINljHR2ajcNBXoCThbREyReY_ZDjNfXZRREYWT6x8wT5WtmM" \
+      "xdxpOOVIXKrxkhfy57vGJs2clpo2MTFEVNPYhslMv-p_WLY",
+    )
+
+    refute verification_result.valid?
+    assert verification_result.invalid?
+  end
+
+  it "fails when jwt is expired" do
+    auth0 = Auth0RS256JWTVerifier.new(
+      issuer:       "https://multi-jobbers.eu.auth0.com/",
+      audience:     "https://multijobbers.herokuapp.com/",
+      jwks_url:     "https://multi-jobbers.eu.auth0.com/.well-known/jwks.json",
+      http:         http_stub,
+      exp_verifier: exp_verifier_stub(expired: true),
+    )
+
+    verification_result = auth0.verify(
+      "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik5rTkJPRFEzUWpNeFF6WkVOa1" \
+      "kzUVVNMk9VTTFSVGMxUTBZMk4wUXdSVGRHTWpkRk9UQkROdyJ9.eyJpc3MiOiJodHRwczo" \
+      "vL211bHRpLWpvYmJlcnMuZXUuYXV0aDAuY29tLyIsInN1YiI6IjZwM2tFc0pkOUhteGFxV" \
+      "VIwdXN3c1VFRUdoZTNuQ05IQGNsaWVudHMiLCJhdWQiOiJodHRwczovL211bHRpam9iYmV" \
+      "ycy5oZXJva3VhcHAuY29tLyIsImV4cCI6MTQ5NzE4MTMzNSwiaWF0IjoxNDk3MDk0OTM1L" \
+      "CJzY29wZSI6IiJ9.LPtyDb26UxS5NKHEU2VJdmj7pDI4-tfgue2Ttk62H0a9XehsCArwwy" \
+      "QtI2ZAXxY8gQGS4dhXpcDqevmpfAy9zcjMEvvjWqmcGpepL8bn4MUJ_lAmL3A3FJXduf8T" \
+      "pHRXUHiMcdGT0vcFrv5kkMHDzTiwvOUxPcRT5nufX16Vqg3MTQS5pDb2NPcLCqI4PrJhse" \
+      "uJnDthxYelUvf6AIyVesuK5e3g8FLiXjZoPmwr3u6xeljF2KECetBPskKI8MgWrhIDD9Zv" \
+      "-O_fV1UZ41M-7zURcsQNYV--knHuX0i6nF46JlnbdqoA35d8LJvtnzbiO7hj8mP_GMa8FS" \
+      "cKqq5D8w",
+    )
+
+    refute verification_result.valid?
+    assert verification_result.invalid?
+  end
+
+  it "fails when jwt is random string" do
+    auth0 = Auth0RS256JWTVerifier.new(
+      issuer:       "https://multi-jobbers.eu.auth0.com/",
+      audience:     "https://multijobbers.herokuapp.com/",
+      jwks_url:     "https://multi-jobbers.eu.auth0.com/.well-known/jwks.json",
+      http:         http_stub,
+      exp_verifier: exp_verifier_stub(expired: true),
+    )
+
+    verification_result = auth0.verify("random string")
+
+    refute verification_result.valid?
+    assert verification_result.invalid?
+  end
+
+  private
+
+  def http_stub
+    @http_stub = Object.new
+    jwks = sample_jwks
+    @http_stub.define_singleton_method(:get) { |*_| jwks }
+    @http_stub
+  end
+
+  def exp_verifier_stub(expired: false)
+    @exp_verifier_stub = Object.new
+    @exp_verifier_stub.define_singleton_method(:expired?) { |*_| expired }
+    @exp_verifier_stub
+  end
+
+  def sample_jwks
+    @sample_jwsk ||= File.read("./test/fixtures/sample_jwks.json")
+  end
+end

data/test/fixtures/sample_jwks.json

@@ -0,0 +1,16 @@
+{
+  "keys":[
+    {
+      "alg":"RS256",
+      "kty":"RSA",
+      "use":"sig",
+      "x5c":[
+        "MIIDDzCCAfegAwIBAgIJXBxlkRndNs3ZMA0GCSqGSIb3DQEBCwUAMCUxIzAhBgNVBAMTGm11bHRpLWpvYmJlcnMuZXUuYXV0aDAuY29tMB4XDTE3MDUyOTEzNTA1OFoXDTMxMDIwNTEzNTA1OFowJTEjMCEGA1UEAxMabXVsdGktam9iYmVycy5ldS5hdXRoMC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNwGcDVRbVjAXEhmMfa8OT37YAcFMhCGDZSgORTg/Wo+3E+WipgckLpT6+7LZH1ohgcbEVKkcDxjW0djYkSmgVvcDOxKClzj2iwXM0FYXJtU6Vwq1R5BzKWeMclbCZT7gEpVkCte3ZFvY80lYwlGvrw5QLMURnW5uMWA75Hf2VhzVx07M1KcwL3reHLd5YqDq5mrwTr+g5maFvl+t2dcMzOwuI2LhKgdImDGR6BUEteeEchNeir1r1lBrd5juwPiXT76ZVuGYnzf01UPqhGfcjSKey4W8WbIiYpDm7J0ORjGm/HAMHSvnOTYIqrJ62J0p5PexYzUGOhH0N06/G+VgtAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFInchclYauappYScpEgOo+hUFwdZMA4GA1UdDwEB/wQEAwIChDANBgkqhkiG9w0BAQsFAAOCAQEAoJ/uqy6TYmWMnuVP1vHQDv8pFRv5mpXa8D6aqDzfXKW3P4pAdFfDZ5PFVZkSiAnd/DJk//9cVAT7SEHHe9yxkp8N6MewxdHT+JGAszG4xyR73eV7gCAcITGh3t1efflNcxV7ycTJp61FuPtVs7MxdUAgWkpP5nMd41pHY01r5qy1g+ysUJ5TDI5SmqEAFc54etX5i8WUDtcH0DxJrib+YlZPA7xrbCV5DnykODXjJ0De7J89hcIXq4eL3TtbPCqJMPwH79cphJ9NUd+320WexTdNB5ysL7ML/Uk1KaWuS7fyA0C+gxSF6gOaJ3/u2OE3TrudLdTco/C87YnvWYJS9A=="
+      ],
+      "n":"zcBnA1UW1YwFxIZjH2vDk9-2AHBTIQhg2UoDkU4P1qPtxPloqYHJC6U-vuy2R9aIYHGxFSpHA8Y1tHY2JEpoFb3AzsSgpc49osFzNBWFybVOlcKtUeQcylnjHJWwmU-4BKVZArXt2Rb2PNJWMJRr68OUCzFEZ1ubjFgO-R39lYc1cdOzNSnMC963hy3eWKg6uZq8E6_oOZmhb5frdnXDMzsLiNi4SoHSJgxkegVBLXnhHITXoq9a9ZQa3eY7sD4l0--mVbhmJ839NVD6oRn3I0insuFvFmyImKQ5uydDkYxpvxwDB0r5zk2CKqyetidKeT3sWM1BjoR9DdOvxvlYLQ",
+      "e":"AQAB",
+      "kid":"NkNBODQ3QjMxQzZENkY3QUM2OUM1RTc1Q0Y2N0QwRTdGMjdFOTBDNw",
+      "x5t":"NkNBODQ3QjMxQzZENkY3QUM2OUM1RTc1Q0Y2N0QwRTdGMjdFOTBDNw"
+    }
+  ]
+}

data/test/fixtures/sample_jwks_2.json

@@ -0,0 +1 @@
+{"keys":[{"alg":"RS256","kty":"RSA","use":"sig","x5c":["MIIDETCCAfmgAwIBAgIJALUn2x16sU0BMA0GCSqGSIb3DQEBCwUAMB8xHTAbBgNVBAMMFGV4YW1wbGUuZXUuYXV0aDAuY29tMB4XDTE1MDQyMzA3MTcyOVoXDTI4MTIzMDA3MTcyOVowHzEdMBsGA1UEAwwUZXhhbXBsZS5ldS5hdXRoMC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQColCyrzR24viQYf3gdHSrH1rCMS7wH3SOmzq5RRZeOxz6wcmTr8Jip/SQiS5QSsFfUoRk8PPbeafUhF+/NDwvCJXnUf8lTDeOAVRDM5hkfWnLZf8sBHYdAZXTps6Oz6Nq0MT4J/7cL43a1Q/UU8qwCYG652NPX2bPIAjfxq28MUJ47iz2EKg445MHpsuHU3MXqKApyLBlyUQL4VRw9xjlqkL45HTB2zCNuO4o8zQNE70jWQe8b4eauzLT5oeakUVTW5vGq5ryKE6T0vUERxYO/Bxzw+qfZ75IV9dQefUZ41WLB6PWP6OvzsRSEOGZR2LBMh3IfArhUwNxpkmTf4lZfAgMBAAGjUDBOMB0GA1UdDgQWBBShBM7FGFBWlZSI0AkqeI/tcZftQDAfBgNVHSMEGDAWgBShBM7FGFBWlZSI0AkqeI/tcZftQDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCOraDmW3eSauYY4Xdf81t7XgPiUiWaqHUOtLEFOVmpPlX8mHtcUpSHZwh2C52iLtFkBUq97r2AwmTArysTb+ZNsFotEaAxTe2f6dO8oV7lxjn5ApL3NZWVDXsO//F/kJTsA0AlGozdHedb/Xy90atY9IRBHqlY49QHJmiheSxy3QTuABEVfHShsbqhT22a/VOEWelwyJZyeQX03ysu6c9NqnWblU/9j/Ccg96VorL7bYN0dLgImdcZQFR8fjhGeV86n15C7ZvOE4cJyVdBc0er1IrEmx7oXG6YgxyBYMRL+DiIjZAftE6YjOuet2GQOSdGYPiYqn6Z7xLg4DPTaWEP"],"n":"qJQsq80duL4kGH94HR0qx9awjEu8B90jps6uUUWXjsc-sHJk6_CYqf0kIkuUErBX1KEZPDz23mn1IRfvzQ8LwiV51H_JUw3jgFUQzOYZH1py2X_LAR2HQGV06bOjs-jatDE-Cf-3C-N2tUP1FPKsAmBuudjT19mzyAI38atvDFCeO4s9hCoOOOTB6bLh1NzF6igKciwZclEC-FUcPcY5apC-OR0wdswjbjuKPM0DRO9I1kHvG-Hmrsy0-aHmpFFU1ubxqua8ihOk9L1BEcWDvwcc8Pqn2e-SFfXUHn1GeNViwej1j-jr87EUhDhmUdiwTIdyHwK4VMDcaZJk3-JWXw","e":"AQAB","kid":"QUVGRUVENTEwNDUwODlFQjA1QzE0QkVBMUY5NDFFRjFBRjI5Mzc3MA","x5t":"QUVGRUVENTEwNDUwODlFQjA1QzE0QkVBMUY5NDFFRjFBRjI5Mzc3MA"}]}

data/test/test_helper.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+require "minitest/autorun"
+require "auth0_rs256_jwt_verifier"

metadata

@@ -0,0 +1,128 @@
+--- !ruby/object:Gem::Specification
+name: auth0_rs256_jwt_verifier
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Krzysztof Zielonka
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-06-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: http
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: json-jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5'
+description: Auth0 (https://auth0.com) is web service handling users identities which
+  can be easily plugged into your application. It provides SDKs for many languages
+  which enable you to sign up/in users and returns access token (JWT) in exchange.
+  Access token can be used then to access your's Web Service. This gem helps you to
+  verify (https://auth0.com/docs/api-auth/tutorials/verify-access-token#verify-the-signature)
+  such access token which has been signed using the RS256 algorithm.
+email: krzysztof.zielonka@droidsonroids.pl
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rubocop.yml"
+- Gemfile
+- README.md
+- Rakefile
+- auth0_rs256_jwt_verifier.gemspec
+- lib/auth0_access_tokens_rs256_verifier.rb
+- lib/auth0_rs256_jwt_verifier.rb
+- lib/auth0_rs256_jwt_verifier/certs_set.rb
+- lib/auth0_rs256_jwt_verifier/exp_verifier.rb
+- lib/auth0_rs256_jwt_verifier/jwk.rb
+- lib/auth0_rs256_jwt_verifier/jwk_set_downloader.rb
+- lib/auth0_rs256_jwt_verifier/jwt_decoder.rb
+- lib/auth0_rs256_jwt_verifier/jwt_decoder_wrapper.rb
+- lib/auth0_rs256_jwt_verifier/results.rb
+- lib/auth0_rs256_jwt_verifier/user_id.rb
+- lib/auth0_rs256_jwt_verifier/valid_jwk_set.rb
+- test/.rubocop.yml
+- test/auth0_rs256_jwt_verifier/jwt_decoder_test.rb
+- test/auth0_rs256_jwt_verifier/jwt_decoder_wrapper_test.rb
+- test/auth0_rs256_jwt_verifier_test.rb
+- test/fixtures/sample_jwks.json
+- test/fixtures/sample_jwks_2.json
+- test/test_helper.rb
+homepage: https://rubygems.org/gems/auth0_rs256_jwt_verifier
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.8
+signing_key: 
+specification_version: 4
+summary: Auth0 JWT (RS256) verification library
+test_files: []