RubyGems - google-id-tokenz - Versions diffs - 1.2.1 - Mend

google-id-tokenz 1.2.1

Files changed (4) hide show

checksums.yaml ADDED Viewed

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 4c8d036fbff7aa58d162239a1c377dcecee06f74
+  data.tar.gz: 652a2c203876170dc81485608259a8bf3f4aa03c
+SHA512:
+  metadata.gz: 65584666085ec799e249f2d1bed0cde6507c4fefeafbe65ed64e8ba21623af3bdee873b98b7fff19bb14b09d95a8bbfd6be04690f4e7281e7372ce2046f3b912
+  data.tar.gz: ec89ae8d5cd861e3ce9037748c0f4ae76557813074336634667696fe3f729202d4b4920472b6001e4fe550ffedd0a89d86577fc9c2fe1c6eb89166ad5734468a

data/README.md ADDED Viewed

@@ -0,0 +1,46 @@
+# GoogleIDToken
+This code is from [@timbray](https://github.com/timbray)'s awesome [google-id-token](https://code.google.com/p/google-id-token/) codebase, with one minor tweak to handle a new token format (array vs hash).
+Tim gives a great overview of id tokens here http://www.tbray.org/ongoing/When/201x/2013/04/04/ID-Tokens.
+GoogleIDToken currently provides a single useful class "Validator", which provides a single method "#check", which parses and validates an ID Token allegedly generated by Google auth servers.
+## Examples
+  [android](http://android-developers.blogspot.in/2013/01/verifying-back-end-calls-from-android.html)
+  [android cross client auth](https://developers.google.com/accounts/docs/CrossClientAuth)
+Creating a new validator takes a single optional hash argument. If the hash has an entry for :x509_key, that value is taken to be a key as created by OpenSSL::X509::Certificate.new, and the token is validated using that key.  If there is no such entry, the keys are fetched from the Google certs endpoint https://www.googleapis.com/oauth2/v1/certs.
+## Installation
+```
+  gem install google-id-token
+```
+## Examples
+```
+  validator = GoogleIDToken::Validator.new
+  jwt = validator.check(token, required_audience, required_client_id)
+  if jwt
+    email = jwt['email']
+  else
+    report "Cannot validate: #{validator.problem}"
+  end
+```
+```
+  cert = OpenSSL::X509::Certificate.new(File.read('my-cert.pem'))
+  validator = GoogleIDToken::Validator.new(:x509_cert => cert)
+  jwt = validator.check(token, required_audience, required_client_id)
+  if jwt
+    email = jwt['email']
+  else
+    report "Cannot validate: #{validator.problem}"
+  end
+```

data/lib/google-id-token.rb ADDED Viewed

@@ -0,0 +1,164 @@
+# encoding: utf-8
+# Copyright 2012 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+# Validates strings alleged to be ID Tokens issued by Google; if validation
+#  succeeds, returns the decoded ID Token as a hash.
+# It's a good idea to keep an instance of this class around for a long time,
+#  because it caches the keys, performs validation statically, and only
+#  refreshes from Google when required (typically once per day)
+#
+# @author Tim Bray, adapted from code by Bob Aman
+require 'multi_json'
+require 'jwt'
+require 'openssl'
+require 'net/http'
+module GoogleIDToken
+  class Validator
+    GOOGLE_CERTS_URI = 'https://www.googleapis.com/oauth2/v1/certs'
+    # @!attribute [r] problem
+    #   Reason for failure, if #check returns nil
+    attr_reader :problem
+    def initialize(keyopts = {})
+      if keyopts[:x509_cert]
+        @certs_mode = :literal
+        @certs = { :_ => keyopts[:x509_cert] }
+      # elsif keyopts[:jwk_uri]  # TODO
+      #   @certs_mode = :jwk
+      #   @certs = {}
+      else
+        @certs_mode = :old_skool
+        @certs = {}
+      end
+    end
+    ##
+    # If it validates, returns a hash with the JWT fields from the ID Token.
+    #  You have to provide an "aud" value, which must match the
+    #  token's field with that name, and will similarly check cid if provided.
+    #
+    # If something fails, returns nil; #problem returns error text
+    #
+    # @param [String] token
+    #   The string form of the token
+    # @param [String] aud
+    #   The required audience value
+    # @param [String] cid
+    #   The optional client-id ("azp" field) value
+    #
+    # @return [Hash] The decoded ID token, or null
+    def check(token, aud, cid = nil)
+      case check_cached_certs(token, aud, cid)
+      when :valid
+        @token
+      when :problem
+        nil
+      else
+        # no certs worked, might've expired, refresh
+        if refresh_certs
+          @problem = 'Unable to retrieve Google public keys'
+          nil
+        else
+          case check_cached_certs(token, aud, cid)
+          when :valid
+            @token
+          when :problem
+            nil
+          else
+            @problem = 'Token not verified as issued by Google'
+            nil
+          end
+        end
+      end
+    end
+    private
+    # tries to validate the token against each cached cert.
+    # Returns :valid (sets @token) or :problem (sets @problem) or
+    #  nil, which means none of the certs validated.
+    def check_cached_certs(token, aud, cid)
+      @problem = @token = nil
+      # find first public key that validates this token
+      @certs.detect do |key, cert|
+        begin
+          public_key = cert.public_key
+          @token = JWT.decode(token, public_key, !!public_key)
+          @token = @token.first if @token.is_a?(Array)
+          # in Feb 2013, the 'cid' claim became the 'azp' claim per changes
+          #  in the OIDC draft. At some future point we can go all-azp, but
+          #  this should keep everything running for a while
+          if @token['azp']
+            @token['cid'] = @token['azp']
+          elsif @token['cid']
+            @token['azp'] = @token['cid']
+          end
+        rescue JWT::DecodeError
+          nil # go on, try the next cert
+        end
+      end
+      if @token
+        if !(@token.has_key?('aud') && (@token['aud'] == aud))
+          @problem = 'Token audience mismatch'
+        elsif cid && !(@token.has_key?('cid') && (@token['cid'] == cid))
+          @problem = 'Token client-id mismatch'
+        end
+        @problem ? :problem : :valid
+      else
+        nil
+      end
+    end
+    # returns true if there was a problem
+    def refresh_certs
+      case @certs_mode
+      when :literal
+        return # no-op
+      when :old_skool
+        old_skool_refresh_certs
+      # when :jwk          # TODO
+      #  jwk_refresh_certs
+      end
+    end
+    def old_skool_refresh_certs
+      uri = URI(GOOGLE_CERTS_URI)
+      get = Net::HTTP::Get.new uri.request_uri
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.use_ssl = true
+      res = http.request(get)
+      if res.kind_of?(Net::HTTPSuccess)
+        new_certs = Hash[MultiJson.load(res.body).map do |key, cert|
+                           [key, OpenSSL::X509::Certificate.new(cert)]
+                         end]
+        @certs.merge! new_certs
+        false
+      else
+        true
+      end
+    end
+  end
+end

metadata ADDED Viewed

@@ -0,0 +1,130 @@
+--- !ruby/object:Gem::Specification
+name: google-id-tokenz
+version: !ruby/object:Gem::Version
+  version: 1.2.1
+platform: ruby
+authors:
+- Tim Bray
+- Bob Aman
+- Nathan Tsoi
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2014-08-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: multi_json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: fakeweb
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: openssl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Google ID Token utilities; currently just a parser/checker
+email: nathan@vertile.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- lib/google-id-token.rb
+homepage: https://github.com/nathantsoi/google-id-tokenz
+licenses: []
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.2.2
+signing_key:
+specification_version: 4
+summary: Google ID Token utilities
+test_files: []