class Google::Auth::IDTokens::Verifier


An object that can verify ID tokens.
A verifier maintains a set of default settings, including the key
source and fields to verify. However, individual verification calls can
override any of these settings.
#

def decode_token token, keys, aud, azp, iss

# Decode and signature-check +token+ against each candidate key, then run the
# claim checks on the resulting payload.
#
# Every key is tried in turn (the token's `kid` header is not consulted
# here); the first key whose signature verifies wins. For each attempt the
# accepted algorithm is restricted to that key's own algorithm via the
# `algorithms:` option, so the token's `alg` header cannot steer verification
# to a different scheme than the key was issued for.
#
# Expiry (`exp`) is enforced by JWT.decode and surfaced as ExpiredTokenError
# at once — it is not retried against other keys. Any other JWT::DecodeError
# (malformed token, bad signature, and presumably other claim failures that
# ruby-jwt raises under that class) is treated as "this key did not match"
# and the next key is tried. If no key matches the method returns nil and
# the caller reports a generic signature error, so those failures are not
# distinguishable from a wrong key.
#
# @param token [String] the raw ID token.
# @param keys [Enumerable] candidate keys; each must respond to +key+ and +algorithm+.
# @param aud [String, nil] expected audience, or nil to skip the check.
# @param azp [String, nil] expected authorized party, or nil to skip the check.
# @param iss [String, nil] expected issuer, or nil to skip the check.
# @return [Hash, nil] the verified payload, or nil if no key verified the signature.
# @raise [ExpiredTokenError] if the token is past its +exp+.
# @raise [AudienceMismatchError, AuthorizedPartyMismatchError, IssuerMismatchError]
#   from normalize_and_verify_payload when a configured claim check fails.
def decode_token token, keys, aud, azp, iss
  payload = nil
  keys.each do |candidate|
    payload = begin
      JWT.decode(token, candidate.key, true, { algorithms: candidate.algorithm }).first
    rescue JWT::ExpiredSignature
      raise ExpiredTokenError, "Token signature is expired"
    rescue JWT::DecodeError
      nil # wrong key (or otherwise undecodable): move on to the next candidate
    end
    break if payload
  end
  normalize_and_verify_payload payload, aud, azp, iss
end

def initialize key_source: nil,

Parameters:
  • key_source (key source) -- The default key source to use. All
    verification calls use it unless they pass their own `key_source:`.
  • aud (String, nil) -- The default audience (`aud`) check, or `nil`
    to skip the audience check.
  • azp (String, nil) -- The default authorized party (`azp`) check,
    or `nil` to skip the authorized-party check.
  • iss (String, nil) -- The default issuer (`iss`) check, or `nil`
    to skip the issuer check.
# Build a verifier with its default settings.
#
# Every argument defaults to nil. For +aud+, +azp+ and +iss+ a nil default
# means that check is skipped unless a verification call supplies a value,
# so a verifier built without an audience accepts tokens issued for any
# client. A nil +key_source+ makes every call fail with KeySourceError
# unless the call supplies its own.
#
# @param key_source [key source, nil] default source of public keys.
# @param aud [String, nil] default audience (`aud`) check.
# @param azp [String, nil] default authorized party (`azp`) check.
# @param iss [String, nil] default issuer (`iss`) check.
def initialize key_source: nil,
               aud:        nil,
               azp:        nil,
               iss:        nil
  @key_source, @aud, @azp, @iss = key_source, aud, azp, iss
end

def normalize_and_verify_payload payload, aud, azp, iss

# Normalize a decoded payload and enforce the configured claim checks.
#
# Each of +aud+, +azp+ and +iss+ is checked only when it is non-nil; a nil
# expectation disables that check, so callers must configure at least the
# audience if they want to reject tokens minted for other clients. A check
# passes when the expected value(s) and the claim value(s) share at least
# one element: Array() lets either side be a single value or a list, and a
# claim that is missing from the token (nil) never matches.
#
# @param payload [Hash, nil] decoded claims, or nil when no key verified the token.
# @param aud [String, nil] expected audience, or nil to skip.
# @param azp [String, nil] expected authorized party, or nil to skip.
# @param iss [String, nil] expected issuer, or nil to skip.
# @return [Hash, nil] the (possibly normalized) payload, or nil if +payload+ was nil.
# @raise [AudienceMismatchError] if +aud+ is set and does not match the token.
# @raise [AuthorizedPartyMismatchError] if +azp+ is set and does not match.
# @raise [IssuerMismatchError] if +iss+ is set and does not match.
def normalize_and_verify_payload payload, aud, azp, iss
  return nil unless payload

  # Legacy tokens carry the authorized party as "cid"; expose it under the
  # canonical "azp" name without overwriting an explicit "azp" claim.
  payload["azp"] ||= payload["cid"] if payload.key? "cid"

  # True when a check is enabled and the claim shares no value with it.
  mismatch = lambda do |claim, expected|
    expected && (Array(expected) & Array(payload[claim])).empty?
  end

  raise AudienceMismatchError, "Token aud mismatch: #{payload['aud']}" if mismatch.call("aud", aud)
  raise AuthorizedPartyMismatchError, "Token azp mismatch: #{payload['azp']}" if mismatch.call("azp", azp)
  raise IssuerMismatchError, "Token iss mismatch: #{payload['iss']}" if mismatch.call("iss", iss)

  payload
end

def verify token,

Parameters:
  • token (String) -- the ID token to verify.
  • key_source (key source) -- If given, override the key source.
  • aud (String, nil) -- If given, override the `aud` check. Passing
    `nil` disables the audience check for this call.
  • azp (String, nil) -- If given, override the `azp` check. Passing
    `nil` disables the authorized-party check for this call.
  • iss (String, nil) -- If given, override the `iss` check. Passing
    `nil` disables the issuer check for this call.

Returns:
  • (Hash) - the decoded payload, if verification succeeded.

Raises:
  • (VerificationError) - if the token verification failed.
  • (KeySourceError) - if the key source failed to obtain public keys
# Verify +token+ and return its decoded payload.
#
# Each setting is resolved as: an explicit keyword wins; the literal
# `:default` falls back to the value this verifier was built with. Note that
# `:default` and nil are different — nil is a real value meaning "skip this
# check". A resolved nil +aud+ therefore accepts a correctly signed token
# minted for any other client, so production callers should always end up
# with a concrete audience, either here or on the verifier.
#
# The token is first tried against the key source's cached keys and, only
# if no key verifies it, against freshly fetched keys (to pick up a key
# rotation). NOTE(review): every token that fails against the cached keys
# — including garbage sent by an unauthenticated attacker — triggers
# `refresh_keys`; whether the key source throttles refreshes is not visible
# here, and without throttling a flood of bad tokens becomes a flood of
# outbound key fetches.
#
# @param token [String] the ID token to verify.
# @param key_source [key source, :default] key source to use instead of the default.
# @param aud [String, nil, :default] audience (`aud`) check override.
# @param azp [String, nil, :default] authorized party (`azp`) check override.
# @param iss [String, nil, :default] issuer (`iss`) check override.
# @return [Hash] the decoded, verified payload.
# @raise [KeySourceError] if no key source is configured.
# @raise [SignatureError] if no key (cached or refreshed) verifies the token.
# @raise [ExpiredTokenError, AudienceMismatchError, AuthorizedPartyMismatchError,
#   IssuerMismatchError] propagated from decode_token on a claim failure.
def verify token,
           key_source: :default,
           aud:        :default,
           azp:        :default,
           iss:        :default
  resolve = ->(given, configured) { given == :default ? configured : given }
  key_source = resolve.call key_source, @key_source
  aud        = resolve.call aud, @aud
  azp        = resolve.call azp, @azp
  iss        = resolve.call iss, @iss
  raise KeySourceError, "No key sources" unless key_source

  # Cached keys first; refresh only when nothing verified the signature.
  payload = decode_token token, key_source.current_keys, aud, azp, iss
  payload ||= decode_token token, key_source.refresh_keys, aud, azp, iss
  raise SignatureError, "Token not verified as issued by Google" unless payload
  payload
end