class Stytch::IDP
def get_jwks(project_id:)
The JWKS for the project.
== Returns:
The type of this field is +String+.
The ID of the project.
project_id::
== Parameters:
Gets the JWKS for the project.
# Gets the JWKS for the project.
#
# == Parameters:
# project_id::
#   The ID of the project. It is interpolated into the request path as
#   given; NOTE(review): confirm whether +request_with_query_params+
#   encodes path segments, otherwise only pass a trusted project ID here.
#   The type of this field is +String+.
#
# == Returns:
# Whatever +get_request+ returns for the JWKS endpoint (documented as the
# project's JWKS).
def get_jwks(project_id:)
  path = "/v1/sessions/jwks/#{project_id}"
  request = request_with_query_params(path, {})
  get_request(request, {})
end
def initialize(connection, project_id, jwks_cache, policy_cache)
# Builds the IDP client.
#
# == Parameters:
# connection::
#   HTTP connection used for network calls; its +url_prefix+ is also
#   accepted as a token issuer by +introspect_access_token_local+.
# project_id::
#   Stytch project ID; used as the issuer suffix and as the expected
#   audience when verifying access tokens locally.
# jwks_cache::
#   Supplies +loader+, passed as the +jwks+ option to +JWT.decode+.
# policy_cache::
#   Supplies +perform_scope_authorization_check+ for scope checks.
def initialize(connection, project_id, jwks_cache, policy_cache)
  @connection = connection
  @project_id = project_id
  @jwks_cache = jwks_cache
  @policy_cache = policy_cache
  @oauth = Stytch::IDP::OAuth.new(connection)
end
def introspect_access_token_local(
Custom claims in the token.
custom_claims::
The type of this field is +String+.
The type of the token.
token_type::
The type of this field is +Integer+.
The not before time of the token.
not_before::
The type of this field is +String+.
The issuer of the token.
issuer::
The type of this field is +Integer+.
The issued at time of the token.
issued_at::
The type of this field is +Integer+.
The expiration time of the token.
expires_at::
The type of this field is +String+.
The audience of the token.
audience::
The type of this field is +String+.
The scope of the token.
scope::
The type of this field is +String+.
The subject of the token.
subject::
An object with the following fields:
== Returns:
The type of this field is nilable +Hash+.
Optional authorization check object.
authorization_check::
The type of this field is +String+.
The access token (or refresh token) to introspect.
access_token::
== Parameters:
Access tokens contain a standard set of claims as well as any custom claims generated from templates.
Access tokens are JWTs signed with the project's JWKs. Refresh tokens are opaque tokens.
Introspects a token JWT from an authorization code response.
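# Introspects an access token JWT locally, without a network round-trip.
#
# Access tokens are JWTs signed with the project's JWKs. They are verified
# here with RS256 only, against the project's JWKS, the expected issuers
# (+stytch.com/<project_id>+ or the connection's +url_prefix+) and the
# project ID as audience. Refresh tokens are opaque and cannot be
# introspected locally; use +introspect_token_network+ for those.
# NOTE(review): ruby-jwt checks +exp+/+nbf+ by default — confirm for the
# pinned gem version. Revocation is not observable here: a token revoked
# server-side still validates locally until it expires.
#
# == Parameters:
# access_token::
#   The access token JWT to introspect.
#   The type of this field is +String+.
# authorization_check::
#   Optional authorization check object, forwarded to the policy cache
#   together with the token's space-separated +scope+ claim.
#   The type of this field is nilable +Hash+.
#
# == Returns:
# A +Hash+ with the keys 'subject', 'scope', 'audience', 'expires_at',
# 'issued_at', 'issuer', 'not_before', 'token_type' (always 'access_token')
# and 'custom_claims' (a +Hash+ of every claim not listed by
# +non_custom_claim_keys+), or +nil+ when the token does not decode/verify.
#
# == Raises:
# Stytch::JWTInvalidIssuerError, Stytch::JWTInvalidAudienceError,
# Stytch::JWTExpiredSignatureError or Stytch::JWTIncorrectAlgorithmError
# for the corresponding verification failures; whatever the policy cache
# raises when +authorization_check+ is not satisfied.
def introspect_access_token_local(
  access_token:,
  authorization_check: nil
)
  claims = JWT.decode(
    access_token,
    nil,
    true,
    {
      algorithms: ['RS256'],
      jwks: @jwks_cache.loader,
      iss: ["stytch.com/#{@project_id}", @connection.url_prefix],
      aud: @project_id
    }
  ).first

  reserved = non_custom_claim_keys
  custom_claims = claims.reject { |key, _| reserved.include?(key) }

  if authorization_check
    # A token without a scope claim carries no scopes: hand the policy cache
    # an empty list instead of failing with NoMethodError on nil.
    @policy_cache.perform_scope_authorization_check(
      token_scopes: (claims['scope'] || '').split,
      authorization_check: authorization_check
    )
  end

  {
    'subject' => claims['sub'],
    'scope' => claims['scope'],
    'audience' => claims['aud'],
    'expires_at' => claims['exp'],
    'issued_at' => claims['iat'],
    'issuer' => claims['iss'],
    'not_before' => claims['nbf'],
    'token_type' => 'access_token',
    'custom_claims' => custom_claims
  }
rescue JWT::InvalidIssuerError
  raise Stytch::JWTInvalidIssuerError
rescue JWT::InvalidAudError
  raise Stytch::JWTInvalidAudienceError
rescue JWT::ExpiredSignature
  raise Stytch::JWTExpiredSignatureError
rescue JWT::IncorrectAlgorithm
  raise Stytch::JWTIncorrectAlgorithmError
rescue JWT::DecodeError
  # Anything else ruby-jwt reports as a decode failure (malformed token,
  # presumably a signature that does not verify, ...) is surfaced as "not a
  # valid token" per the nilable return contract, without exposing the reason.
  nil
end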
def introspect_token_network(
Custom claims in the token.
custom_claims::
The type of this field is +String+.
The type of the token.
token_type::
The type of this field is +Integer+.
The not before time of the token.
not_before::
The type of this field is +String+.
The issuer of the token.
issuer::
The type of this field is +Integer+.
The issued at time of the token.
issued_at::
The type of this field is +Integer+.
The expiration time of the token.
expires_at::
The type of this field is +String+.
The audience of the token.
audience::
The type of this field is +String+.
The scope of the token.
scope::
The type of this field is +String+.
The subject of the token.
subject::
An object with the following fields:
== Returns:
The type of this field is nilable +Hash+.
Optional authorization check object.
authorization_check::
The type of this field is +String+.
A hint on what the token contains. Valid values are 'access_token' and 'refresh_token'.
token_type_hint::
The type of this field is nilable +String+.
The secret of the client.
client_secret::
The type of this field is +String+.
The ID of the client.
client_id::
The type of this field is +String+.
The access token (or refresh token) to introspect.
token::
== Parameters:
Access tokens contain a standard set of claims as well as any custom claims generated from templates.
Access tokens are JWTs signed with the project's JWKs. Refresh tokens are opaque tokens.
Introspects a token JWT from an authorization code response.
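# Introspects a token by calling the project's introspection endpoint.
#
# Access tokens are JWTs signed with the project's JWKs; refresh tokens are
# opaque. Both can be introspected here because the server, not this
# client, validates the token. The server's +active+ flag decides whether
# the token is accepted.
#
# == Parameters:
# token::
#   The access token (or refresh token) to introspect.
#   The type of this field is +String+.
# client_id::
#   The ID of the client.
#   The type of this field is +String+.
# client_secret::
#   The secret of the client; only sent when not +nil+.
#   The type of this field is nilable +String+.
# token_type_hint::
#   A hint on what the token contains, 'access_token' or 'refresh_token'.
#   The type of this field is +String+.
# authorization_check::
#   Optional authorization check object, forwarded to the policy cache
#   together with the response's space-separated +scope+ value.
#   The type of this field is nilable +Hash+.
#
# == Returns:
# A +Hash+ with the keys 'subject', 'scope', 'audience', 'expires_at',
# 'issued_at', 'issuer', 'not_before', 'token_type' and 'custom_claims'
# (a +Hash+ of every response field not listed by +non_custom_claim_keys+),
# or +nil+ when the server reports the token as not active.
#
# == Raises:
# Whatever +post_request+ raises on a failed request; whatever the policy
# cache raises when +authorization_check+ is not satisfied.
def introspect_token_network(
  token:,
  client_id:,
  client_secret: nil,
  token_type_hint: 'access_token',
  authorization_check: nil
)
  data = {
    'token' => token,
    'client_id' => client_id,
    'token_type_hint' => token_type_hint
  }
  # Only include the secret when one was supplied (presumably public
  # clients have none — confirm against the endpoint's contract).
  data['client_secret'] = client_secret unless client_secret.nil?

  url = @connection.url_prefix + '/v1/oauth2/introspect'
  response = post_request(url, data, {})

  # Fail closed: a token the server does not report as active yields nil
  # before any claim is read or any scope check is attempted.
  return nil unless response['active']

  reserved = non_custom_claim_keys
  custom_claims = response.reject { |key, _| reserved.include?(key) }

  if authorization_check
    # A response without a scope field carries no scopes: hand the policy
    # cache an empty list instead of failing with NoMethodError on nil.
    @policy_cache.perform_scope_authorization_check(
      token_scopes: (response['scope'] || '').split,
      authorization_check: authorization_check
    )
  end

  {
    'subject' => response['sub'],
    'scope' => response['scope'],
    'audience' => response['aud'],
    'expires_at' => response['exp'],
    'issued_at' => response['iat'],
    'issuer' => response['iss'],
    'not_before' => response['nbf'],
    'token_type' => response['token_type'],
    'custom_claims' => custom_claims
  }
end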
def non_custom_claim_keys
# Claim keys that belong to the standard JWT / introspection-response shape
# and are therefore excluded from +'custom_claims'+ by the introspect
# methods.
#
# == Returns:
# A fresh +Array+ of +String+ keys: the registered JWT claims first, then
# the introspection-response fields.
def non_custom_claim_keys
  registered_jwt_claims = %w[aud exp iat iss jti nbf sub]
  introspection_fields = %w[active client_id request_id scope status_code token_type]
  registered_jwt_claims + introspection_fields
end