class Stytch::M2M

def authenticate_token(access_token:, required_scopes: nil, max_token_age: nil)

The type of this field is +object+.
A map of custom claims present in the token.
custom_claims::
The type of this field is +String+.
The ID of the client that was issued the token
client_id::
The type of this field is list of +String+.
An array of scopes granted to the token holder.
scopes::
+nil+ if the token could not be validated, or an object with the following fields:
== Returns:
The type of this field is nilable +Integer+.
The maximum possible lifetime in seconds for the token to be valid.
max_token_age::
The type of this field is nilable list of +String+.
A list of scopes the token must have to be valid.
required_scopes::
The type of this field is +String+.
The access token granted to the client. Access tokens are JWTs signed with the project's JWKs.
access_token::
== Parameters:

+authenticate_token+ validates a M2M JWT locally.
MANUAL(M2M::authenticate_token)(SERVICE_METHOD)

def authenticate_token(access_token:, required_scopes: nil, max_token_age: nil)
  # Intentionally allow this to re-raise if authentication fails
  decoded_jwt = authenticate_token_local(access_token)
  iat_time = Time.at(decoded_jwt['iat']).to_datetime
  # Token too old
  raise JWTExpiredError if !max_token_age.nil? && (iat_time + max_token_age < Time.now)
  resp = marshal_jwt_into_response(decoded_jwt)
  unless required_scopes.nil?
    for scope in required_scopes
      raise TokenMissingScopeError, scope unless resp['scopes'].include?(scope)
    end
  end
  resp
end

def authenticate_token_local(jwt)

Parse a M2M token and verify the signature locally (without calling /authenticate in the API)

def authenticate_token_local(jwt)
  issuer = 'stytch.com/' + @project_id
  begin
    decoded_token = JWT.decode jwt, nil, true,
                               { jwks: @jwks_loader, iss: issuer, verify_iss: true, aud: @project_id, verify_aud: true, algorithms: ['RS256'] }
    decoded_token[0]
  rescue JWT::InvalidIssuerError
    raise JWTInvalidIssuerError
  rescue JWT::InvalidAudError
    raise JWTInvalidAudienceError
  rescue JWT::ExpiredSignature
    raise JWTExpiredSignatureError
  rescue JWT::IncorrectAlgorithm
    raise JWTIncorrectAlgorithmError
  end
end

def get_jwks(

This is a helper so we can retrieve the JWKS for a project for decoding M2M access tokens
MANUAL(M2M::get_jwks)(SERVICE_METHOD)

def get_jwks(
  project_id:
)
  query_params = {}
  request = request_with_query_params("/v1/sessions/jwks/#{project_id}", query_params)
  get_request(request)
end

def initialize(connection, project_id)

def initialize(connection, project_id)
  @connection = connection
  @clients = Stytch::M2M::Clients.new(@connection)
  @project_id = project_id
  @cache_last_update = 0
  @jwks_loader = lambda do |options|
    @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
    @cached_keys ||= begin
      @cache_last_update = Time.now.to_i
      keys = []
      get_jwks(project_id: @project_id)['keys'].each do |r|
        keys << r
      end
      { keys: keys }
    end
  end
end

def marshal_jwt_into_response(jwt)

def marshal_jwt_into_response(jwt)
  # The custom claim set is all the claims in the payload except for the standard claims.
  # The cleanest way to collect those seems to be naming what we want
  # to omit and filtering the rest to collect the custom claims.
  reserved_claims = %w[aud exp iat iss jti nbf sub]
  custom_claims = jwt.reject { |key, _| reserved_claims.include?(key) }
  {
    'scopes' => jwt['scope'].split(' '),
    'client_id' => jwt['sub'],
    'custom_claims' => custom_claims
  }
end

def token(client_id:, client_secret:, scopes: nil)

The type of this field is +String+.
The type of the returned access token. Today, this value will always be equal to "bearer"
token_type::
The type of this field is +Integer+.
For example, the value 3600 denotes that the access token will expire in one hour from the time the response was generated.
The lifetime in seconds of the access token.
expires_in::
The type of this field is +String+.
The access token granted to the client. Access tokens are JWTs signed with the project's JWKs.
access_token::
An object with the following fields:
== Returns:

The type of this field is nilable list of +String+.
An array scopes requested. If omitted, all scopes assigned to the client will be returned.
scopes::
The type of this field is +String+.
The secret of the client.
client_secret::
The type of this field is +String+.
The ID of the client.
client_id::
== Parameters:

M2M Access tokens contain a standard set of claims as well as any custom claims generated from templates.
Access tokens are JWTs signed with the project's JWKs, and are valid for one hour after issuance.
+token+ retrieves an access token for the given M2M Client.
MANUAL(M2M::token)(SERVICE_METHOD)

def token(client_id:, client_secret:, scopes: nil)
  request = {
    grant_type: 'client_credentials',
    client_id: client_id,
    client_secret: client_secret
  }
  request[:scope] = scopes.join(' ') unless scopes.nil?
  JSON.parse(post_request("/v1/public/#{@project_id}/oauth2/token", request), { symbolize_names: true })
end

Instance Methods

Defined in

lib/stytch/m2m.rb