Add validation to the id_token on the callback phase

Meeco · Oct 27, 2017 · 9552814 · 9552814
1 parent b0327fd
commit 9552814
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/lib/omniauth/strategies/azure_active_directory_b2c.rb b/lib/omniauth/strategies/azure_active_directory_b2c.rb
@@ -36,6 +36,7 @@ def self.failure_message_key(key)
       InvalidCredentialsError = Class.new(CallbackError) { failure_message_key :invalid_credentials }
       UnauthorizedError = Class.new(CallbackError) { failure_message_key :unauthorized }
       MissingCodeError = Class.new(CallbackError) { failure_message_key :missing_code }
+      IdTokenValidationError = Class.new(CallbackError) { failure_message_key :id_token_validation_failed }
 
       #########################################
       # Strategy options
@@ -98,6 +99,7 @@ def authentication_response
 
       def callback_phase
         validate_callback_response!
+        validate_id_token!
         super # required to complete the callback phase
 
       rescue UnauthorizedError => e
@@ -122,6 +124,13 @@ def validate_callback_response!
         end
       end
 
+      def validate_id_token!
+        results = authentication_response.validate_id_token
+        if results.has_errors?
+          raise IdTokenValidationError, results.full_messages.join('. ')
+        end
+      end
+
       #########################################
       # Auth Hash Schema
       #########################################

diff --git a/lib/omniauth/strategies/azure_active_directory_b2c/authentication_response.rb b/lib/omniauth/strategies/azure_active_directory_b2c/authentication_response.rb
@@ -112,6 +112,10 @@ def jwk_key
           end
         end
 
+        def validate_id_token(seconds_since_epoc = Time.now.to_i)
+          JwtValidator.validate(id_token.raw_attributes, public_key, policy, seconds_since_epoc)
+        end
+
       end # AuthenticationResponse
     end # AzureActiveDirectoryB2C
   end # Strategies