Skip to content

Instantly share code, notes, and snippets.

@bradleybeddoes
Last active August 18, 2016 02:39
Show Gist options
  • Save bradleybeddoes/6154072 to your computer and use it in GitHub Desktop.
Save bradleybeddoes/6154072 to your computer and use it in GitHub Desktop.
Example AAF JWT code on Heroku
require 'sinatra'
require 'json'
require 'json/jwt'
use Rack::Session::Pool, :expire_after => 3600
get '/' do
erb :index
end
get '/welcome' do
if session[:attributes]
@attributes = session[:attributes]
@jwt = session[:jwt]
erb :welcome
else
redirect '/'
end
end
get '/logout' do
session.clear
redirect '/'
end
post '/auth/jwt' do
jws = params[:assertion]
if jws
begin
jwt = JSON::JWT.decode(jws.to_s, "SECRET")
# In a complete app we'd also store and validate the jti value to ensure there is no replay attack
if jwt['iss'] == 'https://rapid.aaf.edu.au' && jwt['aud'] == 'https://aaf-echo.herokuapp.com' &&
Time.now > Time.at(jwt['nbf']) && Time.now < Time.at(jwt['exp'])
attributes = jwt['https://aaf.edu.au/attributes']
session[:attributes] = attributes
session[:jwt] = jwt
redirect '/welcome'
else
halt 500, "Audience or timings are invalid"
end
rescue Exception => e
halt 500, "Signature was invalid or JWT was otherwise erronous"
end
else
halt 500, "JWS was not found in request"
end
end
@lukehorvat
Copy link

According to the Rapid Connect developer guide, "the current time MUST be after or equal to the time provided in the nbf claim". So I think you need to change it to Time.now >= Time.at(jwt['nbf']).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment