validating jwt signature from alma

[davezuckerman]

No description provided.

[jason-raitz]

lgtm.

[anarchivist]

I think this needs some refactoring - we should look at using ruby-jwt's native methods here rather than rolling our own.

[anarchivist]

Similarly, there's a lot in this file that seems to duplicate what's in JWT::JWK's methods here.

[danschmidt5189]

I have a few nits but they're nothing major (see comments).

One bigger picture question is whether to implement this using an AlmaJwtValidator module (as you've done) or an AlmaJwt class. The benefit of the class is that it could naturally encapsulate the accessor method you implicitly need (username -> alma_id). Not a blocker, but something to think about from an implementation / code style perspective.

[danschmidt5189]

Does the sandbox publish a different URL? If so we'd need to be able to inject this (e.g. via ENV).

[danschmidt5189]

As we noticed when pairing, the actual issuer is Prima. From our testing:

# Get a Ruby shell with jwt installed...
$ docker run --rm -it ruby:3 bash -c 'gem install pry; gem install jwt; exec pry'

# Login to Alma, then visit the fees link from your account page.
# Extract the jwt from the URL in the Framework redirect and decode it.
require 'jwt'
jwt = "{copy from URL}"
JWT.decode(jwt, nil, false)

[danschmidt5189]

Ditto for this.

[anarchivist]

I suppose this wasn't clear from my earlier comment, but I'm curious about why we're using JWT.decode instead of instantiating JWT::EncodedToken and using its methods.