apple_id 0.0.1 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 57f3b090e123b3239c7ee81b0d54fb532d1cded860820d69f66985a5c764c789
-  data.tar.gz: 6f89d4c1685fd2b59220aab71e3a11d852ac75aaf6422c3b959626482467bb0f
+  metadata.gz: e000f6003a2baeecbb6683a9636b311cac3eec9ec20df988f79f0bbd50231135
+  data.tar.gz: e4890bdb603981bcd9d4489915e607029490c221210816315f96dd3d6fccfd9d
 SHA512:
-  metadata.gz: bbe0117b9c67246b03b6814c5ba75f1fd7f893129cfdcac09d5ba9aa731f7f3f462cb233634a75acd6edd38ffeb34982a37b4591278271654a11a91d79d11170
-  data.tar.gz: 7541063a289eec294bcaadd363f6bbb23f937c42fd1334e6ff7be8a1e4a24e945cb62268cb91da896e256eca3060ea1bd402a9cee96b4566397a05b286453032
+  metadata.gz: 1bb4b14f28e1906cf6517e2382422a5dd44c864479ea550bf2ad54a2758b166ab0464e0e04539f0e2f26c592daae932eba81d4f82f508b0aae2d45f956d1bcce
+  data.tar.gz: 406ae5c6dca6868bfac746b83b3422b1a92876e6f6d75ced236f2b653b88e8d6469ca5544b33afae387d8bca78aa2237608e1557022daff8d3f334667c8e1663

data/README.md

@@ -1,8 +1,10 @@
 # AppleID
 
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/apple_id`. To experiment with that code, run `bin/console` for an interactive prompt.
+"Sign-in with Apple" is an implementation of OpenID Connect with small custom features.
 
-TODO: Delete this and the text above, and describe your gem
+This gem handles such custom features.
+
+Basically, this gem is based on my [OpenID Connect gem](https://github.com/nov/openid_connect) and [OAuth2 gem](https://github.com/nov/rack-oauth2), so the usage is almost same with them.
 
 ## Installation
 
@@ -22,7 +24,54 @@ Or install it yourself as:
 
 ## Usage
 
-TODO: Write usage instructions here
+There is [a sample rails app](https://github.com/nov/signin-with-apple) running at [signin-with-apple.herokuapp.com](https://signin-with-apple.herokuapp.com).
+
+If you run script in your terminal only, do like below.
+
+```ruby
+require 'apple_id'
+
+# NOTE: in debugging mode, you can see all HTTPS request & response in the log.
+# AppleID.debug!
+
+pem = <<-PEM
+-----BEGIN PRIVATE KEY-----
+  :
+  :
+-----END PRIVATE KEY-----
+PEM
+private_key = OpenSSL::PKey::EC.new pem
+
+client = AppleID::Client.new(
+  identifier: '<YOUR-CLIENT-ID>',
+  team_id: '<YOUR-TEAM-ID>',
+  key_id: '<YOUR-KEY-ID>',
+  private_key: private_key,
+  redirect_uri: '<YOUR-REDIRECT-URI>'
+)
+
+authorization_uri = client.authorization_uri(scope: [:email, :name])
+puts authorization_uri
+`open "#{authorization_uri}"`
+
+print 'code: ' and STDOUT.flush
+code = gets.chop
+
+client.authorization_code = code
+response = client.access_token!
+
+response.id_token.verify!(
+  client,
+  access_token: response.access_token,
+
+  # NOTE:
+  #  When verifying signature, one http request to Apple's JWKs are required.
+  #  You can skip ID Token signature verification when you got the token directly from the token endpoint in TLS channel.
+  verify_signature: false
+)
+puts response.id_token.sub # => OpenID Connect Subject Identifier (= Apple User ID)
+puts response.id_token.original_jwt.pretty_generate
+```
 
 ## Development
 

data/Rakefile

@@ -1,6 +1,19 @@
-require "bundler/gem_tasks"
-require "rspec/core/rake_task"
+require 'bundler'
+Bundler::GemHelper.install_tasks
 
+require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new(:spec)
 
+namespace :coverage do
+  desc 'Open coverage report'
+  task :report do
+    require 'simplecov'
+    `open "#{File.join SimpleCov.coverage_path, 'index.html'}"`
+  end
+end
+
+task :spec do
+  Rake::Task[:'coverage:report'].invoke unless ENV['TRAVIS_RUBY_VERSION']
+end
+
 task :default => :spec

data/VERSION

@@ -1 +1 @@
-0.0.1
+0.1.0

data/apple_id.gemspec

@@ -20,7 +20,10 @@ Gem::Specification.new do |spec|
 
   spec.add_runtime_dependency 'rack-oauth2', '~> 1.9.3'
   spec.add_runtime_dependency 'openid_connect', '~> 1.0'
-  spec.add_development_dependency 'bundler', '~> 1.17'
-  spec.add_development_dependency 'rake', '~> 10.0'
-  spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'rspec-its'
+  spec.add_development_dependency 'webmock'
+  spec.add_development_dependency 'simplecov'
 end

data/lib/apple_id.rb

@@ -2,6 +2,7 @@ require 'openid_connect'
 
 module AppleID
   ISSUER = 'https://appleid.apple.com'
+  JWKS_URI = 'https://appleid.apple.com/auth/keys'
 
   VERSION = ::File.read(
     ::File.join(::File.dirname(__FILE__), '../VERSION')
@@ -50,4 +51,6 @@ module AppleID
   self.debugging = false
 end
 
-require 'apple_id/client'
+require 'apple_id/client'
+require 'apple_id/access_token'
+require 'apple_id/id_token'

data/lib/apple_id/access_token.rb

@@ -0,0 +1,10 @@
+module AppleID
+  class AccessToken < OpenIDConnect::AccessToken
+    undef_required_attributes :client
+
+    def initialize(access_token, attributes = {})
+      super attributes.merge(access_token: access_token)
+      self.id_token = IdToken.decode(id_token) if id_token.present?
+    end
+  end
+end

data/lib/apple_id/client.rb

@@ -1,12 +1,13 @@
 module AppleID
   class Client < OpenIDConnect::Client
+    class Error < Rack::OAuth2::Client::Error; end
+
     attr_required :team_id, :key_id, :private_key
 
     def initialize(attributes)
       attributes_with_default = {
-        host: 'appleid.apple.com',
-        authorization_endpoint: '/auth/authorize',
-        token_endpoint: '/auth/token'
+        authorization_endpoint: File.join(ISSUER, '/auth/authorize'),
+        token_endpoint: File.join(ISSUER, '/auth/token')
       }.merge(attributes)
       super attributes_with_default
     end
@@ -21,7 +22,7 @@ module AppleID
     def client_secret_jwt
       jwt = JSON::JWT.new(
         iss: team_id,
-        aud: AppleID::ISSUER,
+        aud: ISSUER,
         sub: identifier,
         iat: Time.now,
         exp: 1.minutes.from_now
@@ -29,5 +30,22 @@ module AppleID
       jwt.kid = key_id
       jwt.sign(private_key)
     end
+
+    def setup_required_scope(scopes)
+      # NOTE:
+      #  openid_connect gem add `openid` scope automatically.
+      #  However, it's not required for Sign-in with Apple.
+      scopes
+    end
+
+    def handle_success_response(response)
+      token_hash = JSON.parse(response.body).with_indifferent_access
+      AccessToken.new token_hash.delete(:access_token), token_hash
+    end
+
+    def handle_error_response(response)
+      error = JSON.parse(response.body).with_indifferent_access
+      raise Error.new(response.status, error)
+    end
   end
-end
+end

data/lib/apple_id/id_token.rb

@@ -0,0 +1,45 @@
+module AppleID
+  class IdToken < OpenIDConnect::ResponseObject::IdToken
+    class VerificationFailed < StandardError; end
+
+    alias_method :original_jwt, :raw_attributes
+
+    def verify!(expected_client, access_token: nil, code: nil, verify_signature: true)
+      verify_signature! if verify_signature
+      verify_claims! expected_client, access_token, code
+      self
+    end
+
+    class << self
+      def decode(jwt_string)
+        super jwt_string, :skip_verification
+      end
+    end
+
+    private
+
+    def jwks
+      @jwks ||= JSON.parse(
+        OpenIDConnect.http_client.get_content(JWKS_URI)
+      ).with_indifferent_access
+      JSON::JWK::Set.new @jwks[:keys]
+    end
+
+    def verify_signature!
+      original_jwt.verify! jwks
+    rescue
+      raise VerificationFailed, 'Signature Verification Failed'
+    end
+
+    def verify_claims!(expected_client, access_token, code)
+      # TODO: verify at_hash & c_hash
+      unless (
+        iss == ISSUER &&
+        aud == expected_client.identifier &&
+        Time.now.to_i.between?(iat, exp)
+      )
+        raise VerificationFailed, 'Claims Verification Failed'
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: apple_id
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.1.0
 platform: ruby
 authors:
 - nov
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-06-04 00:00:00.000000000 Z
+date: 2019-06-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack-oauth2
@@ -42,44 +42,86 @@ dependencies:
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.17'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.17'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-its
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '0'
 description: Sign-in with Apple backend library in Ruby.
 email:
 - nov@matake.jp
@@ -100,7 +142,9 @@ files:
 - bin/console
 - bin/setup
 - lib/apple_id.rb
+- lib/apple_id/access_token.rb
 - lib/apple_id/client.rb
+- lib/apple_id/id_token.rb
 homepage: https://github.com/nov/apple_id
 licenses:
 - MIT