apple_id 0.1.0 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.travis.yml +4 -2
- data/README.md +3 -48
- data/VERSION +1 -1
- data/apple_id.gemspec +1 -1
- data/lib/apple_id/id_token.rb +48 -10
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d5d84152da940b14a875e1e927bf5660b3b7a625ca3f84e5f9c5e4e8f0815ae2
|
|
4
|
+
data.tar.gz: 1d8cfa5bf964c5bf482e327a8f205c6e46b54c836622ce4bf4391a399d11d061
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 34ea5191c7f74a974195d6acc31be3684ae5dd6cc325a46771debbbab1bdcd0fc0252669a8ddcb130499a5043363ad63120bdf5a65bbefc9fe1efaef1ac70887
|
|
7
|
+
data.tar.gz: 1b950617cdfce0691403c63f464c32654a99279ecce7f9587575a5303f61426d6bb39a6a6b88e237e7a406669f79e72da144e70fac464ee067367727c07559ad
|
data/.travis.yml
CHANGED
data/README.md
CHANGED
|
@@ -2,9 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
"Sign-in with Apple" is an implementation of OpenID Connect with small custom features.
|
|
4
4
|
|
|
5
|
-
This gem handles
|
|
6
|
-
|
|
7
|
-
Basically, this gem is based on my [OpenID Connect gem](https://github.com/nov/openid_connect) and [OAuth2 gem](https://github.com/nov/rack-oauth2), so the usage is almost same with them.
|
|
5
|
+
This gem handles these Apple custom features.
|
|
8
6
|
|
|
9
7
|
## Installation
|
|
10
8
|
|
|
@@ -26,52 +24,9 @@ Or install it yourself as:
|
|
|
26
24
|
|
|
27
25
|
There is [a sample rails app](https://github.com/nov/signin-with-apple) running at [signin-with-apple.herokuapp.com](https://signin-with-apple.herokuapp.com).
|
|
28
26
|
|
|
29
|
-
If you run script in your terminal only, do like
|
|
27
|
+
If you run script in your terminal only, [do like this](https://gist.github.com/nov/993a303aa6badd8447f7b96fb952088e).
|
|
30
28
|
|
|
31
|
-
|
|
32
|
-
require 'apple_id'
|
|
33
|
-
|
|
34
|
-
# NOTE: in debugging mode, you can see all HTTPS request & response in the log.
|
|
35
|
-
# AppleID.debug!
|
|
36
|
-
|
|
37
|
-
pem = <<-PEM
|
|
38
|
-
-----BEGIN PRIVATE KEY-----
|
|
39
|
-
:
|
|
40
|
-
:
|
|
41
|
-
-----END PRIVATE KEY-----
|
|
42
|
-
PEM
|
|
43
|
-
private_key = OpenSSL::PKey::EC.new pem
|
|
44
|
-
|
|
45
|
-
client = AppleID::Client.new(
|
|
46
|
-
identifier: '<YOUR-CLIENT-ID>',
|
|
47
|
-
team_id: '<YOUR-TEAM-ID>',
|
|
48
|
-
key_id: '<YOUR-KEY-ID>',
|
|
49
|
-
private_key: private_key,
|
|
50
|
-
redirect_uri: '<YOUR-REDIRECT-URI>'
|
|
51
|
-
)
|
|
52
|
-
|
|
53
|
-
authorization_uri = client.authorization_uri(scope: [:email, :name])
|
|
54
|
-
puts authorization_uri
|
|
55
|
-
`open "#{authorization_uri}"`
|
|
56
|
-
|
|
57
|
-
print 'code: ' and STDOUT.flush
|
|
58
|
-
code = gets.chop
|
|
59
|
-
|
|
60
|
-
client.authorization_code = code
|
|
61
|
-
response = client.access_token!
|
|
62
|
-
|
|
63
|
-
response.id_token.verify!(
|
|
64
|
-
client,
|
|
65
|
-
access_token: response.access_token,
|
|
66
|
-
|
|
67
|
-
# NOTE:
|
|
68
|
-
# When verifying signature, one http request to Apple's JWKs are required.
|
|
69
|
-
# You can skip ID Token signature verification when you got the token directly from the token endpoint in TLS channel.
|
|
70
|
-
verify_signature: false
|
|
71
|
-
)
|
|
72
|
-
puts response.id_token.sub # => OpenID Connect Subject Identifier (= Apple User ID)
|
|
73
|
-
puts response.id_token.original_jwt.pretty_generate
|
|
74
|
-
```
|
|
29
|
+
For more details, see [AppleID Wiki](https://github.com/nov/apple_id/wiki).
|
|
75
30
|
|
|
76
31
|
## Development
|
|
77
32
|
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
0.
|
|
1
|
+
0.2.0
|
data/apple_id.gemspec
CHANGED
|
@@ -19,7 +19,7 @@ Gem::Specification.new do |spec|
|
|
|
19
19
|
spec.require_paths = ['lib']
|
|
20
20
|
|
|
21
21
|
spec.add_runtime_dependency 'rack-oauth2', '~> 1.9.3'
|
|
22
|
-
spec.add_runtime_dependency 'openid_connect', '~> 1.
|
|
22
|
+
spec.add_runtime_dependency 'openid_connect', '~> 1.1.7'
|
|
23
23
|
spec.add_development_dependency 'bundler'
|
|
24
24
|
spec.add_development_dependency 'rake'
|
|
25
25
|
spec.add_development_dependency 'rspec'
|
data/lib/apple_id/id_token.rb
CHANGED
|
@@ -4,9 +4,9 @@ module AppleID
|
|
|
4
4
|
|
|
5
5
|
alias_method :original_jwt, :raw_attributes
|
|
6
6
|
|
|
7
|
-
def verify!(
|
|
7
|
+
def verify!(verify_signature: true, client: nil, nonce: nil, state: nil, access_token: nil, code: nil)
|
|
8
8
|
verify_signature! if verify_signature
|
|
9
|
-
verify_claims!
|
|
9
|
+
verify_claims! client, nonce, state, access_token, code
|
|
10
10
|
self
|
|
11
11
|
end
|
|
12
12
|
|
|
@@ -31,14 +31,52 @@ module AppleID
|
|
|
31
31
|
raise VerificationFailed, 'Signature Verification Failed'
|
|
32
32
|
end
|
|
33
33
|
|
|
34
|
-
def verify_claims!(
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
34
|
+
def verify_claims!(client, nonce, state, access_token, code)
|
|
35
|
+
aud = if client.respond_to?(:identifier)
|
|
36
|
+
client.identifier
|
|
37
|
+
else
|
|
38
|
+
client
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
hash_length = original_jwt.alg.to_s[2, 3].to_i
|
|
42
|
+
s_hash = if state.present?
|
|
43
|
+
left_half_hash_of state, hash_length
|
|
44
|
+
end
|
|
45
|
+
at_hash = if access_token.present?
|
|
46
|
+
left_half_hash_of access_token, hash_length
|
|
47
|
+
end
|
|
48
|
+
c_hash = if code.present?
|
|
49
|
+
left_half_hash_of code, hash_length
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
failure_reasons = []
|
|
53
|
+
if self.iss != ISSUER
|
|
54
|
+
failure_reasons << :iss
|
|
55
|
+
end
|
|
56
|
+
if aud.present? && self.aud != aud
|
|
57
|
+
failure_reasons << :aud
|
|
58
|
+
end
|
|
59
|
+
if nonce.present? && self.nonce != nonce
|
|
60
|
+
failure_reasons << :nonce
|
|
61
|
+
end
|
|
62
|
+
if s_hash.present? && self.s_hash != s_hash
|
|
63
|
+
failure_reasons << :s_hash
|
|
64
|
+
end
|
|
65
|
+
if at_hash.present? && self.at_hash != at_hash
|
|
66
|
+
failure_reasons << :at_hash
|
|
67
|
+
end
|
|
68
|
+
if c_hash.present? && self.c_hash != c_hash
|
|
69
|
+
failure_reasons << :c_hash
|
|
70
|
+
end
|
|
71
|
+
if Time.now.to_i < iat
|
|
72
|
+
failure_reasons << :iat
|
|
73
|
+
end
|
|
74
|
+
if Time.now.to_i >= exp
|
|
75
|
+
failure_reasons << :exp
|
|
76
|
+
end
|
|
77
|
+
|
|
78
|
+
if failure_reasons.present?
|
|
79
|
+
raise VerificationFailed, "Claims Verification Failed at #{failure_reasons}"
|
|
42
80
|
end
|
|
43
81
|
end
|
|
44
82
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: apple_id
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- nov
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-06-
|
|
11
|
+
date: 2019-06-06 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rack-oauth2
|
|
@@ -30,14 +30,14 @@ dependencies:
|
|
|
30
30
|
requirements:
|
|
31
31
|
- - "~>"
|
|
32
32
|
- !ruby/object:Gem::Version
|
|
33
|
-
version:
|
|
33
|
+
version: 1.1.7
|
|
34
34
|
type: :runtime
|
|
35
35
|
prerelease: false
|
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
|
37
37
|
requirements:
|
|
38
38
|
- - "~>"
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
|
-
version:
|
|
40
|
+
version: 1.1.7
|
|
41
41
|
- !ruby/object:Gem::Dependency
|
|
42
42
|
name: bundler
|
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|