apple_id 0.1.0 → 0.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.travis.yml +4 -2
- data/README.md +3 -48
- data/VERSION +1 -1
- data/apple_id.gemspec +1 -1
- data/lib/apple_id/id_token.rb +48 -10
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d5d84152da940b14a875e1e927bf5660b3b7a625ca3f84e5f9c5e4e8f0815ae2
|
|
4
|
+
data.tar.gz: 1d8cfa5bf964c5bf482e327a8f205c6e46b54c836622ce4bf4391a399d11d061
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 34ea5191c7f74a974195d6acc31be3684ae5dd6cc325a46771debbbab1bdcd0fc0252669a8ddcb130499a5043363ad63120bdf5a65bbefc9fe1efaef1ac70887
|
|
7
|
+
data.tar.gz: 1b950617cdfce0691403c63f464c32654a99279ecce7f9587575a5303f61426d6bb39a6a6b88e237e7a406669f79e72da144e70fac464ee067367727c07559ad
|
data/.travis.yml
CHANGED
data/README.md
CHANGED
|
@@ -2,9 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
"Sign-in with Apple" is an implementation of OpenID Connect with small custom features.
|
|
4
4
|
|
|
5
|
-
This gem handles
|
|
6
|
-
|
|
7
|
-
Basically, this gem is based on my [OpenID Connect gem](https://github.com/nov/openid_connect) and [OAuth2 gem](https://github.com/nov/rack-oauth2), so the usage is almost same with them.
|
|
5
|
+
This gem handles these Apple custom features.
|
|
8
6
|
|
|
9
7
|
## Installation
|
|
10
8
|
|
|
@@ -26,52 +24,9 @@ Or install it yourself as:
|
|
|
26
24
|
|
|
27
25
|
There is [a sample rails app](https://github.com/nov/signin-with-apple) running at [signin-with-apple.herokuapp.com](https://signin-with-apple.herokuapp.com).
|
|
28
26
|
|
|
29
|
-
If you run script in your terminal only, do like
|
|
27
|
+
If you run script in your terminal only, [do like this](https://gist.github.com/nov/993a303aa6badd8447f7b96fb952088e).
|
|
30
28
|
|
|
31
|
-
|
|
32
|
-
require 'apple_id'
|
|
33
|
-
|
|
34
|
-
# NOTE: in debugging mode, you can see all HTTPS request & response in the log.
|
|
35
|
-
# AppleID.debug!
|
|
36
|
-
|
|
37
|
-
pem = <<-PEM
|
|
38
|
-
-----BEGIN PRIVATE KEY-----
|
|
39
|
-
:
|
|
40
|
-
:
|
|
41
|
-
-----END PRIVATE KEY-----
|
|
42
|
-
PEM
|
|
43
|
-
private_key = OpenSSL::PKey::EC.new pem
|
|
44
|
-
|
|
45
|
-
client = AppleID::Client.new(
|
|
46
|
-
identifier: '<YOUR-CLIENT-ID>',
|
|
47
|
-
team_id: '<YOUR-TEAM-ID>',
|
|
48
|
-
key_id: '<YOUR-KEY-ID>',
|
|
49
|
-
private_key: private_key,
|
|
50
|
-
redirect_uri: '<YOUR-REDIRECT-URI>'
|
|
51
|
-
)
|
|
52
|
-
|
|
53
|
-
authorization_uri = client.authorization_uri(scope: [:email, :name])
|
|
54
|
-
puts authorization_uri
|
|
55
|
-
`open "#{authorization_uri}"`
|
|
56
|
-
|
|
57
|
-
print 'code: ' and STDOUT.flush
|
|
58
|
-
code = gets.chop
|
|
59
|
-
|
|
60
|
-
client.authorization_code = code
|
|
61
|
-
response = client.access_token!
|
|
62
|
-
|
|
63
|
-
response.id_token.verify!(
|
|
64
|
-
client,
|
|
65
|
-
access_token: response.access_token,
|
|
66
|
-
|
|
67
|
-
# NOTE:
|
|
68
|
-
# When verifying signature, one http request to Apple's JWKs are required.
|
|
69
|
-
# You can skip ID Token signature verification when you got the token directly from the token endpoint in TLS channel.
|
|
70
|
-
verify_signature: false
|
|
71
|
-
)
|
|
72
|
-
puts response.id_token.sub # => OpenID Connect Subject Identifier (= Apple User ID)
|
|
73
|
-
puts response.id_token.original_jwt.pretty_generate
|
|
74
|
-
```
|
|
29
|
+
For more details, see [AppleID Wiki](https://github.com/nov/apple_id/wiki).
|
|
75
30
|
|
|
76
31
|
## Development
|
|
77
32
|
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
0.
|
|
1
|
+
0.2.0
|
data/apple_id.gemspec
CHANGED
|
@@ -19,7 +19,7 @@ Gem::Specification.new do |spec|
|
|
|
19
19
|
spec.require_paths = ['lib']
|
|
20
20
|
|
|
21
21
|
spec.add_runtime_dependency 'rack-oauth2', '~> 1.9.3'
|
|
22
|
-
spec.add_runtime_dependency 'openid_connect', '~> 1.
|
|
22
|
+
spec.add_runtime_dependency 'openid_connect', '~> 1.1.7'
|
|
23
23
|
spec.add_development_dependency 'bundler'
|
|
24
24
|
spec.add_development_dependency 'rake'
|
|
25
25
|
spec.add_development_dependency 'rspec'
|
data/lib/apple_id/id_token.rb
CHANGED
|
@@ -4,9 +4,9 @@ module AppleID
|
|
|
4
4
|
|
|
5
5
|
alias_method :original_jwt, :raw_attributes
|
|
6
6
|
|
|
7
|
-
def verify!(
|
|
7
|
+
def verify!(verify_signature: true, client: nil, nonce: nil, state: nil, access_token: nil, code: nil)
|
|
8
8
|
verify_signature! if verify_signature
|
|
9
|
-
verify_claims!
|
|
9
|
+
verify_claims! client, nonce, state, access_token, code
|
|
10
10
|
self
|
|
11
11
|
end
|
|
12
12
|
|
|
@@ -31,14 +31,52 @@ module AppleID
|
|
|
31
31
|
raise VerificationFailed, 'Signature Verification Failed'
|
|
32
32
|
end
|
|
33
33
|
|
|
34
|
-
def verify_claims!(
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
34
|
+
def verify_claims!(client, nonce, state, access_token, code)
|
|
35
|
+
aud = if client.respond_to?(:identifier)
|
|
36
|
+
client.identifier
|
|
37
|
+
else
|
|
38
|
+
client
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
hash_length = original_jwt.alg.to_s[2, 3].to_i
|
|
42
|
+
s_hash = if state.present?
|
|
43
|
+
left_half_hash_of state, hash_length
|
|
44
|
+
end
|
|
45
|
+
at_hash = if access_token.present?
|
|
46
|
+
left_half_hash_of access_token, hash_length
|
|
47
|
+
end
|
|
48
|
+
c_hash = if code.present?
|
|
49
|
+
left_half_hash_of code, hash_length
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
failure_reasons = []
|
|
53
|
+
if self.iss != ISSUER
|
|
54
|
+
failure_reasons << :iss
|
|
55
|
+
end
|
|
56
|
+
if aud.present? && self.aud != aud
|
|
57
|
+
failure_reasons << :aud
|
|
58
|
+
end
|
|
59
|
+
if nonce.present? && self.nonce != nonce
|
|
60
|
+
failure_reasons << :nonce
|
|
61
|
+
end
|
|
62
|
+
if s_hash.present? && self.s_hash != s_hash
|
|
63
|
+
failure_reasons << :s_hash
|
|
64
|
+
end
|
|
65
|
+
if at_hash.present? && self.at_hash != at_hash
|
|
66
|
+
failure_reasons << :at_hash
|
|
67
|
+
end
|
|
68
|
+
if c_hash.present? && self.c_hash != c_hash
|
|
69
|
+
failure_reasons << :c_hash
|
|
70
|
+
end
|
|
71
|
+
if Time.now.to_i < iat
|
|
72
|
+
failure_reasons << :iat
|
|
73
|
+
end
|
|
74
|
+
if Time.now.to_i >= exp
|
|
75
|
+
failure_reasons << :exp
|
|
76
|
+
end
|
|
77
|
+
|
|
78
|
+
if failure_reasons.present?
|
|
79
|
+
raise VerificationFailed, "Claims Verification Failed at #{failure_reasons}"
|
|
42
80
|
end
|
|
43
81
|
end
|
|
44
82
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: apple_id
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- nov
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-06-
|
|
11
|
+
date: 2019-06-06 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rack-oauth2
|
|
@@ -30,14 +30,14 @@ dependencies:
|
|
|
30
30
|
requirements:
|
|
31
31
|
- - "~>"
|
|
32
32
|
- !ruby/object:Gem::Version
|
|
33
|
-
version:
|
|
33
|
+
version: 1.1.7
|
|
34
34
|
type: :runtime
|
|
35
35
|
prerelease: false
|
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
|
37
37
|
requirements:
|
|
38
38
|
- - "~>"
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
|
-
version:
|
|
40
|
+
version: 1.1.7
|
|
41
41
|
- !ruby/object:Gem::Dependency
|
|
42
42
|
name: bundler
|
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|