omniauth-apple 1.0.2 → 1.2.2

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: a5e32b1f9b3dfe8859855b86ffdb6da18d238c0f065d2aa83fd8494ae49a3dc5
4
- data.tar.gz: bab7b98074c2a989120b1a7d3188a9ba85037c55956efc5e2e462373ed9d0d4f
3
+ metadata.gz: 81a5350ae8be48914ee324f8586b5d58f83927467bc87106cab846e028e38beb
4
+ data.tar.gz: 42db86865c9120c95e7326359e3ac02dd58dbd28bfe84c7fc0bbb002488b0a1b
5
5
  SHA512:
6
- metadata.gz: bce3e4e1a4feb3df68f3d2d5361a56e6977dfe765068b2bee6cef743a41f59212d1b533a1cdefbeb1eaebf8a7cf832dd0f53dbd080f4efa1311bd30942b7ea86
7
- data.tar.gz: c67ff848f44f6061c6f319db5a708e0e407977446252bea63af9e94799df2ce140c93dd7a5be5c1afbbdf3fdcdeafaeb7650cad4de199749d8edb436f21896e8
6
+ metadata.gz: 18a1bf098d7687ed17df039b9b2f4b0a388f0d6858a4a54aa8c94a7233622f7cb1d4485a38d870ae430f873aadaaee8d9d1b42c9f8a91545c0bdb10c4cffbe11
7
+ data.tar.gz: f53179d2a247e0fd2559614fece6b3b734579d756be44c1b4c40ab9c6911479e38dc7f74800dcc59b36b09749656bb93aff6c8eeccc422238e95667049064b63
@@ -6,21 +6,22 @@ on:
6
6
  - master
7
7
  pull_request:
8
8
 
9
+ permissions:
10
+ contents: read
11
+
9
12
  jobs:
10
- build:
13
+ spec:
11
14
  runs-on: ubuntu-latest
12
15
  strategy:
13
16
  fail-fast: false
14
17
  matrix:
15
- ruby: ['2.5', '2.6', '2.7']
18
+ ruby: ['2.6', '2.7', '3.0', '3.1']
16
19
  steps:
17
- - uses: actions/checkout@v2
18
- - name: Set up Ruby ${{ matrix.ruby }}
19
- uses: actions/setup-ruby@v1
20
+ - uses: actions/checkout@v3
21
+ - name: Set up Ruby
22
+ uses: ruby/setup-ruby@v1
20
23
  with:
21
24
  ruby-version: ${{ matrix.ruby }}
22
- - name: Build and test with Rake on Ruby ${{ matrix.ruby }}
23
- run: |
24
- gem install bundler
25
- bundle install --jobs 4 --retry 3
26
- bundle exec rake spec
25
+ bundler-cache: true
26
+ - name: Run Specs
27
+ run: bundle exec rake spec
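Review bot: the two `uses:` lines under `steps` still reference actions by mutable tag (`actions/checkout@v3`, `ruby/setup-ruby@v1`), so the code that runs in CI can change without a change to this file. Since this change already restricts the token with `permissions: contents: read`, pinning both actions to a full commit SHA, with the tag kept in a trailing comment, would finish the hardening.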
data/CHANGELOG.md CHANGED
@@ -1,5 +1,30 @@
1
1
  ## [Unreleased]
2
2
 
3
+ ## [1.2.1] - 2022-10-25
4
+
5
+ ### Fixed
6
+
7
+ - [#94](https://github.com/nhosoya/omniauth-apple/pull/94) rack-protection.rb is back in rack-protection v3.0.1
8
+ - [#96](https://github.com/nhosoya/omniauth-apple/pull/96) handle JWKS fetch failures
9
+
10
+ ## [1.2.0] - 2022-09-27
11
+
12
+ ### Fixed
13
+
14
+ - [#91](https://github.com/nhosoya/omniauth-apple/pull/91) explicitly specify auth_scheme for oauth2 v2+ support
15
+
16
+ ## [1.1.0] - 2022-09-26
17
+
18
+ ### Added
19
+
20
+ - [#67](https://github.com/nhosoya/omniauth-apple/pull/67) Add email_verified and is_private_email
21
+
22
+ ### Fixed
23
+
24
+ - [#74](https://github.com/nhosoya/omniauth-apple/pull/74) rspec failure - callback_path null pointer
25
+ - [#81](https://github.com/nhosoya/omniauth-apple/pull/81) Allow for omniauth 2.0 series
26
+ - [#88](https://github.com/nhosoya/omniauth-apple/pull/88) update github actions config
27
+
3
28
  ## [1.0.2] - 2021-05-19
4
29
 
5
30
  ### Fixed
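Review bot: the newest entry added at the top of the changelog is `[1.2.1] - 2022-10-25`, but this release sets `VERSION = "1.2.2"` and the gem metadata is dated 2022-10-31, so there is no entry describing what 1.2.2 changed. Please add a `## [1.2.2]` section, or move the relevant items out of `[Unreleased]`, before tagging.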
@@ -33,7 +58,7 @@
33
58
 
34
59
  ### Changed
35
60
 
36
- - [#27](https://github.com/nhosoya/omniauth-apple/pull/27) Update development dependency
61
+ - [#27](https://github.com/nhosoya/omniauth-apple/pull/27) Update development dependency
37
62
  - [#28](https://github.com/nhosoya/omniauth-apple/pull/28) Update README.md
38
63
  - [#38](https://github.com/nhosoya/omniauth-apple/pull/38) Refine AuthHash
39
64
  - [#39](https://github.com/nhosoya/omniauth-apple/pull/39) Set the default scope to 'email name'
@@ -44,7 +69,9 @@
44
69
 
45
70
  ## [0.0.1] - 2019-06-07
46
71
 
47
- [Unreleased]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.2...master
48
- [1.0.0]: https://github.com/nhosoya/omniauth-apple/compare/v0.0.3...v1.0.0
49
- [1.0.1]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.0...v1.0.1
72
+ [Unreleased]: https://github.com/nhosoya/omniauth-apple/compare/v1.2.0...master
73
+ [1.2.0]: https://github.com/nhosoya/omniauth-apple/compare/v1.1.0...v1.2.0
74
+ [1.1.0]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.2...v1.1.0
50
75
  [1.0.2]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.1...v1.0.2
76
+ [1.0.1]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.0...v1.0.1
77
+ [1.0.0]: https://github.com/nhosoya/omniauth-apple/compare/v0.0.3...v1.0.0
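Review bot: the link references at the bottom stop at `[1.2.0]`, so the `## [1.2.1]` heading added above has no target, and `[Unreleased]` still compares from `v1.2.0`. Add a `[1.2.1]: .../compare/v1.2.0...v1.2.1` line and point `[Unreleased]` at the latest released tag.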
data/README.md CHANGED
@@ -34,6 +34,77 @@ Rails.application.config.middleware.use OmniAuth::Builder do
34
34
  end
35
35
  ```
36
36
 
37
+ ## Configuring "Sign In with Apple"
38
+
39
+ _other Sign In with Apple guides:_
40
+ - ["How To" by janak amarasena (2019)](https://medium.com/identity-beyond-borders/how-to-configure-sign-in-with-apple-77c61e336003)
41
+ - [the docs, by Apple](https://developer.apple.com/sign-in-with-apple/)
42
+
43
+ ### Look out for the values you need for your config
44
+ 1. your domain and subdomains, something like: `myapp.com`, `www.myapp.com`
45
+ 2. your redirect uri, something like: `https://myapp.com/users/auth/apple/callback` (check `rails routes` to be sure)
46
+ 3. omniauth's "client id" will be Apple's "bundle id", something like: `com.myapp`
47
+ 4. you will get the "team id" value from Apple when you create your _**App Id**_, something like: `H000000B`
48
+ 5. Apple will give you a `.p8` file, which you'll use to GENERATE your `:pem` value
49
+
50
+ ### Steps
51
+
52
+ 1. Log into your [Apple Developer Account](https://idmsa.apple.com/IDMSWebAuth/signin?appIdKey=891bd3417a7776362562d2197f89480a8547b108fd934911bcbea0110d07f757&path=%2Faccount%2F&rv=1)
53
+ (if you don't have one, you can [create one here](https://appleid.apple.com/account?appId=632&returnUrl=https%3A%2F%2Fdeveloper.apple.com%2Faccount%2F))
54
+
55
+ 2. Get an App Id with the "Sign In with Apple" capability
56
+ - go to your [Identifiers](https://developer.apple.com/account/resources/identifiers/list) list
57
+ - [start a new Identifier](https://developer.apple.com/account/resources/identifiers/add/bundleId) by clicking on the + sign in the Identifiers List
58
+ - select _**App IDs**_ and click _**continue**_
59
+ - select _**App**_ and _**continue**_
60
+ - enter a description and a bundle id
61
+ - check the **_"Sign In with Apple"_** capability
62
+ - save it
63
+
64
+ 3. Get a Services Id (which we will use as our client id)
65
+ - go to your [Identifiers](https://developer.apple.com/account/resources/identifiers/list) list
66
+ - [start a new Identifier](https://developer.apple.com/account/resources/identifiers/add/bundleId) by clicking on the + sign in the Identifiers List
67
+ - select _**Services IDs**_ and click _**continue**_
68
+ - enter a description and a bundle id
69
+ - make sure **_"Sign In with Apple"_** is checked, then click _**configure**_
70
+ - make sure the Primary App ID matches the App ID you configured earlier
71
+ - enter all the subdomains you might use (comma delimited):
72
+
73
+ example.com,www.example.com
74
+
75
+ - enter all the redirect URLS you might use (comma delimited):
76
+
77
+ https://example.com/users/auth/apple/callback,https://example.com/users/auth/apple/callback
78
+
79
+ - save the "Sign In with Apple" capability config and the Service Id
80
+
81
+ 4. Get a Secret Key
82
+ - go to your [Keys](https://developer.apple.com/account/resources/authkeys/list) list
83
+ - [start a new Key](https://developer.apple.com/account/resources/authkeys/add) by clicking on the + sign in the Keys List
84
+ - enter a name
85
+ - make sure **_"Sign In with Apple"_** is checked, then click _**configure**_
86
+ - make sure the Primary App ID matches the App ID you configured earlier
87
+ - save the "Sign In with Apple" capability
88
+ - click "continue" to finish the Key config (you will be prompted to _**Download Your Key**_)
89
+ - Apple will give you a `.p8` file, keep it safe and secure (don't commit it).
90
+
91
+ ### Mapping Apple Values to OmniAuth Values
92
+ - your `:team_id` is in the top-right of your App Id config (aka _**App ID Prefix**_), it looks like: `H000000B`
93
+ - your `:client_id` is in the top-right of your Services Id config (aka _**Identifier**_), it looks like: `com.example`
94
+ - your `:key_id` is on the left side of your Key Details page, it looks like: `XYZ000000`
95
+ - your `:pem` is the content of the `.p8` file you got from Apple, _**with an extra newline at the end**_
96
+
97
+ - example from a Devise config:
98
+
99
+ ```ruby
100
+ config.omniauth :apple, ENV['APPLE_SERVICE_BUNDLE_ID'], '', {
101
+ scope: 'email name',
102
+ team_id: ENV['APPLE_APP_ID_PREFIX'],
103
+ key_id: ENV['APPLE_KEY_ID'],
104
+ pem: ENV['APPLE_P8_FILE_CONTENT_WITH_EXTRA_NEWLINE']
105
+ }
106
+ ```
107
+
37
108
  ## Contributing
38
109
 
39
110
  Bug reports and pull requests are welcome on GitHub at https://github.com/nhosoya/omniauth-apple.
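Review bot: in step 3, the redirect URL example lists the same value twice (`https://example.com/users/auth/apple/callback,https://example.com/users/auth/apple/callback`); the second entry was presumably meant to be the `www.example.com` variant to match the subdomain example above it. The guide is also inconsistent about `:client_id`: item 3 under "Look out for the values" says it is Apple's "bundle id", while step 3 and the mapping section say it is the Services Id Identifier, so item 3 should be reworded to match. Since `:pem` is a private key read from `ENV`, a sentence on how to load the `.p8` content into that variable with its newlines intact would help readers avoid pasting the key into config files.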
@@ -1,5 +1,5 @@
1
1
  module OmniAuth
2
2
  module Apple
3
- VERSION = "1.0.2"
3
+ VERSION = "1.2.2"
4
4
  end
5
5
  end
@@ -6,12 +6,19 @@ require 'net/https'
6
6
  module OmniAuth
7
7
  module Strategies
8
8
  class Apple < OmniAuth::Strategies::OAuth2
9
+ class JWTFetchingFailed < CallbackError
10
+ def initialize(error_reason = nil, error_uri = nil)
11
+ super :jwks_fetching_failed, error_reason, error_uri
12
+ end
13
+ end
14
+
9
15
  option :name, 'apple'
10
16
 
11
17
  option :client_options,
12
18
  site: 'https://appleid.apple.com',
13
19
  authorize_url: '/auth/authorize',
14
- token_url: '/auth/token'
20
+ token_url: '/auth/token',
21
+ auth_scheme: :request_body
15
22
  option :authorize_params,
16
23
  response_mode: 'form_post',
17
24
  scope: 'email name'
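Review bot: the new error class is named `JWTFetchingFailed`, but it reports `:jwks_fetching_failed` and is raised when the key set cannot be fetched, not a token; `JWKSFetchingFailed` would match both the symbol and the behaviour. The added `auth_scheme: :request_body` option would also benefit from a one-line comment saying why it is set explicitly, since the changelog ties it to oauth2 v2+ support.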
@@ -19,6 +26,8 @@ module OmniAuth
19
26
 
20
27
  uid { id_info['sub'] }
21
28
 
29
+ # Documentation on parameters
30
+ # https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple
22
31
  info do
23
32
  prune!(
24
33
  sub: id_info['sub'],
@@ -26,6 +35,8 @@ module OmniAuth
26
35
  first_name: first_name,
27
36
  last_name: last_name,
28
37
  name: (first_name || last_name) ? [first_name, last_name].join(' ') : email,
38
+ email_verified: email_verified,
39
+ is_private_email: is_private_email
29
40
  )
30
41
  end
31
42
 
@@ -38,12 +49,22 @@ module OmniAuth
38
49
  ::OAuth2::Client.new(client_id, client_secret, deep_symbolize(options.client_options))
39
50
  end
40
51
 
52
+ def email_verified
53
+ value = id_info['email_verified']
54
+ value == true || value == "true"
55
+ end
56
+
57
+ def is_private_email
58
+ value = id_info['is_private_email']
59
+ value == true || value == "true"
60
+ end
61
+
41
62
  def authorize_params
42
63
  super.merge(nonce: new_nonce)
43
64
  end
44
65
 
45
66
  def callback_url
46
- options[:redirect_uri] || (full_host + script_name + callback_path)
67
+ options[:redirect_uri] || (full_host + callback_path)
47
68
  end
48
69
 
49
70
  private
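Review bot: in `callback_url`, dropping `script_name` changes the computed redirect URI for any app mounted under a sub-path unless `callback_path` already includes that prefix, and the changelog says both the omniauth 1.x and 2.0 series are allowed. Because this value has to match a redirect URL registered with Apple, please add a spec with a non-empty `script_name` against each supported omniauth series. Separately, `email_verified` and `is_private_email` return `false` when the claim is absent from `id_info`, so a missing claim is indistinguishable from an explicit `false`; if that is intended, a comment saying so would help, and the two identical bodies could share one private helper.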
@@ -59,27 +80,38 @@ module OmniAuth
59
80
  def id_info
60
81
  @id_info ||= if request.params&.key?('id_token') || access_token&.params&.key?('id_token')
61
82
  id_token = request.params['id_token'] || access_token.params['id_token']
62
- jwt_options = {
63
- verify_iss: true,
64
- iss: 'https://appleid.apple.com',
65
- verify_iat: true,
66
- verify_aud: true,
67
- aud: [options.client_id].concat(options.authorized_client_ids),
68
- algorithms: ['RS256'],
69
- jwks: fetch_jwks
70
- }
71
- payload, _header = ::JWT.decode(id_token, nil, true, jwt_options)
72
- verify_nonce!(payload)
73
- payload
83
+ if (verification_key = fetch_jwks)
84
+ jwt_options = {
85
+ verify_iss: true,
86
+ iss: 'https://appleid.apple.com',
87
+ verify_iat: true,
88
+ verify_aud: true,
89
+ aud: [options.client_id].concat(options.authorized_client_ids),
90
+ algorithms: ['RS256'],
91
+ jwks: verification_key
92
+ }
93
+ payload, _header = ::JWT.decode(id_token, nil, true, jwt_options)
94
+ verify_nonce!(payload)
95
+ payload
96
+ else
97
+ {}
98
+ end
74
99
  end
75
100
  end
76
101
 
77
102
  def fetch_jwks
78
- http = Net::HTTP.new('appleid.apple.com', 443)
79
- http.use_ssl = true
80
- request = Net::HTTP::Get.new('/auth/keys', 'User-Agent' => 'ruby/omniauth-apple')
81
- response = http.request(request)
82
- JSON.parse(response.body, symbolize_names: true)
103
+ conn = Faraday.new(headers: {user_agent: 'ruby/omniauth-apple'}) do |c|
104
+ c.response :json, parser_options: { symbolize_names: true }
105
+ c.adapter Faraday.default_adapter
106
+ end
107
+ res = conn.get 'https://appleid.apple.com/auth/keys'
108
+ if res.success?
109
+ res.body
110
+ else
111
+ raise JWTFetchingFailed.new('HTTP Error when fetching JWKs')
112
+ end
113
+ rescue JWTFetchingFailed, Faraday::Error => e
114
+ fail!(:jwks_fetching_failed, e) and nil
83
115
  end
84
116
 
85
117
  def verify_nonce!(payload)
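Review bot: in `id_info`, the new `else` branch returns `{}` when `fetch_jwks` yields nil, so after `fail!` has already been called the caller keeps going with an empty hash, `uid { id_info['sub'] }` evaluates to nil, and `@id_info ||=` memoizes that empty result. Please confirm the callback phase stops at that point, or raise out of `id_info` so no auth hash can be built without a verified token, and add a spec for the failed-fetch path. In `fetch_jwks`, `fail!(:jwks_fetching_failed, e) and nil` depends on the return value of `fail!` being truthy; calling `fail!` and then returning `nil` on its own line is clearer. The Faraday connection is also created without a timeout, and the body is returned without checking that it contains a `keys` array.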
@@ -42,5 +42,5 @@ Gem::Specification.new do |spec|
42
42
  spec.add_development_dependency "rake", "~> 13.0"
43
43
  spec.add_development_dependency "rspec", "~> 3.9"
44
44
  spec.add_development_dependency "webmock", "~> 3.8"
45
- spec.add_development_dependency 'simplecov', "~> 0.18"
45
+ spec.add_development_dependency "simplecov", "~> 0.18"
46
46
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: omniauth-apple
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.2
4
+ version: 1.2.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - nhosoya
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: exe
11
11
  cert_chain: []
12
- date: 2021-05-19 00:00:00.000000000 Z
12
+ date: 2022-10-31 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: omniauth-oauth2
@@ -150,7 +150,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
150
150
  - !ruby/object:Gem::Version
151
151
  version: '0'
152
152
  requirements: []
153
- rubygems_version: 3.2.3
153
+ rubygems_version: 3.3.7
154
154
  signing_key:
155
155
  specification_version: 4
156
156
  summary: OmniAuth strategy for Sign In with Apple