omniauth-apple 1.0.2 → 1.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a5e32b1f9b3dfe8859855b86ffdb6da18d238c0f065d2aa83fd8494ae49a3dc5
-  data.tar.gz: bab7b98074c2a989120b1a7d3188a9ba85037c55956efc5e2e462373ed9d0d4f
+  metadata.gz: 81a5350ae8be48914ee324f8586b5d58f83927467bc87106cab846e028e38beb
+  data.tar.gz: 42db86865c9120c95e7326359e3ac02dd58dbd28bfe84c7fc0bbb002488b0a1b
 SHA512:
-  metadata.gz: bce3e4e1a4feb3df68f3d2d5361a56e6977dfe765068b2bee6cef743a41f59212d1b533a1cdefbeb1eaebf8a7cf832dd0f53dbd080f4efa1311bd30942b7ea86
-  data.tar.gz: c67ff848f44f6061c6f319db5a708e0e407977446252bea63af9e94799df2ce140c93dd7a5be5c1afbbdf3fdcdeafaeb7650cad4de199749d8edb436f21896e8
+  metadata.gz: 18a1bf098d7687ed17df039b9b2f4b0a388f0d6858a4a54aa8c94a7233622f7cb1d4485a38d870ae430f873aadaaee8d9d1b42c9f8a91545c0bdb10c4cffbe11
+  data.tar.gz: f53179d2a247e0fd2559614fece6b3b734579d756be44c1b4c40ab9c6911479e38dc7f74800dcc59b36b09749656bb93aff6c8eeccc422238e95667049064b63

data/.github/workflows/rspec.yml

@@ -6,21 +6,22 @@ on:
       - master
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
-  build:
+  spec:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        ruby: ['2.5', '2.6', '2.7']
+        ruby: ['2.6', '2.7', '3.0', '3.1']
     steps:
-    - uses: actions/checkout@v2
-    - name: Set up Ruby ${{ matrix.ruby }}
-      uses: actions/setup-ruby@v1
+    - uses: actions/checkout@v3
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
       with:
         ruby-version: ${{ matrix.ruby }}
-    - name: Build and test with Rake on Ruby ${{ matrix.ruby }}
-      run: |
-        gem install bundler
-        bundle install --jobs 4 --retry 3
-        bundle exec rake spec
+        bundler-cache: true
+    - name: Run Specs
+      run: bundle exec rake spec

data/CHANGELOG.md

@@ -1,5 +1,30 @@
 ## [Unreleased]
 
+## [1.2.1] - 2022-10-25
+
+### Fixed
+
+- [#94](https://github.com/nhosoya/omniauth-apple/pull/94) rack-protection.rb is back in rack-protection v3.0.1
+- [#96](https://github.com/nhosoya/omniauth-apple/pull/96) handle JWKS fetch failures
+
+## [1.2.0] - 2022-09-27
+
+### Fixed
+
+- [#91](https://github.com/nhosoya/omniauth-apple/pull/91) explicitly specify auth_scheme for oauth2 v2+ support
+
+## [1.1.0] - 2022-09-26
+
+### Added
+
+- [#67](https://github.com/nhosoya/omniauth-apple/pull/67) Add email_verified and is_private_email
+
+### Fixed
+
+- [#74](https://github.com/nhosoya/omniauth-apple/pull/74) rspec failure - callback_path null pointer
+- [#81](https://github.com/nhosoya/omniauth-apple/pull/81) Allow for omniauth 2.0 series
+- [#88](https://github.com/nhosoya/omniauth-apple/pull/88) update github actions config
+
 ## [1.0.2] - 2021-05-19
 
 ### Fixed
@@ -33,7 +58,7 @@
 
 ### Changed
 
-- [#27](https://github.com/nhosoya/omniauth-apple/pull/27) Update development dependency 
+- [#27](https://github.com/nhosoya/omniauth-apple/pull/27) Update development dependency
 - [#28](https://github.com/nhosoya/omniauth-apple/pull/28) Update README.md
 - [#38](https://github.com/nhosoya/omniauth-apple/pull/38) Refine AuthHash
 - [#39](https://github.com/nhosoya/omniauth-apple/pull/39) Set the default scope to 'email name'
@@ -44,7 +69,9 @@
 
 ## [0.0.1] - 2019-06-07
 
-[Unreleased]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.2...master
-[1.0.0]: https://github.com/nhosoya/omniauth-apple/compare/v0.0.3...v1.0.0
-[1.0.1]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.0...v1.0.1
+[Unreleased]: https://github.com/nhosoya/omniauth-apple/compare/v1.2.0...master
+[1.2.0]: https://github.com/nhosoya/omniauth-apple/compare/v1.1.0...v1.2.0
+[1.1.0]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.2...v1.1.0
 [1.0.2]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.1...v1.0.2
+[1.0.1]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.0...v1.0.1
+[1.0.0]: https://github.com/nhosoya/omniauth-apple/compare/v0.0.3...v1.0.0

data/README.md

@@ -34,6 +34,77 @@ Rails.application.config.middleware.use OmniAuth::Builder do
 end
 ```
 
+## Configuring "Sign In with Apple"
+
+_other Sign In with Apple guides:_
+- ["How To" by janak amarasena (2019)](https://medium.com/identity-beyond-borders/how-to-configure-sign-in-with-apple-77c61e336003)
+- [the docs, by Apple](https://developer.apple.com/sign-in-with-apple/)
+
+### Look out for the values you need for your config
+  1. your domain and subdomains, something like: `myapp.com`, `www.myapp.com`
+  2. your redirect uri, something like: `https://myapp.com/users/auth/apple/callback` (check `rails routes` to be sure)
+  3. omniauth's "client id" will be Apple's "bundle id", something like: `com.myapp`
+  4. you will get the "team id" value from Apple when you create your _**App Id**_, something like: `H000000B`
+  5. Apple will give you a `.p8` file, which you'll use to GENERATE your `:pem` value
+
+### Steps
+
+1. Log into your [Apple Developer Account](https://idmsa.apple.com/IDMSWebAuth/signin?appIdKey=891bd3417a7776362562d2197f89480a8547b108fd934911bcbea0110d07f757&path=%2Faccount%2F&rv=1)
+    (if you don't have one, you can [create one here](https://appleid.apple.com/account?appId=632&returnUrl=https%3A%2F%2Fdeveloper.apple.com%2Faccount%2F))
+
+2. Get an App Id with the "Sign In with Apple" capability
+    - go to your [Identifiers](https://developer.apple.com/account/resources/identifiers/list) list
+    - [start a new Identifier](https://developer.apple.com/account/resources/identifiers/add/bundleId) by clicking on the + sign in the Identifiers List
+    - select _**App IDs**_ and click _**continue**_
+    - select _**App**_ and _**continue**_
+    - enter a description and a bundle id
+    - check the **_"Sign In with Apple"_** capability
+    - save it
+
+3. Get a Services Id (which we will use as our client id)
+    - go to your [Identifiers](https://developer.apple.com/account/resources/identifiers/list) list
+    - [start a new Identifier](https://developer.apple.com/account/resources/identifiers/add/bundleId) by clicking on the + sign in the Identifiers List
+    - select _**Services IDs**_ and click _**continue**_
+    - enter a description and a bundle id
+    - make sure **_"Sign In with Apple"_** is checked, then click _**configure**_
+    - make sure the Primary App ID matches the App ID you configured earlier
+    -  enter all the subdomains you might use (comma delimited):
+
+        example.com,www.example.com
+
+    - enter all the redirect URLS you might use (comma delimited):
+
+       https://example.com/users/auth/apple/callback,https://example.com/users/auth/apple/callback
+
+    -  save the "Sign In with Apple" capability config and the Service Id
+
+4. Get a Secret Key
+    - go to your [Keys](https://developer.apple.com/account/resources/authkeys/list) list
+    - [start a new Key](https://developer.apple.com/account/resources/authkeys/add) by clicking on the + sign in the Keys List
+    - enter a name
+    - make sure **_"Sign In with Apple"_** is checked, then click _**configure**_
+    - make sure the Primary App ID matches the App ID you configured earlier
+    - save the "Sign In with Apple" capability
+    - click "continue" to finish the Key config (you will be prompted to _**Download Your Key**_)
+    - Apple will give you a `.p8` file, keep it safe and secure (don't commit it).
+
+### Mapping Apple Values to OmniAuth Values
+  - your `:team_id` is in the top-right of your App Id config (aka _**App ID Prefix**_), it looks like: `H000000B`
+  - your `:client_id` is in the top-right of your Services Id config (aka _**Identifier**_), it looks like: `com.example`
+  - your `:key_id` is on the left side of your Key Details page, it looks like: `XYZ000000`
+  - your `:pem` is the content of the `.p8` file you got from Apple, _**with an extra newline at the end**_
+
+  - example from a Devise config:
+
+      ```ruby
+        config.omniauth :apple, ENV['APPLE_SERVICE_BUNDLE_ID'], '', {
+          scope: 'email name',
+          team_id: ENV['APPLE_APP_ID_PREFIX'],
+          key_id: ENV['APPLE_KEY_ID'],
+          pem: ENV['APPLE_P8_FILE_CONTENT_WITH_EXTRA_NEWLINE']
+        }
+      ```
+
 ## Contributing
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/nhosoya/omniauth-apple.

data/lib/omniauth/apple/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Apple
-    VERSION = "1.0.2"
+    VERSION = "1.2.2"
   end
 end

data/lib/omniauth/strategies/apple.rb

@@ -6,12 +6,19 @@ require 'net/https'
 module OmniAuth
   module Strategies
     class Apple < OmniAuth::Strategies::OAuth2
+      class JWTFetchingFailed < CallbackError
+        def initialize(error_reason = nil, error_uri = nil)
+          super :jwks_fetching_failed, error_reason, error_uri
+        end
+      end
+
       option :name, 'apple'
 
       option :client_options,
              site: 'https://appleid.apple.com',
              authorize_url: '/auth/authorize',
-             token_url: '/auth/token'
+             token_url: '/auth/token',
+             auth_scheme: :request_body
       option :authorize_params,
              response_mode: 'form_post',
              scope: 'email name'
@@ -19,6 +26,8 @@ module OmniAuth
 
       uid { id_info['sub'] }
 
+      # Documentation on parameters
+      # https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple
       info do
         prune!(
           sub: id_info['sub'],
@@ -26,6 +35,8 @@ module OmniAuth
           first_name: first_name,
           last_name: last_name,
           name: (first_name || last_name) ? [first_name, last_name].join(' ') : email,
+          email_verified: email_verified,
+          is_private_email: is_private_email
         )
       end
 
@@ -38,12 +49,22 @@ module OmniAuth
         ::OAuth2::Client.new(client_id, client_secret, deep_symbolize(options.client_options))
       end
 
+      def email_verified
+        value = id_info['email_verified']
+        value == true || value == "true"
+      end
+
+      def is_private_email
+        value = id_info['is_private_email']
+        value == true || value == "true"
+      end
+
       def authorize_params
         super.merge(nonce: new_nonce)
       end
 
       def callback_url
-        options[:redirect_uri] || (full_host + script_name + callback_path)
+        options[:redirect_uri] || (full_host + callback_path)
       end
 
       private
@@ -59,27 +80,38 @@ module OmniAuth
       def id_info
         @id_info ||= if request.params&.key?('id_token') || access_token&.params&.key?('id_token')
                        id_token = request.params['id_token'] || access_token.params['id_token']
-                       jwt_options = {
-                         verify_iss: true,
-                         iss: 'https://appleid.apple.com',
-                         verify_iat: true,
-                         verify_aud: true,
-                         aud: [options.client_id].concat(options.authorized_client_ids),
-                         algorithms: ['RS256'],
-                         jwks: fetch_jwks
-                       }
-                       payload, _header = ::JWT.decode(id_token, nil, true, jwt_options)
-                       verify_nonce!(payload)
-                       payload
+                       if (verification_key = fetch_jwks)
+                         jwt_options = {
+                           verify_iss: true,
+                           iss: 'https://appleid.apple.com',
+                           verify_iat: true,
+                           verify_aud: true,
+                           aud: [options.client_id].concat(options.authorized_client_ids),
+                           algorithms: ['RS256'],
+                           jwks: verification_key
+                         }
+                         payload, _header = ::JWT.decode(id_token, nil, true, jwt_options)
+                         verify_nonce!(payload)
+                         payload
+                       else
+                         {}
+                       end
                      end
       end
 
       def fetch_jwks
-        http = Net::HTTP.new('appleid.apple.com', 443)
-        http.use_ssl = true
-        request = Net::HTTP::Get.new('/auth/keys', 'User-Agent' => 'ruby/omniauth-apple')
-        response = http.request(request)
-        JSON.parse(response.body, symbolize_names: true)
+        conn = Faraday.new(headers: {user_agent: 'ruby/omniauth-apple'}) do |c|
+          c.response :json, parser_options: { symbolize_names: true }
+          c.adapter Faraday.default_adapter
+        end
+        res = conn.get 'https://appleid.apple.com/auth/keys'
+        if res.success?
+          res.body
+        else
+          raise JWTFetchingFailed.new('HTTP Error when fetching JWKs')
+        end
+      rescue JWTFetchingFailed, Faraday::Error => e
+        fail!(:jwks_fetching_failed, e) and nil
       end
 
       def verify_nonce!(payload)

data/omniauth-apple.gemspec

@@ -42,5 +42,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec", "~> 3.9"
   spec.add_development_dependency "webmock", "~> 3.8"
-  spec.add_development_dependency 'simplecov', "~> 0.18"
+  spec.add_development_dependency "simplecov", "~> 0.18"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-apple
 version: !ruby/object:Gem::Version
-  version: 1.0.2
+  version: 1.2.2
 platform: ruby
 authors:
 - nhosoya
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-05-19 00:00:00.000000000 Z
+date: 2022-10-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
@@ -150,7 +150,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.3.7
 signing_key:
 specification_version: 4
 summary: OmniAuth strategy for Sign In with Apple