omniauth-apple 1.0.2 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a5e32b1f9b3dfe8859855b86ffdb6da18d238c0f065d2aa83fd8494ae49a3dc5
-  data.tar.gz: bab7b98074c2a989120b1a7d3188a9ba85037c55956efc5e2e462373ed9d0d4f
+  metadata.gz: b0a0049edf786737a4acc4af68aeff8b8323a020822dfd530a01c0f8925cc1f1
+  data.tar.gz: 44d8cf583c85cb198f6dd5a9f7e593d5109335a78cc01ec7b32feaa69b449df0
 SHA512:
-  metadata.gz: bce3e4e1a4feb3df68f3d2d5361a56e6977dfe765068b2bee6cef743a41f59212d1b533a1cdefbeb1eaebf8a7cf832dd0f53dbd080f4efa1311bd30942b7ea86
-  data.tar.gz: c67ff848f44f6061c6f319db5a708e0e407977446252bea63af9e94799df2ce140c93dd7a5be5c1afbbdf3fdcdeafaeb7650cad4de199749d8edb436f21896e8
+  metadata.gz: ecc115718bb19ab99e6b15c05432b19ae73499a8b76f98e05e5cb0b45d61b61549a283709180d0df60b188e3c5db789a5d4c0cfe79d147014ca798df5ecc511a
+  data.tar.gz: eaa439dee2483186d09f0aa24e6e653118ca37545f01d074c098366c24daa8b355c8e24df1e0138e0fcd93efa0946a7ae9141c21e6cee7c3629941dbe59b2a65

data/.github/workflows/rspec.yml

@@ -6,21 +6,22 @@ on:
       - master
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
-  build:
+  spec:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        ruby: ['2.5', '2.6', '2.7']
+        ruby: ['2.6', '2.7', '3.0', '3.1']
     steps:
-    - uses: actions/checkout@v2
-    - name: Set up Ruby ${{ matrix.ruby }}
-      uses: actions/setup-ruby@v1
+    - uses: actions/checkout@v3
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
       with:
         ruby-version: ${{ matrix.ruby }}
-    - name: Build and test with Rake on Ruby ${{ matrix.ruby }}
-      run: |
-        gem install bundler
-        bundle install --jobs 4 --retry 3
-        bundle exec rake spec
+        bundler-cache: true
+    - name: Run Specs
+      run: bundle exec rake spec

data/CHANGELOG.md

@@ -1,5 +1,36 @@
 ## [Unreleased]
 
+## [1.2.2] - 2022-10-31
+
+### Fixed
+
+- [#94](https://github.com/nhosoya/omniauth-apple/pull/98) handle fail! in correct way
+
+## [1.2.1] - 2022-10-25
+
+### Fixed
+
+- [#94](https://github.com/nhosoya/omniauth-apple/pull/94) rack-protection.rb is back in rack-protection v3.0.1
+- [#96](https://github.com/nhosoya/omniauth-apple/pull/96) handle JWKS fetch failures
+
+## [1.2.0] - 2022-09-27
+
+### Fixed
+
+- [#91](https://github.com/nhosoya/omniauth-apple/pull/91) explicitly specify auth_scheme for oauth2 v2+ support
+
+## [1.1.0] - 2022-09-26
+
+### Added
+
+- [#67](https://github.com/nhosoya/omniauth-apple/pull/67) Add email_verified and is_private_email
+
+### Fixed
+
+- [#74](https://github.com/nhosoya/omniauth-apple/pull/74) rspec failure - callback_path null pointer
+- [#81](https://github.com/nhosoya/omniauth-apple/pull/81) Allow for omniauth 2.0 series
+- [#88](https://github.com/nhosoya/omniauth-apple/pull/88) update github actions config
+
 ## [1.0.2] - 2021-05-19
 
 ### Fixed
@@ -33,7 +64,7 @@
 
 ### Changed
 
-- [#27](https://github.com/nhosoya/omniauth-apple/pull/27) Update development dependency 
+- [#27](https://github.com/nhosoya/omniauth-apple/pull/27) Update development dependency
 - [#28](https://github.com/nhosoya/omniauth-apple/pull/28) Update README.md
 - [#38](https://github.com/nhosoya/omniauth-apple/pull/38) Refine AuthHash
 - [#39](https://github.com/nhosoya/omniauth-apple/pull/39) Set the default scope to 'email name'
@@ -44,7 +75,9 @@
 
 ## [0.0.1] - 2019-06-07
 
-[Unreleased]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.2...master
-[1.0.0]: https://github.com/nhosoya/omniauth-apple/compare/v0.0.3...v1.0.0
-[1.0.1]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.0...v1.0.1
+[Unreleased]: https://github.com/nhosoya/omniauth-apple/compare/v1.2.0...master
+[1.2.0]: https://github.com/nhosoya/omniauth-apple/compare/v1.1.0...v1.2.0
+[1.1.0]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.2...v1.1.0
 [1.0.2]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.1...v1.0.2
+[1.0.1]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.0...v1.0.1
+[1.0.0]: https://github.com/nhosoya/omniauth-apple/compare/v0.0.3...v1.0.0

data/README.md

@@ -34,6 +34,77 @@ Rails.application.config.middleware.use OmniAuth::Builder do
 end
 ```
 
+## Configuring "Sign In with Apple"
+
+_other Sign In with Apple guides:_
+- ["How To" by janak amarasena (2019)](https://medium.com/identity-beyond-borders/how-to-configure-sign-in-with-apple-77c61e336003)
+- [the docs, by Apple](https://developer.apple.com/sign-in-with-apple/)
+
+### Look out for the values you need for your config
+  1. your domain and subdomains, something like: `myapp.com`, `www.myapp.com`
+  2. your redirect uri, something like: `https://myapp.com/users/auth/apple/callback` (check `rails routes` to be sure)
+  3. omniauth's "client id" will be Apple's "bundle id", something like: `com.myapp`
+  4. you will get the "team id" value from Apple when you create your _**App Id**_, something like: `H000000B`
+  5. Apple will give you a `.p8` file, which you'll use to GENERATE your `:pem` value
+
+### Steps
+
+1. Log into your [Apple Developer Account](https://idmsa.apple.com/IDMSWebAuth/signin?appIdKey=891bd3417a7776362562d2197f89480a8547b108fd934911bcbea0110d07f757&path=%2Faccount%2F&rv=1)
+    (if you don't have one, you can [create one here](https://appleid.apple.com/account?appId=632&returnUrl=https%3A%2F%2Fdeveloper.apple.com%2Faccount%2F))
+
+2. Get an App Id with the "Sign In with Apple" capability
+    - go to your [Identifiers](https://developer.apple.com/account/resources/identifiers/list) list
+    - [start a new Identifier](https://developer.apple.com/account/resources/identifiers/add/bundleId) by clicking on the + sign in the Identifiers List
+    - select _**App IDs**_ and click _**continue**_
+    - select _**App**_ and _**continue**_
+    - enter a description and a bundle id
+    - check the **_"Sign In with Apple"_** capability
+    - save it
+
+3. Get a Services Id (which we will use as our client id)
+    - go to your [Identifiers](https://developer.apple.com/account/resources/identifiers/list) list
+    - [start a new Identifier](https://developer.apple.com/account/resources/identifiers/add/bundleId) by clicking on the + sign in the Identifiers List
+    - select _**Services IDs**_ and click _**continue**_
+    - enter a description and a bundle id
+    - make sure **_"Sign In with Apple"_** is checked, then click _**configure**_
+    - make sure the Primary App ID matches the App ID you configured earlier
+    -  enter all the subdomains you might use (comma delimited):
+
+        example.com,www.example.com
+
+    - enter all the redirect URLS you might use (comma delimited):
+
+       https://example.com/users/auth/apple/callback,https://example.com/users/auth/apple/callback
+
+    -  save the "Sign In with Apple" capability config and the Service Id
+
+4. Get a Secret Key
+    - go to your [Keys](https://developer.apple.com/account/resources/authkeys/list) list
+    - [start a new Key](https://developer.apple.com/account/resources/authkeys/add) by clicking on the + sign in the Keys List
+    - enter a name
+    - make sure **_"Sign In with Apple"_** is checked, then click _**configure**_
+    - make sure the Primary App ID matches the App ID you configured earlier
+    - save the "Sign In with Apple" capability
+    - click "continue" to finish the Key config (you will be prompted to _**Download Your Key**_)
+    - Apple will give you a `.p8` file, keep it safe and secure (don't commit it).
+
+### Mapping Apple Values to OmniAuth Values
+  - your `:team_id` is in the top-right of your App Id config (aka _**App ID Prefix**_), it looks like: `H000000B`
+  - your `:client_id` is in the top-right of your Services Id config (aka _**Identifier**_), it looks like: `com.example`
+  - your `:key_id` is on the left side of your Key Details page, it looks like: `XYZ000000`
+  - your `:pem` is the content of the `.p8` file you got from Apple, _**with an extra newline at the end**_
+
+  - example from a Devise config:
+
+      ```ruby
+        config.omniauth :apple, ENV['APPLE_SERVICE_BUNDLE_ID'], '', {
+          scope: 'email name',
+          team_id: ENV['APPLE_APP_ID_PREFIX'],
+          key_id: ENV['APPLE_KEY_ID'],
+          pem: ENV['APPLE_P8_FILE_CONTENT_WITH_EXTRA_NEWLINE']
+        }
+      ```
+
 ## Contributing
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/nhosoya/omniauth-apple.

data/lib/omniauth/apple/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Apple
-    VERSION = "1.0.2"
+    VERSION = '1.3.0'
   end
 end

data/lib/omniauth/strategies/apple.rb

@@ -1,49 +1,66 @@
 # frozen_string_literal: true
 
 require 'omniauth-oauth2'
-require 'net/https'
+require 'json/jwt'
 
 module OmniAuth
   module Strategies
     class Apple < OmniAuth::Strategies::OAuth2
+      ISSUER = 'https://appleid.apple.com'
+
       option :name, 'apple'
 
       option :client_options,
-             site: 'https://appleid.apple.com',
+             site: ISSUER,
              authorize_url: '/auth/authorize',
-             token_url: '/auth/token'
+             token_url: '/auth/token',
+             auth_scheme: :request_body
       option :authorize_params,
              response_mode: 'form_post',
              scope: 'email name'
       option :authorized_client_ids, []
 
-      uid { id_info['sub'] }
+      uid { id_info[:sub] }
 
+      # Documentation on parameters
+      # https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple
       info do
         prune!(
-          sub: id_info['sub'],
+          sub: id_info[:sub],
           email: email,
           first_name: first_name,
           last_name: last_name,
           name: (first_name || last_name) ? [first_name, last_name].join(' ') : email,
+          email_verified: email_verified,
+          is_private_email: is_private_email
         )
       end
 
       extra do
-        id_token = request.params['id_token'] || access_token&.params&.dig('id_token')
-        prune!(raw_info: {id_info: id_info, user_info: user_info, id_token: id_token})
+        id_token_str = request.params['id_token'] || access_token&.params&.dig('id_token')
+        prune!(raw_info: {id_info: id_info, user_info: user_info, id_token: id_token_str})
       end
 
       def client
         ::OAuth2::Client.new(client_id, client_secret, deep_symbolize(options.client_options))
       end
 
+      def email_verified
+        value = id_info[:email_verified]
+        value == true || value == "true"
+      end
+
+      def is_private_email
+        value = id_info[:is_private_email]
+        value == true || value == "true"
+      end
+
       def authorize_params
         super.merge(nonce: new_nonce)
       end
 
       def callback_url
-        options[:redirect_uri] || (full_host + script_name + callback_path)
+        options[:redirect_uri] || (full_host + callback_path)
       end
 
       private
@@ -58,43 +75,68 @@ module OmniAuth
 
       def id_info
         @id_info ||= if request.params&.key?('id_token') || access_token&.params&.key?('id_token')
-                       id_token = request.params['id_token'] || access_token.params['id_token']
-                       jwt_options = {
-                         verify_iss: true,
-                         iss: 'https://appleid.apple.com',
-                         verify_iat: true,
-                         verify_aud: true,
-                         aud: [options.client_id].concat(options.authorized_client_ids),
-                         algorithms: ['RS256'],
-                         jwks: fetch_jwks
-                       }
-                       payload, _header = ::JWT.decode(id_token, nil, true, jwt_options)
-                       verify_nonce!(payload)
-                       payload
+                       id_token_str = request.params['id_token'] || access_token.params['id_token']
+                       id_token = JSON::JWT.decode(id_token_str, :skip_verification)
+                       verify_id_token! id_token
+                       id_token
                      end
       end
 
-      def fetch_jwks
-        http = Net::HTTP.new('appleid.apple.com', 443)
-        http.use_ssl = true
-        request = Net::HTTP::Get.new('/auth/keys', 'User-Agent' => 'ruby/omniauth-apple')
-        response = http.request(request)
-        JSON.parse(response.body, symbolize_names: true)
+      def verify_id_token!(id_token)
+        jwk = fetch_jwk! id_token.kid
+        verify_signature! id_token, jwk
+        verify_claims! id_token
       end
 
-      def verify_nonce!(payload)
-        return unless payload['nonce_supported']
+      def fetch_jwk!(kid)
+        JSON::JWK::Set::Fetcher.fetch File.join(ISSUER, 'auth/keys'), kid: kid
+      rescue => e
+        raise CallbackError.new(:jwks_fetching_failed, e)
+      end
 
-        return if payload['nonce'] && payload['nonce'] == stored_nonce
+      def verify_signature!(id_token, jwk)
+        id_token.verify! jwk
+      rescue => e
+        raise CallbackError.new(:id_token_signature_invalid, e)
+      end
+
+      def verify_claims!(id_token)
+        verify_iss!(id_token)
+        verify_aud!(id_token)
+        verify_iat!(id_token)
+        verify_exp!(id_token)
+        verify_nonce!(id_token) if id_token[:nonce_supported]
+      end
+
+      def verify_iss!(id_token)
+        invalid_claim! :iss unless id_token[:iss] == ISSUER
+      end
 
-        fail!(:nonce_mismatch, CallbackError.new(:nonce_mismatch, 'nonce mismatch'))
+      def verify_aud!(id_token)
+        invalid_claim! :aud unless [options.client_id].concat(options.authorized_client_ids).include?(id_token[:aud])
+      end
+
+      def verify_iat!(id_token)
+        invalid_claim! :iat unless id_token[:iat] <= Time.now.to_i
+      end
+
+      def verify_exp!(id_token)
+        invalid_claim! :exp unless id_token[:exp] >= Time.now.to_i
+      end
+
+      def verify_nonce!(id_token)
+        invalid_claim! :nonce unless id_token[:nonce] && id_token[:nonce] == stored_nonce
+      end
+
+      def invalid_claim!(claim)
+        raise CallbackError.new(:id_token_claims_invalid, "#{claim} invalid")
       end
 
       def client_id
         @client_id ||= if id_info.nil?
                          options.client_id
                        else
-                         id_info['aud'] if options.authorized_client_ids.include? id_info['aud']
+                         id_info[:aud] if options.authorized_client_ids.include? id_info[:aud]
                        end
       end
 
@@ -106,7 +148,7 @@ module OmniAuth
       end
 
       def email
-        id_info['email']
+        id_info[:email]
       end
 
       def first_name
@@ -125,16 +167,15 @@ module OmniAuth
       end
 
       def client_secret
-        payload = {
+        jwt = JSON::JWT.new(
           iss: options.team_id,
-          aud: 'https://appleid.apple.com',
+          aud: ISSUER,
           sub: client_id,
-          iat: Time.now.to_i,
-          exp: Time.now.to_i + 60
-        }
-        headers = { kid: options.key_id }
-
-        ::JWT.encode(payload, private_key, 'ES256', headers)
+          iat: Time.now,
+          exp: Time.now + 60
+        )
+        jwt.kid = options.key_id
+        jwt.sign(private_key).to_s
       end
 
       def private_key

data/omniauth-apple.gemspec

@@ -37,10 +37,10 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency 'omniauth-oauth2'
-  spec.add_dependency 'jwt'
+  spec.add_dependency 'json-jwt'
   spec.add_development_dependency "bundler", "~> 2.0"
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec", "~> 3.9"
   spec.add_development_dependency "webmock", "~> 3.8"
-  spec.add_development_dependency 'simplecov', "~> 0.18"
+  spec.add_development_dependency "simplecov", "~> 0.18"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-apple
 version: !ruby/object:Gem::Version
-  version: 1.0.2
+  version: 1.3.0
 platform: ruby
 authors:
 - nhosoya
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-05-19 00:00:00.000000000 Z
+date: 2023-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
@@ -26,7 +26,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: jwt
+  name: json-jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -150,7 +150,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.3.26
 signing_key:
 specification_version: 4
 summary: OmniAuth strategy for Sign In with Apple