RubyGems - omniauth-apple - Versions diffs - 1.1.0 → 1.2.1 - Mend

omniauth-apple 1.1.0 → 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +18 -3
data/README.md +71 -0
data/lib/omniauth/apple/version.rb +1 -1
data/lib/omniauth/strategies/apple.rb +30 -18
data/omniauth-apple.gemspec +0 -1
metadata +2 -16

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: feebd01d5717de66bfd00f8587459642d203ca2ffaf0b2057c5cd002993d3531
-  data.tar.gz: 2febe43a836eb2232c011b7f87996bbc837ce56f94ebe03f8eb57378ead44530
+  metadata.gz: 31e8e9835b469abca7611926aaa4da9b1f3e35804ea9c4e9fa5b06a1791dcdd1
+  data.tar.gz: c916fa50a22971da3f2f71a72566e43771531945b7d9e83bbaf0914a04a6253a
 SHA512:
-  metadata.gz: 4c91f969f3e89c2bfd272d8c8df82287b964d3bb636c8dde97b037edb3b6030e415e79715ff940175c0c807a518c1279470fbe73b69a6bb752acb84774db358b
-  data.tar.gz: 619709528b5b0e683ea0f9938268a9443cb273788dea3ae98f557cf828d539b35dd898c7c73efcfb04115944f003bfd29702916403a40d3e715ef8fb5c53fbe6
+  metadata.gz: 02bde67e85651dc85bacdb548248d240d9a3c501f24a204ad572253af8cd6468914fe3de86ee30bbc7a174bb6249d77ee6ae82222573beb829dc9b4f7f690099
+  data.tar.gz: 57a0b49a53f55a77470ad280c27acdb11bccfa93e43170ed0c34730b3fdb9918bb0d43a1ac20ae30f10eb101ef161bac5a79a90e54bee7186c8c813e7923f733

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,18 @@
 ## [Unreleased]
+## [1.2.1] - 2022-10-25
+### Fixed
+- [#94](https://github.com/nhosoya/omniauth-apple/pull/94) rack-protection.rb is back in rack-protection v3.0.1
+- [#96](https://github.com/nhosoya/omniauth-apple/pull/96) handle JWKS fetch failures
+## [1.2.0] - 2022-09-27
+### Fixed
+- [#91](https://github.com/nhosoya/omniauth-apple/pull/91) explicitly specify auth_scheme for oauth2 v2+ support
 ## [1.1.0] - 2022-09-26
 ### Added
@@ -56,7 +69,9 @@
 ## [0.0.1] - 2019-06-07
-[Unreleased]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.2...master
-[1.0.0]: https://github.com/nhosoya/omniauth-apple/compare/v0.0.3...v1.0.0
-[1.0.1]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.0...v1.0.1
+[Unreleased]: https://github.com/nhosoya/omniauth-apple/compare/v1.2.0...master
+[1.2.0]: https://github.com/nhosoya/omniauth-apple/compare/v1.1.0...v1.2.0
+[1.1.0]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.2...v1.1.0
 [1.0.2]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.1...v1.0.2
+[1.0.1]: https://github.com/nhosoya/omniauth-apple/compare/v1.0.0...v1.0.1
+[1.0.0]: https://github.com/nhosoya/omniauth-apple/compare/v0.0.3...v1.0.0

data/README.md CHANGED Viewed

@@ -34,6 +34,77 @@ Rails.application.config.middleware.use OmniAuth::Builder do
 end
 ```
+## Configuring "Sign In with Apple"
+_other Sign In with Apple guides:_
+- ["How To" by janak amarasena (2019)](https://medium.com/identity-beyond-borders/how-to-configure-sign-in-with-apple-77c61e336003)
+- [the docs, by Apple](https://developer.apple.com/sign-in-with-apple/)
+### Look out for the values you need for your config
+  1. your domain and subdomains, something like: `myapp.com`, `www.myapp.com`
+  2. your redirect uri, something like: `https://myapp.com/users/auth/apple/callback` (check `rails routes` to be sure)
+  3. omniauth's "client id" will be Apple's "bundle id", something like: `com.myapp`
+  4. you will get the "team id" value from Apple when you create your _**App Id**_, something like: `H000000B`
+  5. Apple will give you a `.p8` file, which you'll use to GENERATE your `:pem` value
+### Steps
+1. Log into your [Apple Developer Account](https://idmsa.apple.com/IDMSWebAuth/signin?appIdKey=891bd3417a7776362562d2197f89480a8547b108fd934911bcbea0110d07f757&path=%2Faccount%2F&rv=1)
+    (if you don't have one, you can [create one here](https://appleid.apple.com/account?appId=632&returnUrl=https%3A%2F%2Fdeveloper.apple.com%2Faccount%2F))
+2. Get an App Id with the "Sign In with Apple" capability
+    - go to your [Identifiers](https://developer.apple.com/account/resources/identifiers/list) list
+    - [start a new Identifier](https://developer.apple.com/account/resources/identifiers/add/bundleId) by clicking on the + sign in the Identifiers List
+    - select _**App IDs**_ and click _**continue**_
+    - select _**App**_ and _**continue**_
+    - enter a description and a bundle id
+    - check the **_"Sign In with Apple"_** capability
+    - save it
+3. Get a Services Id (which we will use as our client id)
+    - go to your [Identifiers](https://developer.apple.com/account/resources/identifiers/list) list
+    - [start a new Identifier](https://developer.apple.com/account/resources/identifiers/add/bundleId) by clicking on the + sign in the Identifiers List
+    - select _**Services IDs**_ and click _**continue**_
+    - enter a description and a bundle id
+    - make sure **_"Sign In with Apple"_** is checked, then click _**configure**_
+    - make sure the Primary App ID matches the App ID you configured earlier
+    -  enter all the subdomains you might use (comma delimited):
+        example.com,www.example.com
+    - enter all the redirect URLS you might use (comma delimited):
+       https://example.com/users/auth/apple/callback,https://example.com/users/auth/apple/callback
+    -  save the "Sign In with Apple" capability config and the Service Id
+4. Get a Secret Key
+    - go to your [Keys](https://developer.apple.com/account/resources/authkeys/list) list
+    - [start a new Key](https://developer.apple.com/account/resources/authkeys/add) by clicking on the + sign in the Keys List
+    - enter a name
+    - make sure **_"Sign In with Apple"_** is checked, then click _**configure**_
+    - make sure the Primary App ID matches the App ID you configured earlier
+    - save the "Sign In with Apple" capability
+    - click "continue" to finish the Key config (you will be prompted to _**Download Your Key**_)
+    - Apple will give you a `.p8` file, keep it safe and secure (don't commit it).
+### Mapping Apple Values to OmniAuth Values
+  - your `:team_id` is in the top-right of your App Id config (aka _**App ID Prefix**_), it looks like: `H000000B`
+  - your `:client_id` is in the top-right of your Services Id config (aka _**Identifier**_), it looks like: `com.example`
+  - your `:key_id` is on the left side of your Key Details page, it looks like: `XYZ000000`
+  - your `:pem` is the content of the `.p8` file you got from Apple, _**with an extra newline at the end**_
+  - example from a Devise config:
+      ```ruby
+        config.omniauth :apple, ENV['APPLE_SERVICE_BUNDLE_ID'], '', {
+          scope: 'email name',
+          team_id: ENV['APPLE_APP_ID_PREFIX'],
+          key_id: ENV['APPLE_KEY_ID'],
+          pem: ENV['APPLE_P8_FILE_CONTENT_WITH_EXTRA_NEWLINE']
+        }
+      ```
 ## Contributing
 Bug reports and pull requests are welcome on GitHub at https://github.com/nhosoya/omniauth-apple.

data/lib/omniauth/apple/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module OmniAuth
   module Apple
-    VERSION = "1.1.0"
+    VERSION = "1.2.1"
   end
 end

data/lib/omniauth/strategies/apple.rb CHANGED Viewed

@@ -11,7 +11,8 @@ module OmniAuth
       option :client_options,
              site: 'https://appleid.apple.com',
              authorize_url: '/auth/authorize',
-             token_url: '/auth/token'
+             token_url: '/auth/token',
+             auth_scheme: :request_body
       option :authorize_params,
              response_mode: 'form_post',
              scope: 'email name'
@@ -73,27 +74,38 @@ module OmniAuth
       def id_info
         @id_info ||= if request.params&.key?('id_token') || access_token&.params&.key?('id_token')
                        id_token = request.params['id_token'] || access_token.params['id_token']
-                       jwt_options = {
-                         verify_iss: true,
-                         iss: 'https://appleid.apple.com',
-                         verify_iat: true,
-                         verify_aud: true,
-                         aud: [options.client_id].concat(options.authorized_client_ids),
-                         algorithms: ['RS256'],
-                         jwks: fetch_jwks
-                       }
-                       payload, _header = ::JWT.decode(id_token, nil, true, jwt_options)
-                       verify_nonce!(payload)
-                       payload
+                       if (verification_key = fetch_jwks)
+                         jwt_options = {
+                           verify_iss: true,
+                           iss: 'https://appleid.apple.com',
+                           verify_iat: true,
+                           verify_aud: true,
+                           aud: [options.client_id].concat(options.authorized_client_ids),
+                           algorithms: ['RS256'],
+                           jwks: verification_key
+                         }
+                         payload, _header = ::JWT.decode(id_token, nil, true, jwt_options)
+                         verify_nonce!(payload)
+                         payload
+                       else
+                         {}
+                       end
                      end
       end
       def fetch_jwks
-        http = Net::HTTP.new('appleid.apple.com', 443)
-        http.use_ssl = true
-        request = Net::HTTP::Get.new('/auth/keys', 'User-Agent' => 'ruby/omniauth-apple')
-        response = http.request(request)
-        JSON.parse(response.body, symbolize_names: true)
+        conn = Faraday.new(headers: {user_agent: 'ruby/omniauth-apple'}) do |c|
+          c.response :json, parser_options: { symbolize_names: true }
+          c.adapter Faraday.default_adapter
+        end
+        res = conn.get 'https://appleid.apple.com/auth/keys'
+        if res.success?
+          res.body
+        else
+          fail!(:jwks_fetching_failed, CallbackError.new(:jwks_fetching_failed, 'HTTP Error when fetching JWKs'))
+        end
+      rescue Faraday::Error => e
+        fail!(:jwks_fetching_failed, e)
       end
       def verify_nonce!(payload)

data/omniauth-apple.gemspec CHANGED Viewed

@@ -38,7 +38,6 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'omniauth-oauth2'
   spec.add_dependency 'jwt'
-  spec.add_dependency 'rack-protection', '~> 2.0'
   spec.add_development_dependency "bundler", "~> 2.0"
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec", "~> 3.9"

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-apple
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.2.1
 platform: ruby
 authors:
 - nhosoya
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-09-26 00:00:00.000000000 Z
+date: 2022-10-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
@@ -39,20 +39,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: rack-protection
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement