omniauth-apple2 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 2ad52fcdf800abdbd15cdcac8562772a46789e397a76676a024a6d4191d4663a
+  data.tar.gz: 06f8523bf5fe15369050d1d3a3945df365c49ea51def9e80922dfd7b3f1fefb6
+SHA512:
+  metadata.gz: c9c95ee2731850f2bc2361250dfdbe3c7205bd34381bd42c632e9f1fd63ce72ab3f6698a5c8cd5a2f13c90bebaabb481ad302b8d129e47a4b5a438fce226423f
+  data.tar.gz: f1077a68f8797ec68b77957878cdf4717243fe3eb63ba69a222313277759c404f6c38bfed5ebaa885ec8bfdc1d2db90c10e2f45b2574c97e07ceeffe93080b5c

data/LICENSE.txt

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 icoretech
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,129 @@
+# OmniAuth Apple2 Strategy
+
+[![Test](https://github.com/icoretech/omniauth-apple2/actions/workflows/test.yml/badge.svg?branch=main)](https://github.com/icoretech/omniauth-apple2/actions/workflows/test.yml?query=branch%3Amain)
+[![Gem Version](https://badge.fury.io/rb/omniauth-apple2.svg)](https://badge.fury.io/rb/omniauth-apple2)
+
+`omniauth-apple2` provides a Sign in with Apple OAuth2 strategy for OmniAuth.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'omniauth-apple2'
+```
+
+Then run:
+
+```bash
+bundle install
+```
+
+## Usage
+
+Configure OmniAuth in your Rack/Rails app:
+
+```ruby
+use OmniAuth::Builder do
+  # Second positional arg is intentionally nil:
+  # client secret is generated internally from team_id/key_id/pem.
+  provider :apple,
+           ENV.fetch('APPLE_CLIENT_ID'),
+           nil,
+           team_id: ENV.fetch('APPLE_TEAM_ID'),
+           key_id: ENV.fetch('APPLE_KEY_ID'),
+           pem: ENV.fetch('APPLE_PRIVATE_KEY_PEM').gsub('\\n', "\n")
+end
+```
+
+`provider :apple2` is also supported. `provider :apple` exists for drop-in compatibility.
+
+## Apple Key PEM Handling
+
+Apple private keys are often stored in env vars with escaped newlines (`\\n`), which Ruby/OpenSSL cannot parse as a valid PEM until you normalize them.
+
+Use this pattern:
+
+```ruby
+pem: ENV.fetch('APPLE_PRIVATE_KEY_PEM').gsub('\\n', "\n")
+```
+
+If your secret manager supports multiline values, store the key as real multiline text and pass it directly without `gsub`.
+
+Common parsing failures caused by unnormalized keys:
+
+- `OpenSSL::PKey::ECError`
+- `Neither PUB key nor PRIV key`
+- `invalid curve name`
+
+## Provider App Setup
+
+- Apple Developer docs (Sign in with Apple REST API): <https://developer.apple.com/documentation/signinwithapplerestapi>
+- Register callback URL (example): `https://your-app.example.com/auth/apple/callback`
+
+## Options
+
+- `scope`: default `email name`
+- `response_mode`: default `form_post`
+- `response_type`: default `code`
+- `authorized_client_ids`: additional accepted `aud` values for `id_token` verification
+- `callback_url` / `redirect_uri`: force exact redirect URI for token exchange
+
+## Auth Hash
+
+Example payload from `request.env['omniauth.auth']` (real flow shape, anonymized):
+
+```json
+{
+  "uid": "apple-user-id",
+  "info": {
+    "name": "Sample User",
+    "email": "sample@example.test",
+    "first_name": "Sample",
+    "last_name": "User",
+    "email_verified": true,
+    "is_private_email": false
+  },
+  "credentials": {
+    "token": "sample-access-token",
+    "refresh_token": "sample-refresh-token",
+    "expires": true,
+    "expires_at": 1773000000,
+    "scope": "email name"
+  },
+  "extra": {
+    "raw_info": {
+      "id_info": {
+        "sub": "apple-user-id",
+        "aud": "com.example.web",
+        "iss": "https://appleid.apple.com",
+        "email": "sample@example.test"
+      },
+      "user_info": {
+        "name": {
+          "firstName": "Sample",
+          "lastName": "User"
+        }
+      },
+      "id_token": "sample-id-token"
+    }
+  }
+}
+```
+
+## Ruby and Rails Compatibility
+
+- Ruby: `>= 3.2`
+- Rails integration lanes in CI: `7.1`, `7.2`, `8.0`, `8.1`
+
+## Development
+
+```bash
+bundle install
+bundle exec rake lint test_unit
+RAILS_VERSION='~> 8.1.0' bundle exec rake test_rails_integration
+```
+
+## License
+
+MIT

data/lib/omniauth/apple2/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module Apple2
+    VERSION = '1.0.0'
+  end
+end

data/lib/omniauth/apple2.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require 'omniauth/apple2/version'
+require 'omniauth/strategies/apple2'

data/lib/omniauth/strategies/apple2.rb

@@ -0,0 +1,257 @@
+# frozen_string_literal: true
+
+require 'base64'
+require 'jwt'
+require 'net/http'
+require 'omniauth-oauth2'
+require 'openssl'
+require 'securerandom'
+require 'uri'
+
+module OmniAuth
+  module Strategies
+    # OmniAuth strategy for Sign in with Apple.
+    class Apple2 < OmniAuth::Strategies::OAuth2
+      ISSUER = 'https://appleid.apple.com'
+      JWKS_URL = 'https://appleid.apple.com/auth/keys'
+
+      option :name, 'apple2'
+      option :authorize_options, %i[scope state response_mode response_type nonce]
+      option :scope, 'email name'
+      option :response_mode, 'form_post'
+      option :response_type, 'code'
+      option :authorized_client_ids, []
+
+      option :client_options,
+             site: ISSUER,
+             authorize_url: '/auth/authorize',
+             token_url: '/auth/token',
+             auth_scheme: :request_body,
+             connection_opts: {
+               headers: {
+                 user_agent: 'icoretech-omniauth-apple2 gem',
+                 accept: 'application/json'
+               }
+             }
+
+      uid { id_info['sub'] }
+
+      info do
+        {
+          name: full_name,
+          email: id_info['email'],
+          first_name: user_info.dig('name', 'firstName'),
+          last_name: user_info.dig('name', 'lastName'),
+          email_verified: true_claim?(id_info['email_verified']),
+          is_private_email: true_claim?(id_info['is_private_email'])
+        }.compact
+      end
+
+      credentials do
+        {
+          'token' => access_token.token,
+          'refresh_token' => access_token.refresh_token,
+          'expires_at' => access_token.expires_at,
+          'expires' => access_token.expires?,
+          'scope' => token_scope
+        }.compact
+      end
+
+      extra do
+        {
+          'raw_info' => {
+            'id_info' => id_info,
+            'user_info' => user_info,
+            'id_token' => raw_id_token
+          }.compact
+        }
+      end
+
+      def authorize_params
+        super.tap do |params|
+          params[:response_mode] ||= options[:response_mode]
+          params[:response_type] ||= options[:response_type]
+          params[:scope] ||= options[:scope]
+          params[:nonce] ||= new_nonce
+        end
+      end
+
+      def callback_url
+        options[:callback_url] || options[:redirect_uri] || super
+      end
+
+      def query_string
+        return '' if request.params['code']
+
+        super
+      end
+
+      def client
+        ::OAuth2::Client.new(client_id, client_secret, deep_symbolize(options.client_options))
+      end
+
+      private
+
+      def id_info
+        @id_info ||= begin
+          token = raw_id_token
+          raise CallbackError.new(:id_token_missing, 'id_token is missing') if blank?(token)
+
+          decode_and_verify_id_token(token)
+        end
+      end
+
+      def user_info
+        raw_user = request.params['user']
+        return {} if blank?(raw_user)
+
+        @user_info ||= JSON.parse(raw_user)
+      rescue JSON::ParserError
+        {}
+      end
+
+      def raw_id_token
+        request.params['id_token'] || access_token&.params&.dig('id_token')
+      end
+
+      def full_name
+        parts = [user_info.dig('name', 'firstName'), user_info.dig('name', 'lastName')].compact
+        return parts.join(' ') unless parts.empty?
+
+        id_info['email']
+      end
+
+      def token_scope
+        token_params = access_token.respond_to?(:params) ? access_token.params : {}
+        token_params['scope'] || (access_token['scope'] if access_token.respond_to?(:[]))
+      end
+
+      def decode_and_verify_id_token(token)
+        jwk = fetch_jwk(extract_kid(token))
+        payload = decode_payload(token, jwk)
+
+        verify_nonce!(payload)
+
+        payload
+      rescue JSON::ParserError, ArgumentError, JWT::DecodeError => e
+        raise CallbackError.new(:id_token_invalid, e.message)
+      end
+
+      def verify_nonce!(payload)
+        return unless payload.key?('nonce')
+
+        expected_nonce = stored_nonce
+        return if payload['nonce'] == expected_nonce
+
+        raise CallbackError.new(:id_token_nonce_invalid, 'nonce does not match')
+      end
+
+      def fetch_jwk(expected_kid)
+        jwks = fetch_jwks_keys
+        matching_key = jwks.find { |key| key['kid'] == expected_kid }
+        raise CallbackError.new(:jwks_key_not_found, expected_kid) unless matching_key
+
+        JWT::JWK.import(matching_key)
+      rescue JSON::ParserError, SocketError, SystemCallError => e
+        raise CallbackError.new(:jwks_fetch_failed, e.message)
+      end
+
+      def fetch_jwks_keys
+        uri = URI(JWKS_URL)
+        response = Net::HTTP.get_response(uri)
+        raise CallbackError.new(:jwks_fetch_failed, response.code) unless response.is_a?(Net::HTTPSuccess)
+
+        JSON.parse(response.body).fetch('keys', [])
+      end
+
+      def valid_audiences
+        [options.client_id, *Array(options.authorized_client_ids)].compact
+      end
+
+      def extract_kid(token)
+        header_segment = token.split('.').first
+        decoded_header = Base64.urlsafe_decode64(pad_base64(header_segment))
+        JSON.parse(decoded_header)['kid']
+      end
+
+      def decode_payload(token, jwk)
+        payload, = JWT.decode(
+          token,
+          jwk.public_key,
+          true,
+          decode_options
+        )
+        payload
+      end
+
+      def decode_options
+        {
+          algorithms: ['RS256'],
+          iss: ISSUER,
+          verify_iss: true,
+          aud: valid_audiences,
+          verify_aud: true,
+          verify_iat: true,
+          verify_expiration: true
+        }
+      end
+
+      def client_id
+        options.client_id
+      end
+
+      def client_secret
+        JWT.encode(client_secret_claims, private_key, 'ES256', client_secret_headers)
+      end
+
+      def private_key
+        OpenSSL::PKey::EC.new(options.pem)
+      end
+
+      def client_secret_claims
+        now = Time.now.to_i
+        {
+          iss: options.team_id,
+          iat: now,
+          exp: now + 60,
+          aud: ISSUER,
+          sub: client_id
+        }
+      end
+
+      def client_secret_headers
+        {
+          kid: options.key_id
+        }
+      end
+
+      def new_nonce
+        session['omniauth.nonce'] = SecureRandom.urlsafe_base64(16)
+      end
+
+      def stored_nonce
+        session.delete('omniauth.nonce')
+      end
+
+      def true_claim?(value)
+        [true, 'true'].include?(value)
+      end
+
+      def blank?(value)
+        value.nil? || (value.respond_to?(:empty?) && value.empty?)
+      end
+
+      def pad_base64(value)
+        value + ('=' * ((4 - (value.length % 4)) % 4))
+      end
+    end
+
+    # Backward-compatible strategy name for existing callback paths.
+    class Apple < Apple2
+      option :name, 'apple'
+    end
+  end
+end
+
+OmniAuth.config.add_camelization 'apple2', 'Apple2'
+OmniAuth.config.add_camelization 'apple', 'Apple'

data/lib/omniauth-apple2.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require 'omniauth/apple2'

data/omniauth-apple2.gemspec

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'omniauth/apple2/version'
+
+Gem::Specification.new do |spec|
+  spec.name = 'omniauth-apple2'
+  spec.version = OmniAuth::Apple2::VERSION
+  spec.authors = ['Claudio Poli']
+  spec.email = ['masterkain@gmail.com']
+
+  spec.summary = 'OmniAuth strategy for Sign in with Apple authentication.'
+  spec.description = 'OAuth2 strategy for OmniAuth that authenticates users with Sign in with Apple.'
+  spec.homepage = 'https://github.com/icoretech/omniauth-apple2'
+  spec.license = 'MIT'
+  spec.required_ruby_version = '>= 3.2'
+
+  spec.metadata['source_code_uri'] = 'https://github.com/icoretech/omniauth-apple2'
+  spec.metadata['bug_tracker_uri'] = 'https://github.com/icoretech/omniauth-apple2/issues'
+  spec.metadata['changelog_uri'] = 'https://github.com/icoretech/omniauth-apple2/releases'
+  spec.metadata['rubygems_mfa_required'] = 'true'
+
+  spec.files = Dir[
+    'lib/**/*.rb',
+    'README*',
+    'LICENSE*',
+    '*.gemspec'
+  ]
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'cgi', '>= 0.3.6'
+  spec.add_dependency 'jwt', '>= 2.8'
+  spec.add_dependency 'omniauth-oauth2', '>= 1.8', '< 2.0'
+end

metadata

@@ -0,0 +1,100 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-apple2
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Claudio Poli
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: cgi
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.3.6
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.3.6
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.8'
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+description: OAuth2 strategy for OmniAuth that authenticates users with Sign in with
+  Apple.
+email:
+- masterkain@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE.txt
+- README.md
+- lib/omniauth-apple2.rb
+- lib/omniauth/apple2.rb
+- lib/omniauth/apple2/version.rb
+- lib/omniauth/strategies/apple2.rb
+- omniauth-apple2.gemspec
+homepage: https://github.com/icoretech/omniauth-apple2
+licenses:
+- MIT
+metadata:
+  source_code_uri: https://github.com/icoretech/omniauth-apple2
+  bug_tracker_uri: https://github.com/icoretech/omniauth-apple2/issues
+  changelog_uri: https://github.com/icoretech/omniauth-apple2/releases
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.2'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.9
+specification_version: 4
+summary: OmniAuth strategy for Sign in with Apple authentication.
+test_files: []