aboutsummaryrefslogblamecommitdiff
path: root/src/main/java/com/github/scribejava/apis/AppleSignInApi.java
blob: 84bd781f201ddc3c3023544c8eb1150e4c58bcfb (plain) (tree)
1
2
  
                                 

















                                                                                   









                                                         


                                      
                     
                          





















                                                                                  































                                                                                           
                                      




                                                                           
                                                                          
                                                                
 
/*
 * Copyright (C) 2008-2020, Juick
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

package com.github.scribejava.apis;

import com.github.scribejava.core.builder.api.DefaultApi20;
import com.github.scribejava.core.oauth2.clientauthentication.ClientAuthentication;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

import java.net.MalformedURLException;
import java.net.URL;
import java.text.ParseException;
import java.util.Map;
import java.util.Optional;

public class AppleSignInApi extends DefaultApi20 {

    private final AppleClientSecretGenerator clientSecretGenerator;

    public AppleSignInApi(AppleClientSecretGenerator clientSecretGenerator) {
        this.clientSecretGenerator = clientSecretGenerator;
    }

    @Override
    public String getAccessTokenEndpoint() {
        return "https://appleid.apple.com/auth/token";
    }

    @Override
    protected String getAuthorizationBaseUrl() {
        return "https://appleid.apple.com/auth/authorize?response_mode=form_post";
    }

    @Override
    public ClientAuthentication getClientAuthentication() {
        return new AppleClientAuthentication(clientSecretGenerator);
    }

    public Optional<String> validateToken(String idToken) {

// Create a JWT processor for the access tokens
        ConfigurableJWTProcessor<SecurityContext> jwtProcessor =
                new DefaultJWTProcessor<>();

// The public RSA keys to validate the signatures will be sourced from the
// OAuth 2.0 server's JWK set, published at a well-known URL. The RemoteJWKSet
// object caches the retrieved keys to speed up subsequent look-ups and can
// also handle key-rollover
        JWKSource<SecurityContext> keySource =
                null;
        try {
            keySource = new RemoteJWKSet<>(new URL("https://appleid.apple.com/auth/keys"));
        } catch (MalformedURLException e) {
            return Optional.empty();
        }

// The expected JWS algorithm of the access tokens (agreed out-of-band)
        JWSAlgorithm expectedJWSAlg = JWSAlgorithm.RS256;

// Configure the JWT processor with a key selector to feed matching public
// RSA keys sourced from the JWK set URL
        JWSKeySelector<SecurityContext> keySelector =
                new JWSVerificationKeySelector<>(expectedJWSAlg, keySource);

        jwtProcessor.setJWSKeySelector(keySelector);

// Set the required JWT claims for access tokens issued by the server
        jwtProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>());

// Process the token
        Map<String, Object> claimsSet;
        try {
            claimsSet = jwtProcessor.process(idToken, null).toJSONObject();
        } catch (ParseException | BadJOSEException | JOSEException e) {
            return Optional.empty();
        }

        String email = (String)claimsSet.get("email");
        boolean verified = claimsSet.get("email_verified").equals("true");
        return verified ? Optional.of(email) : Optional.empty();
    }
}