authorGravatar Vitaly Takmazov2023-01-13 15:46:48 +0300
committerGravatar Vitaly Takmazov2023-01-13 15:46:48 +0300
commit8b70eded6c9cc3b9cf634356239701fe65779791 (patch)
treeb82c69a70c574c0ae482863c3a8ca33cf5fa6297 /src/main/java/com/github/scribejava/apis/AppleSignInApi.java
parente8c00d21df450198707a361bb57f983de3025f26 (diff)
Specify explicit list of claims expected in JWT verification
Diffstat (limited to 'src/main/java/com/github/scribejava/apis/AppleSignInApi.java')
-rw-r--r--src/main/java/com/github/scribejava/apis/AppleSignInApi.java20
1 files changed, 17 insertions, 3 deletions
diff --git a/src/main/java/com/github/scribejava/apis/AppleSignInApi.java b/src/main/java/com/github/scribejava/apis/AppleSignInApi.java
index 84bd781f..5d11a2a6 100644
--- a/src/main/java/com/github/scribejava/apis/AppleSignInApi.java
+++ b/src/main/java/com/github/scribejava/apis/AppleSignInApi.java
@@ -27,22 +27,29 @@ import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
+import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
import java.net.MalformedURLException;
import java.net.URL;
import java.text.ParseException;
import java.util.Map;
import java.util.Optional;
+import java.util.Set;
public class AppleSignInApi extends DefaultApi20 {
+ private static final Logger logger = LoggerFactory.getLogger("JWT");
private final AppleClientSecretGenerator clientSecretGenerator;
+ private final String applicationId;
- public AppleSignInApi(AppleClientSecretGenerator clientSecretGenerator) {
+ public AppleSignInApi(AppleClientSecretGenerator clientSecretGenerator, String applicationId) {
this.clientSecretGenerator = clientSecretGenerator;
+ this.applicationId = applicationId;
}
@Override
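Review bot: The new constructor stores `applicationId` without a null check, although it is the value the verifier's audience match is built from; a null passed here is only discovered later, when the verifier is constructed or a token is processed, far from the caller that supplied it. `this.applicationId = Objects.requireNonNull(applicationId, "applicationId");` fails at construction with a clear message (needs `java.util.Objects` next to the other `java.util` imports). The logger is also created with the literal name `"JWT"` rather than the class, so its output cannot be filtered or routed per class like the rest of the library's logging; `LoggerFactory.getLogger(AppleSignInApi.class)` is the usual form. The single-argument constructor is removed rather than deprecated, so existing callers of `AppleSignInApi(AppleClientSecretGenerator)` no longer compile; that is presumably intended since the audience has no sensible default, but it deserves a line in the release notes.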
@@ -89,17 +96,24 @@ public class AppleSignInApi extends DefaultApi20 {
jwtProcessor.setJWSKeySelector(keySelector);
// Set the required JWT claims for access tokens issued by the server
- jwtProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>());
+ jwtProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
+ new JWTClaimsSet.Builder()
+ .issuer("https://appleid.apple.com")
+ .audience(applicationId)
+ .build(),
+ Set.of("exp", "iat", "aud", "email")
+ ));
// Process the token
Map<String, Object> claimsSet;
try {
claimsSet = jwtProcessor.process(idToken, null).toJSONObject();
} catch (ParseException | BadJOSEException | JOSEException e) {
+ logger.error(e.getMessage(), e);
return Optional.empty();
}
- String email = (String)claimsSet.get("email");
+ String email = (String) claimsSet.get("email");
boolean verified = claimsSet.get("email_verified").equals("true");
return verified ? Optional.of(email) : Optional.empty();
}
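Review bot: The required-claims set added to the verifier lists `email` but not `email_verified`, yet the line after the catch block calls `claimsSet.get("email_verified").equals("true")` unconditionally, so a token that passes verification without that claim escapes the method with a NullPointerException instead of returning `Optional.empty()`. Apple's id_token documentation describes `email_verified` as either a string or a Boolean, and for the Boolean form `equals("true")` is always false, so a verified email is silently rejected. `boolean verified = "true".equals(String.valueOf(claimsSet.get("email_verified")));` handles both forms and the absent case; alternatively add `"email_verified"` to the `Set.of(...)` so the verifier itself rejects such tokens. The new catch block logs at ERROR with the library's exception message in the format-string position; `logger.warn("Apple id_token verification failed", e)` gives a stable message for alerting and keeps the exception text where it belongs, in the stack trace. The enclosing method begins before this hunk.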