author | Vitaly Takmazov | 2019-12-25 16:17:43 +0300 |
committer | Vitaly Takmazov | 2019-12-25 16:17:43 +0300 |
commit | df812aa75aac92ff4685dcf052b9ac4ed8d12fe6 (patch) | |
tree | dcb3a0b86611fe24079694e37f1ca174f1474df9 /src/main/java/com/github | |
parent | 15419fe34b6dd92223eff7c9f64b34f044eb0133 (diff) |
Cleanup SocialLogin
Diffstat (limited to 'src/main/java/com/github')
-rw-r--r-- | src/main/java/com/github/scribejava/apis/AppleSignInApi.java | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/src/main/java/com/github/scribejava/apis/AppleSignInApi.java b/src/main/java/com/github/scribejava/apis/AppleSignInApi.java index be14ef16..14b7f0e6 100644 --- a/src/main/java/com/github/scribejava/apis/AppleSignInApi.java +++ b/src/main/java/com/github/scribejava/apis/AppleSignInApi.java @@ -18,7 +18,25 @@ package com.github.scribejava.apis; import com.github.scribejava.core.builder.api.DefaultApi20; +import com.github.scribejava.core.model.OAuth2AccessToken; import com.github.scribejava.core.oauth2.clientauthentication.ClientAuthentication; +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.jwk.source.JWKSource; +import com.nimbusds.jose.jwk.source.RemoteJWKSet; +import com.nimbusds.jose.proc.BadJOSEException; +import com.nimbusds.jose.proc.JWSKeySelector; +import com.nimbusds.jose.proc.JWSVerificationKeySelector; +import com.nimbusds.jose.proc.SecurityContext; +import com.nimbusds.jwt.proc.ConfigurableJWTProcessor; +import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier; +import com.nimbusds.jwt.proc.DefaultJWTProcessor; +import net.minidev.json.JSONObject; + +import java.net.MalformedURLException; +import java.net.URL; +import java.text.ParseException; +import java.util.Optional; public class AppleSignInApi extends DefaultApi20 { 
@@ -42,4 +60,48 @@ public class AppleSignInApi extends DefaultApi20 {
 public ClientAuthentication getClientAuthentication() {
 return new AppleClientAuthentication(clientSecretGenerator);
 }
+
+ public Optional<String> validateToken(String idToken) {
+
+// Create a JWT processor for the access tokens
+ ConfigurableJWTProcessor<SecurityContext> jwtProcessor =
+ new DefaultJWTProcessor<>();
+
+// The public RSA keys to validate the signatures will be sourced from the
+// OAuth 2.0 server's JWK set, published at a well-known URL. The RemoteJWKSet
+// object caches the retrieved keys to speed up subsequent look-ups and can
+// also handle key-rollover
+ JWKSource<SecurityContext> keySource =
+ null;
+ try {
+ keySource = new RemoteJWKSet<>(new URL("https://appleid.apple.com/auth/keys"));
+ } catch (MalformedURLException e) {
+ return Optional.empty();
+ }
+
+// The expected JWS algorithm of the access tokens (agreed out-of-band)
+ JWSAlgorithm expectedJWSAlg = JWSAlgorithm.RS256;
+
+// Configure the JWT processor with a key selector to feed matching public
+// RSA keys sourced from the JWK set URL
+ JWSKeySelector<SecurityContext> keySelector =
+ new JWSVerificationKeySelector<>(expectedJWSAlg, keySource);
+
+ jwtProcessor.setJWSKeySelector(keySelector);
+
+// Set the required JWT claims for access tokens issued by the server
+ jwtProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>());
+
+// Process the token
+ JSONObject claimsSet = null;
+ try {
+ claimsSet = jwtProcessor.process(idToken, null).toJSONObject();
+ } catch (ParseException | BadJOSEException | JOSEException e) {
+ return Optional.empty();
+ }
+
+ var email = claimsSet.getAsString("email");
+ var verified = claimsSet.getAsString("email_verified").equals("true");
+ return verified ? Optional.of(email) : Optional.empty();
+ }
 } |
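Review bot: `new DefaultJWTClaimsVerifier<>()` on the `setJWTClaimsSetVerifier` line checks only the time-based claims, so `validateToken` accepts any token correctly signed with Apple's published keys regardless of its `iss` or `aud` — an id token minted for a different app would pass and its `email` would then be trusted. Pin the issuer and require the audience to be this client's id (where that id lives is not visible in the hunk; `clientSecretGenerator` may carry it), and guard the claim reads: `getAsString` returns null for an absent claim, so `claimsSet.getAsString("email_verified").equals("true")` throws NullPointerException and `Optional.of(email)` does too when `email` is missing. Separately, `RemoteJWKSet` is constructed on every call, so the caching the comment promises never happens between calls; hold it in a field of the class instead. The rewritten lines below use nimbus-jose-jwt's `DefaultJWTClaimsVerifier(String requiredAudience, JWTClaimsSet exactMatchClaims, Set<String> requiredClaims)` constructor, available in recent versions of the library, and need `com.nimbusds.jwt.JWTClaimsSet` and `java.util.Set` imported.
```java
    public Optional<String> validateToken(String idToken) {
        // … unchanged: JWT processor, RemoteJWKSet and key selector setup …

        // Only accept tokens Apple issued for this client: exact-match iss,
        // require aud to contain our client id, and require sub/exp to be present.
        String expectedAudience = CLIENT_ID_PLACEHOLDER; // the app's client id; its source is not visible in this hunk
        jwtProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                expectedAudience,
                new JWTClaimsSet.Builder().issuer("https://appleid.apple.com").build(),
                Set.of("sub", "exp")));

        // … unchanged: process the token into claimsSet …

        // Absent claims come back as null from getAsString: never dereference them.
        var email = claimsSet.getAsString("email");
        var verified = "true".equals(claimsSet.getAsString("email_verified"));
        return verified ? Optional.ofNullable(email) : Optional.empty();
    }
```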