Diffstat (limited to 'src/main/java/com/github/scribejava/apis')
-rw-r--r--src/main/java/com/github/scribejava/apis/AppleSignInApi.java62
1 files changed, 62 insertions, 0 deletions
diff --git a/src/main/java/com/github/scribejava/apis/AppleSignInApi.java b/src/main/java/com/github/scribejava/apis/AppleSignInApi.java
index be14ef16..14b7f0e6 100644
--- a/src/main/java/com/github/scribejava/apis/AppleSignInApi.java
+++ b/src/main/java/com/github/scribejava/apis/AppleSignInApi.java
@@ -18,7 +18,25 @@
package com.github.scribejava.apis;
import com.github.scribejava.core.builder.api.DefaultApi20;
+import com.github.scribejava.core.model.OAuth2AccessToken;
import com.github.scribejava.core.oauth2.clientauthentication.ClientAuthentication;
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.jwk.source.JWKSource;
+import com.nimbusds.jose.jwk.source.RemoteJWKSet;
+import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.proc.JWSKeySelector;
+import com.nimbusds.jose.proc.JWSVerificationKeySelector;
+import com.nimbusds.jose.proc.SecurityContext;
+import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
+import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
+import com.nimbusds.jwt.proc.DefaultJWTProcessor;
+import net.minidev.json.JSONObject;
+
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.text.ParseException;
+import java.util.Optional;
public class AppleSignInApi extends DefaultApi20 {
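Review bot: `OAuth2AccessToken` is imported on the line after `DefaultApi20` but nothing added in this commit references it, so it looks like a leftover; drop it rather than leave an unused import in a public API class. The other new imports bring nimbus-jose-jwt and json-smart (`net.minidev.json`) into the apis module; the corresponding build-file change is outside this diff, so I cannot confirm the version is pinned. A JOSE/JWT library is a supply-chain-sensitive dependency that should be pinned to a specific release and tracked for security fixes.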
@@ -42,4 +60,48 @@ public class AppleSignInApi extends DefaultApi20 {
public ClientAuthentication getClientAuthentication() {
return new AppleClientAuthentication(clientSecretGenerator);
}
+
+ public Optional<String> validateToken(String idToken) {
+
+// Create a JWT processor for the access tokens
+ ConfigurableJWTProcessor<SecurityContext> jwtProcessor =
+ new DefaultJWTProcessor<>();
+
+// The public RSA keys to validate the signatures will be sourced from the
+// OAuth 2.0 server's JWK set, published at a well-known URL. The RemoteJWKSet
+// object caches the retrieved keys to speed up subsequent look-ups and can
+// also handle key-rollover
+ JWKSource<SecurityContext> keySource =
+ null;
+ try {
+ keySource = new RemoteJWKSet<>(new URL("https://appleid.apple.com/auth/keys"));
+ } catch (MalformedURLException e) {
+ return Optional.empty();
+ }
+
+// The expected JWS algorithm of the access tokens (agreed out-of-band)
+ JWSAlgorithm expectedJWSAlg = JWSAlgorithm.RS256;
+
+// Configure the JWT processor with a key selector to feed matching public
+// RSA keys sourced from the JWK set URL
+ JWSKeySelector<SecurityContext> keySelector =
+ new JWSVerificationKeySelector<>(expectedJWSAlg, keySource);
+
+ jwtProcessor.setJWSKeySelector(keySelector);
+
+// Set the required JWT claims for access tokens issued by the server
+ jwtProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>());
+
+// Process the token
+ JSONObject claimsSet = null;
+ try {
+ claimsSet = jwtProcessor.process(idToken, null).toJSONObject();
+ } catch (ParseException | BadJOSEException | JOSEException e) {
+ return Optional.empty();
+ }
+
+ var email = claimsSet.getAsString("email");
+ var verified = claimsSet.getAsString("email_verified").equals("true");
+ return verified ? Optional.of(email) : Optional.empty();
+ }
}
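Review bot: The verifier installed on the `setJWTClaimsSetVerifier` line is the no-argument `DefaultJWTClaimsVerifier`, which as far as I can tell only enforces the time-window claims, so a validly signed Apple ID token issued to any other client ID is accepted here; check `iss` and `aud` explicitly, e.g. `new DefaultJWTClaimsVerifier<>(clientId, new JWTClaimsSet.Builder().issuer("https://appleid.apple.com").build(), Set.of("sub", "exp", "iat"))`, and consider taking the `nonce` sent in the authorization request as a parameter and comparing it against the `nonce` claim. A fresh `RemoteJWKSet` is constructed on every call, so the caching and key-rollover behaviour the comment describes never applies and each validation triggers a new HTTPS fetch of Apple's key set; hoist it into a `private static final` field or build it once in the constructor. `claimsSet.getAsString("email_verified").equals("true")` throws a NullPointerException when the claim is absent (and the value may arrive as a JSON boolean rather than a string); `"true".equals(claimsSet.getAsString("email_verified"))` handles both. Both catch blocks discard the exception without logging, so a caller cannot distinguish a forged or expired token from a transient key-fetch failure; at minimum log the cause. The copied comments say "access tokens" throughout, but this method validates an ID token, so I would reword them to avoid misleading the next reader about what is being checked.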