From 8b70eded6c9cc3b9cf634356239701fe65779791 Mon Sep 17 00:00:00 2001 From: Vitaly Takmazov Date: Fri, 13 Jan 2023 15:46:48 +0300 Subject: Specify explicit list of claims expected in JWT verification --- .../com/github/scribejava/apis/AppleSignInApi.java | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) (limited to 'src/main/java/com/github/scribejava/apis/AppleSignInApi.java')
diff --git a/src/main/java/com/github/scribejava/apis/AppleSignInApi.java b/src/main/java/com/github/scribejava/apis/AppleSignInApi.java
index 84bd781f..5d11a2a6 100644
--- a/src/main/java/com/github/scribejava/apis/AppleSignInApi.java
+++ b/src/main/java/com/github/scribejava/apis/AppleSignInApi.java
@@ -27,22 +27,29 @@ import com.nimbusds.jose.proc.BadJOSEException;
 import com.nimbusds.jose.proc.JWSKeySelector;
 import com.nimbusds.jose.proc.JWSVerificationKeySelector;
 import com.nimbusds.jose.proc.SecurityContext;
+import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
 import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
 import com.nimbusds.jwt.proc.DefaultJWTProcessor;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.text.ParseException;
 import java.util.Map;
 import java.util.Optional;
+import java.util.Set;
 public class AppleSignInApi extends DefaultApi20 {
+    private static final Logger logger = LoggerFactory.getLogger("JWT");
     private final AppleClientSecretGenerator clientSecretGenerator;
+    private final String applicationId;
-    public AppleSignInApi(AppleClientSecretGenerator clientSecretGenerator) {
+    public AppleSignInApi(AppleClientSecretGenerator clientSecretGenerator, String applicationId) {
         this.clientSecretGenerator = clientSecretGenerator;
+        this.applicationId = applicationId;
     }
     @Override
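Review bot: The new `applicationId` constructor parameter is stored without validation, so a caller passing null gets no error at construction; the null only shows up later, at token verification, where a null audience expectation presumably can never match and every id_token is rejected as a verifier failure rather than as a configuration error. Guarding it where it is set, `this.applicationId = Objects.requireNonNull(applicationId, "applicationId");` (with `java.util.Objects` added to the imports), surfaces the misconfiguration at startup instead. As a point of style, the logger is looked up by the literal name "JWT" rather than the class; `LoggerFactory.getLogger(AppleSignInApi.class)` keeps it attributable in logging configuration. The constructor is complete within the hunk.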
@@ -89,17 +96,24 @@ public class AppleSignInApi extends DefaultApi20 {
         jwtProcessor.setJWSKeySelector(keySelector);
         // Set the required JWT claims for access tokens issued by the server
-        jwtProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>());
+        jwtProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
+                new JWTClaimsSet.Builder()
+                        .issuer("https://appleid.apple.com")
+                        .audience(applicationId)
+                        .build(),
+                Set.of("exp", "iat", "aud", "email")
+        ));
         // Process the token
         Map claimsSet;
         try {
             claimsSet = jwtProcessor.process(idToken, null).toJSONObject();
         } catch (ParseException | BadJOSEException | JOSEException e) {
+            logger.error(e.getMessage(), e);
             return Optional.empty();
         }
-        String email = (String)claimsSet.get("email");
+        String email = (String) claimsSet.get("email");
         boolean verified = claimsSet.get("email_verified").equals("true");
         return verified ? Optional.of(email) : Optional.empty();
     }
-- cgit v1.2.3
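Review bot: The required-claims set added to the verifier leaves out `email_verified`, yet the unchanged line below dereferences it unconditionally with `claimsSet.get("email_verified").equals("true")`, so a token that passes signature, issuer, audience and expiry checks but lacks that claim throws a NullPointerException out of the method instead of returning `Optional.empty()` (the catch only covers `process`). Requiring it, `Set.of("exp", "iat", "aud", "email", "email_verified")`, moves that case onto the verifier's `BadJOSEException` path. If, as Apple's documentation describes, `email_verified` can arrive as a JSON boolean rather than the string "true", the `equals("true")` comparison is false and a verified address is silently rejected; `boolean verified = "true".equals(String.valueOf(claimsSet.get("email_verified")));` accepts both forms and is null-safe. Logging every rejected client-supplied token at ERROR with a full stack trace also lets any caller fill the error log, so WARN without the throwable is usually enough for a verification failure. The enclosing method starts before this hunk, and `Map claimsSet` is a raw type where `toJSONObject()` yields `Map<String, Object>`.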