From df812aa75aac92ff4685dcf052b9ac4ed8d12fe6 Mon Sep 17 00:00:00 2001 From: Vitaly Takmazov Date: Wed, 25 Dec 2019 16:17:43 +0300 Subject: Cleanup SocialLogin --- .../com/github/scribejava/apis/AppleSignInApi.java | 62 ++++++++++++++++++++++ 1 file changed, 62 insertions(+) (limited to 'src/main/java/com/github/scribejava/apis') diff --git a/src/main/java/com/github/scribejava/apis/AppleSignInApi.java b/src/main/java/com/github/scribejava/apis/AppleSignInApi.java index be14ef16d..14b7f0e6d 100644 --- a/src/main/java/com/github/scribejava/apis/AppleSignInApi.java +++ b/src/main/java/com/github/scribejava/apis/AppleSignInApi.java @@ -18,7 +18,25 @@ package com.github.scribejava.apis; import com.github.scribejava.core.builder.api.DefaultApi20; +import com.github.scribejava.core.model.OAuth2AccessToken; import com.github.scribejava.core.oauth2.clientauthentication.ClientAuthentication; +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.jwk.source.JWKSource; +import com.nimbusds.jose.jwk.source.RemoteJWKSet; +import com.nimbusds.jose.proc.BadJOSEException; +import com.nimbusds.jose.proc.JWSKeySelector; +import com.nimbusds.jose.proc.JWSVerificationKeySelector; +import com.nimbusds.jose.proc.SecurityContext; +import com.nimbusds.jwt.proc.ConfigurableJWTProcessor; +import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier; +import com.nimbusds.jwt.proc.DefaultJWTProcessor; +import net.minidev.json.JSONObject; + +import java.net.MalformedURLException; +import java.net.URL; +import java.text.ParseException; +import java.util.Optional; public class AppleSignInApi extends DefaultApi20 { @@ -42,4 +60,48 @@ public class AppleSignInApi extends DefaultApi20 { public ClientAuthentication getClientAuthentication() { return new AppleClientAuthentication(clientSecretGenerator); } + + public Optional validateToken(String idToken) { + +// Create a JWT processor for the access tokens + ConfigurableJWTProcessor jwtProcessor = + new DefaultJWTProcessor<>(); + +// The public RSA keys to validate the signatures will be sourced from the +// OAuth 2.0 server's JWK set, published at a well-known URL. The RemoteJWKSet +// object caches the retrieved keys to speed up subsequent look-ups and can +// also handle key-rollover + JWKSource keySource = + null; + try { + keySource = new RemoteJWKSet<>(new URL("https://appleid.apple.com/auth/keys")); + } catch (MalformedURLException e) { + return Optional.empty(); + } + +// The expected JWS algorithm of the access tokens (agreed out-of-band) + JWSAlgorithm expectedJWSAlg = JWSAlgorithm.RS256; + +// Configure the JWT processor with a key selector to feed matching public +// RSA keys sourced from the JWK set URL + JWSKeySelector keySelector = + new JWSVerificationKeySelector<>(expectedJWSAlg, keySource); + + jwtProcessor.setJWSKeySelector(keySelector); + +// Set the required JWT claims for access tokens issued by the server + jwtProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>()); + +// Process the token + JSONObject claimsSet = null; + try { + claimsSet = jwtProcessor.process(idToken, null).toJSONObject(); + } catch (ParseException | BadJOSEException | JOSEException e) { + return Optional.empty(); + } + + var email = claimsSet.getAsString("email"); + var verified = claimsSet.getAsString("email_verified").equals("true"); + return verified ? Optional.of(email) : Optional.empty(); + } } -- cgit v1.2.3