aboutsummaryrefslogtreecommitdiff
path: root/src/main/java/com/github/scribejava/apis/AppleSignInApi.java
blob: 9e487ca09f2f46afdcd993fd15cc0dbe5ebecc16 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
/*
 * Copyright (C) 2008-2020, Juick
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

package com.github.scribejava.apis;

import com.github.scribejava.core.builder.api.DefaultApi20;
import com.github.scribejava.core.oauth2.clientauthentication.ClientAuthentication;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.net.MalformedURLException;
import java.net.URL;
import java.text.ParseException;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

public class AppleSignInApi extends DefaultApi20 {

    private static final Logger logger = LoggerFactory.getLogger("JWT");
    private final AppleClientSecretGenerator clientSecretGenerator;
    private final String applicationId;

    public AppleSignInApi(AppleClientSecretGenerator clientSecretGenerator, String applicationId) {
        this.clientSecretGenerator = clientSecretGenerator;
        this.applicationId = applicationId;
    }

    @Override
    public String getAccessTokenEndpoint() {
        return "https://appleid.apple.com/auth/token";
    }

    @Override
    protected String getAuthorizationBaseUrl() {
        return "https://appleid.apple.com/auth/authorize?response_mode=form_post";
    }

    @Override
    public ClientAuthentication getClientAuthentication() {
        return new AppleClientAuthentication(clientSecretGenerator);
    }

    public Optional<String> validateToken(String idToken) {

// Create a JWT processor for the access tokens
        ConfigurableJWTProcessor<SecurityContext> jwtProcessor =
                new DefaultJWTProcessor<>();

// The public RSA keys to validate the signatures will be sourced from the
// OAuth 2.0 server's JWK set, published at a well-known URL. The RemoteJWKSet
// object caches the retrieved keys to speed up subsequent look-ups and can
// also handle key-rollover
        JWKSource<SecurityContext> keySource =
                null;
        try {
            keySource = new RemoteJWKSet<>(new URL("https://appleid.apple.com/auth/keys"));
        } catch (MalformedURLException e) {
            return Optional.empty();
        }

// The expected JWS algorithm of the access tokens (agreed out-of-band)
        JWSAlgorithm expectedJWSAlg = JWSAlgorithm.RS256;

// Configure the JWT processor with a key selector to feed matching public
// RSA keys sourced from the JWK set URL
        JWSKeySelector<SecurityContext> keySelector =
                new JWSVerificationKeySelector<>(expectedJWSAlg, keySource);

        jwtProcessor.setJWSKeySelector(keySelector);

// Set the required JWT claims for access tokens issued by the server
        jwtProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                new JWTClaimsSet.Builder()
                        .issuer("https://appleid.apple.com")
                        .audience(applicationId)
                        .build(),
                Set.of("exp", "iat", "aud", "email")
        ));

// Process the token
        Map<String, Object> claimsSet;
        try {
            claimsSet = jwtProcessor.process(idToken, null).toJSONObject();
        } catch (ParseException | BadJOSEException | JOSEException e) {
            logger.error(e.getMessage(), e);
            return Optional.empty();
        }

        String email = (String) claimsSet.get("email");
        boolean verified = claimsSet.get("email_verified").equals(true);
        logger.debug("Email {} verified: {}", email, verified);
        return verified ? Optional.of(email) : Optional.empty();
    }
}