azimolabs / apple-sign-in-php-sdk Goto Github PK

View Code? Open in Web Editor NEW

88.0 7.0 30.0 96 KB

PHP library to verify and validate Apple IdentityToken and authenticate a user with Apple ID.

License: MIT License

PHP 100.00%

apple jwt php apple-sign-in sign-in-with-apple sign-in jwk ios php7 php-library

apple-sign-in-php-sdk's Introduction

Sign-in with Apple SDK

Installation

Recommended and easiest way to installing library is through Composer.

composer require azimolabs/apple-sign-in-php-sdk

Requirements

PHP 7.1+
OpenSSL Extension

PHP support

PHP version	Library version
`5.x`	`NOT SUPPORTED`
`> 7.0 <= 7.3`	`1.4.x`
`>= 7.4 < 8.0`	`1.5.x`
`>= 8.0 & ^7.4`	`2.0.x`
`>= 8.1`	`3.0.x`

Versioning follows semver standard.

How it works

This description assumes that you already have generated identityToken . Remember that token is valid ONLY for 10 minutes.

The first step to verify the identity token is to generate a public key. To generate public key exponent and modulus values are required. Both information are exposed in Apple API endpoint. Those values differ depending on the algorithm.

The second step is verification if provided identityToken is valid against generated public key. If so we are sure that identityToken wasn't malformed.

The third step is validation if token is not expired. Additionally it is worth to check issuer and audience, examples are shown below.

Basic usage

Once you have cloned repository, make sure that composer dependencies are installed running composer install -o.

$appleJwtFetchingService = new Auth\Service\AppleJwtFetchingService(
            new Auth\Jwt\JwtParser(new \Lcobucci\JWT\Token\Parser(new \Lcobucci\JWT\Encoding\JoseEncoder())),
            new Auth\Jwt\JwtVerifier(
                new Api\AppleApiClient(
                    new GuzzleHttp\Client(
                        [
                            'base_uri'        => 'https://appleid.apple.com',
                            'timeout'         => 5,
                            'connect_timeout' => 5,
                        ]
                    ),
                    new Api\Factory\ResponseFactory()
                ),
                new \Lcobucci\JWT\Validation\Validator(),
                new \Lcobucci\JWT\Signer\Rsa\Sha256()
            ),
            new Auth\Jwt\JwtValidator(
                new \Lcobucci\JWT\Validation\Validator(),
                [
                    new \Lcobucci\JWT\Validation\Constraint\IssuedBy('https://appleid.apple.com'),
                    new \Lcobucci\JWT\Validation\Constraint\PermittedFor('com.c.azimo.stage'),
                ]
            ),
            new Auth\Factory\AppleJwtStructFactory()
        );

$appleJwtFetchingService->getJwtPayload('your.identity.token');

If you don't want to copy-paste above code you can paste freshly generated identityToken in tests/E2e/Auth/AppleJwtFetchingServiceTest.php:53 and run tests with simple command php vendor/bin/phpunit tests/E2e.

$ php vendor/bin/phpunit tests/E2e
PHPUnit 9.2.5 by Sebastian Bergmann and contributors.

Random seed:   1594414420

.                                                                   1 / 1 (100%)

Time: 00:00.962, Memory: 8.00 MB

OK (1 test, 1 assertion)

Todo

It is welcome to open a pull request with a fix for any issue:

Upgrade phpseclib/phpseclib to version 3.0.7
Upgrade lcobucci/jwt to version 4.x. Reported in: Implicit conversion of keys from strings is deprecated. #2
Make library compatible with PHP 7.4.3. Reported in Uncaught JsonException: Malformed UTF-8 characters
Make library compatible with PHP 8.0.0
Refactor \Azimo\Apple\Api\Enum\CryptographicAlgorithmEnum, so algorithms are fetched dynamically from https://appleid.apple.com/auth/keys
Create contribution guide

Miscellaneous

apple-sign-in-php-sdk's People

Contributors

Stargazers

Watchers

apple-sign-in-php-sdk's Issues

Unsupported cryptographic algorithm passed `eXaunmL

Hi!

Can you add new cryptographic algorithm eXaunmL?

Uncaught JsonException: Malformed UTF-8 characters, possibly incorrectly encoded

Hi! I'm using PHP 7.4.3 and trying to verify identity token. The response I get: Uncaught JsonException: Malformed UTF-8 characters, possibly incorrectly encoded in /home/x/domains/domain.com/public_html/apple/lcobucci/jwt/src/Parsing/Decoder.php:50. Changing to older PHP version helps, but is there any solution to make it working on >7.4.3? Thanks

Unsupported cryptographic algorithm

I have error frequently 30% happen at 1st time sign with apple
"Cryptographic algorithm W6WcOKB is not supported. Supported algorithms: 86D88Kf,eXaunmL,YuyXoY"

I use your lib code for Apple Sign feature!
Next times when I revoke apple id on app and sign again 2nd, it could be passed.

Cryptographic algorithm `fh6Bs8C` is not supported

Hello,

currently we have an issue relating to the cryptographic algorithm fh6Bs8C.
We are using package version 1.3.0 currently.
Would it be possible to integrate this in the package? Or does it exist already?

Any chances for this library to use lcobucci 3.4 or 4?

Because my project dependencies depend on ^3.4|^4.0 so i can't use this library for my project.

And i know this is huge breaking change if this library switch to latest lcobucci : (

Validation of given token failed. Possibly token expired.

Even trying with php vendor/bin/phpunit vendor/azimolabs/apple-sign-in-php-sdk/tests/E2e/Auth/AppleJwtFetchingServiceTest.php with a recent token I'm only getting Validation of given token failed. Possibly token expired.

$validationData = new ValidationData();
$validationData->setIssuer('https://appleid.apple.com');
$validationData->setAudience('com.********');

$appleJwtFetchingService = new Auth\Service\AppleJwtFetchingService(
    new Auth\Jwt\JwtParser(new Parser()),
    new Auth\Jwt\JwtVerifier(
        new Api\AppleApiClient(
            new GuzzleHttp\Client(
                [
                    'base_uri'        => 'https://appleid.apple.com',
                    'timeout'         => 5,
                    'connect_timeout' => 5,
                ]
            ),
            new Api\Factory\ResponseFactory()
        ),
        new RSA(),
        new Sha256()
    ),
    new Auth\Jwt\JwtValidator($validationData),
    new Auth\Factory\AppleJwtStructFactory()
);

$payload = $appleJwtFetchingService->getJwtPayload($request->id_token);

Correction to Installation

Hi! Should be composer require azimolabs/apple-sign-in-php-sdk:1.2.0 in README.md

Way to handle multiple audience?

Hi, if I have two app (dev and prod) and they have different audience how can I handle that in this library?

At first I have tried this approach but it doesn't work since this library will throw exception when audience doesn't match.

new Auth\Jwt\JwtValidator(
                new \Lcobucci\JWT\Validation\Validator(),
                [
                    new \Lcobucci\JWT\Validation\Constraint\IssuedBy('https://appleid.apple.com'),
                    new \Lcobucci\JWT\Validation\Constraint\PermittedFor('com.c.azimo.stage'),
                   new \Lcobucci\JWT\Validation\Constraint\PermittedFor('com.c.azimo.stage2'),
                ]
      ),

Cryptographic algorithm `fh6Bs8C` is not supported.

Can you add new cryptographic algorithm fh6Bs8C?

We use v3 version.

Implicit conversion of keys from strings is deprecated.

Hi,

I got the error while getting access token from apple.
Implicit conversion of keys from strings is deprecated. Please use InMemory or LocalFileReference classes.

I find it cause by the problem from lcobucci/jwt 3.4.* , so I use "lcobucci/jwt": "3.3.*" in my project and it work perfectly.

The latest version of lcobucci/jwt is 4.1.x, but not released, I hasn't test it too.

If someone needs php8 version.

I updated code to PHP8. If you need php8 right now, you can temporary use version from my repo. I didn't make PR because I dramatically changed the root service.

https://github.com/alxbndrs/apple-sign-in-php-sdk

[COMMIT] alxbndrs@c3166ce

email_verified and is_private_email now returned as boolean by Apple's API?

Hi,

It looks like there was a possible change in Apple's API. It now seems the is_private_email and email_verified fields are now returned as boolean rather than a string. So the code in vendor/azimolabs/apple-sign-in-php-sdk/src/Auth/Factory/AppleJwtStructFactory.php:27 is not right anymore.

See response below: (I var_dumped $claims variable)
["email_verified"]=> bool(true) ["auth_time"]=> int(REDACTED) ["nonce_supported"]=> bool(true)

Not sure what's the best way to fix this, so submitting an issue. Possible a boolval() works?

Add support for lcobucci/jwt ^5.0

Hello! The lcobucci/jwt package has a new major version that is currently not supported (see https://packagist.org/packages/lcobucci/jwt). Can we please release a new version that adds support for it? Thank you!

`YuyXoY` is not supported

https://appleid.apple.com/auth/keys

Cryptographic algorithm YuyXoY is not supported. Supported algorithms: 86D88Kf,eXaunmL

Cryptographic algorithm `YuyXoY` is not supported. Supported algorithms: `86D88Kf,eXaunmL`

Hi!

Can you add new cryptographic algorithm YuyXoY?

Azimo\Apple\Api\Exception\UnsupportedCryptographicAlgorithmException Cryptographic algorithm `fh6Bs8C` is not supported. Supported algorithms: `86D88Kf,eXaunmL,YuyXoY,W6WcOKB`

We are using 1.1.2 version. What is the solution? Do you have idea?
Azimo\Apple\Api\Exception\UnsupportedCryptographicAlgorithmException
Cryptographic algorithm fh6Bs8C is not supported. Supported algorithms: 86D88Kf,eXaunmL,YuyXoY,W6WcOKB

Does README Example work?

Does the example in the README even work? What / where is "JoseEncoder"?