Class: StandardId::Providers::Apple

Inherits:

Base

• Object
• Base
• StandardId::Providers::Apple

Defined in:

lib/standard_id/apple/providers/apple.rb

Constant Summary

ISSUER =

"https://appleid.apple.com".freeze

AUTH_ENDPOINT =

"#{ISSUER}/auth/authorize".freeze

TOKEN_ENDPOINT =

"#{ISSUER}/auth/token".freeze

JWKS_URI =

"#{ISSUER}/auth/keys".freeze

DEFAULT_SCOPE =

"name email".freeze

DEFAULT_RESPONSE_MODE =

"form_post".freeze

AUTHORIZATION_PARAM_DEFAULTS =

{
  scope: DEFAULT_SCOPE,
  response_mode: DEFAULT_RESPONSE_MODE
}.freeze

Class Method Summary

• .authorization_url(state:, redirect_uri:, **options) ⇒ Object
• .config_schema ⇒ Object
• .default_scope ⇒ Object
• .exchange_code_for_user_info(code:, redirect_uri:, client_id: StandardId.config.apple_client_id, nonce: nil) ⇒ Object
• .get_user_info(code: nil, id_token: nil, access_token: nil, redirect_uri: nil, nonce: nil, **options) ⇒ Object
• .provider_name ⇒ Object
• .resolve_params(params, context: {}) ⇒ Object
• .skip_csrf? ⇒ Boolean
• .supported_authorization_params ⇒ Object
• .supports_mobile_callback? ⇒ Boolean
• .verify_id_token(id_token:, client_id: StandardId.config.apple_client_id, nonce: nil) ⇒ Object

Class Method Details

.authorization_url(state:, redirect_uri:, **options) ⇒ Object

# File 'lib/standard_id/apple/providers/apple.rb', line 29

def authorization_url(state:, redirect_uri:, **options)
  ensure_basic_credentials!

  query = {
    client_id: StandardId.config.apple_client_id,
    redirect_uri:,
    response_type: "code",
    state:
  }

  supported_authorization_params.each do |param|
    query[param] = options[param] || AUTHORIZATION_PARAM_DEFAULTS[param]
  end

  "#{AUTH_ENDPOINT}?#{URI.encode_www_form(query.compact)}"
end

.config_schema ⇒ Object

# File 'lib/standard_id/apple/providers/apple.rb', line 63

def config_schema
  {
    apple_client_id: { type: :string, default: nil },
    apple_mobile_client_id: { type: :string, default: nil },
    apple_private_key: { type: :string, default: nil },
    apple_key_id: { type: :string, default: nil },
    apple_team_id: { type: :string, default: nil }
  }
end

.default_scope ⇒ Object

# File 'lib/standard_id/apple/providers/apple.rb', line 73

def default_scope
  DEFAULT_SCOPE
end

.exchange_code_for_user_info(code:, redirect_uri:, client_id: StandardId.config.apple_client_id, nonce: nil) ⇒ Object

# File 'lib/standard_id/apple/providers/apple.rb', line 92

def exchange_code_for_user_info(code:, redirect_uri:, client_id: StandardId.config.apple_client_id, nonce: nil)
  ensure_full_credentials!(client_id: client_id)
  raise StandardId::InvalidRequestError, "Missing authorization code" if code.blank?

  token_response = HttpClient.post_form(TOKEN_ENDPOINT, {
                                          client_id: client_id,
                                          client_secret: generate_client_secret(client_id: client_id),
                                          code: code,
                                          grant_type: "authorization_code",
                                          redirect_uri: redirect_uri
                                        })

  unless token_response.is_a?(Net::HTTPSuccess)
    error_body = begin
      JSON.parse(token_response.body)
    rescue StandardError
      {}
    end
    raise StandardId::InvalidRequestError, "Failed to exchange Apple authorization code: #{error_body["error"]}"
  end

  parsed_token = JSON.parse(token_response.body)
  id_token = parsed_token["id_token"]
  raise StandardId::InvalidRequestError, "Apple response missing id_token" if id_token.blank?

  tokens = extract_token_payload(parsed_token)
  user_info = verify_id_token(id_token: id_token, client_id: client_id, nonce: nonce)

  build_response(user_info, tokens: tokens)
rescue StandardError => e
  raise e if e.is_a?(StandardId::OAuthError)

  raise StandardId::OAuthError, e.message, cause: e
end

.get_user_info(code: nil, id_token: nil, access_token: nil, redirect_uri: nil, nonce: nil, **options) ⇒ Object

# File 'lib/standard_id/apple/providers/apple.rb', line 46

def get_user_info(code: nil, id_token: nil, access_token: nil, redirect_uri: nil, nonce: nil, **options)
  client_id = options[:client_id] || StandardId.config.apple_client_id

  if id_token.present?
    build_response(
      verify_id_token(id_token: id_token, client_id: client_id, nonce: nonce),
      tokens: { id_token: id_token }
    )
  elsif code.present?
    exchange_code_for_user_info(code: code, redirect_uri: redirect_uri, client_id: client_id, nonce: nonce)
  elsif access_token.present?
    raise StandardId::InvalidRequestError, "Access token login flow is not supported for Apple"
  else
    raise StandardId::InvalidRequestError, "Either code or id_token must be provided"
  end
end

.provider_name ⇒ Object

# File 'lib/standard_id/apple/providers/apple.rb', line 21

def provider_name
  "apple"
end

.resolve_params(params, context: {}) ⇒ Object

# File 'lib/standard_id/apple/providers/apple.rb', line 85

def resolve_params(params, context: {})
  flow = context[:flow] || :web
  client_id = flow == :mobile ? StandardId.config.apple_mobile_client_id : StandardId.config.apple_client_id

  params.merge(client_id: client_id)
end

.skip_csrf? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/standard_id/apple/providers/apple.rb', line 77

def skip_csrf?
  true
end

.supported_authorization_params ⇒ Object

# File 'lib/standard_id/apple/providers/apple.rb', line 25

def supported_authorization_params
  [:nonce, :scope, :response_mode]
end

.supports_mobile_callback? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/standard_id/apple/providers/apple.rb', line 81

def supports_mobile_callback?
  true
end

.verify_id_token(id_token:, client_id: StandardId.config.apple_client_id, nonce: nil) ⇒ Object

# File 'lib/standard_id/apple/providers/apple.rb', line 127

def verify_id_token(id_token:, client_id: StandardId.config.apple_client_id, nonce: nil)
  raise StandardId::InvalidRequestError, "Missing id_token" if id_token.blank?
  raise StandardId::InvalidRequestError, "Apple client_id is not configured" if client_id.blank?

  decoded_token = JWT.decode(id_token, nil, false)
  header = decoded_token[1]

  jwk = fetch_jwk(kid: header["kid"])

  verified_payload, = JWT.decode(
    id_token,
    jwk.public_key,
    true,
    algorithm: "RS256",
    iss: ISSUER,
    verify_iss: true,
    aud: client_id,
    verify_aud: true
  )

  # Validate nonce if provided (web flow with server-generated nonce)
  if nonce.present?
    token_nonce = verified_payload["nonce"]
    if token_nonce != nonce
      raise StandardId::InvalidRequestError,
            "ID token nonce mismatch. Expected: #{nonce}, got: #{token_nonce}"
    end
  end

  {
    "sub" => verified_payload["sub"],
    "email" => verified_payload["email"],
    "email_verified" => verified_payload["email_verified"],
    "is_private_email" => verified_payload["is_private_email"]
  }.compact
rescue JWT::InvalidAudError => e
  raise StandardId::InvalidRequestError, "Invalid Apple ID token audience: #{e.message}"
rescue JWT::DecodeError => e
  raise StandardId::InvalidRequestError, "Invalid Apple ID token: #{e.message}"
rescue StandardError => e
  raise e if e.is_a?(StandardId::OAuthError)

  raise StandardId::OAuthError, e.message, cause: e
end