Class: StandardId::SocialProviders::Apple

Inherits:

Object

Object
StandardId::SocialProviders::Apple

show all

Includes:: ResponseBuilder

Defined in:: lib/standard_id/social_providers/apple.rb

Constant Summary collapse

ISSUER =

"https://appleid.apple.com".freeze

AUTH_ENDPOINT =

"#{ISSUER}/auth/authorize".freeze

TOKEN_ENDPOINT =

"#{ISSUER}/auth/token".freeze

JWKS_URI =

"#{ISSUER}/auth/keys".freeze

DEFAULT_SCOPE =

"name email".freeze

DEFAULT_RESPONSE_MODE =

"form_post".freeze

Class Method Summary collapse

.authorization_url(state:, redirect_uri:, scope: DEFAULT_SCOPE, response_mode: DEFAULT_RESPONSE_MODE) ⇒ Object
.exchange_code_for_user_info(code:, redirect_uri:, client_id: StandardId.config.apple_client_id) ⇒ Object
.get_user_info(code: nil, id_token: nil, redirect_uri: nil, client_id: StandardId.config.apple_client_id) ⇒ Object
.verify_id_token(id_token:, client_id: StandardId.config.apple_client_id) ⇒ Object

Class Method Details

.authorization_url(state:, redirect_uri:, scope: DEFAULT_SCOPE, response_mode: DEFAULT_RESPONSE_MODE) ⇒ `Object`

# File 'lib/standard_id/social_providers/apple.rb', line 20

def authorization_url(state:, redirect_uri:, scope: DEFAULT_SCOPE, response_mode: DEFAULT_RESPONSE_MODE)
  ensure_basic_credentials!

  query = {
    client_id: StandardId.config.apple_client_id,
    redirect_uri: redirect_uri,
    response_type: "code",
    scope: scope,
    response_mode: response_mode,
    state: state
  }

  "#{AUTH_ENDPOINT}?#{URI.encode_www_form(query)}"
end

.exchange_code_for_user_info(code:, redirect_uri:, client_id: StandardId.config.apple_client_id) ⇒ `Object`

# File 'lib/standard_id/social_providers/apple.rb', line 48

def exchange_code_for_user_info(code:, redirect_uri:, client_id: StandardId.config.apple_client_id)
  ensure_full_credentials!(client_id: client_id)
  raise StandardId::InvalidRequestError, "Missing authorization code" if code.blank?

  token_response = HttpClient.post_form(TOKEN_ENDPOINT, {
    client_id: client_id,
    client_secret: generate_client_secret(client_id: client_id),
    code: code,
    grant_type: "authorization_code",
    redirect_uri: redirect_uri
  })

  unless token_response.is_a?(Net::HTTPSuccess)
    error_body = JSON.parse(token_response.body) rescue {}
    raise StandardId::InvalidRequestError, "Failed to exchange Apple authorization code: #{error_body['error']}"
  end

  parsed_token = JSON.parse(token_response.body)
  id_token = parsed_token["id_token"]
  raise StandardId::InvalidRequestError, "Apple response missing id_token" if id_token.blank?

  tokens = extract_token_payload(parsed_token)
  user_info = verify_id_token(id_token: id_token, client_id: client_id)

  build_response(user_info, tokens: tokens)
rescue StandardError => e
  raise e if e.is_a?(StandardId::OAuthError)
  raise StandardId::OAuthError, e.message, cause: e
end

.get_user_info(code: nil, id_token: nil, redirect_uri: nil, client_id: StandardId.config.apple_client_id) ⇒ `Object`

# File 'lib/standard_id/social_providers/apple.rb', line 35

def get_user_info(code: nil, id_token: nil, redirect_uri: nil, client_id: StandardId.config.apple_client_id)
  if id_token.present?
    build_response(
      verify_id_token(id_token: id_token, client_id: client_id),
      tokens: { id_token: id_token }
    )
  elsif code.present?
    exchange_code_for_user_info(code: code, redirect_uri: redirect_uri, client_id: client_id)
  else
    raise StandardId::InvalidRequestError, "Either code or id_token must be provided"
  end
end

.verify_id_token(id_token:, client_id: StandardId.config.apple_client_id) ⇒ `Object`

# File 'lib/standard_id/social_providers/apple.rb', line 78

def verify_id_token(id_token:, client_id: StandardId.config.apple_client_id)
  raise StandardId::InvalidRequestError, "Missing id_token" if id_token.blank?
  if client_id.blank?
    raise StandardId::InvalidRequestError, "Apple client_id is not configured"
  end

  decoded_token = JWT.decode(id_token, nil, false)
  header = decoded_token[1]

  jwk = fetch_jwk(kid: header["kid"])

  verified_payload, = JWT.decode(
    id_token,
    jwk.public_key,
    true,
    algorithm: "RS256",
    iss: ISSUER,
    verify_iss: true,
    aud: client_id,
    verify_aud: true
  )

  {
    "sub" => verified_payload["sub"],
    "email" => verified_payload["email"],
    "email_verified" => verified_payload["email_verified"],
    "is_private_email" => verified_payload["is_private_email"]
  }.compact
rescue JWT::InvalidAudError => e
  raise StandardId::InvalidRequestError, "Invalid Apple ID token audience: #{e.message}"
rescue JWT::DecodeError => e
  raise StandardId::InvalidRequestError, "Invalid Apple ID token: #{e.message}"
rescue StandardError => e
  raise e if e.is_a?(StandardId::OAuthError)
  raise StandardId::OAuthError, e.message, cause: e
end

Class: StandardId::SocialProviders::Apple

Constant Summary collapse

Class Method Summary collapse

Class Method Details

.authorization_url(state:, redirect_uri:, scope: DEFAULT_SCOPE, response_mode: DEFAULT_RESPONSE_MODE) ⇒ Object

.exchange_code_for_user_info(code:, redirect_uri:, client_id: StandardId.config.apple_client_id) ⇒ Object

.get_user_info(code: nil, id_token: nil, redirect_uri: nil, client_id: StandardId.config.apple_client_id) ⇒ Object

.verify_id_token(id_token:, client_id: StandardId.config.apple_client_id) ⇒ Object

.authorization_url(state:, redirect_uri:, scope: DEFAULT_SCOPE, response_mode: DEFAULT_RESPONSE_MODE) ⇒ `Object`

.exchange_code_for_user_info(code:, redirect_uri:, client_id: StandardId.config.apple_client_id) ⇒ `Object`

.get_user_info(code: nil, id_token: nil, redirect_uri: nil, client_id: StandardId.config.apple_client_id) ⇒ `Object`

.verify_id_token(id_token:, client_id: StandardId.config.apple_client_id) ⇒ `Object`