meged apple-oauth2

2023-03-06 15:30:35 +02:00
parent 19b7a7a74f 8728161288
commit 6a60bc1df3
69 changed files with 1194 additions and 323 deletions
@@ -0,0 +1,221 @@
+package auth
+
+import (
+	"context"
+	"crypto/rsa"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"math/big"
+	"net/http"
+	"strings"
+
+	"github.com/golang-jwt/jwt/v4"
+	"github.com/spf13/cast"
+	"golang.org/x/oauth2"
+)
+
+var _ Provider = (*Apple)(nil)
+
+// NameApple is the unique name of the Apple provider.
+const NameApple string = "apple"
+
+// Apple allows authentication via Apple OAuth2.
+//
+// [OIDC differences]: https://bitbucket.org/openid/connect/src/master/How-Sign-in-with-Apple-differs-from-OpenID-Connect.md
+type Apple struct {
+	*baseProvider
+
+	jwksUrl string
+}
+
+// NewAppleProvider creates a new Apple provider instance with some defaults.
+func NewAppleProvider() *Apple {
+	return &Apple{
+		baseProvider: &baseProvider{
+			ctx:      context.Background(),
+			authUrl:  "https://appleid.apple.com/auth/authorize",
+			tokenUrl: "https://appleid.apple.com/auth/token",
+		},
+		jwksUrl: "https://appleid.apple.com/auth/keys",
+	}
+}
+
+// FetchAuthUser returns an AuthUser instance based on the provided token.
+//
+// API reference: https://developer.apple.com/documentation/sign_in_with_apple/tokenresponse.
+func (p *Apple) FetchAuthUser(token *oauth2.Token) (*AuthUser, error) {
+	data, err := p.FetchRawUserData(token)
+	if err != nil {
+		return nil, err
+	}
+
+	rawUser := map[string]any{}
+	if err := json.Unmarshal(data, &rawUser); err != nil {
+		return nil, err
+	}
+
+	extracted := struct {
+		Id            string `json:"sub"`
+		Email         string `json:"email"`
+		EmailVerified any    `json:"email_verified"` // could be string or bool
+	}{}
+	if err := json.Unmarshal(data, &extracted); err != nil {
+		return nil, err
+	}
+
+	user := &AuthUser{
+		Id:           extracted.Id,
+		RawUser:      rawUser,
+		AccessToken:  token.AccessToken,
+		RefreshToken: token.RefreshToken,
+	}
+
+	if cast.ToBool(extracted.EmailVerified) {
+		user.Email = extracted.Email
+	}
+
+	return user, nil
+}
+
+// FetchRawUserData implements Provider.FetchRawUserData interface.
+//
+// Apple doesn't have a UserInfo endpoint and claims about users
+// are instead included in the "id_token" (https://openid.net/specs/openid-connect-core-1_0.html#id_tokenExample)
+func (p *Apple) FetchRawUserData(token *oauth2.Token) ([]byte, error) {
+	idToken, _ := token.Extra("id_token").(string)
+
+	claims, err := p.parseAndVerifyIdToken(idToken)
+	if err != nil {
+		return nil, err
+	}
+
+	return json.Marshal(claims)
+}
+
+// -------------------------------------------------------------------
+
+func (p *Apple) parseAndVerifyIdToken(idToken string) (jwt.MapClaims, error) {
+	if idToken == "" {
+		return nil, errors.New("empty id_token")
+	}
+
+	// extract the token header params and claims
+	// ---
+	claims := jwt.MapClaims{}
+	t, _, err := jwt.NewParser().ParseUnverified(idToken, claims)
+	if err != nil {
+		return nil, err
+	}
+
+	// validate common claims per https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/verifying_a_user#3383769
+	// ---
+	if !claims.VerifyIssuer("https://appleid.apple.com", true) {
+		return nil, errors.New("iss must be https://appleid.apple.com")
+	}
+
+	if !claims.VerifyAudience(p.clientId, true) {
+		return nil, errors.New("aud must be the developer's client_id")
+	}
+
+	// fetch the public key set
+	// ---
+	kid, _ := t.Header["kid"].(string)
+	if kid == "" {
+		return nil, errors.New("missing kid header value")
+	}
+
+	key, err := p.fetchJWK(kid)
+	if err != nil {
+		return nil, err
+	}
+
+	// decode the key params per RFC 7518 (https://tools.ietf.org/html/rfc7518#section-6.3)
+	// and construct a valid publicKey from them
+	// ---
+	exponent, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(key.E, "="))
+	if err != nil {
+		return nil, err
+	}
+
+	modulus, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(key.N, "="))
+	if err != nil {
+		return nil, err
+	}
+
+	publicKey := &rsa.PublicKey{
+		// https://tools.ietf.org/html/rfc7517#appendix-A.1
+		E: int(big.NewInt(0).SetBytes(exponent).Uint64()),
+		N: big.NewInt(0).SetBytes(modulus),
+	}
+
+	// verify the id_token
+	// ---
+	parser := jwt.NewParser(jwt.WithValidMethods([]string{key.Alg}))
+
+	parsedToken, err := parser.Parse(idToken, func(t *jwt.Token) (any, error) {
+		return publicKey, nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	if claims, ok := parsedToken.Claims.(jwt.MapClaims); ok && parsedToken.Valid {
+		return claims, nil
+	}
+
+	return nil, errors.New("the parsed id_token is invalid")
+}
+
+type jwk struct {
+	Kty string
+	Kid string
+	Use string
+	Alg string
+	N   string
+	E   string
+}
+
+func (p *Apple) fetchJWK(kid string) (*jwk, error) {
+	req, err := http.NewRequestWithContext(p.ctx, "GET", p.jwksUrl, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	res, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer res.Body.Close()
+
+	rawBody, err := io.ReadAll(res.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	// http.Client.Get doesn't treat non 2xx responses as error
+	if res.StatusCode >= 400 {
+		return nil, fmt.Errorf(
+			"failed to verify the provided id_token (%d):\n%s",
+			res.StatusCode,
+			string(rawBody),
+		)
+	}
+
+	jwks := struct {
+		Keys []*jwk
+	}{}
+	if err := json.Unmarshal(rawBody, &jwks); err != nil {
+		return nil, err
+	}
+
+	for _, key := range jwks.Keys {
+		if key.Kid == kid {
+			return key, nil
+		}
+	}
+
+	return nil, fmt.Errorf("jwk with kid %q was not found", kid)
+}
@@ -1,6 +1,7 @@
 package auth

 import (
+	"context"
 	"errors"
 	"net/http"

@@ -21,6 +22,12 @@ type AuthUser struct {

 // Provider defines a common interface for an OAuth2 client.
 type Provider interface {
+	// Scopes returns the context associated with the provider (if any).
+	Context() context.Context
+
+	// SetContext assigns the specified context to the current provider.
+	SetContext(ctx context.Context)
+
 	// Scopes returns the provider access permissions that will be requested.
 	Scopes() []string

@@ -120,6 +127,8 @@ func NewProviderByName(name string) (Provider, error) {
 		return NewOIDCProvider(), nil
 	case NameOIDC + "3":
 		return NewOIDCProvider(), nil
+	case NameApple:
+		return NewAppleProvider(), nil
 	default:
 		return nil, errors.New("Missing provider " + name)
 	}
@@ -171,4 +171,13 @@ func TestNewProviderByName(t *testing.T) {
 	if _, ok := p.(*auth.OIDC); !ok {
 		t.Error("Expected to be instance of *auth.OIDC")
 	}
+
+	// apple
+	p, err = auth.NewProviderByName(auth.NameApple)
+	if err != nil {
+		t.Errorf("Expected nil, got error %v", err)
+	}
+	if _, ok := p.(*auth.Apple); !ok {
+		t.Error("Expected to be instance of *auth.Apple")
+	}
 }
@@ -11,6 +11,7 @@ import (

 // baseProvider defines common fields and methods used by OAuth2 client providers.
 type baseProvider struct {
+	ctx          context.Context
 	scopes       []string
 	clientId     string
 	clientSecret string
@@ -20,94 +21,104 @@ type baseProvider struct {
 	userApiUrl   string
 }

-// Scopes implements Provider.Scopes interface.
+// Context implements Provider.Context() interface method.
+func (p *baseProvider) Context() context.Context {
+	return p.ctx
+}
+
+// SetContext implements Provider.SetContext() interface method.
+func (p *baseProvider) SetContext(ctx context.Context) {
+	p.ctx = ctx
+}
+
+// Scopes implements Provider.Scopes() interface method.
 func (p *baseProvider) Scopes() []string {
 	return p.scopes
 }

-// SetScopes implements Provider.SetScopes interface.
+// SetScopes implements Provider.SetScopes() interface method.
 func (p *baseProvider) SetScopes(scopes []string) {
 	p.scopes = scopes
 }

-// ClientId implements Provider.ClientId interface.
+// ClientId implements Provider.ClientId() interface method.
 func (p *baseProvider) ClientId() string {
 	return p.clientId
 }

-// SetClientId implements Provider.SetClientId interface.
+// SetClientId implements Provider.SetClientId() interface method.
 func (p *baseProvider) SetClientId(clientId string) {
 	p.clientId = clientId
 }

-// ClientSecret implements Provider.ClientSecret interface.
+// ClientSecret implements Provider.ClientSecret() interface method.
 func (p *baseProvider) ClientSecret() string {
 	return p.clientSecret
 }

-// SetClientSecret implements Provider.SetClientSecret interface.
+// SetClientSecret implements Provider.SetClientSecret() interface method.
 func (p *baseProvider) SetClientSecret(secret string) {
 	p.clientSecret = secret
 }

-// RedirectUrl implements Provider.RedirectUrl interface.
+// RedirectUrl implements Provider.RedirectUrl() interface method.
 func (p *baseProvider) RedirectUrl() string {
 	return p.redirectUrl
 }

-// SetRedirectUrl implements Provider.SetRedirectUrl interface.
+// SetRedirectUrl implements Provider.SetRedirectUrl() interface method.
 func (p *baseProvider) SetRedirectUrl(url string) {
 	p.redirectUrl = url
 }

-// AuthUrl implements Provider.AuthUrl interface.
+// AuthUrl implements Provider.AuthUrl() interface method.
 func (p *baseProvider) AuthUrl() string {
 	return p.authUrl
 }

-// SetAuthUrl implements Provider.SetAuthUrl interface.
+// SetAuthUrl implements Provider.SetAuthUrl() interface method.
 func (p *baseProvider) SetAuthUrl(url string) {
 	p.authUrl = url
 }

-// TokenUrl implements Provider.TokenUrl interface.
+// TokenUrl implements Provider.TokenUrl() interface method.
 func (p *baseProvider) TokenUrl() string {
 	return p.tokenUrl
 }

-// SetTokenUrl implements Provider.SetTokenUrl interface.
+// SetTokenUrl implements Provider.SetTokenUrl() interface method.
 func (p *baseProvider) SetTokenUrl(url string) {
 	p.tokenUrl = url
 }

-// UserApiUrl implements Provider.UserApiUrl interface.
+// UserApiUrl implements Provider.UserApiUrl() interface method.
 func (p *baseProvider) UserApiUrl() string {
 	return p.userApiUrl
 }

-// SetUserApiUrl implements Provider.SetUserApiUrl interface.
+// SetUserApiUrl implements Provider.SetUserApiUrl() interface method.
 func (p *baseProvider) SetUserApiUrl(url string) {
 	p.userApiUrl = url
 }

-// BuildAuthUrl implements Provider.BuildAuthUrl interface.
+// BuildAuthUrl implements Provider.BuildAuthUrl() interface method.
 func (p *baseProvider) BuildAuthUrl(state string, opts ...oauth2.AuthCodeOption) string {
 	return p.oauth2Config().AuthCodeURL(state, opts...)
 }

-// FetchToken implements Provider.FetchToken interface.
+// FetchToken implements Provider.FetchToken() interface method.
 func (p *baseProvider) FetchToken(code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error) {
-	return p.oauth2Config().Exchange(context.Background(), code, opts...)
+	return p.oauth2Config().Exchange(p.ctx, code, opts...)
 }

-// Client implements Provider.Client interface.
+// Client implements Provider.Client() interface method.
 func (p *baseProvider) Client(token *oauth2.Token) *http.Client {
-	return p.oauth2Config().Client(context.Background(), token)
+	return p.oauth2Config().Client(p.ctx, token)
 }

-// FetchRawUserData implements Provider.FetchRawUserData interface.
+// FetchRawUserData implements Provider.FetchRawUserData() interface method.
 func (p *baseProvider) FetchRawUserData(token *oauth2.Token) ([]byte, error) {
-	req, err := http.NewRequest("GET", p.userApiUrl, nil)
+	req, err := http.NewRequestWithContext(p.ctx, "GET", p.userApiUrl, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -119,23 +130,23 @@ func (p *baseProvider) FetchRawUserData(token *oauth2.Token) ([]byte, error) {
 func (p *baseProvider) sendRawUserDataRequest(req *http.Request, token *oauth2.Token) ([]byte, error) {
 	client := p.Client(token)

-	response, err := client.Do(req)
+	res, err := client.Do(req)
 	if err != nil {
 		return nil, err
 	}
-	defer response.Body.Close()
+	defer res.Body.Close()

-	result, err := io.ReadAll(response.Body)
+	result, err := io.ReadAll(res.Body)
 	if err != nil {
 		return nil, err
 	}

 	// http.Client.Get doesn't treat non 2xx responses as error
-	if response.StatusCode >= 400 {
+	if res.StatusCode >= 400 {
 		return nil, fmt.Errorf(
-			"Failed to fetch OAuth2 user profile via %s (%d):\n%s",
+			"failed to fetch OAuth2 user profile via %s (%d):\n%s",
 			p.userApiUrl,
-			response.StatusCode,
+			res.StatusCode,
 			string(result),
 		)
 	}
@@ -1,11 +1,28 @@
 package auth

 import (
+	"context"
 	"testing"

 	"golang.org/x/oauth2"
 )

+func TestContext(t *testing.T) {
+	b := baseProvider{}
+
+	before := b.Scopes()
+	if before != nil {
+		t.Errorf("Expected nil context, got %v", before)
+	}
+
+	b.SetContext(context.Background())
+
+	after := b.Scopes()
+	if after != nil {
+		t.Error("Expected non-nil context")
+	}
+}
+
 func TestScopes(t *testing.T) {
 	b := baseProvider{}

@@ -1,6 +1,7 @@
 package auth

 import (
+	"context"
 	"encoding/json"
 	"fmt"

@@ -22,6 +23,7 @@ func NewDiscordProvider() *Discord {
 	// https://discord.com/developers/docs/topics/oauth2
 	// https://discord.com/developers/docs/resources/user#get-current-user
 	return &Discord{&baseProvider{
+		ctx:        context.Background(),
 		scopes:     []string{"identify", "email"},
 		authUrl:    "https://discord.com/api/oauth2/authorize",
 		tokenUrl:   "https://discord.com/api/oauth2/token",
@@ -1,6 +1,7 @@
 package auth

 import (
+	"context"
 	"encoding/json"

 	"golang.org/x/oauth2"
@@ -20,6 +21,7 @@ type Facebook struct {
 // NewFacebookProvider creates new Facebook provider instance with some defaults.
 func NewFacebookProvider() *Facebook {
 	return &Facebook{&baseProvider{
+		ctx:        context.Background(),
 		scopes:     []string{"email"},
 		authUrl:    facebook.Endpoint.AuthURL,
 		tokenUrl:   facebook.Endpoint.TokenURL,
@@ -1,6 +1,7 @@
 package auth

 import (
+	"context"
 	"encoding/json"
 	"strconv"

@@ -20,6 +21,7 @@ type Gitea struct {
 // NewGiteaProvider creates new Gitea provider instance with some defaults.
 func NewGiteaProvider() *Gitea {
 	return &Gitea{&baseProvider{
+		ctx:        context.Background(),
 		scopes:     []string{"read:user", "user:email"},
 		authUrl:    "https://gitea.com/login/oauth/authorize",
 		tokenUrl:   "https://gitea.com/login/oauth/access_token",
@@ -1,6 +1,7 @@
 package auth

 import (
+	"context"
 	"encoding/json"
 	"io"
 	"strconv"
@@ -22,6 +23,7 @@ type Gitee struct {
 // NewGiteeProvider creates new Gitee provider instance with some defaults.
 func NewGiteeProvider() *Gitee {
 	return &Gitee{&baseProvider{
+		ctx:        context.Background(),
 		scopes:     []string{"user_info", "emails"},
 		authUrl:    "https://gitee.com/oauth/authorize",
 		tokenUrl:   "https://gitee.com/oauth/token",
@@ -1,6 +1,7 @@
 package auth

 import (
+	"context"
 	"encoding/json"
 	"io"
 	"strconv"
@@ -22,6 +23,7 @@ type Github struct {
 // NewGithubProvider creates new Github provider instance with some defaults.
 func NewGithubProvider() *Github {
 	return &Github{&baseProvider{
+		ctx:        context.Background(),
 		scopes:     []string{"read:user", "user:email"},
 		authUrl:    github.Endpoint.AuthURL,
 		tokenUrl:   github.Endpoint.TokenURL,
@@ -1,6 +1,7 @@
 package auth

 import (
+	"context"
 	"encoding/json"
 	"strconv"

@@ -20,6 +21,7 @@ type Gitlab struct {
 // NewGitlabProvider creates new Gitlab provider instance with some defaults.
 func NewGitlabProvider() *Gitlab {
 	return &Gitlab{&baseProvider{
+		ctx:        context.Background(),
 		scopes:     []string{"read_user"},
 		authUrl:    "https://gitlab.com/oauth/authorize",
 		tokenUrl:   "https://gitlab.com/oauth/token",
@@ -1,6 +1,7 @@
 package auth

 import (
+	"context"
 	"encoding/json"

 	"golang.org/x/oauth2"
@@ -19,6 +20,7 @@ type Google struct {
 // NewGoogleProvider creates new Google provider instance with some defaults.
 func NewGoogleProvider() *Google {
 	return &Google{&baseProvider{
+		ctx: context.Background(),
 		scopes: []string{
 			"https://www.googleapis.com/auth/userinfo.profile",
 			"https://www.googleapis.com/auth/userinfo.email",
@@ -1,6 +1,7 @@
 package auth

 import (
+	"context"
 	"encoding/json"
 	"strconv"

@@ -21,6 +22,7 @@ type Kakao struct {
 // NewKakaoProvider creates a new Kakao provider instance with some defaults.
 func NewKakaoProvider() *Kakao {
 	return &Kakao{&baseProvider{
+		ctx:        context.Background(),
 		scopes:     []string{"account_email", "profile_nickname", "profile_image"},
 		authUrl:    kakao.Endpoint.AuthURL,
 		tokenUrl:   kakao.Endpoint.TokenURL,
@@ -1,6 +1,7 @@
 package auth

 import (
+	"context"
 	"encoding/json"

 	"golang.org/x/oauth2"
@@ -19,6 +20,7 @@ type Livechat struct {
 // NewLivechatProvider creates new Livechat provider instance with some defaults.
 func NewLivechatProvider() *Livechat {
 	return &Livechat{&baseProvider{
+		ctx:        context.Background(),
 		scopes:     []string{}, // default scopes are specified from the provider dashboard
 		authUrl:    "https://accounts.livechat.com/",
 		tokenUrl:   "https://accounts.livechat.com/token",
@@ -1,6 +1,7 @@
 package auth

 import (
+	"context"
 	"encoding/json"

 	"golang.org/x/oauth2"
@@ -21,6 +22,7 @@ type Microsoft struct {
 func NewMicrosoftProvider() *Microsoft {
 	endpoints := microsoft.AzureADEndpoint("")
 	return &Microsoft{&baseProvider{
+		ctx:        context.Background(),
 		scopes:     []string{"User.Read"},
 		authUrl:    endpoints.AuthURL,
 		tokenUrl:   endpoints.TokenURL,
@@ -1,6 +1,7 @@
 package auth

 import (
+	"context"
 	"encoding/json"

 	"golang.org/x/oauth2"
@@ -19,6 +20,7 @@ type OIDC struct {
 // NewOIDCProvider creates new OpenID Connect (OIDC) provider instance with some defaults.
 func NewOIDCProvider() *OIDC {
 	return &OIDC{&baseProvider{
+		ctx: context.Background(),
 		scopes: []string{
 			"openid", // minimal requirement to return the id
 			"email",
@@ -1,6 +1,7 @@
 package auth

 import (
+	"context"
 	"encoding/json"

 	"golang.org/x/oauth2"
@@ -20,6 +21,7 @@ type Spotify struct {
 // NewSpotifyProvider creates a new Spotify provider instance with some defaults.
 func NewSpotifyProvider() *Spotify {
 	return &Spotify{&baseProvider{
+		ctx: context.Background(),
 		scopes: []string{
 			"user-read-private",
 			// currently Spotify doesn't return information whether the email is verified or not
@@ -1,6 +1,7 @@
 package auth

 import (
+	"context"
 	"encoding/json"
 	"strconv"

@@ -20,6 +21,7 @@ type Strava struct {
 // NewStravaProvider creates new Strava provider instance with some defaults.
 func NewStravaProvider() *Strava {
 	return &Strava{&baseProvider{
+		ctx: context.Background(),
 		scopes: []string{
 			"profile:read_all",
 		},
@@ -1,6 +1,7 @@
 package auth

 import (
+	"context"
 	"encoding/json"
 	"errors"
 	"net/http"
@@ -22,6 +23,7 @@ type Twitch struct {
 // NewTwitchProvider creates new Twitch provider instance with some defaults.
 func NewTwitchProvider() *Twitch {
 	return &Twitch{&baseProvider{
+		ctx:        context.Background(),
 		scopes:     []string{"user:read:email"},
 		authUrl:    twitch.Endpoint.AuthURL,
 		tokenUrl:   twitch.Endpoint.TokenURL,
@@ -1,6 +1,7 @@
 package auth

 import (
+	"context"
 	"encoding/json"

 	"golang.org/x/oauth2"
@@ -19,6 +20,7 @@ type Twitter struct {
 // NewTwitterProvider creates new Twitter provider instance with some defaults.
 func NewTwitterProvider() *Twitter {
 	return &Twitter{&baseProvider{
+		ctx: context.Background(),
 		scopes: []string{
 			"users.read",