@@ -60,230 +60,230 @@ |
||
60 | 60 | */ |
61 | 61 | class Apple extends OAuth2 |
62 | 62 | { |
63 | - /** |
|
64 | - * {@inheritdoc} |
|
65 | - */ |
|
66 | - protected $scope = 'name email'; |
|
67 | - |
|
68 | - /** |
|
69 | - * {@inheritdoc} |
|
70 | - */ |
|
71 | - protected $apiBaseUrl = 'https://appleid.apple.com/auth/'; |
|
72 | - |
|
73 | - /** |
|
74 | - * {@inheritdoc} |
|
75 | - */ |
|
76 | - protected $authorizeUrl = 'https://appleid.apple.com/auth/authorize'; |
|
77 | - |
|
78 | - /** |
|
79 | - * {@inheritdoc} |
|
80 | - */ |
|
81 | - protected $accessTokenUrl = 'https://appleid.apple.com/auth/token'; |
|
82 | - |
|
83 | - /** |
|
84 | - * {@inheritdoc} |
|
85 | - */ |
|
86 | - protected $apiDocumentation = 'https://developer.apple.com/documentation/sign_in_with_apple'; |
|
87 | - |
|
88 | - /** |
|
89 | - * {@inheritdoc} |
|
90 | - * The Sign in with Apple servers require percent encoding (or URL encoding) |
|
91 | - * for its query parameters. If you are using the Sign in with Apple REST API, |
|
92 | - * you must provide values with encoded spaces (`%20`) instead of plus (`+`) signs. |
|
93 | - */ |
|
94 | - protected $AuthorizeUrlParametersEncType = PHP_QUERY_RFC3986; |
|
95 | - |
|
96 | - /** |
|
97 | - * {@inheritdoc} |
|
98 | - */ |
|
99 | - protected function initialize() |
|
100 | - { |
|
101 | - parent::initialize(); |
|
102 | - $this->AuthorizeUrlParameters['response_mode'] = 'form_post'; |
|
103 | - } |
|
104 | - |
|
105 | - /** |
|
106 | - * {@inheritdoc} |
|
107 | - */ |
|
108 | - protected function configure() |
|
109 | - { |
|
110 | - $keys = $this->config->get('keys'); |
|
111 | - $keys['secret'] = $this->getSecret(); |
|
112 | - $this->config->set('keys', $keys); |
|
113 | - return parent::configure(); |
|
114 | - } |
|
115 | - |
|
116 | - /** |
|
117 | - * {@inheritdoc} |
|
118 | - * |
|
119 | - * include id_token $tokenNames |
|
120 | - */ |
|
121 | - public function getAccessToken() |
|
122 | - { |
|
123 | - $tokenNames = [ |
|
124 | - 'access_token', |
|
125 | - 'id_token', |
|
126 | - 'access_token_secret', |
|
127 | - 'token_type', |
|
128 | - 'refresh_token', |
|
129 | - 'expires_in', |
|
130 | - 'expires_at', |
|
131 | - ]; |
|
132 | - |
|
133 | - $tokens = []; |
|
134 | - |
|
135 | - foreach ($tokenNames as $name) { |
|
136 | - if ($this->getStoredData($name)) { |
|
137 | - $tokens[$name] = $this->getStoredData($name); |
|
138 | - } |
|
139 | - } |
|
140 | - |
|
141 | - return $tokens; |
|
142 | - } |
|
143 | - |
|
144 | - /** |
|
145 | - * {@inheritdoc} |
|
146 | - */ |
|
147 | - protected function validateAccessTokenExchange($response) |
|
148 | - { |
|
149 | - $collection = parent::validateAccessTokenExchange($response); |
|
150 | - |
|
151 | - $this->storeData('id_token', $collection->get('id_token')); |
|
152 | - |
|
153 | - return $collection; |
|
154 | - } |
|
155 | - |
|
156 | - public function getUserProfile() |
|
157 | - { |
|
158 | - $id_token = $this->getStoredData('id_token'); |
|
159 | - |
|
160 | - $verifyTokenSignature = |
|
161 | - $this->config->exists('verifyTokenSignature') ? $this->config->get('verifyTokenSignature') : true; |
|
162 | - |
|
163 | - if (!$verifyTokenSignature) { |
|
164 | - // payload extraction by https://github.com/omidborjian |
|
165 | - // https://github.com/hybridauth/hybridauth/issues/1095#issuecomment-626479263 |
|
166 | - // JWT splits the string to 3 components 1) first is header 2) is payload 3) is signature |
|
167 | - $payload = explode('.', $id_token)[1]; |
|
168 | - $payload = json_decode(base64_decode($payload)); |
|
169 | - } else { |
|
170 | - // validate the token signature and get the payload |
|
171 | - $publicKeys = $this->apiRequest('keys'); |
|
172 | - |
|
173 | - \Firebase\JWT\JWT::$leeway = 120; |
|
174 | - |
|
175 | - $error = false; |
|
176 | - $payload = null; |
|
177 | - |
|
178 | - foreach ($publicKeys->keys as $publicKey) { |
|
179 | - try { |
|
180 | - $rsa = new RSA(); |
|
181 | - $jwk = (array)$publicKey; |
|
182 | - |
|
183 | - $rsa->loadKey( |
|
184 | - [ |
|
185 | - 'e' => new BigInteger(base64_decode($jwk['e']), 256), |
|
186 | - 'n' => new BigInteger(base64_decode(strtr($jwk['n'], '-_', '+/'), true), 256) |
|
187 | - ] |
|
188 | - ); |
|
189 | - $pem = $rsa->getPublicKey(); |
|
190 | - |
|
191 | - $payload = JWT::decode($id_token, $pem, ['RS256']); |
|
192 | - break; |
|
193 | - } catch (\Exception $e) { |
|
194 | - $error = $e->getMessage(); |
|
195 | - if ($e instanceof \Firebase\JWT\ExpiredException) { |
|
196 | - break; |
|
197 | - } |
|
198 | - } |
|
199 | - } |
|
200 | - |
|
201 | - if ($error && !$payload) { |
|
202 | - throw new \Exception($error); |
|
203 | - } |
|
204 | - } |
|
205 | - |
|
206 | - $data = new Data\Collection($payload); |
|
207 | - |
|
208 | - if (!$data->exists('sub')) { |
|
209 | - throw new UnexpectedValueException('Missing token payload.'); |
|
210 | - } |
|
211 | - |
|
212 | - $userProfile = new User\Profile(); |
|
213 | - $userProfile->identifier = $data->get('sub'); |
|
214 | - $userProfile->email = $data->get('email'); |
|
215 | - $this->storeData('expires_at', $data->get('exp')); |
|
216 | - |
|
217 | - if (!empty($_REQUEST['user'])) { |
|
218 | - $objUser = json_decode($_REQUEST['user']); |
|
219 | - $user = new Data\Collection($objUser); |
|
220 | - if (!$user->isEmpty()) { |
|
221 | - $name = $user->get('name'); |
|
222 | - $userProfile->firstName = $name->firstName; |
|
223 | - $userProfile->lastName = $name->lastName; |
|
224 | - $userProfile->displayName = join(' ', [$userProfile->firstName, $userProfile->lastName]); |
|
225 | - } |
|
226 | - } |
|
227 | - |
|
228 | - return $userProfile; |
|
229 | - } |
|
230 | - |
|
231 | - /** |
|
232 | - * @return string secret token |
|
233 | - */ |
|
234 | - private function getSecret() |
|
235 | - { |
|
236 | - // Your 10-character Team ID |
|
237 | - if (!$team_id = $this->config->filter('keys')->get('team_id')) { |
|
238 | - throw new InvalidApplicationCredentialsException( |
|
239 | - 'Missing parameter team_id: your team id is required to generate the JWS token.' |
|
240 | - ); |
|
241 | - } |
|
242 | - |
|
243 | - // Your Services ID, e.g. com.aaronparecki.services |
|
244 | - if (!$client_id = $this->config->filter('keys')->get('id') ?: $this->config->filter('keys')->get('key')) { |
|
245 | - throw new InvalidApplicationCredentialsException( |
|
246 | - 'Missing parameter id: your client id is required to generate the JWS token.' |
|
247 | - ); |
|
248 | - } |
|
249 | - |
|
250 | - // Find the 10-char Key ID value from the portal |
|
251 | - if (!$key_id = $this->config->filter('keys')->get('key_id')) { |
|
252 | - throw new InvalidApplicationCredentialsException( |
|
253 | - 'Missing parameter key_id: your key id is required to generate the JWS token.' |
|
254 | - ); |
|
255 | - } |
|
256 | - |
|
257 | - // Find the 10-char Key ID value from the portal |
|
258 | - $key_content = $this->config->filter('keys')->get('key_content'); |
|
259 | - |
|
260 | - // Save your private key from Apple in a file called `key.txt` |
|
261 | - if (!$key_content) { |
|
262 | - if (!$key_file = $this->config->filter('keys')->get('key_file')) { |
|
263 | - throw new InvalidApplicationCredentialsException( |
|
264 | - 'Missing parameter key_content or key_file: your key is required to generate the JWS token.' |
|
265 | - ); |
|
266 | - } |
|
267 | - |
|
268 | - if (!file_exists($key_file)) { |
|
269 | - throw new InvalidApplicationCredentialsException( |
|
270 | - "Your key file $key_file does not exist." |
|
271 | - ); |
|
272 | - } |
|
273 | - |
|
274 | - $key_content = file_get_contents($key_file); |
|
275 | - } |
|
276 | - |
|
277 | - $data = [ |
|
278 | - 'iat' => time(), |
|
279 | - 'exp' => time() + 86400 * 180, |
|
280 | - 'iss' => $team_id, |
|
281 | - 'aud' => 'https://appleid.apple.com', |
|
282 | - 'sub' => $client_id |
|
283 | - ]; |
|
284 | - |
|
285 | - $secret = JWT::encode($data, $key_content, 'ES256', $key_id); |
|
286 | - |
|
287 | - return $secret; |
|
288 | - } |
|
63 | + /** |
|
64 | + * {@inheritdoc} |
|
65 | + */ |
|
66 | + protected $scope = 'name email'; |
|
67 | + |
|
68 | + /** |
|
69 | + * {@inheritdoc} |
|
70 | + */ |
|
71 | + protected $apiBaseUrl = 'https://appleid.apple.com/auth/'; |
|
72 | + |
|
73 | + /** |
|
74 | + * {@inheritdoc} |
|
75 | + */ |
|
76 | + protected $authorizeUrl = 'https://appleid.apple.com/auth/authorize'; |
|
77 | + |
|
78 | + /** |
|
79 | + * {@inheritdoc} |
|
80 | + */ |
|
81 | + protected $accessTokenUrl = 'https://appleid.apple.com/auth/token'; |
|
82 | + |
|
83 | + /** |
|
84 | + * {@inheritdoc} |
|
85 | + */ |
|
86 | + protected $apiDocumentation = 'https://developer.apple.com/documentation/sign_in_with_apple'; |
|
87 | + |
|
88 | + /** |
|
89 | + * {@inheritdoc} |
|
90 | + * The Sign in with Apple servers require percent encoding (or URL encoding) |
|
91 | + * for its query parameters. If you are using the Sign in with Apple REST API, |
|
92 | + * you must provide values with encoded spaces (`%20`) instead of plus (`+`) signs. |
|
93 | + */ |
|
94 | + protected $AuthorizeUrlParametersEncType = PHP_QUERY_RFC3986; |
|
95 | + |
|
96 | + /** |
|
97 | + * {@inheritdoc} |
|
98 | + */ |
|
99 | + protected function initialize() |
|
100 | + { |
|
101 | + parent::initialize(); |
|
102 | + $this->AuthorizeUrlParameters['response_mode'] = 'form_post'; |
|
103 | + } |
|
104 | + |
|
105 | + /** |
|
106 | + * {@inheritdoc} |
|
107 | + */ |
|
108 | + protected function configure() |
|
109 | + { |
|
110 | + $keys = $this->config->get('keys'); |
|
111 | + $keys['secret'] = $this->getSecret(); |
|
112 | + $this->config->set('keys', $keys); |
|
113 | + return parent::configure(); |
|
114 | + } |
|
115 | + |
|
116 | + /** |
|
117 | + * {@inheritdoc} |
|
118 | + * |
|
119 | + * include id_token $tokenNames |
|
120 | + */ |
|
121 | + public function getAccessToken() |
|
122 | + { |
|
123 | + $tokenNames = [ |
|
124 | + 'access_token', |
|
125 | + 'id_token', |
|
126 | + 'access_token_secret', |
|
127 | + 'token_type', |
|
128 | + 'refresh_token', |
|
129 | + 'expires_in', |
|
130 | + 'expires_at', |
|
131 | + ]; |
|
132 | + |
|
133 | + $tokens = []; |
|
134 | + |
|
135 | + foreach ($tokenNames as $name) { |
|
136 | + if ($this->getStoredData($name)) { |
|
137 | + $tokens[$name] = $this->getStoredData($name); |
|
138 | + } |
|
139 | + } |
|
140 | + |
|
141 | + return $tokens; |
|
142 | + } |
|
143 | + |
|
144 | + /** |
|
145 | + * {@inheritdoc} |
|
146 | + */ |
|
147 | + protected function validateAccessTokenExchange($response) |
|
148 | + { |
|
149 | + $collection = parent::validateAccessTokenExchange($response); |
|
150 | + |
|
151 | + $this->storeData('id_token', $collection->get('id_token')); |
|
152 | + |
|
153 | + return $collection; |
|
154 | + } |
|
155 | + |
|
156 | + public function getUserProfile() |
|
157 | + { |
|
158 | + $id_token = $this->getStoredData('id_token'); |
|
159 | + |
|
160 | + $verifyTokenSignature = |
|
161 | + $this->config->exists('verifyTokenSignature') ? $this->config->get('verifyTokenSignature') : true; |
|
162 | + |
|
163 | + if (!$verifyTokenSignature) { |
|
164 | + // payload extraction by https://github.com/omidborjian |
|
165 | + // https://github.com/hybridauth/hybridauth/issues/1095#issuecomment-626479263 |
|
166 | + // JWT splits the string to 3 components 1) first is header 2) is payload 3) is signature |
|
167 | + $payload = explode('.', $id_token)[1]; |
|
168 | + $payload = json_decode(base64_decode($payload)); |
|
169 | + } else { |
|
170 | + // validate the token signature and get the payload |
|
171 | + $publicKeys = $this->apiRequest('keys'); |
|
172 | + |
|
173 | + \Firebase\JWT\JWT::$leeway = 120; |
|
174 | + |
|
175 | + $error = false; |
|
176 | + $payload = null; |
|
177 | + |
|
178 | + foreach ($publicKeys->keys as $publicKey) { |
|
179 | + try { |
|
180 | + $rsa = new RSA(); |
|
181 | + $jwk = (array)$publicKey; |
|
182 | + |
|
183 | + $rsa->loadKey( |
|
184 | + [ |
|
185 | + 'e' => new BigInteger(base64_decode($jwk['e']), 256), |
|
186 | + 'n' => new BigInteger(base64_decode(strtr($jwk['n'], '-_', '+/'), true), 256) |
|
187 | + ] |
|
188 | + ); |
|
189 | + $pem = $rsa->getPublicKey(); |
|
190 | + |
|
191 | + $payload = JWT::decode($id_token, $pem, ['RS256']); |
|
192 | + break; |
|
193 | + } catch (\Exception $e) { |
|
194 | + $error = $e->getMessage(); |
|
195 | + if ($e instanceof \Firebase\JWT\ExpiredException) { |
|
196 | + break; |
|
197 | + } |
|
198 | + } |
|
199 | + } |
|
200 | + |
|
201 | + if ($error && !$payload) { |
|
202 | + throw new \Exception($error); |
|
203 | + } |
|
204 | + } |
|
205 | + |
|
206 | + $data = new Data\Collection($payload); |
|
207 | + |
|
208 | + if (!$data->exists('sub')) { |
|
209 | + throw new UnexpectedValueException('Missing token payload.'); |
|
210 | + } |
|
211 | + |
|
212 | + $userProfile = new User\Profile(); |
|
213 | + $userProfile->identifier = $data->get('sub'); |
|
214 | + $userProfile->email = $data->get('email'); |
|
215 | + $this->storeData('expires_at', $data->get('exp')); |
|
216 | + |
|
217 | + if (!empty($_REQUEST['user'])) { |
|
218 | + $objUser = json_decode($_REQUEST['user']); |
|
219 | + $user = new Data\Collection($objUser); |
|
220 | + if (!$user->isEmpty()) { |
|
221 | + $name = $user->get('name'); |
|
222 | + $userProfile->firstName = $name->firstName; |
|
223 | + $userProfile->lastName = $name->lastName; |
|
224 | + $userProfile->displayName = join(' ', [$userProfile->firstName, $userProfile->lastName]); |
|
225 | + } |
|
226 | + } |
|
227 | + |
|
228 | + return $userProfile; |
|
229 | + } |
|
230 | + |
|
231 | + /** |
|
232 | + * @return string secret token |
|
233 | + */ |
|
234 | + private function getSecret() |
|
235 | + { |
|
236 | + // Your 10-character Team ID |
|
237 | + if (!$team_id = $this->config->filter('keys')->get('team_id')) { |
|
238 | + throw new InvalidApplicationCredentialsException( |
|
239 | + 'Missing parameter team_id: your team id is required to generate the JWS token.' |
|
240 | + ); |
|
241 | + } |
|
242 | + |
|
243 | + // Your Services ID, e.g. com.aaronparecki.services |
|
244 | + if (!$client_id = $this->config->filter('keys')->get('id') ?: $this->config->filter('keys')->get('key')) { |
|
245 | + throw new InvalidApplicationCredentialsException( |
|
246 | + 'Missing parameter id: your client id is required to generate the JWS token.' |
|
247 | + ); |
|
248 | + } |
|
249 | + |
|
250 | + // Find the 10-char Key ID value from the portal |
|
251 | + if (!$key_id = $this->config->filter('keys')->get('key_id')) { |
|
252 | + throw new InvalidApplicationCredentialsException( |
|
253 | + 'Missing parameter key_id: your key id is required to generate the JWS token.' |
|
254 | + ); |
|
255 | + } |
|
256 | + |
|
257 | + // Find the 10-char Key ID value from the portal |
|
258 | + $key_content = $this->config->filter('keys')->get('key_content'); |
|
259 | + |
|
260 | + // Save your private key from Apple in a file called `key.txt` |
|
261 | + if (!$key_content) { |
|
262 | + if (!$key_file = $this->config->filter('keys')->get('key_file')) { |
|
263 | + throw new InvalidApplicationCredentialsException( |
|
264 | + 'Missing parameter key_content or key_file: your key is required to generate the JWS token.' |
|
265 | + ); |
|
266 | + } |
|
267 | + |
|
268 | + if (!file_exists($key_file)) { |
|
269 | + throw new InvalidApplicationCredentialsException( |
|
270 | + "Your key file $key_file does not exist." |
|
271 | + ); |
|
272 | + } |
|
273 | + |
|
274 | + $key_content = file_get_contents($key_file); |
|
275 | + } |
|
276 | + |
|
277 | + $data = [ |
|
278 | + 'iat' => time(), |
|
279 | + 'exp' => time() + 86400 * 180, |
|
280 | + 'iss' => $team_id, |
|
281 | + 'aud' => 'https://appleid.apple.com', |
|
282 | + 'sub' => $client_id |
|
283 | + ]; |
|
284 | + |
|
285 | + $secret = JWT::encode($data, $key_content, 'ES256', $key_id); |
|
286 | + |
|
287 | + return $secret; |
|
288 | + } |
|
289 | 289 | } |
@@ -160,7 +160,7 @@ discard block |
||
160 | 160 | $verifyTokenSignature = |
161 | 161 | $this->config->exists('verifyTokenSignature') ? $this->config->get('verifyTokenSignature') : true; |
162 | 162 | |
163 | - if (!$verifyTokenSignature) { |
|
163 | + if ( ! $verifyTokenSignature) { |
|
164 | 164 | // payload extraction by https://github.com/omidborjian |
165 | 165 | // https://github.com/hybridauth/hybridauth/issues/1095#issuecomment-626479263 |
166 | 166 | // JWT splits the string to 3 components 1) first is header 2) is payload 3) is signature |
@@ -178,7 +178,7 @@ discard block |
||
178 | 178 | foreach ($publicKeys->keys as $publicKey) { |
179 | 179 | try { |
180 | 180 | $rsa = new RSA(); |
181 | - $jwk = (array)$publicKey; |
|
181 | + $jwk = (array) $publicKey; |
|
182 | 182 | |
183 | 183 | $rsa->loadKey( |
184 | 184 | [ |
@@ -198,14 +198,14 @@ discard block |
||
198 | 198 | } |
199 | 199 | } |
200 | 200 | |
201 | - if ($error && !$payload) { |
|
201 | + if ($error && ! $payload) { |
|
202 | 202 | throw new \Exception($error); |
203 | 203 | } |
204 | 204 | } |
205 | 205 | |
206 | 206 | $data = new Data\Collection($payload); |
207 | 207 | |
208 | - if (!$data->exists('sub')) { |
|
208 | + if ( ! $data->exists('sub')) { |
|
209 | 209 | throw new UnexpectedValueException('Missing token payload.'); |
210 | 210 | } |
211 | 211 | |
@@ -214,10 +214,10 @@ discard block |
||
214 | 214 | $userProfile->email = $data->get('email'); |
215 | 215 | $this->storeData('expires_at', $data->get('exp')); |
216 | 216 | |
217 | - if (!empty($_REQUEST['user'])) { |
|
217 | + if ( ! empty($_REQUEST['user'])) { |
|
218 | 218 | $objUser = json_decode($_REQUEST['user']); |
219 | 219 | $user = new Data\Collection($objUser); |
220 | - if (!$user->isEmpty()) { |
|
220 | + if ( ! $user->isEmpty()) { |
|
221 | 221 | $name = $user->get('name'); |
222 | 222 | $userProfile->firstName = $name->firstName; |
223 | 223 | $userProfile->lastName = $name->lastName; |
@@ -234,21 +234,21 @@ discard block |
||
234 | 234 | private function getSecret() |
235 | 235 | { |
236 | 236 | // Your 10-character Team ID |
237 | - if (!$team_id = $this->config->filter('keys')->get('team_id')) { |
|
237 | + if ( ! $team_id = $this->config->filter('keys')->get('team_id')) { |
|
238 | 238 | throw new InvalidApplicationCredentialsException( |
239 | 239 | 'Missing parameter team_id: your team id is required to generate the JWS token.' |
240 | 240 | ); |
241 | 241 | } |
242 | 242 | |
243 | 243 | // Your Services ID, e.g. com.aaronparecki.services |
244 | - if (!$client_id = $this->config->filter('keys')->get('id') ?: $this->config->filter('keys')->get('key')) { |
|
244 | + if ( ! $client_id = $this->config->filter('keys')->get('id') ?: $this->config->filter('keys')->get('key')) { |
|
245 | 245 | throw new InvalidApplicationCredentialsException( |
246 | 246 | 'Missing parameter id: your client id is required to generate the JWS token.' |
247 | 247 | ); |
248 | 248 | } |
249 | 249 | |
250 | 250 | // Find the 10-char Key ID value from the portal |
251 | - if (!$key_id = $this->config->filter('keys')->get('key_id')) { |
|
251 | + if ( ! $key_id = $this->config->filter('keys')->get('key_id')) { |
|
252 | 252 | throw new InvalidApplicationCredentialsException( |
253 | 253 | 'Missing parameter key_id: your key id is required to generate the JWS token.' |
254 | 254 | ); |
@@ -258,14 +258,14 @@ discard block |
||
258 | 258 | $key_content = $this->config->filter('keys')->get('key_content'); |
259 | 259 | |
260 | 260 | // Save your private key from Apple in a file called `key.txt` |
261 | - if (!$key_content) { |
|
262 | - if (!$key_file = $this->config->filter('keys')->get('key_file')) { |
|
261 | + if ( ! $key_content) { |
|
262 | + if ( ! $key_file = $this->config->filter('keys')->get('key_file')) { |
|
263 | 263 | throw new InvalidApplicationCredentialsException( |
264 | 264 | 'Missing parameter key_content or key_file: your key is required to generate the JWS token.' |
265 | 265 | ); |
266 | 266 | } |
267 | 267 | |
268 | - if (!file_exists($key_file)) { |
|
268 | + if ( ! file_exists($key_file)) { |
|
269 | 269 | throw new InvalidApplicationCredentialsException( |
270 | 270 | "Your key file $key_file does not exist." |
271 | 271 | ); |