use token and algo from jwt header #6416
Conversation
|
I'm not sure what to do about those failing tests. They don't seem related, I'm guessing they pass locally because I don't have an actual replicaset and redis cache? |
Codecov Report
@@ Coverage Diff @@
## master #6416 +/- ##
==========================================
- Coverage 93.96% 93.29% -0.68%
==========================================
Files 169 169
Lines 11801 11989 +188
==========================================
+ Hits 11089 11185 +96
- Misses 712 804 +92
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Thanks for the PR. I have a few suggestions.
At some point we should move from node-rsa to jwks-rsa. As mentioned in the apple documentation, to get the public keys, we need to deal properly with json web keys (jwks) to get the signin keys.
Here is what jwks-rsa implementation looks like.
https://auth0.com/blog/implement-sign-in-with-apple-using-auth0-extensibility/
|
Hi, for those like myself who don’t have the skillset to contribute to this issue (apologies) is there a workaround from iOS or having this fixed is the only way? Because Apple are starting to enforce the iOS13 SDK which would unfortunately mandate the sign in with Apple. Thanks |
|
@chriscborg signin with Apple is already supported. https://docs.parseplatform.org/parse-server/guide/#apple-authdata This PR is to improve the existing implementation. Can you post a link about a mandate / require this? |
|
@dplewis thanks for the reply. please find the link to the Apple review guidelines mandating the Sign In with Apple if the app uses other social logins https://developer.apple.com/app-store/review/guidelines/#sign-in-with-apple I am having an issue when doing the sign in with Apple and I thought that it was related to this issue. When I attempt the login, some times, I'm getting the below error from the server. Sometimes it succeeds, sometimes it fails with the below. Do you think this is related to this issue or is it something else? |
Ok I though you meant it was required in every app I’m not sure if this will fix your issue. Feel free to pull down this branch fork and try it in your app. I left a comment above about another implementation for Sign In with Apple that may solve all our issues |
|
@dplewis thanks for your suggestion. @andrewking0207 @dplewis I can confirm that after forking this branch, the issue mentioned above was resolved. I look forward to seeing this merged and released. I wish I could help so if there's a way let me know. |
|
I consistently get nil sessionToken from my server deployed on Heroku because of this i get error 206. Could that be due to this issue? it works consistently on my local server. I have tried searching answer for nil token everywhere but no luck. If this fix will solve the problem then would be great. |
|
This fixes the problem for me as well. Please merge. :) |
|
@andrewking0207 have you had the chance to look at @dplewis comments? |
|
Yes, sorry for the delay. I'll get those changes implemented. |
latest from upstream
… test for coverage
|
I think we should be all set here. I'm not sure why it's showing a code coverage change for RestWrite or MongoStorageAdapter, I didn't touch those. Let me know if you want me to add tests for those as part of this PR. |
src/Adapters/Auth/apple.js
Outdated
| options.client_id, | ||
| options.cacheMaxEntries, | ||
| options.cacheMaxAge | ||
| ); |
There was a problem hiding this comment.
A quick nit. Functions should have 2 parameters max. Just pass in options.
Also if I pass in { clientID: “something” } you default values would never be set. Use the or operator.
options.cacheMaxEntries || 5 ( if the first expression is false or undefined use the second) just a quick trick for setting defaults.
There was a problem hiding this comment.
Good feedback thanks. I got that changed.
There was a problem hiding this comment.
LGTM! Thanks @andrewking0207 and everybody for testing this.
|
Excited for this one, going to roll it out to all of my clients that use Sign In with Apple ASAP. Thanks for everyone's work on this! |
|
Thank you @andrewking0207 and @dplewis for your work on this. This is going to be extremely helpful to a majority of our apps! |
|
Here too. Thx a lot. |
|
Thank you for the fix! Works way better now. |
|
Any thoughts on when we might see a new release with this change? I have a couple of projects I’m eager to update but I know it’s a busy time for all. |
* use token and algo from jwt header * change node-rsa out for jwks-rsa, reflect change in tests and add one test for coverage * remove superfluous cache, allow jwks cache parameters to be passed to validateAuthData * remove package lock * regenerate package lock * try fixing package-lock with copy from master * manual changes for merge conflict * whitespace * pass options as object * fix inconsistent variable name
Fixes: #6408
The appleid auth token endpoint https://appleid.apple.com/auth/keys returns three different keys. The current apple auth adapter implementation always selects the first key to verify the token. This works often but if the client did not encode using the first key then the verification will fail. This fix checks the header of the token to get the key ID used for the encoding and then selects the correct public key with which to perform verification of the token.
Also selects the encryption algorithm from the header in case Apple changes what they use in the future.