fix: skip apple oidc issuer check (#2053)

hf · issuedat · commit e84a566bd230 · 2025-09-30T19:12:44.000+02:00
Defers issuer check.
diff --git a/internal/api/provider/apple.go b/internal/api/provider/apple.go
@@ -148,7 +148,8 @@ func (p AppleProvider) GetUserData(ctx context.Context, tok *oauth2.Token) (*Use
 	}
 
 	_, data, err := ParseIDToken(ctx, p.oidc, &oidc.Config{
-		ClientID: p.ClientID,
+		ClientID:        p.ClientID,
+		SkipIssuerCheck: true,
 	}, idToken.(string), ParseIDTokenOptions{
 		AccessToken: tok.AccessToken,
 	})
diff --git a/internal/api/token_oidc.go b/internal/api/token_oidc.go
@@ -160,7 +160,16 @@ func (a *API) IdTokenGrant(ctx context.Context, w http.ResponseWriter, r *http.R
 		return err
 	}
 
-	idToken, userData, err := provider.ParseIDToken(ctx, oidcProvider, nil, params.IdToken, provider.ParseIDTokenOptions{
+	var oidcConfig *oidc.Config
+
+	if providerType == "apple" {
+		oidcConfig = &oidc.Config{
+			SkipClientIDCheck: true,
+			SkipIssuerCheck:   true,
+		}
+	}
+
+	idToken, userData, err := provider.ParseIDToken(ctx, oidcProvider, oidcConfig, params.IdToken, provider.ParseIDTokenOptions{
 		SkipAccessTokenCheck: params.AccessToken == "",
 		AccessToken:          params.AccessToken,
 	})

Original file line number	Diff line number	Diff line change
`@@ -148,7 +148,8 @@ func (p AppleProvider) GetUserData(ctx context.Context, tok oauth2.Token) (Use`
`148`	`148`	`}`
`149`	`149`
`150`	`150`	`_, data, err := ParseIDToken(ctx, p.oidc, &oidc.Config{`
`151`		`- ClientID: p.ClientID,`
	`151`	`+ ClientID: p.ClientID,`
	`152`	`+ SkipIssuerCheck: true,`
`152`	`153`	`}, idToken.(string), ParseIDTokenOptions{`
`153`	`154`	`AccessToken: tok.AccessToken,`
`154`	`155`	`})`