Following up on the last post on Apple Web login, this time let's grind through an even more common scenario: integrating Sign in with Apple into an App.
1. Preparation
Pick any tutorial for this part; it needs far too many screenshots. So hand all of it to the product manager and just have them give you the bundle_id at the end.
2. A bit of design
Steps:
- The client integrates the SDK and the user taps "Sign in with Apple".
- The client hands off to the Apple ID flow, where the user authorizes.
- Once the user authorizes, Apple returns the identityToken, the authorization code and a few other parameters to the client.
- The server then has two roads it can take:
  - Authorization code flow: exchange code + client_id + client_secret for an access_token and id_token (Generate and validate tokens | Apple Developer Documentation).
  - Apple has already handed us the identityToken, so why go through the authorization code at all? That is honestly taking your trousers off to fart. (Fetch Apple's public key for verifying token signature | Apple Developer Documentation)
- Verify that the identityToken is genuine: it is a JWT signed with Apple's private key, so once we have Apple's public key we can tell whether this JWT really came from Apple.
- Having verified it is genuine, also verify that this JWT was issued for us (the audience must be our app, not some other app's).
So the server needs to expose one endpoint that accepts the identityToken submitted by the client, parses and verifies it, and then logs the user into the system.
3. The main event: code
I only provide the server-side code; asking me to write the client is impossible. Absolutely impossible.
If you have to write not just the server but the client as well... hahahahahahahahahahaha........
3.1 Import the dependencies
```xml
<dependency>
    <groupId>com.auth0</groupId>
    <artifactId>jwks-rsa</artifactId>
    <version>0.22.1</version>
</dependency>
<dependency>
    <groupId>org.bitbucket.b_c</groupId>
    <artifactId>jose4j</artifactId>
    <version>0.9.3</version>
</dependency>
```
- `jwks-rsa`: looks up the matching public key in the published key list by the token's `kid`.
- `jose4j`: does the actual verification of the JWT with that public key; any other JWT library could be swapped in here.
3.2 Configuration
OAuth login configuration
```properties
oauth.apple.teamId=<teamId>
oauth.apple.bundleId=<bundleId>
```
```java
import lombok.Data;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Configuration;

@Configuration
@ConfigurationProperties(prefix = "oauth.apple")
@Data
public class OauthAppleConfig {
    private String teamId;
    private String bundleId; // the audience (aud) we expect in Apple's id token
}
```
Next, the JWK configuration.
Since we're here anyway, why not go high-cohesion, low-coupling? Skipping that would be out of character for a show-off like me. Apple is done, so let's configure Google as well. The best moment is when a coworker reads your code and sighs: he's so cool.
```java
public interface IdTokenConfig {
    // URL of the JWK public key list
    String JWKsUri();
    // expected issuer (iss) of the JWT
    String issuer();
}
```
```java
public enum IdTokenConfigEnum implements IdTokenConfig {
    // https://accounts.google.com/.well-known/openid-configuration
    GOOGLE("https://www.googleapis.com/oauth2/v3/certs",
            "https://accounts.google.com"),
    // https://appleid.apple.com/.well-known/openid-configuration
    APPLE("https://appleid.apple.com/auth/keys",
            "https://appleid.apple.com");

    private final String JWKsUri;
    private final String issuer;

    IdTokenConfigEnum(String JWKsUri, String issuer) {
        this.JWKsUri = JWKsUri;
        this.issuer = issuer;
    }

    @Override
    public String JWKsUri() {
        return JWKsUri;
    }

    @Override
    public String issuer() {
        return issuer;
    }
}
```
3.3 Parsing the identityToken
That last round of showing off wasn't long or sustained enough, so here's another one.
```java
import com.auth0.jwk.JwkException;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;

import java.net.MalformedURLException;
import java.security.PublicKey;

public interface IdTokenParser {
    // verify with a given public key and also check who issued the token and who it was issued for
    JwtClaims parse(String idToken, PublicKey publicKey, String issuer, String audience) throws InvalidJwtException;
    // verify the signature only, with a given public key
    JwtClaims parse(String idToken, PublicKey publicKey) throws InvalidJwtException;
    // look the key up from the JWKS endpoint by the token's kid, then verify the signature only
    JwtClaims parse(String idToken, String jwksUri) throws MalformedURLException, JwkException, InvalidJwtException;
    // look the key up from the JWKS endpoint, then verify signature, issuer and audience (the one we actually use)
    JwtClaims parse(String idToken, String jwksUri, String issuer, String audience) throws MalformedURLException, JwkException, InvalidJwtException;
}
```
Strictly speaking we only need the fourth method. But we provide the others too, in case they're needed one day, right? Definitely not to show off.
```java
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;

import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.util.Base64;
import java.util.concurrent.TimeUnit;

@Slf4j
public class IdTokenParserImpl implements IdTokenParser {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    @Override
    public JwtClaims parse(String idToken, PublicKey publicKey, String issuer, String audience) throws InvalidJwtException {
        JwtConsumerBuilder jwtConsumerBuilder = new JwtConsumerBuilder()
                .setRequireExpirationTime() // the JWT must have an expiration time
                .setMaxFutureValidityInMinutes((int) TimeUnit.HOURS.toMinutes(24)) // but the expiration time can't be too crazy
                .setAllowedClockSkewInSeconds(60) // allow some leeway in validating time based claims to account for clock skew
                .setRequireSubject()
                .setVerificationKey(publicKey); // verify the signature with the public key
        if (StringUtils.isNotBlank(issuer)) {
            jwtConsumerBuilder.setExpectedIssuer(issuer); // whom the JWT needs to have been issued by
        }
        if (StringUtils.isNotBlank(audience)) {
            jwtConsumerBuilder.setExpectedAudience(audience); // to whom the JWT is intended for
        }
        // note: with no expected audience configured, jose4j still rejects a token that carries an aud claim
        // (Apple's always does), so the overloads without audience only work for tokens that have no aud at all
        JwtConsumer jwtConsumer = jwtConsumerBuilder.build();
        return jwtConsumer.processToClaims(idToken);
    }

    @Override
    public JwtClaims parse(String idToken, PublicKey publicKey) throws InvalidJwtException {
        return parse(idToken, publicKey, null, null);
    }

    @Override
    public JwtClaims parse(String idToken, String jwksUri) throws MalformedURLException, JwkException, InvalidJwtException {
        return parse(idToken, getPublicKey(jwksUri, idToken), null, null);
    }

    @Override
    public JwtClaims parse(String idToken, String jwksUri, String issuer, String audience) throws MalformedURLException, JwkException, InvalidJwtException {
        return parse(idToken, getPublicKey(jwksUri, idToken), issuer, audience);
    }

    // read the kid out of the (still unverified) JWT header; it is only used to choose which published key to try
    private PublicKey getPublicKey(String jwksUri, String idToken) throws MalformedURLException, JwkException {
        String[] parts = idToken.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("not a compact JWS (expected header.payload.signature)");
        }
        // JWT headers are base64url without padding, so use the URL-safe decoder, not the plain Base64 one
        String header = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        JsonNode kidNode;
        try {
            kidNode = MAPPER.readTree(header).get("kid");
        } catch (IOException e) {
            throw new IllegalArgumentException("malformed JWT header", e);
        }
        if (kidNode == null || kidNode.isNull()) {
            throw new IllegalArgumentException("JWT header has no kid");
        }
        return publicKey(jwksUri, kidNode.asText());
    }

    private PublicKey publicKey(String jwksUri, String kid) throws MalformedURLException, JwkException {
        // the builder defaults to a cached, rate-limited provider, but that only helps if the provider is reused;
        // a production service should keep one provider per JWKS URI rather than building one per call
        JwkProvider provider = new JwkProviderBuilder(new URL(jwksUri)).build();
        Jwk jwk = provider.get(kid);
        return jwk.getPublicKey();
    }
}
```
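Pulling the design steps from section 2 (pick Apple's key by `kid`, check the signature, then check issuer and audience) and the parser above into one hardened verifier, as an added example that is not the post's own code: it keeps a single cached jwks-rsa provider for the whole process instead of building one per request, pins the JWS algorithm to RS256 so a tampered header cannot select `none` or another algorithm, makes the audience mandatory, and checks the nonce the client generated for this login attempt. The bundle id `com.example.myapp`, the `kid` and the `sub` in the demo are constructed values, and `main` signs with a locally generated RSA key standing in for Apple's so it runs without network; in production you would use the one-argument constructor.

```java
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.JwksVerificationKeyResolver;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.jose4j.lang.JoseException;
import org.jose4j.lang.UnresolvableKeyException;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.TimeUnit;

// Verifies an Apple identityToken server-side: signature via Apple's JWKS, then iss / aud / exp / iat / sub / nonce.
public class AppleIdTokenVerifier {
    static final String APPLE_ISSUER = "https://appleid.apple.com";
    static final String APPLE_JWKS_URI = "https://appleid.apple.com/auth/keys";
    private final JwtConsumer consumer;

    // production wiring: keys from Apple's JWKS endpoint, audience = our own bundle id
    public AppleIdTokenVerifier(String bundleId) throws MalformedURLException {
        this(appleJwksResolver(), APPLE_ISSUER, bundleId);
    }

    AppleIdTokenVerifier(VerificationKeyResolver resolver, String issuer, String audience) {
        this.consumer = new JwtConsumerBuilder()
                // permit RS256 only: "none" or any other alg in the header is rejected before any key lookup
                .setJwsAlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT,
                        AlgorithmIdentifiers.RSA_USING_SHA256)
                .setVerificationKeyResolver(resolver) // key is picked by the token's kid header
                .setExpectedIssuer(issuer)            // iss must be Apple
                .setExpectedAudience(audience)        // aud must be OUR bundle id, not another app's
                .setRequireExpirationTime()
                .setRequireIssuedAt()
                .setRequireSubject()
                .setAllowedClockSkewInSeconds(60)
                .build();
    }

    // one cached, rate-limited provider for the whole process; a provider per request would refetch the JWKS every time
    static VerificationKeyResolver appleJwksResolver() throws MalformedURLException {
        JwkProvider provider = new JwkProviderBuilder(new URL(APPLE_JWKS_URI))
                .cached(10, 24, TimeUnit.HOURS)
                .rateLimited(10, 1, TimeUnit.MINUTES)
                .build();
        return (jws, nestingContext) -> {
            String kid = jws.getKeyIdHeaderValue();
            if (kid == null) {
                throw new UnresolvableKeyException("id token has no kid header");
            }
            try {
                return provider.get(kid).getPublicKey();
            } catch (JwkException e) {
                throw new UnresolvableKeyException("no Apple signing key for kid " + kid, e);
            }
        };
    }

    // jose4j checks signature, iss, aud, exp, iat and sub; the per-attempt nonce (if the client used one) is checked here
    public JwtClaims verify(String idToken, String expectedNonce) throws InvalidJwtException, MalformedClaimException {
        JwtClaims claims = consumer.processToClaims(idToken);
        if (expectedNonce != null && !expectedNonce.equals(claims.getStringClaimValue("nonce"))) {
            throw new IllegalStateException("nonce mismatch: token was not minted for this login attempt");
        }
        return claims;
    }

    // offline demo: a locally generated RSA key stands in for Apple's, so nothing is fetched from the network
    public static void main(String[] args) throws Exception {
        RsaJsonWebKey key = RsaJwkGenerator.generateJwk(2048);
        key.setKeyId("local-kid-1"); // constructed kid
        List<JsonWebKey> keys = Collections.singletonList(key);
        AppleIdTokenVerifier verifier = new AppleIdTokenVerifier(
                new JwksVerificationKeyResolver(keys), APPLE_ISSUER, "com.example.myapp"); // hypothetical bundle id
        JwtClaims ok = verifier.verify(mint(key, "com.example.myapp"), null);
        System.out.println("accepted sub=" + ok.getSubject());
        try {
            verifier.verify(mint(key, "com.example.otherapp"), null); // properly signed, but minted for another app
        } catch (InvalidJwtException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }

    // mints a token shaped like Apple's for the demo (constructed values, not a real Apple token)
    static String mint(RsaJsonWebKey key, String audience) throws JoseException {
        JwtClaims c = new JwtClaims();
        c.setIssuer(APPLE_ISSUER);
        c.setAudience(audience);
        c.setSubject("001234.constructedsubject.5678");
        c.setIssuedAtToNow();
        c.setExpirationTimeMinutesInTheFuture(10);
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(c.toJson());
        jws.setKey(key.getPrivateKey());
        jws.setKeyIdHeaderValue(key.getKeyId());
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        return jws.getCompactSerialization();
    }
}
```

The resolver lambda is where the `kid` from the header meets the key list, the same job `jwks-rsa` does in the parser above, but jose4j hands it the already-parsed header, so there is no manual base64 work. The second `verify` call in `main` fails on the audience check alone: the signature, issuer and expiry are all fine, which is exactly why the design step "verify it was issued for us" cannot be skipped.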
3.4 Usage
```java
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.jose4j.jwt.JwtClaims;
import org.springframework.stereotype.Service;
// JSONObject and AuthUser come from whatever JSON library / user model the project already uses

@Slf4j
@Service
@RequiredArgsConstructor
public class AppleLoginService {
    private final IdTokenParser idTokenParser;
    private final OauthAppleConfig oauthAppleConfig;

    public AuthUser login(String idToken) {
        IdTokenConfig apple = IdTokenConfigEnum.APPLE;
        JwtClaims claims = null;
        try {
            // issuer must be Apple and audience must be OUR bundle id; a valid token minted for another app is rejected
            claims = idTokenParser.parse(idToken, apple.JWKsUri(), apple.issuer(), oauthAppleConfig.getBundleId());
        } catch (Exception e) {
            // don't log the raw id token: it carries the user's email and stays replayable until it expires
            log.error("failed to parse id token", e);
            ServiceException.throwInternalServerEx("failed to parse id token");
        }
        // Apple's token carries sub and email (plus email_verified / is_private_email); name, picture and location
        // are not in it (Google's token does have name and picture), so those fields stay null for Apple logins
        return AuthUser.builder()
                .uuid(claims.getClaimValueAsString("sub"))
                .username(claims.getClaimValueAsString("email"))
                .nickname(claims.getClaimValueAsString("name"))
                .avatar(claims.getClaimValueAsString("picture"))
                .email(claims.getClaimValueAsString("email"))
                .location(claims.getClaimValueAsString("location"))
                .rawUserInfo(new JSONObject(claims.getClaimsMap()))
                .build();
    }
}
```
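The mapping step above treats every claim as a string, which is fine for Google but glosses over Apple's quirks, so here is an added example of that step (not the post's own code): Apple's id token carries `sub`, `email`, `email_verified` and `is_private_email` and no name, Apple documents the two flags as "a string or Boolean value", and a hidden email arrives as a private relay address. `AppleUser` is a hypothetical record type, the name is taken from the client separately because Apple only sends it to the client, once, on the first sign-in, and the claims in `main` are constructed.

```java
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;

// Maps the claims of an ALREADY VERIFIED Apple id token to our user record; call only after signature/iss/aud checks.
public class AppleClaimsMapper {

    public static final class AppleUser {
        public final String sub;           // stable per Apple account and developer team: link accounts by this, never by email
        public final String email;         // may be a private relay address, or null when Apple did not include one
        public final boolean emailVerified;
        public final boolean privateEmail; // true when Apple's "Hide My Email" relay is in use
        public final String displayName;   // not in the token; the client sends fullName once, on first sign-in

        AppleUser(String sub, String email, boolean emailVerified, boolean privateEmail, String displayName) {
            this.sub = sub;
            this.email = email;
            this.emailVerified = emailVerified;
            this.privateEmail = privateEmail;
            this.displayName = displayName;
        }
    }

    public static AppleUser fromClaims(JwtClaims claims, String displayNameFromClient) throws MalformedClaimException {
        String sub = claims.getSubject();
        if (sub == null || sub.isEmpty()) {
            throw new MalformedClaimException("verified token has no sub; cannot identify the user");
        }
        String email = claims.getClaimValueAsString("email"); // null when the claim is absent
        return new AppleUser(sub, email, flag(claims, "email_verified"), flag(claims, "is_private_email"),
                displayNameFromClient);
    }

    // email_verified and is_private_email are documented as "a string or Boolean value", so accept both shapes
    static boolean flag(JwtClaims claims, String name) {
        Object v = claims.getClaimValue(name);
        if (v instanceof Boolean) {
            return (Boolean) v;
        }
        return v != null && "true".equalsIgnoreCase(v.toString());
    }

    public static void main(String[] args) throws MalformedClaimException {
        JwtClaims c = new JwtClaims(); // constructed claims shaped like Apple's, not a real token
        c.setSubject("001234.constructedsubject.5678");
        c.setClaim("email", "abc123xyz@privaterelay.appleid.com");
        c.setClaim("email_verified", "true");         // string form
        c.setClaim("is_private_email", Boolean.TRUE); // boolean form
        AppleUser u = fromClaims(c, "Jane Appleseed");
        System.out.println(u.sub + " " + u.email + " verified=" + u.emailVerified
                + " relay=" + u.privateEmail + " name=" + u.displayName);
    }
}
```

Keying the account on `sub` rather than `email` matters for the relay case: the user can revoke the relay address later, and a relay address is also not something another identity provider can vouch for, so matching an existing account by email would be the wrong link.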
Ref
- Sign in with Apple REST API | Apple Developer Documentation
- Fetch Apple's public key for verifying token signature | Apple Developer Documentation
- Generate and validate tokens | Apple Developer Documentation