Module supertokens_python.recipe.thirdparty.providers.apple
# Copyright (c) 2021, VRAI Labs and/or its affiliates. All rights reserved.
#
# This software is licensed under the Apache License, Version 2.0 (the
# "License") as published by the Apache Software Foundation.
#
# You may not use this file except in compliance with the License. You may
# obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from __future__ import annotations
from re import sub
from time import time
from typing import TYPE_CHECKING, Any, Callable, Dict, List, Union
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
from httpx import AsyncClient
from jwt import decode, encode
from jwt.algorithms import RSAAlgorithm
from supertokens_python.recipe.thirdparty.api.implementation import (
get_actual_client_id_from_development_client_id,
)
from supertokens_python.recipe.thirdparty.constants import APPLE_REDIRECT_HANDLER
from supertokens_python.recipe.thirdparty.provider import Provider
from supertokens_python.recipe.thirdparty.types import (
AccessTokenAPI,
AuthorisationRedirectAPI,
UserInfo,
UserInfoEmail,
)
from supertokens_python.supertokens import Supertokens
if TYPE_CHECKING:
from supertokens_python.framework.request import BaseRequest
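class Apple(Provider):
    """Sign in with Apple provider for the thirdparty recipe.

    Builds the authorisation redirect, exchanges the authorisation code for
    tokens using a self-signed ES256 client secret, and verifies the
    ``id_token`` Apple returns against Apple's published RSA public keys
    before reading the user's id and email from it.
    """

    # Apple's issuer value. It is the ``aud`` of the client-secret JWT sent
    # to Apple and the ``iss`` expected in the id token Apple returns.
    APPLE_ISSUER = "https://appleid.apple.com"

    def __init__(
        self,
        client_id: str,
        client_key_id: str,
        client_private_key: str,
        client_team_id: str,
        scope: Union[None, List[str]] = None,
        authorisation_redirect: Union[
            None, Dict[str, Union[Callable[[BaseRequest], str], str]]
        ] = None,
        is_default: bool = False,
    ):
        """Configure the provider.

        Args:
            client_id: Apple client id; mapped through
                ``get_actual_client_id_from_development_client_id`` when a
                development id is used.
            client_key_id: ``kid`` of the private key registered with Apple;
                sent in the client-secret JWT header.
            client_private_key: ES256 private key in PEM form. Literal
                ``\\n`` sequences are expanded to newlines before signing.
            client_team_id: Apple team id; used as ``iss`` of the client
                secret.
            scope: OAuth scopes to request; ``["email"]`` when omitted.
                Duplicates are removed, so the order is not preserved.
            authorisation_redirect: Extra query parameters merged into the
                authorisation redirect.
            is_default: Whether this is the recipe's default provider.
        """
        super().__init__("apple", is_default)
        self.APPLE_PUBLIC_KEY_URL = "https://appleid.apple.com/auth/keys"
        self.APPLE_PUBLIC_KEYS: List[RSAPublicKey] = []
        self.APPLE_KEY_CACHE_EXP = 60 * 60 * 24  # re-fetch Apple's keys daily
        self.apple_last_fetch = 0  # epoch seconds of the last key fetch
        if scope is None:
            scope = ["email"]
        self.client_id = client_id
        self.client_key_id = client_key_id
        self.client_private_key = client_private_key
        self.client_team_id = client_team_id
        self.scopes = list(set(scope))
        self.access_token_api_url = "https://appleid.apple.com/auth/token"
        self.authorisation_redirect_url = "https://appleid.apple.com/auth/authorize"
        self.authorisation_redirect_params = {}
        if authorisation_redirect is not None:
            self.authorisation_redirect_params = authorisation_redirect

    def __get_client_secret(self) -> str:
        """Build the ES256-signed client-secret JWT Apple's token endpoint expects.

        Returns:
            The compact JWT, signed with ``client_private_key`` and carrying
            ``client_key_id`` as ``kid``.
        """
        now = time()
        payload = {
            "iss": self.client_team_id,
            "iat": now,
            "exp": now + (86400 * 180),  # 6 months
            "aud": self.APPLE_ISSUER,
            "sub": get_actual_client_id_from_development_client_id(self.client_id),
        }
        headers = {"kid": self.client_key_id}
        return encode(
            payload,
            # Keys pasted into env vars often carry escaped newlines.
            sub(r"\\n", "\n", self.client_private_key),
            algorithm="ES256",
            headers=headers,
        )  # type: ignore

    async def get_profile_info(
        self, auth_code_response: Dict[str, Any], user_context: Dict[str, Any]
    ) -> UserInfo:
        """Verify the id token from the token exchange and extract the user.

        Args:
            auth_code_response: Token endpoint response; must contain
                ``id_token``.
            user_context: Unused here.

        Returns:
            ``UserInfo`` with Apple's ``sub`` as the user id and the
            ``email`` / ``email_verified`` claims.

        Raises:
            Exception: If the id token fails verification or carries no
                email claim.
        """
        id_token = auth_code_response["id_token"]
        # Signature, issuer, audience and expiry are checked here against
        # Apple's public keys. The nonce is not checked in this method.
        await self._verify_apple_id_token(id_token)
        # Same string as just verified, so the signature need not be re-checked.
        payload: Union[None, Dict[str, Any]] = decode(
            jwt=id_token, options={"verify_signature": False}
        )
        if payload is None:
            raise Exception(
                "no user info found from user's id token received from apple"
            )
        if payload.get("email") is None:
            raise Exception(
                "no user info found from user's id token received from apple"
            )
        user_id = payload["sub"]
        email = payload["email"]
        is_email_verified = payload.get("email_verified", False)
        return UserInfo(user_id, UserInfoEmail(email, is_email_verified))

    def get_authorisation_redirect_api_info(
        self, user_context: Dict[str, Any]
    ) -> AuthorisationRedirectAPI:
        """Describe the redirect to Apple's authorisation endpoint.

        Configured ``authorisation_redirect`` entries are merged last and so
        override the defaults below. ``response_mode=form_post`` means Apple
        POSTs the result back rather than redirecting with a query string.
        """
        params = {
            "scope": " ".join(self.scopes),
            "response_type": "code",
            "response_mode": "form_post",
            "client_id": self.client_id,
            **self.authorisation_redirect_params,
        }
        return AuthorisationRedirectAPI(self.authorisation_redirect_url, params)

    def get_access_token_api_info(
        self,
        redirect_uri: str,
        auth_code_from_request: str,
        user_context: Dict[str, Any],
    ) -> AccessTokenAPI:
        """Describe the authorization-code exchange against Apple's token endpoint.

        Args:
            redirect_uri: The redirect URI used in the authorisation step.
            auth_code_from_request: Authorisation code Apple posted back.
            user_context: Unused here.
        """
        params = {
            "client_id": self.client_id,
            "client_secret": self.__get_client_secret(),
            "grant_type": "authorization_code",
            "code": auth_code_from_request,
            "redirect_uri": redirect_uri,
        }
        return AccessTokenAPI(self.access_token_api_url, params)

    def get_redirect_uri(self, user_context: Dict[str, Any]) -> Union[None, str]:
        """Return the backend URL Apple posts the authorisation result to.

        Built from the configured API domain and base path plus
        ``APPLE_REDIRECT_HANDLER``.
        """
        app_info = Supertokens.get_instance().app_info
        redirect_uri = app_info.api_domain.get_as_string_dangerous()
        redirect_uri += app_info.api_base_path.get_as_string_dangerous()
        redirect_uri += APPLE_REDIRECT_HANDLER
        return redirect_uri

    async def _fetch_apple_public_keys(self) -> List[RSAPublicKey]:
        """Return Apple's RSA public keys, refreshing the cache when needed.

        The cache is refreshed when it is empty or older than
        ``APPLE_KEY_CACHE_EXP`` seconds. On refresh the cached list is
        replaced, not extended, so keys Apple has rotated out stop being
        accepted and the list does not grow on every refresh.

        Raises:
            httpx.HTTPStatusError: If the JWKS endpoint returns an error status.
        """
        now = int(time())
        cache_stale = (self.apple_last_fetch + self.APPLE_KEY_CACHE_EXP) < now
        if cache_stale or not self.APPLE_PUBLIC_KEYS:
            async with AsyncClient() as client:
                response = await client.get(self.APPLE_PUBLIC_KEY_URL)  # type:ignore
                response.raise_for_status()
                key_payload = response.json()
            self.APPLE_PUBLIC_KEYS = [
                RSAAlgorithm.from_jwk(key)  # type: ignore
                for key in key_payload["keys"]
            ]
            self.apple_last_fetch = int(time())
        return self.APPLE_PUBLIC_KEYS

    async def _verify_apple_id_token(self, token: str) -> None:
        """Verify the id token's RS256 signature, issuer, audience and expiry.

        Each cached Apple key is tried in turn; the token is accepted on the
        first successful ``decode``. ``decode`` also enforces the ``exp``
        claim.

        Raises:
            Exception: The last error raised by ``decode`` when no key
                verifies the token, or a generic error if no keys are cached.
        """
        public_keys = await self._fetch_apple_public_keys()
        expected_audience = [
            get_actual_client_id_from_development_client_id(self.client_id)
        ]
        err: Exception = Exception("Id token verification failed")
        for key in public_keys:
            try:
                decode(
                    jwt=token,
                    key=key,
                    audience=expected_audience,
                    issuer=self.APPLE_ISSUER,
                    algorithms=["RS256"],
                )  # type: ignore
                return
            except Exception as e:
                err = e
        raise err

    def get_client_id(self, user_context: Dict[str, Any]) -> str:
        """Return the configured client id; ``user_context`` is unused."""
        return self.client_id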
Classes
class Apple (client_id: str, client_key_id: str, client_private_key: str, client_team_id: str, scope: Union[None, List[str]] = None, authorisation_redirect: Union[None, Dict[str, Union[Callable[[BaseRequest], str], str]]] = None, is_default: bool = False)
Helper class that provides a standard way to create an ABC using inheritance.
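class Apple(Provider):
    """Sign in with Apple provider for the thirdparty recipe.

    Builds the authorisation redirect, exchanges the authorisation code for
    tokens using a self-signed ES256 client secret, and verifies the
    ``id_token`` Apple returns against Apple's published RSA public keys
    before reading the user's id and email from it.
    """

    # Apple's issuer value. It is the ``aud`` of the client-secret JWT sent
    # to Apple and the ``iss`` expected in the id token Apple returns.
    APPLE_ISSUER = "https://appleid.apple.com"

    def __init__(
        self,
        client_id: str,
        client_key_id: str,
        client_private_key: str,
        client_team_id: str,
        scope: Union[None, List[str]] = None,
        authorisation_redirect: Union[
            None, Dict[str, Union[Callable[[BaseRequest], str], str]]
        ] = None,
        is_default: bool = False,
    ):
        """Configure the provider.

        Args:
            client_id: Apple client id; mapped through
                ``get_actual_client_id_from_development_client_id`` when a
                development id is used.
            client_key_id: ``kid`` of the private key registered with Apple;
                sent in the client-secret JWT header.
            client_private_key: ES256 private key in PEM form. Literal
                ``\\n`` sequences are expanded to newlines before signing.
            client_team_id: Apple team id; used as ``iss`` of the client
                secret.
            scope: OAuth scopes to request; ``["email"]`` when omitted.
                Duplicates are removed, so the order is not preserved.
            authorisation_redirect: Extra query parameters merged into the
                authorisation redirect.
            is_default: Whether this is the recipe's default provider.
        """
        super().__init__("apple", is_default)
        self.APPLE_PUBLIC_KEY_URL = "https://appleid.apple.com/auth/keys"
        self.APPLE_PUBLIC_KEYS: List[RSAPublicKey] = []
        self.APPLE_KEY_CACHE_EXP = 60 * 60 * 24  # re-fetch Apple's keys daily
        self.apple_last_fetch = 0  # epoch seconds of the last key fetch
        if scope is None:
            scope = ["email"]
        self.client_id = client_id
        self.client_key_id = client_key_id
        self.client_private_key = client_private_key
        self.client_team_id = client_team_id
        self.scopes = list(set(scope))
        self.access_token_api_url = "https://appleid.apple.com/auth/token"
        self.authorisation_redirect_url = "https://appleid.apple.com/auth/authorize"
        self.authorisation_redirect_params = {}
        if authorisation_redirect is not None:
            self.authorisation_redirect_params = authorisation_redirect

    def __get_client_secret(self) -> str:
        """Build the ES256-signed client-secret JWT Apple's token endpoint expects.

        Returns:
            The compact JWT, signed with ``client_private_key`` and carrying
            ``client_key_id`` as ``kid``.
        """
        now = time()
        payload = {
            "iss": self.client_team_id,
            "iat": now,
            "exp": now + (86400 * 180),  # 6 months
            "aud": self.APPLE_ISSUER,
            "sub": get_actual_client_id_from_development_client_id(self.client_id),
        }
        headers = {"kid": self.client_key_id}
        return encode(
            payload,
            # Keys pasted into env vars often carry escaped newlines.
            sub(r"\\n", "\n", self.client_private_key),
            algorithm="ES256",
            headers=headers,
        )  # type: ignore

    async def get_profile_info(
        self, auth_code_response: Dict[str, Any], user_context: Dict[str, Any]
    ) -> UserInfo:
        """Verify the id token from the token exchange and extract the user.

        Args:
            auth_code_response: Token endpoint response; must contain
                ``id_token``.
            user_context: Unused here.

        Returns:
            ``UserInfo`` with Apple's ``sub`` as the user id and the
            ``email`` / ``email_verified`` claims.

        Raises:
            Exception: If the id token fails verification or carries no
                email claim.
        """
        id_token = auth_code_response["id_token"]
        # Signature, issuer, audience and expiry are checked here against
        # Apple's public keys. The nonce is not checked in this method.
        await self._verify_apple_id_token(id_token)
        # Same string as just verified, so the signature need not be re-checked.
        payload: Union[None, Dict[str, Any]] = decode(
            jwt=id_token, options={"verify_signature": False}
        )
        if payload is None:
            raise Exception(
                "no user info found from user's id token received from apple"
            )
        if payload.get("email") is None:
            raise Exception(
                "no user info found from user's id token received from apple"
            )
        user_id = payload["sub"]
        email = payload["email"]
        is_email_verified = payload.get("email_verified", False)
        return UserInfo(user_id, UserInfoEmail(email, is_email_verified))

    def get_authorisation_redirect_api_info(
        self, user_context: Dict[str, Any]
    ) -> AuthorisationRedirectAPI:
        """Describe the redirect to Apple's authorisation endpoint.

        Configured ``authorisation_redirect`` entries are merged last and so
        override the defaults below. ``response_mode=form_post`` means Apple
        POSTs the result back rather than redirecting with a query string.
        """
        params = {
            "scope": " ".join(self.scopes),
            "response_type": "code",
            "response_mode": "form_post",
            "client_id": self.client_id,
            **self.authorisation_redirect_params,
        }
        return AuthorisationRedirectAPI(self.authorisation_redirect_url, params)

    def get_access_token_api_info(
        self,
        redirect_uri: str,
        auth_code_from_request: str,
        user_context: Dict[str, Any],
    ) -> AccessTokenAPI:
        """Describe the authorization-code exchange against Apple's token endpoint.

        Args:
            redirect_uri: The redirect URI used in the authorisation step.
            auth_code_from_request: Authorisation code Apple posted back.
            user_context: Unused here.
        """
        params = {
            "client_id": self.client_id,
            "client_secret": self.__get_client_secret(),
            "grant_type": "authorization_code",
            "code": auth_code_from_request,
            "redirect_uri": redirect_uri,
        }
        return AccessTokenAPI(self.access_token_api_url, params)

    def get_redirect_uri(self, user_context: Dict[str, Any]) -> Union[None, str]:
        """Return the backend URL Apple posts the authorisation result to.

        Built from the configured API domain and base path plus
        ``APPLE_REDIRECT_HANDLER``.
        """
        app_info = Supertokens.get_instance().app_info
        redirect_uri = app_info.api_domain.get_as_string_dangerous()
        redirect_uri += app_info.api_base_path.get_as_string_dangerous()
        redirect_uri += APPLE_REDIRECT_HANDLER
        return redirect_uri

    async def _fetch_apple_public_keys(self) -> List[RSAPublicKey]:
        """Return Apple's RSA public keys, refreshing the cache when needed.

        The cache is refreshed when it is empty or older than
        ``APPLE_KEY_CACHE_EXP`` seconds. On refresh the cached list is
        replaced, not extended, so keys Apple has rotated out stop being
        accepted and the list does not grow on every refresh.

        Raises:
            httpx.HTTPStatusError: If the JWKS endpoint returns an error status.
        """
        now = int(time())
        cache_stale = (self.apple_last_fetch + self.APPLE_KEY_CACHE_EXP) < now
        if cache_stale or not self.APPLE_PUBLIC_KEYS:
            async with AsyncClient() as client:
                response = await client.get(self.APPLE_PUBLIC_KEY_URL)  # type:ignore
                response.raise_for_status()
                key_payload = response.json()
            self.APPLE_PUBLIC_KEYS = [
                RSAAlgorithm.from_jwk(key)  # type: ignore
                for key in key_payload["keys"]
            ]
            self.apple_last_fetch = int(time())
        return self.APPLE_PUBLIC_KEYS

    async def _verify_apple_id_token(self, token: str) -> None:
        """Verify the id token's RS256 signature, issuer, audience and expiry.

        Each cached Apple key is tried in turn; the token is accepted on the
        first successful ``decode``. ``decode`` also enforces the ``exp``
        claim.

        Raises:
            Exception: The last error raised by ``decode`` when no key
                verifies the token, or a generic error if no keys are cached.
        """
        public_keys = await self._fetch_apple_public_keys()
        expected_audience = [
            get_actual_client_id_from_development_client_id(self.client_id)
        ]
        err: Exception = Exception("Id token verification failed")
        for key in public_keys:
            try:
                decode(
                    jwt=token,
                    key=key,
                    audience=expected_audience,
                    issuer=self.APPLE_ISSUER,
                    algorithms=["RS256"],
                )  # type: ignore
                return
            except Exception as e:
                err = e
        raise err

    def get_client_id(self, user_context: Dict[str, Any]) -> str:
        """Return the configured client id; ``user_context`` is unused."""
        return self.client_id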
Ancestors
- Provider
- abc.ABC
Methods
def get_access_token_api_info(self, redirect_uri: str, auth_code_from_request: str, user_context: Dict[str, Any]) ‑> AccessTokenAPI
def get_access_token_api_info(
    self,
    redirect_uri: str,
    auth_code_from_request: str,
    user_context: Dict[str, Any],
) -> AccessTokenAPI:
    """Describe the authorization-code exchange against Apple's token endpoint.

    Args:
        redirect_uri: The redirect URI used during the authorisation step.
        auth_code_from_request: Authorisation code Apple posted back.
        user_context: Unused here.

    Returns:
        ``AccessTokenAPI`` for ``access_token_api_url`` with the form fields
        Apple expects, including a freshly signed client secret.
    """
    client_secret = self.__get_client_secret()
    form_fields = dict(
        client_id=self.client_id,
        client_secret=client_secret,
        grant_type="authorization_code",
        code=auth_code_from_request,
        redirect_uri=redirect_uri,
    )
    return AccessTokenAPI(self.access_token_api_url, form_fields)
def get_authorisation_redirect_api_info(
    self, user_context: Dict[str, Any]
) -> AuthorisationRedirectAPI:
    """Describe the redirect to Apple's authorisation endpoint.

    The configured ``authorisation_redirect_params`` are applied after the
    defaults and therefore override them. ``user_context`` is unused.
    """
    query = {
        "scope": " ".join(self.scopes),
        "response_type": "code",
        "response_mode": "form_post",
        "client_id": self.client_id,
    }
    query.update(self.authorisation_redirect_params)
    return AuthorisationRedirectAPI(self.authorisation_redirect_url, query)
def get_client_id(self, user_context: Dict[str, Any]) ‑> str
def get_client_id(self, user_context: Dict[str, Any]) -> str:
    """Return the client id this provider was configured with.

    ``user_context`` is accepted for interface compatibility and ignored.
    """
    configured_id: str = self.client_id
    return configured_id
async def get_profile_info(self, auth_code_response: Dict[str, Any], user_context: Dict[str, Any]) ‑> UserInfo
async def get_profile_info(
    self, auth_code_response: Dict[str, Any], user_context: Dict[str, Any]
) -> UserInfo:
    """Verify the id token from the token exchange and extract the user.

    ``_verify_apple_id_token`` checks the signature against Apple's public
    keys together with the audience and expiry; the nonce is not checked in
    this method. The token is then decoded a second time without signature
    verification, which is safe because it is the same string just verified.

    Raises:
        Exception: If verification fails or the token has no email claim.
    """
    id_token = auth_code_response["id_token"]
    await self._verify_apple_id_token(id_token)
    claims: Union[None, Dict[str, Any]] = decode(
        jwt=id_token, options={"verify_signature": False}
    )
    missing_user_info = "no user info found from user's id token received from apple"
    if claims is None:
        raise Exception(missing_user_info)
    if claims.get("email") is None:
        raise Exception(missing_user_info)
    verified = claims.get("email_verified", False)
    return UserInfo(claims["sub"], UserInfoEmail(claims["email"], verified))
def get_redirect_uri(self, user_context: Dict[str, Any]) ‑> Optional[str]
def get_redirect_uri(self, user_context: Dict[str, Any]) -> Union[None, str]:
    """Return the backend URL Apple posts the authorisation result to.

    Assembled from the app's API domain, API base path and
    ``APPLE_REDIRECT_HANDLER``. ``user_context`` is unused.
    """
    app_info = Supertokens.get_instance().app_info
    segments = [
        app_info.api_domain.get_as_string_dangerous(),
        app_info.api_base_path.get_as_string_dangerous(),
        APPLE_REDIRECT_HANDLER,
    ]
    return "".join(segments)