| 
									
										
										
										
											2023-08-31 08:39:16 +02:00
										 |  |  | package apple | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | import ( | 
					
						
							|  |  |  | 	"crypto/x509" | 
					
						
							|  |  |  | 	"encoding/pem" | 
					
						
							|  |  |  | 	"time" | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2023-10-17 18:19:51 +03:00
										 |  |  | 	"github.com/go-jose/go-jose/v3" | 
					
						
							|  |  |  | 	"github.com/zitadel/oidc/v3/pkg/crypto" | 
					
						
							|  |  |  | 	openid "github.com/zitadel/oidc/v3/pkg/oidc" | 
					
						
							| 
									
										
										
										
											2023-08-31 08:39:16 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	"github.com/zitadel/zitadel/internal/idp" | 
					
						
							|  |  |  | 	"github.com/zitadel/zitadel/internal/idp/providers/oidc" | 
					
						
							|  |  |  | ) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | const ( | 
					
						
							|  |  |  | 	name   = "Apple" | 
					
						
							|  |  |  | 	issuer = "https://appleid.apple.com" | 
					
						
							|  |  |  | ) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | var _ idp.Provider = (*Provider)(nil) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // Provider is the [idp.Provider] implementation for Apple | 
					
						
							|  |  |  | type Provider struct { | 
					
						
							|  |  |  | 	*oidc.Provider | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func New(clientID, teamID, keyID, callbackURL string, key []byte, scopes []string, options ...oidc.ProviderOpts) (*Provider, error) { | 
					
						
							|  |  |  | 	secret, err := clientSecretFromPrivateKey(key, teamID, clientID, keyID) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return nil, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	options = append(options, oidc.WithResponseMode("form_post")) | 
					
						
							|  |  |  | 	rp, err := oidc.New(name, issuer, clientID, secret, callbackURL, scopes, oidc.DefaultMapper, options...) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return nil, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	return &Provider{ | 
					
						
							|  |  |  | 		Provider: rp, | 
					
						
							|  |  |  | 	}, nil | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // clientSecretFromPrivateKey uses the private key to create and sign a JWT, which has to be used as client_secret at Apple. | 
					
						
							|  |  |  | func clientSecretFromPrivateKey(key []byte, teamID, clientID, keyID string) (string, error) { | 
					
						
							|  |  |  | 	block, _ := pem.Decode(key) | 
					
						
							|  |  |  | 	b := block.Bytes | 
					
						
							|  |  |  | 	pk, err := x509.ParsePKCS8PrivateKey(b) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return "", err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	signingKey := jose.SigningKey{ | 
					
						
							|  |  |  | 		Algorithm: jose.ES256, | 
					
						
							|  |  |  | 		Key:       &jose.JSONWebKey{Key: pk, KeyID: keyID}, | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	signer, err := jose.NewSigner(signingKey, &jose.SignerOptions{}) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return "", err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	iat := time.Now() | 
					
						
							|  |  |  | 	exp := iat.Add(time.Hour) | 
					
						
							|  |  |  | 	return crypto.Sign(&openid.JWTTokenRequest{ | 
					
						
							|  |  |  | 		Issuer:    teamID, | 
					
						
							|  |  |  | 		Subject:   clientID, | 
					
						
							|  |  |  | 		Audience:  []string{issuer}, | 
					
						
							|  |  |  | 		ExpiresAt: openid.FromTime(exp), | 
					
						
							|  |  |  | 		IssuedAt:  openid.FromTime(iat), | 
					
						
							|  |  |  | 	}, signer) | 
					
						
							|  |  |  | } |