From 6ab06aa249e759b9939d3fadb6d0fcea71539fc8 Mon Sep 17 00:00:00 2001
From: Livio Spring
Date: Fri, 26 Apr 2024 17:46:15 +0200
Subject: [PATCH] fix: improve secret generation for apple idp (#7843)

* fix: improve secret generation for apple idp
* remove accidental commit
* change exp time
* change exp time
* change exp time
* change exp time
---
 cmd/setup/config.go | 2 --
 internal/api/ui/login/external_provider_handler.go | 4 ++++
 internal/idp/providers/apple/apple.go | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/cmd/setup/config.go b/cmd/setup/config.go
index 00ab64e2b9..f5547d21ca 100644
--- a/cmd/setup/config.go
+++ b/cmd/setup/config.go
@@ -18,7 +18,6 @@ import (
 "github.com/zitadel/zitadel/internal/command"
 "github.com/zitadel/zitadel/internal/config/hook"
 "github.com/zitadel/zitadel/internal/config/systemdefaults"
- "github.com/zitadel/zitadel/internal/crypto"
 "github.com/zitadel/zitadel/internal/database"
 "github.com/zitadel/zitadel/internal/eventstore"
 "github.com/zitadel/zitadel/internal/id"
@@ -70,7 +69,6 @@ func MustNewConfig(v *viper.Viper) *Config {
 hook.EnumHookFunc(authz.MemberTypeString),
 actions.HTTPConfigDecodeHook,
 hooks.MapTypeStringDecode[string, *authz.SystemAPIUser],
- hooks.MapTypeStringDecode[string, crypto.HasherConfig],
 hooks.SliceTypeStringDecode[authz.RoleMapping],
 )),
 )
diff --git a/internal/api/ui/login/external_provider_handler.go b/internal/api/ui/login/external_provider_handler.go
index 98c2dde6ff..3cd14c0a72 100644
--- a/internal/api/ui/login/external_provider_handler.go
+++ b/internal/api/ui/login/external_provider_handler.go
@@ -336,6 +336,10 @@ func (l *Login) handleExternalLoginCallback(w http.ResponseWriter, r *http.Reque
 user, err := session.FetchUser(r.Context())
 if err != nil {
+ logging.WithFields(
+ "instance", authz.GetInstance(r.Context()).InstanceID(),
+ "providerID", identityProvider.ID,
+ ).WithError(err).Info("external authentication failed")
 l.externalAuthFailed(w, r, authReq, tokens(session), user, err)
 return
 }
diff --git a/internal/idp/providers/apple/apple.go b/internal/idp/providers/apple/apple.go
index 65debed1a3..57023410d1 100644
--- a/internal/idp/providers/apple/apple.go
+++ b/internal/idp/providers/apple/apple.go
@@ -56,7 +56,7 @@ func clientSecretFromPrivateKey(key []byte, teamID, clientID, keyID string) (str
 if err != nil {
 return "", err
 }
- iat := time.Now()
+ iat := time.Now().Add(-2 * time.Second)
 exp := iat.Add(time.Hour)
 return crypto.Sign(&openid.JWTTokenRequest{
 Issuer: teamID,
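Review bot: The new log entry records the instance and provider but not the auth request being processed, so a failed callback cannot be correlated with the request the user saw fail; adding it as a further field, e.g. `"authRequestID", authReq.ID` if authReq exposes such an identifier, would make the entry usable in incident triage. The same `err` is then handed to `l.externalAuthFailed`, so confirm that path does not log it a second time, otherwise every failure produces two entries at different levels. Consider also whether an external authentication failure belongs at Info rather than Warn, since it is the signal that monitoring for IdP misconfiguration or abuse would key on. `handleExternalLoginCallback` starts before the hunk and continues after it.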
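Review bot: The `-2 * time.Second` on the new `iat` line is an unexplained magic number; the reason, presumably tolerating a small clock skew between this host and Apple so the secret is not rejected as issued in the future, should be stated, e.g. `// back-date iat slightly to tolerate clock skew with Apple's servers` or a named `const issuedAtSkew = 2 * time.Second`. Note that `exp` is derived from the back-dated `iat`, so the secret's validity also shrinks by two seconds; if a full hour from now was intended, derive `exp` from the current time instead. `clientSecretFromPrivateKey` begins before the hunk and continues after it.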