
Comments (11)

esellin commented on August 28, 2024 3

Hi all,

Here's what I am doing:

  1. I am using a WKWebView for sign-in/sign-up, so when the user clicks the "Sign In With Apple" button, it goes to users/auth/apple (the omniauth-apple plugin), which redirects to appleid.apple.com, which I deny.

  2. At that point, I grab the state and nonce from the URL and build an ASAuthorizationAppleIDProvider request using the native SDK.

  3. Once that succeeds, it gives me an authorization code which I can then pass on to users/auth/apple/callback in my webview, together with the state, and that logs me in successfully.

Please note you need to use your app ID as client ID in the omniauth-apple config!

Best,
Eric

from omniauth-apple.

btalbot commented on August 28, 2024

I also had to insert the following into libomniauth/strategies/apple.rb :

This skips all effective authentication and allows anyone in possession of a valid id_token to log in to your site as that account. Id tokens are not secret and are only signed to prove validity and detect tampering.

Without the one-time-use code it's not possible for the app-server running omniauth to validate the id_token provided in the callback.

https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/verifying_a_user

dvkch commented on August 28, 2024

Indeed, I had not seen the information, thanks for correcting me.

How would you go about handling this case then?
I tried sending the `code` alongside the `id_token` but this didn't work. I often encountered an `invalid_grant` or `invalid_request` in all my trials and errors.

An important point to note: the iOS app provides a `state` parameter, user data and `id_token` but that's about it. State and user data seem to be null after first connection.

Another point: the iOS app provides its App ID as a client id, and I have not been able to access a matching secret PEM key, which seems to be required to transform the code into an access token?

I’m available to try multiple scenarios but I have to say I’m a bit lost on where to go from here.

yamarkz commented on August 28, 2024

@btalbot
Is there an effective way to make this work? I was able to work it the way he (@dvkch) suggested.

yamarkz commented on August 28, 2024

It seems to be correct to use authorization code. Resolved.

dvkch commented on August 28, 2024

@yamarkz Have you been able to use the authorization code given by an iOS device? If so, what configuration did you use (key_id, pem, etc.)?

vitalinfo commented on August 28, 2024

Does anybody have any progress with this?

donaldpiret commented on August 28, 2024

I was able to get this to work with a flutter app using the native flow.
The primary app ID is configured with the service ID for the web-based authentication.
The native app bundle ID is passed to authorized_client_ids.
When creating a call to the callback endpoint, you need to ensure that the id_token and code are both passed as received from the original SDK response.

from omniauth-apple.
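
Added example, not from the thread or from omniauth-apple's source: a sketch of the id_token checks the comments above depend on (signature, issuer, an audience allow-list that names the native bundle ID next to the web service ID, expiry, nonce). The key, client IDs and nonce are constructed stand-ins, with a local RSA key in place of Apple's published signing keys; the server still has to redeem the `code`, as noted earlier in the thread.

```ruby
require "openssl"
require "json"

APPLE_ISSUER = "https://appleid.apple.com"

def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  (str.tr("-_", "+/") + "=" * ((4 - str.length % 4) % 4)).unpack1("m")
end

# Demo helper: mint an RS256 JWT with a local key standing in for Apple's signing key.
def sign_token(claims, key)
  input = "#{b64url(JSON.generate({ alg: "RS256" }))}.#{b64url(JSON.generate(claims))}"
  "#{input}.#{b64url(key.sign(OpenSSL::Digest.new("SHA256"), input))}"
end

# Returns the claims, or raises ArgumentError naming the first failed check.
def verify_id_token(token, public_key:, allowed_audiences:, expected_nonce:, now: Time.now.to_i)
  head, body, sig = token.to_s.split(".")
  raise ArgumentError, "malformed token" unless sig
  raise ArgumentError, "unexpected alg" unless JSON.parse(b64url_decode(head))["alg"] == "RS256"
  unless public_key.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(sig), "#{head}.#{body}")
    raise ArgumentError, "bad signature"
  end
  claims = JSON.parse(b64url_decode(body))
  raise ArgumentError, "wrong issuer" unless claims["iss"] == APPLE_ISSUER
  # A token minted by the native SDK carries the app's bundle ID as aud, so the
  # allow-list must name it explicitly next to the web service ID.
  raise ArgumentError, "audience not authorized" unless allowed_audiences.include?(claims["aud"])
  raise ArgumentError, "expired" unless claims["exp"].to_i > now
  raise ArgumentError, "nonce mismatch" unless claims["nonce"] == expected_nonce
  claims
end

def outcome(token, **opts)
  verify_id_token(token, **opts)
  "ok"
rescue ArgumentError, JSON::ParserError => e
  e.message
end

key = OpenSSL::PKey::RSA.new(2048) # constructed sample values below, not real identifiers
claims = { "iss" => APPLE_ISSUER, "aud" => "com.example.app", "exp" => Time.now.to_i + 300, "nonce" => "n-1" }
opts = { public_key: key.public_key, allowed_audiences: %w[com.example.web com.example.app], expected_nonce: "n-1" }
puts outcome(sign_token(claims, key), **opts)                                 # ok
puts outcome(sign_token(claims.merge("aud" => "com.other.app"), key), **opts) # audience not authorized
```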

nov commented on August 28, 2024

I guess no issues anymore?

edemagbenyo commented on August 28, 2024

Hi @donaldpiret @dvkch,
I am facing the same challenge and would like to ask you how you were able to resolve it.

So far I have:

  • added my bundle id to the list of authorized clients in devise.rb: com.myapp.app
  • Send the identityToken as id_token and authorizationCode as code to the backend as a POST request. 
    I keep getting the error `(apple) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected` whenever the request is sent.

Any help would be appreciated.
