litentry · silva-fj · Oct 20, 2025 · Oct 15, 2025 · Oct 15, 2025 · Oct 15, 2025
diff --git a/parachain/primitives/src/identity.rs b/parachain/primitives/src/identity.rs
@@ -335,6 +335,9 @@ pub enum Identity {
 
 	#[codec(index = 10)]
 	Passkey(IdentityString),
+
+	#[codec(index = 11)]
+	Apple(IdentityString),
 }
 
 impl Identity {
@@ -348,6 +351,7 @@ impl Identity {
 				| Self::Google(..)
 				| Self::Pumpx(..)
 				| Self::Passkey(..)
+				| Self::Apple(..)
 		)
 	}
 
@@ -383,7 +387,8 @@ impl Identity {
 			| Identity::Email(_)
 			| Identity::Google(_)
 			| Identity::Pumpx(_)
-			| Identity::Passkey(_) => Vec::new(),
+			| Identity::Passkey(_)
+			| Identity::Apple(_) => Vec::new(),
 		}
 	}
 
@@ -402,7 +407,8 @@ impl Identity {
 			| Identity::Email(_)
 			| Identity::Google(_)
 			| Identity::Pumpx(_)
-			| Identity::Passkey(_) => networks.is_empty(),
+			| Identity::Passkey(_)
+			| Identity::Apple(_) => networks.is_empty(),
 		}
 	}
 
@@ -425,6 +431,7 @@ impl Identity {
 			| Identity::Github(_)
 			| Identity::Email(_)
 			| Identity::Google(_)
+			| Identity::Apple(_)
 			| Identity::Pumpx(_)
 			| Identity::Passkey(_) => None,
 		}
@@ -484,6 +491,10 @@ impl Identity {
 				hasher.update(b"google");
 				hasher.update(String::from_utf8(handle.inner.to_vec()).unwrap_or_default());
 			},
+			Identity::Apple(handle) => {
+				hasher.update(b"apple");
+				hasher.update(String::from_utf8(handle.inner.to_vec()).unwrap_or_default());
+			},
 			Identity::Pumpx(handle) => {
 				// TODO: this type will be removed.
 				hasher.update(b"pumpx");
@@ -592,6 +603,11 @@ impl Identity {
 					str::from_utf8(handle.inner_ref())
 						.map_err(|_| "google handle conversion error")?
 				),
+				Identity::Apple(handle) => format!(
+					"apple:{}",
+					str::from_utf8(handle.inner_ref())
+						.map_err(|_| "apple handle conversion error")?
+				),
 				Identity::Pumpx(handle) => format!(
 					"pumpx:{}",
 					str::from_utf8(handle.inner_ref())
@@ -627,6 +643,9 @@ impl Identity {
 			Web2IdentityType::Google => {
 				Identity::Google(IdentityString::new(handle.as_bytes().to_vec()))
 			},
+			Web2IdentityType::Apple => {
+				Identity::Apple(IdentityString::new(handle.as_bytes().to_vec()))
+			},
 			Web2IdentityType::Pumpx => {
 				Identity::Pumpx(IdentityString::new(handle.as_bytes().to_vec()))
 			},
@@ -641,6 +660,7 @@ pub enum Web2IdentityType {
 	Github,
 	Email,
 	Google,
+	Apple,
 	Pumpx,
 }
 
@@ -720,6 +740,7 @@ mod tests {
 					Identity::Bitcoin(..) => false,
 					Identity::Solana(..) => false,
 					Identity::Google(..) => true,
+					Identity::Apple(..) => true,
 					Identity::Pumpx(..) => true,
 					Identity::Passkey(..) => true,
 				}
@@ -742,6 +763,7 @@ mod tests {
 					Identity::Bitcoin(..) => true,
 					Identity::Solana(..) => true,
 					Identity::Google(..) => false,
+					Identity::Apple(..) => false,
 					Identity::Pumpx(..) => false,
 					Identity::Passkey(..) => false,
 				}
@@ -764,6 +786,7 @@ mod tests {
 					Identity::Bitcoin(..) => false,
 					Identity::Solana(..) => false,
 					Identity::Google(..) => false,
+					Identity::Apple(..) => false,
 					Identity::Pumpx(..) => false,
 					Identity::Passkey(..) => false,
 				}
@@ -786,6 +809,7 @@ mod tests {
 					Identity::Bitcoin(..) => false,
 					Identity::Solana(..) => false,
 					Identity::Google(..) => false,
+					Identity::Apple(..) => false,
 					Identity::Pumpx(..) => false,
 					Identity::Passkey(..) => false,
 				}
@@ -808,6 +832,7 @@ mod tests {
 					Identity::Bitcoin(..) => true,
 					Identity::Solana(..) => false,
 					Identity::Google(..) => false,
+					Identity::Apple(..) => false,
 					Identity::Pumpx(..) => false,
 					Identity::Passkey(..) => false,
 				}
@@ -830,6 +855,7 @@ mod tests {
 					Identity::Bitcoin(..) => false,
 					Identity::Solana(..) => true,
 					Identity::Google(..) => false,
+					Identity::Apple(..) => false,
 					Identity::Pumpx(..) => false,
 					Identity::Passkey(..) => false,
 				}

diff --git a/tee-worker/identity/litentry/core/evm-dynamic-assertions/src/lib.rs b/tee-worker/identity/litentry/core/evm-dynamic-assertions/src/lib.rs
@@ -207,6 +207,7 @@ pub fn identity_with_networks_to_token(identity: &IdentityNetworkTuple) -> Token
 		Identity::Google(str) => (8, str.inner_ref().to_vec()),
 		Identity::Pumpx(str) => (9, str.inner_ref().to_vec()),
 		Identity::Passkey(str) => (10, str.inner_ref().to_vec()),
+		Identity::Apple(str) => (11, str.inner_ref().to_vec()),
 	};
 	let networks: Vec<Token> = identity.1.iter().map(network_to_token).collect();
 	Token::Tuple(vec![Token::Uint(type_index.into()), Token::Bytes(value), Token::Array(networks)])

diff --git a/tee-worker/identity/litentry/core/native-task/receiver/src/authentication_utils.rs b/tee-worker/identity/litentry/core/native-task/receiver/src/authentication_utils.rs
@@ -14,6 +14,7 @@ use sp_core::{blake2_256, crypto::AccountId32 as AccountId, H256};
 #[derive(Encode, Decode, Clone, Debug, PartialEq, Eq)]
 pub enum OAuth2Provider {
 	Google,
+	Apple,
 }
 
 #[derive(Encode, Decode, Clone, Debug, PartialEq, Eq)]
@@ -100,6 +101,9 @@ pub fn verify_tca_oauth2_authentication(
 		OAuth2Provider::Google => {
 			verify_google_oauth2(data_providers_config, sender_identity_hash, omni_account, payload)
 		},
+		OAuth2Provider::Apple => Err(AuthenticationError::OAuth2Error(String::from(
+			"Apple OAuth2 not yet supported in identity worker",
+		))),
 	}
 }
 

diff --git a/tee-worker/identity/service/src/prometheus_metrics.rs b/tee-worker/identity/service/src/prometheus_metrics.rs
@@ -300,6 +300,7 @@ fn handle_stf_call_request(req: RequestType, time: f64) {
 			Identity::Bitcoin(_) => "Bitcoin".into(),
 			Identity::Solana(_) => "Solana".into(),
 			Identity::Google(_) => "Google".into(),
+			Identity::Apple(_) => "Apple".into(),
 			Identity::Pumpx(_) => "Pumpx".into(),
 			Identity::Passkey(_) => "Passkey".into(),
 		},

diff --git a/tee-worker/omni-executor/config-loader/src/config.rs b/tee-worker/omni-executor/config-loader/src/config.rs
@@ -85,15 +85,15 @@ impl Default for MailerConfig {
 }
 
 #[derive(Debug, Clone)]
-pub struct GoogleOAuth2Config {
+pub struct OAuth2Config {
 	pub client_id: String,
 	pub client_secret: String,
 }
 
 #[derive(Debug, Clone)]
 pub struct ConfigLoader {
 	pub mailer_configs: HashMap<String, MailerConfig>,
-	pub google_oauth2_configs: HashMap<String, GoogleOAuth2Config>,
+	pub oauth2_configs: HashMap<String, HashMap<String, OAuth2Config>>, // client -> provider -> config
 	pub ethereum_url: String,
 	pub solana_url: String,
 	pub bsc_url: String,
@@ -335,11 +335,11 @@ impl ConfigLoader {
 		let get_opt = |key: &str| get_env_value(&vars[key]);
 
 		let mailer_configs = Self::load_mailer_configs();
-		let google_oauth2_configs = Self::load_google_oauth2_configs();
+		let oauth2_configs = Self::load_oauth2_configs();
 
 		ConfigLoader {
 			mailer_configs,
-			google_oauth2_configs,
+			oauth2_configs,
 			ethereum_url: append_key(&get("ethereum_url")),
 			solana_url: append_key(&get("solana_url")),
 			bsc_url: append_key(&get("bsc_url")),
@@ -452,62 +452,82 @@ impl ConfigLoader {
 		clients
 	}
 
-	/// Load Google OAuth2 configurations for multiple clients from environment variables
-	/// Format: OE_GOOGLE_CLIENT_ID_{CLIENT}, OE_GOOGLE_CLIENT_SECRET_{CLIENT}
+	/// Load OAuth2 configurations for all supported providers from environment variables
+	/// Format: OE_{PROVIDER}_CLIENT_ID_{CLIENT}, OE_{PROVIDER}_CLIENT_SECRET_{CLIENT}
+	/// PROVIDER can be GOOGLE, APPLE, etc.
 	/// CLIENT can be WILDMETA, HEIMA, etc.
-	fn load_google_oauth2_configs() -> HashMap<String, GoogleOAuth2Config> {
-		let mut configs = HashMap::new();
-
-		let env_vars: HashMap<String, String> = std::env::vars().collect();
-
-		let mut clients = std::collections::HashSet::new();
-		for key in env_vars.keys() {
-			if key.starts_with("OE_GOOGLE_CLIENT_ID_") {
-				if let Some(client) = key.strip_prefix("OE_GOOGLE_CLIENT_ID_") {
-					info!("Found Google OAuth2 configuration for client: {}", client);
-					clients.insert(client.to_lowercase());
+	fn load_oauth2_configs() -> HashMap<String, HashMap<String, OAuth2Config>> {
+		let providers = vec!["GOOGLE", "APPLE"];
+		let mut all_configs: HashMap<String, HashMap<String, OAuth2Config>> = HashMap::new();
+
+		for provider in providers {
+			let provider_lower = provider.to_lowercase();
+			let prefix = format!("OE_{}_CLIENT_ID_", provider);
+
+			let env_vars: HashMap<String, String> = std::env::vars().collect();
+			let mut clients = std::collections::HashSet::new();
+
+			for key in env_vars.keys() {
+				if key.starts_with(&prefix) {
+					if let Some(client) = key.strip_prefix(&prefix) {
+						info!(
+							"Found {} OAuth2 configuration for client: {}",
+							provider_lower, client
+						);
+						clients.insert(client.to_lowercase());
+					}
 				}
 			}
-		}
 
-		info!("Total discovered Google OAuth2 clients: {:?}", clients);
+			info!("Total discovered {} OAuth2 clients: {:?}", provider_lower, clients);
 
-		if clients.is_empty() {
-			warn!("No Google OAuth2 configurations found in environment variables.");
-			return configs;
-		}
-
-		for client in clients {
-			let client_upper = client.to_uppercase();
-
-			let client_id =
-				std::env::var(format!("OE_GOOGLE_CLIENT_ID_{}", client_upper)).unwrap_or_default();
-			let client_secret = std::env::var(format!("OE_GOOGLE_CLIENT_SECRET_{}", client_upper))
-				.unwrap_or_default();
-
-			if client_id.is_empty() || client_secret.is_empty() {
+			if clients.is_empty() {
 				warn!(
-					"Incomplete Google OAuth2 config for client '{}': client_id_empty={}, client_secret_empty={}",
-					client,
-					client_id.is_empty(),
-					client_secret.is_empty()
+					"No {} OAuth2 configurations found in environment variables.",
+					provider_lower
 				);
 				continue;
 			}
 
-			let config = GoogleOAuth2Config { client_id, client_secret };
+			for client in clients {
+				let client_upper = client.to_uppercase();
+
+				let client_id =
+					std::env::var(format!("OE_{}_CLIENT_ID_{}", provider, client_upper))
+						.unwrap_or_default();
+				let client_secret =
+					std::env::var(format!("OE_{}_CLIENT_SECRET_{}", provider, client_upper))
+						.unwrap_or_default();
+
+				if client_id.is_empty() || client_secret.is_empty() {
+					warn!(
+						"Incomplete {} OAuth2 config for client '{}': client_id_empty={}, client_secret_empty={}",
+						provider_lower,
+						client,
+						client_id.is_empty(),
+						client_secret.is_empty()
+					);
+					continue;
+				}
 
-			info!("Loaded Google OAuth2 config for client '{}'", client);
+				let config = OAuth2Config { client_id, client_secret };
 
-			configs.insert(client.clone(), config);
+				info!("Loaded {} OAuth2 config for client '{}'", provider_lower, client);
+
+				all_configs
+					.entry(client.clone())
+					.or_default()
+					.insert(provider_lower.clone(), config);
+			}
 		}
 
-		configs
+		all_configs
 	}
 
-	/// Get Google OAuth2 configuration for a specific client
-	pub fn get_google_oauth2_config(&self, client_id: &str) -> Option<GoogleOAuth2Config> {
+	/// Get OAuth2 configuration for a specific client and provider
+	pub fn get_oauth2_config(&self, client_id: &str, provider: &str) -> Option<OAuth2Config> {
 		let client_key = client_id.to_lowercase();
-		self.google_oauth2_configs.get(&client_key).cloned()
+		let provider_key = provider.to_lowercase();
+		self.oauth2_configs.get(&client_key)?.get(&provider_key).cloned()
 	}
 }
diff --git a/tee-worker/omni-executor/config-loader/src/lib.rs b/tee-worker/omni-executor/config-loader/src/lib.rs
@@ -1,3 +1,3 @@
 mod config;
 
-pub use config::{ConfigLoader, GoogleOAuth2Config, MailerConfig, MailerType};
+pub use config::{ConfigLoader, MailerConfig, MailerType, OAuth2Config};