This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
💣 Improve mechanism for generating SSO client secrets for Apple login #9220
Assignees
Labels
A-Social Login
Login via external identity providers
T-Enhancement
New features, changes in functionality, improvements in performance, or user-facing enhancements.
Comments
anoadragon453
added
the
T-Enhancement
|
this currently works, but only by hardcoding a token in the config, which has a maximum lifetime of 6 months. (ie, this is a timebomb and will stop working in a few months). |
|
Secrets can be created with the following hacky python: import argparse
import sys
import time
from authlib.jose import jwt
parser = argparse.ArgumentParser(description="Generate Apple client secret")
parser.add_argument("key", nargs="?", type=argparse.FileType("r",), default=sys.stdin)
args = parser.parse_args()
key = args.key.read()
# settings from the apple developer setup thingy
KEY_ID = "10CHARKEYID"
TEAM_ID = "10CHARTEAMID"
SERVICE_ID = "org.matrix.synapse.sso.service"
issued_at = int(time.time())
expires_at = issued_at + 180 * 24 * 3600
header = {"alg": "ES256", "kid": KEY_ID}
payload = {
"iss": TEAM_ID,
"iat": issued_at,
"exp": expires_at,
"aud": "https://appleid.apple.com",
"sub": SERVICE_ID,
}
print(jwt.encode(header, payload, key).decode("ascii")) |
|
est 1d |
richvdh
changed the title
richvdh
changed the title
richvdh
changed the title
richvdh
added a commit
that referenced
this issue
Mar 9, 2021
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
"Sign in with Apple ID" requires an oidc client secret which is an encoded JSON Web Token (https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens#3262048). It would be good to add support for calculating such secrets.
The text was updated successfully, but these errors were encountered: