Apple OAuth2 strategy for Überauth.
Because of how Überauth handles CSRF - it gets turned off in this plugin and handled manually via cookies. This handles the problem that the current system is looking in the url for state data and since Apple uses a POST - it isn't where it is expects.
Second - if you are using Phoenix - you may need to turn off CSRF checking of the POST callback since the client doesn't know how to provide this information. You can pull the csrf part out of the browser pipeline and then do the following:
pipeline :browser_with_no_csrf do
#Copy your browser plugin and comment out the following line
# plug :protect_from_forgery
endThen you can scope the issue to just the POST callbacks.
scope "/auth" do
pipe_through :browser_no_csrf
post "/:provider/callback", AuthController, :callback
end-
Setup your application at Apple Developer Console.
-
Add
:ueberauth_appleto your list of dependencies inmix.exs:def deps do [{:ueberauth_apple, "~> 0.4"}] end
-
Add the strategy to your applications:
def application do [applications: [:ueberauth_apple]] end
-
Add Apple to your Überauth configuration:
config :ueberauth, Ueberauth, providers: [ apple: {Ueberauth.Strategy.Apple, []} ]
-
Update your provider configuration:
Option 1 - Generate secret manually:
If you don't have the client secret, generate the client secret:
UeberauthApple.generate_client_secret(%{ client_id: "com.example.service", key_id: "10digitkey", team_id: "teamid", private_key: "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----" })
Use that if you want to read client ID/secret from the environment variables in the compile time:
config :ueberauth, Ueberauth.Strategy.Apple.OAuth, client_id: System.get_env("APPLE_CLIENT_ID"), client_secret: System.get_env("APPLE_CLIENT_SECRET")
Option 2 - Generate secret programmatically:
config :ueberauth, Ueberauth.Strategy.Apple.OAuth, client_id: System.get_env("APPLE_CLIENT_ID"), client_secret: {YourApp.SomeModule, :secret_function}
And implement the function to generate the secret, once you generate the secret, store it in Redis so the secret does not generate every time.
function secret_function(ueberauth_config) do secret = get_secret_from_redis() if secret do secret else secret = UeberauthApple.generate_client_secret(%{ client_id: opts[:client_id], key_id: Application.get_env(:naboo, Naboo.Auth.Apple)[:key_id], team_id: Application.get_env(:naboo, Naboo.Auth.Apple)[:team_id], private_key: Application.get_env(:naboo, Naboo.Auth.Apple)[:private_key] }) set_secret_to_redis(secret) secret end end
-
Include the Überauth plug in your controller:
defmodule MyApp.AuthController do use MyApp.Web, :controller plug Ueberauth ... end
-
Create the request and callback routes if you haven't already:
scope "/auth", MyApp do pipe_through :browser get "/:provider", AuthController, :request get "/:provider/callback", AuthController, :callback end
-
Your controller needs to implement callbacks to deal with
Ueberauth.AuthandUeberauth.Failureresponses.
For an example implementation see the Überauth Example application.
Since Apple only supports form post, you need to create a Sign-in button:
<html>
<head>
</head>
<body>
<script type="text/javascript" src="https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js"></script>
<div id="appleid-signin" data-color="black" data-border="true" data-type="sign in"></div>
<script type="text/javascript">
AppleID.auth.init({
clientId : '<%= Application.get_env(:ueberauth, Ueberauth.Strategy.Apple.OAuth)[:client_id] %>',
scope : 'email name',
redirectURI : '<%= Routes.auth_url(@conn, :callback, "apple") %>',
state : '[STATE]',
usePopup : true //or false defaults to false
});
</script>
</body>
</html>Scope can be configured either explicitly as a scope query value on the request path or in your configuration:
config :ueberauth, Ueberauth,
providers: [
apple: {Ueberauth.Strategy.Apple, [default_scope: "name email", callback_methods: ["POST"]]}
]To guard against client-side request modification, it's important to still check the domain in info.urls[:website] within the Ueberauth.Auth struct if you want to limit sign-in to a specific domain.
Please see LICENSE for licensing details.