16 changes: 12 additions & 4 deletions crates/cli/src/sync.rs
Expand Up @@ -189,10 +189,18 @@ pub async fn config_sync(
let encrypted_client_secret =
if let Some(client_secret) = provider.client_secret.as_deref() {
Some(encrypter.encrypt_to_string(client_secret.as_bytes())?)
} else if let Some(siwa) = provider.sign_in_with_apple.as_ref() {
// For SIWA, we JSON-encode the config and encrypt it, reusing the client_secret
// field in the database
let encoded = serde_json::to_vec(siwa)?;
} else if let Some(mut siwa) = provider.sign_in_with_apple.clone() {
// if private key file is defined and not private key (raw), we populate the
// private key to hold the content of the private key file.
// private key (raw) takes precedence so both can be defined
// without issues
if siwa.private_key.is_none() {
if let Some(private_key_file) = siwa.private_key_file.take() {
let key = tokio::fs::read_to_string(private_key_file).await?;
siwa.private_key = Some(key);
}
}
let encoded = serde_json::to_vec(&siwa)?;
Comment on lines +192 to +203
This does mean that it's possible to end up in the database with no private key if none are set. But I'm fine with that, SiWA is sufficiently niche anyway :)

Some(encrypter.encrypt_to_string(&encoded)?)
} else {
None
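Review bot: The new read `let key = tokio::fs::read_to_string(private_key_file).await?;` propagates a bare I/O error, so a missing or unreadable key file is reported without the path that was tried, and because `take()` has already moved the path out of `siwa` there is nothing left to report after the failure. Bind the path before reading and attach it to the error, e.g. `let key = tokio::fs::read_to_string(&private_key_file).await.with_context(|| format!("failed to read sign-in-with-apple private key file {private_key_file}"))?;` if an anyhow-style context method is in scope in this crate, or map the error to include the path otherwise. A relative `private_key_file` is also resolved against the process working directory at sync time rather than the config file's location, which is worth a one-line comment here since the file contents are what end up encrypted in the database. `config_sync` starts and ends outside this hunk.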
9 changes: 8 additions & 1 deletion crates/config/src/sections/upstream_oauth2.rs
Expand Up @@ -6,6 +6,7 @@

use std::collections::BTreeMap;

use camino::Utf8PathBuf;
use mas_iana::jose::JsonWebSignatureAlg;
use schemars::JsonSchema;
use serde::{Deserialize, Serialize, de::Error};
Expand Down Expand Up @@ -383,8 +384,14 @@ fn signed_response_alg_default() -> JsonWebSignatureAlg {

#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
pub struct SignInWithApple {
/// The private key file used to sign the `id_token`
#[serde(skip_serializing_if = "Option::is_none")]
#[schemars(with = "Option<String>")]
pub private_key_file: Option<Utf8PathBuf>,

/// The private key used to sign the `id_token`
pub private_key: String,
#[serde(skip_serializing_if = "Option::is_none")]
pub private_key: Option<String>,

/// The Team ID of the Apple Developer Portal
pub team_id: String,
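Review bot: The doc comment on the new `private_key_file` field says only "The private key file used to sign the `id_token`", which leaves a config author unaware of how it interacts with the now-optional `private_key`; the precedence and the file read live in the CLI sync code, which a reader of this struct never sees. Suggest `/// Path to a PEM-encoded private key file used to sign the id_token. Read when the configuration is synced; ignored if private_key is set.` for `private_key_file`, and appending `Takes precedence over private_key_file.` to the `private_key` doc comment. The struct body continues outside the hunk.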
5 changes: 4 additions & 1 deletion docs/config.schema.json
Expand Up @@ -2158,10 +2158,13 @@
"type": "object",
"required": [
"key_id",
"private_key",
"team_id"
],
"properties": {
"private_key_file": {
"description": "The private key file used to sign the `id_token`",
"type": "string"
},
"private_key": {
"description": "The private key used to sign the `id_token`",
"type": "string"
19 changes: 12 additions & 7 deletions docs/setup/sso.md
Expand Up @@ -84,18 +84,23 @@ Sign-in with Apple uses special non-standard for authenticating clients, which r
```yaml
upstream_oauth2:
providers:
- client_id: 01JAYS74TCG3BTWKADN5Q4518C
client_name: "<Service ID>" # TO BE FILLED
- id: 01JAYS74TCG3BTWKADN5Q4518C
issuer: "https://appleid.apple.com"
human_name: "Apple"
brand_name: "apple"
client_id: "<Service ID>" # TO BE FILLED
scope: "openid name email"
response_mode: "form_post"

token_endpoint_auth_method: "sign_in_with_apple"
sign_in_with_apple:
private_key: |
# Content of the PEM-encoded private key file, TO BE FILLED

# Only one of the below should be filled for the private key
private_key_file: "<Location of the PEM-encoded private key file>" # TO BE FILLED
private_key: | # TO BE FILLED
# <Contents of the private key>

team_id: "<Team ID>" # TO BE FILLED
key_id: "<Key ID>" # TO BE FILLED

claims_imports:
localpart:
action: ignore
Expand Down Expand Up @@ -549,4 +554,4 @@ To use a Rauthy-supported [Ephemeral Client](https://sebadob.github.io/rauthy/wo
"access_token_signed_response_alg": "RS256",
"id_token_signed_response_alg": "RS256"
}
```
```