This is a sample application that implements a Sign in with Apple (SIWA) backend using Ruby on Rails.

| | version |
|---|---|
| Ruby | 2.6.3 |
```sh
$ bundle install --path vendor/bundle
$ cp .env/sample .env
```

For how to obtain the values for the environment variables, the following blog post might be useful.

https://medium.com/identity-beyond-borders/how-to-configure-sign-in-with-apple-77c61e336003

```sh
$ bundle exec rails s
```

The server exposes a single endpoint, `POST /auth/apple`, which accepts the following JSON parameters.
| params | type | required? | explanation | sample |
|---|---|---|---|---|
| name | String | false | the end user's name (Apple only delivers it to the client on the first authorization) | "y4m4p" |
| authorization_code | String | true | authorization code exchanged with Apple for the end user's `id_token`; single-use and valid for five minutes | "xxxx.0.yyyy.zzzz" |
| id_token | String | true | the `id_token` (a JWT) the client app received from Apple | "aaa.bbb.ccc" |
```sh
$ curl -X POST -H "Content-Type:application/json" \
  -d '{"name": "y4m4p", "authorization_code": "xxxx.0.yyyy.zzzz", "id_token": "aaa.bbb.ccc"}' \
  http://localhost:3000/auth/apple
=> decoded id_token
```

The core processing for SIWA is written in the following file.
app/services/apple/sign_in_with_apple_service.rb
This file processes the `authorization_code` and the `id_token` (from the client app) in the following order.

- Verify that the hash of the `authorization_code` equals the `c_hash` claim of the decoded `id_token` (from the client app). This check is specified in https://openid.net/specs/openid-connect-core-1_0.html#CodeValidation: for a token signed with RS256, `c_hash` is the base64url encoding of the left-most 128 bits of the SHA-256 hash of the code. It binds the code to the token, so a leaked or replayed `id_token` cannot be paired with an arbitrary code.
- Request the end user's `id_token` directly from Apple by sending the `authorization_code` to https://appleid.apple.com/auth/token together with the `client_secret`. The `client_secret` is not a static string but a JWT (ES256) signed with the private key issued in the Apple developer portal.
- Retrieve Apple's public keys (the JWK set at https://appleid.apple.com/auth/keys). They are used to verify the signature of the `id_token` (from Apple) obtained in step 2; an `id_token` is signed, not encrypted, so signature verification, not decryption, is the step that matters. The key is selected by the `kid` in the token header.
- Verify the claims of the `id_token` (from the client app) against the `id_token` (from Apple). If any value is incorrect or missing, the request should be rejected. If all values are correct, return the decoded `id_token` (from the client app).
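The four steps above, as an added example that is not code from this repository or from `sign_in_with_apple_service.rb`: a stand-alone Ruby script using only the standard library's `openssl`, `base64` and `json`. It assumes hypothetical `CLIENT_ID`, `TEAM_ID` and `KEY_ID` values, simulates Apple with a locally generated RSA key and JWK set, and replaces the HTTPS call to `https://appleid.apple.com/auth/token` with a lambda; the helper names (`verify_id_token`, `c_hash_for`, `cross_check`, `authenticate`, `client_secret`) are this example's own.

```ruby
require "openssl"
require "base64"
require "json"

# Stand-ins for the values the README reads from .env (assumed, not real identifiers).
CLIENT_ID = "com.example.siwa-sample" # bundle ID / Services ID; must equal the id_token's aud
TEAM_ID   = "ABCDE12345"
KEY_ID    = "XYZ9876543"              # kid of the ES256 signing key from the developer portal
APPLE_ISS = "https://appleid.apple.com"

def b64url(bin)
  Base64.urlsafe_encode64(bin, padding: false)
end

# JWS ES256 signatures are raw r||s (64 bytes); OpenSSL emits DER, so convert.
def der_to_raw_es256(der)
  r, s = OpenSSL::ASN1.decode(der).value.map { |i| i.value.to_s(2).rjust(32, "\0") }
  r + s
end

# Minimal JWS encoder: RS256 for the (simulated) Apple id_token, ES256 for the client_secret.
def jwt_encode(header, payload, key)
  input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  sig = key.sign(OpenSSL::Digest.new("SHA256"), input)
  sig = der_to_raw_es256(sig) if header["alg"] == "ES256"
  "#{input}.#{b64url(sig)}"
end

# The client_secret sent to https://appleid.apple.com/auth/token is itself a JWT:
# iss = Team ID, sub = client_id, aud = Apple, signed ES256 with the portal-issued key.
def client_secret(ec_key, now = Time.now.to_i)
  jwt_encode({ "alg" => "ES256", "kid" => KEY_ID },
             { "iss" => TEAM_ID, "iat" => now, "exp" => now + 300, "aud" => APPLE_ISS, "sub" => CLIENT_ID },
             ec_key)
end

# Apple publishes its signing keys as a JWK set; rebuild the RSA public key from n and e.
def rsa_jwk(kid, rsa)
  { "kty" => "RSA", "kid" => kid, "use" => "sig", "alg" => "RS256",
    "n" => b64url(rsa.n.to_s(2)), "e" => b64url(rsa.e.to_s(2)) }
end

def rsa_from_jwk(jwk)
  n, e = %w[n e].map { |k| OpenSSL::ASN1::Integer(OpenSSL::BN.new(Base64.urlsafe_decode64(jwk[k]), 2)) }
  OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence([n, e]).to_der) # PKCS#1 RSAPublicKey DER
end

# Signature plus iss/aud/exp checks for any id_token Apple issued (client-supplied or fetched).
def verify_id_token(token, jwks, now = Time.now.to_i)
  h, p, s = token.split(".")
  raise "malformed id_token" unless s
  header = JSON.parse(Base64.urlsafe_decode64(h))
  raise "unexpected alg #{header['alg']}" unless header["alg"] == "RS256" # never accept alg=none
  jwk = jwks["keys"].find { |k| k["kid"] == header["kid"] } or raise "unknown kid"
  ok = rsa_from_jwk(jwk).verify(OpenSSL::Digest.new("SHA256"), Base64.urlsafe_decode64(s), "#{h}.#{p}") rescue false
  raise "bad signature" unless ok
  claims = JSON.parse(Base64.urlsafe_decode64(p))
  raise "wrong iss" unless claims["iss"] == APPLE_ISS
  raise "wrong aud" unless claims["aud"] == CLIENT_ID
  raise "expired"   unless claims["exp"].to_i > now
  claims
end

# OIDC Core 3.3.2.11: for an RS256 token, c_hash = base64url(left 128 bits of SHA-256(code)).
def c_hash_for(code)
  b64url(OpenSSL::Digest::SHA256.digest(code)[0, 16])
end

# Step 4: the token Apple returned for the code must describe the same user and app.
def cross_check(client_claims, apple_claims)
  %w[iss aud sub].each do |k|
    raise "#{k} mismatch" unless client_claims[k] && client_claims[k] == apple_claims[k]
  end
end

# The README's order; token_endpoint stands in for the HTTPS POST to /auth/token (assumption).
def authenticate(authorization_code, client_id_token, jwks, token_endpoint)
  client_claims = verify_id_token(client_id_token, jwks)
  raise "c_hash mismatch" unless client_claims["c_hash"] == c_hash_for(authorization_code)
  apple_claims = verify_id_token(token_endpoint.call(authorization_code), jwks)
  cross_check(client_claims, apple_claims)
  client_claims
end

# Offline walk-through: a locally generated RSA key plays Apple (all data constructed).
def demo(tamper: false)
  apple_key = OpenSSL::PKey::RSA.generate(2048)
  jwks = { "keys" => [rsa_jwk("AIDOPK1", apple_key)] }
  code = "c0ffee.0.abcd.efgh" # constructed, not a real Apple authorization code
  now = Time.now.to_i
  base = { "iss" => APPLE_ISS, "aud" => CLIENT_ID, "sub" => "001234.abcdef.5678", "iat" => now, "exp" => now + 600 }
  hdr = { "alg" => "RS256", "kid" => "AIDOPK1" }
  client_token = jwt_encode(hdr, base.merge("c_hash" => c_hash_for(code)), apple_key)
  endpoint = ->(c) { c == code ? jwt_encode(hdr, base, apple_key) : raise("invalid_grant") }
  # tamper: replay the same id_token with a different code, which the c_hash check rejects
  authenticate(tamper ? "other.0.code.xxxx" : code, client_token, jwks, endpoint)
end
```

Running `demo` mints a client `id_token` whose `c_hash` matches a constructed code, exchanges that code through the simulated endpoint and returns the cross-checked claims; `demo(tamper: true)` pairs the same `id_token` with a different code and fails at the `c_hash` check. In production, fetch the JWK set from https://appleid.apple.com/auth/keys, cache it, and refresh it when a token arrives with an unknown `kid`.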
- This sample application only returns the payload (the `id_token` returned from Apple) from the authentication endpoint. Usually, a backend for an iOS app client would instead return some form of `access_token`, or simply a `user` object, to the client.
- If you are concerned that the endpoint is receiving a raw `id_token`, the client and server should have some form of encryption/decryption scheme for that value. At a minimum, the endpoint must be served over TLS in production; the sample's `http://localhost:3000` is for local development only.

For more information about how the authorization step works, the following blog post might be useful.

https://sarunw.com/posts/sign-in-with-apple-1/
