"Sign in With Apple" provider #318
Conversation
|
Working demo now available at https://signinwithapple.azurewebsites.net/ |
|
Note that in Azure App Service, you have to set |
martincostello
force-pushed
the
Sign-In-With-Apple
branch
from
39e8258
to
2a0bc93
Compare
|
Works on Windows but fails on macOS and Linux. Needs refactoring to account for |
|
Have you try with |
|
Yeah, I found a comment that lead me to For now I've forked the implementation so Windows supports Now the tests pass: https://travis-ci.com/martincostello/AspNet.Security.OAuth.Providers/builds/114862873 .NET Core 3.0 supports |
|
ASP.NET Core 3.0 branch of the Apple provider is here. The code is simpler and supports Tests: https://travis-ci.com/martincostello/AspNet.Security.OAuth.Providers/builds/114865903 |
|
I've done a blog post about the implementation here: https://blog.martincostello.com/sign-in-with-apple-prototype-for-aspnet-core/ |
|
@martincostello any update on this issue? |
|
@epoyraz None as of yet, unless Apple have updated anything since the initial announcement? |
|
@martincostello ah, i see. Thanks for the info! 👍 |
|
Hey @martincostello I'm not sure on how the non-windows flow works with the pfx. It looks like setting the key name to a key.pfx instead of key.p8 will still attempt to read the cert content as a base64 string which fails. Could you please give some guidance on how it's intended to work? If I manually read the cert via 509Certificate2 passing in the password and using that rawBytes value as the base64 string I get a crypto failure later on |
|
Hi @dylanbevandotnet - does the Cross-platform Support section of my blog post explain things? Essentially, the underlying cryptographic APIs in .NET Core 2.2 behave differently, so there's a different approach per-platform. This won't be a problem in 3.0 as the APIs have feature parity in this area. |
|
@martincostello not really I'm afraid. I don't see how a password protected pfx is read in as a base64 string. Following your blog I would expect that I replace the UsePrivateKey delegate to point to the pfx instead of the p8, and supply the certificate password. However doing that will cause the exception to be thrush in the extension method as it tries to convert that pfx content to a base 64 string. |
|
Is it possible you've generated the pfx file in an incorrect format? Does your pfx look like a similar file format to the one in the tests? https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers/blob/99dadcdba64b3a8b8ed1e477c54e052abfb68e9f/test/AspNet.Security.OAuth.Providers.Tests/Apple/test.pfx |
|
@martincostello so the root issue is that if you use a non Windows os you have to set the |
|
Catching an exception at runtime seems a bit bleurgh, and ultimately is a hack to workaround the different API surfaces. For 2.2, the caller is the owner of the key material and knows their own runtime environment, so should make the appropriate decision on how to configure things. There's an equally-hacky way to do this here: https://github.com/martincostello/SignInWithAppleSample/blob/50d0c6eb04dca53d0cd69f16d3005bf631291af0/src/SignInWithApple/Apple/AppleAuthenticationOptionsExtensions.cs#L39-L57 For 3.0 the need to do that becomes redundant as all platforms can natively use the That said, I can always re-review things once I do further work on this whenever Apple provide the capability to get the user claims for the token and this code can progress further towards being feature-complete. |
|
Sounds reasonable. Thanks @martincostello |
|
@martincostello is there any x-plat issue preventing you from using Importing the private key bytes certainly works, but you won't be able to use HSM-backed EC certificates using this approach. |
|
@PinpointTownes There was an issue with using a pfx cert with no password on it (admittedly, not a secure practice, my test cert found it), so it wasn't 100% compatible. That's what lead to me forking the setup code for 2.2 after I hit a brick wall trying to get The 3.0 version can be nicer as it can use the Relevant excerpt from my blog post:
This required me to add a further option to support specifying a password for the certificate, which on reflection I should have done anyway. I was just being lazy in my tests. With that change done, finally everything was working as expected on both Windows, Linux and macOS! |
|
Looks like Apple have changed something. I now see |
|
Yeah, my test site has stopped working too. I’ll have to investigate when I get the time over the weekend. |
|
So the protected override string BuildChallengeUrl(AuthenticationProperties properties, string redirectUri)
{
string challengeUrl = base.BuildChallengeUrl(properties, redirectUri);
return QueryHelpers.AddQueryString(challengeUrl, "response_mode", "form_post");
} |
Fix the build by enabling the latest version of C#.
Get the user's name and email address, if available, as claims after signing in with an Apple ID. These details are only available the first time the user signs in; if they are not persisted they cannot currently be obtained again.
martincostello
force-pushed
the
Sign-In-With-Apple
branch
from
a5df29a
to
4a93eb6
Compare
|
Thanks @martincostello you're a star. This whole thing reminds me of the xkcd 'one more standard' comic |
|
This pull request is great and completely fulfills requirements to use Apple Sign In, but are there any plans to finally merge it, due to upcoming Apple Event WWDC 19? |
|
@YuriiNskyi There are no plans to merge this PR or release the provider until after Apple officially launch the service and the API surface is definitely stable. |
|
@martincostello That's very disappointing fact, checking the last paragraph in this news, we want to be prepared with already implemented Apple Sign In, when it goes to be commercially available. |
|
@YuriiNskyi You're welcome to build the provider from source if you want to ship early, but this won't be merged until the Apple API surface is declared stable. As you can see, I've already had to make breaking changes to the provider code over the weekend, and Apple's documentation is quite lacking and hasn't been updated since Sign In with Apple was first announced. |
Use "Sign in with Apple" instead of "Sign In with Apple".
Use the same approach as the other OAuth handlers and access the Events property via the Options property.
Remove TODO comment. Check whether Trace logging is enabled before logging the Apple token response.
martincostello
changed the title
|
With iOS 13 scheduled for release next Thursday (the 19th September), I think this is basically "done" now and the service is probably unlikely to change further, at least as an initial release. As this one's more involved that the other providers, would you mind giving this a review please @PinpointTownes if you get some time this coming week? |
|
I’ll look into merging this either later today or over the weekend so it can also be incorporated into the 3.0.0 branch for Monday. |
Comment out the Apple provider as it causes the application to fail to start if the values aren't set and/or the key file does not exist.
|
A prerelease version of this package ( |
|
There's also a version available for ASP.NET Core 3.0 RC1: |
|
Hi Martin, this is awesome! Will you be able to help? I'm using OpenId Connect at ASP.NET Web Forms to integrate with Sign in with Apple? I've got it to authenticate, but when returning to the Return URI https://iluvrun.com/signin-apple, it hits the 404 error. How do I get the site to handle this? |
The provider is designed for ASP.NET Core, so I'm not sure how much success you'd get trying to get it to work as part of a ASP.NET Web Forms application. The endpoints are provided as middleware, so I'm not sure how you'd go about trying to run that as part of a Web Forms app. I haven't worked with Web Forms since about 2013, so I don't really have the experience or bandwidth to help you out trying to get it to work with it either I'm afraid! |
|
Hi Martin, it's ok. It's been a great reference. I'll keep searching for the answer :) |
Adds a Sign In with Apple provider based on currently available information.
Reference sources were:
Relates to #314.
All the provider does at present is set the
NameIdentifierclaim in the claims principal to the value of the subject of the JWT returned from the token endpoint.No information about a user information endpoint is yet available, but the docs suggest this will come at a later point: