sources/oauth: Fixed the incorrect padding issue in apple.py (#1773)

* Fixed the incorrect padding issue in apple.py Fixed the incorrect padding issue in apple.py by adding proper padding to the raw_payload. * Fixed the incorrect encoding of client_secret in apple.py In the get_client_secret() method, the "sub" in the payload must be only the client ID. So I have changed self.source.consumer_key to parts[0] * Added the decode method for the id_token Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-11-12 16:21:12 +05:30 · 2021-11-12 16:21:12 +05:30 · e4a5e86c93
parent 3a51bcd890
commit e4a5e86c93
1 changed files with 3 additions and 7 deletions
--- a/authentik/sources/oauth/types/apple.py
+++ b/authentik/sources/oauth/types/apple.py
@ -1,10 +1,8 @@
 """Apple OAuth Views"""
-from base64 import b64decode
-from json import loads
 from time import time
 from typing import Any, Optional

-from jwt import encode
+from jwt import decode, encode
 from structlog.stdlib import get_logger

 from authentik.sources.oauth.clients.oauth2 import OAuth2Client
@ -40,7 +38,7 @@ class AppleOAuthClient(OAuth2Client):
            "iat": now,
            "exp": now + 86400 * 180,
            "aud": "https://appleid.apple.com",
-            "sub": self.source.consumer_key,
+            "sub": parts[0],
        }
        # pyright: reportGeneralTypeIssues=false
        jwt = encode(payload, self.source.consumer_secret, "ES256", {"kid": parts[2]})
@ -49,9 +47,7 @@ class AppleOAuthClient(OAuth2Client):

    def get_profile_info(self, token: dict[str, str]) -> Optional[dict[str, Any]]:
        id_token = token.get("id_token")
-        _, raw_payload, _ = id_token.split(".")
-        payload = loads(b64decode(raw_payload.encode().decode()))
-        return payload
+        return decode(id_token, options={"verify_signature": False})


 class AppleOAuthRedirect(OAuthRedirect):