From e4a5e86c933d3a132c69f60d6bbb19c7d9a48d5f Mon Sep 17 00:00:00 2001
From: Rizwan Ahmed
Date: Fri, 12 Nov 2021 16:21:12 +0530
Subject: [PATCH] sources/oauth: Fixed the incorrect padding issue in apple.py (#1773)

* Fixed the incorrect padding issue in apple.py

Fixed the incorrect padding issue in apple.py by adding proper padding to the raw_payload.

* Fixed the incorrect encoding of client_secret in apple.py

In the get_client_secret() method, the "sub" in the payload must be only the client ID. So I have changed self.source.consumer_key to parts[0]

* Added the decode method for the id_token

Signed-off-by: Jens Langhammer
---
 authentik/sources/oauth/types/apple.py | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/authentik/sources/oauth/types/apple.py b/authentik/sources/oauth/types/apple.py
index d829f62f9..254c9da10 100644
--- a/authentik/sources/oauth/types/apple.py
+++ b/authentik/sources/oauth/types/apple.py
@@ -1,10 +1,8 @@
 """Apple OAuth Views"""
-from base64 import b64decode
-from json import loads
 from time import time
 from typing import Any, Optional
 
-from jwt import encode
+from jwt import decode, encode
 from structlog.stdlib import get_logger
 
 from authentik.sources.oauth.clients.oauth2 import OAuth2Client
@@ -40,7 +38,7 @@ class AppleOAuthClient(OAuth2Client):
             "iat": now,
             "exp": now + 86400 * 180,
             "aud": "https://appleid.apple.com",
-            "sub": self.source.consumer_key,
+            "sub": parts[0],
         }
         # pyright: reportGeneralTypeIssues=false
         jwt = encode(payload, self.source.consumer_secret, "ES256", {"kid": parts[2]})
@@ -49,9 +47,7 @@ class AppleOAuthClient(OAuth2Client):
 
     def get_profile_info(self, token: dict[str, str]) -> Optional[dict[str, Any]]:
         id_token = token.get("id_token")
-        _, raw_payload, _ = id_token.split(".")
-        payload = loads(b64decode(raw_payload.encode().decode()))
-        return payload
+        return decode(id_token, options={"verify_signature": False})
 
 
 class AppleOAuthRedirect(OAuthRedirect):
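Review bot: The new `"sub": parts[0]` line in the second hunk relies on a positional layout of `consumer_key` that is never stated in the code, so the next reader has no way to tell why index 0 is the client ID while `parts[2]` three lines later is the key ID. The split that builds `parts` sits above the hunk, outside this view, so the convention should be documented where the fields are consumed, e.g. `# "sub" must be the client (Services) ID alone, not the full consumer_key; parts[0] is that component (see the split above)`. The enclosing `get_client_secret()` begins and ends outside the hunk.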
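Review bot: The new `decode(id_token, options={"verify_signature": False})` in the third hunk accepts the id_token without checking its signature, and because PyJWT disables the other `verify_*` checks when signature verification is off, the `exp`, `aud` and `iss` claims are not validated either; the token does come back from Apple's token endpoint over TLS, so this may be an accepted trade-off, but it should be explicit rather than implicit, e.g. `# id_token is taken straight from Apple's token response (TLS), so the signature is not re-verified here; claims are not validated either`. Defense in depth would verify against Apple's published JWKS (PyJWT's `PyJWKClient`) with `audience=` set to the client ID. Separately, `token.get("id_token")` can return `None` when the response lacks the claim, and `decode(None, ...)` then fails with a type error rather than the documented `Optional` return; add `if not id_token:` / `    return None` before the decode. The method body is fully inside the hunk, but the surrounding class continues outside it.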