sources/oauth: Fixed the incorrect padding issue in apple.py (#1773)
* Fixed the incorrect padding issue in apple.py Fixed the incorrect padding issue in apple.py by adding proper padding to the raw_payload. * Fixed the incorrect encoding of client_secret in apple.py In the get_client_secret() method, the "sub" in the payload must be only the client ID. So I have changed self.source.consumer_key to parts[0] * Added the decode method for the id_token Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
parent
3a51bcd890
commit
e4a5e86c93
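--- a/apple.py
+++ b/apple.py
@@ -1,10 +1,8 @@
 """Apple OAuth Views"""
-from base64 import b64decode
-from json import loads
 from time import time
 from typing import Any, Optional
 
-from jwt import encode
+from jwt import decode, encode
 from structlog.stdlib import get_logger
 
 from authentik.sources.oauth.clients.oauth2 import OAuth2Client
@@ -40,7 +38,7 @@ class AppleOAuthClient(OAuth2Client):
             "iat": now,
             "exp": now + 86400 * 180,
             "aud": "https://appleid.apple.com",
-            "sub": self.source.consumer_key,
+            "sub": parts[0],
         }
         # pyright: reportGeneralTypeIssues=false
         jwt = encode(payload, self.source.consumer_secret, "ES256", {"kid": parts[2]})
@@ -49,9 +47,7 @@ class AppleOAuthClient(OAuth2Client):
 
     def get_profile_info(self, token: dict[str, str]) -> Optional[dict[str, Any]]:
         id_token = token.get("id_token")
-        _, raw_payload, _ = id_token.split(".")
-        payload = loads(b64decode(raw_payload.encode().decode()))
-        return payload
+        return decode(id_token, options={"verify_signature": False})
 
 
 class AppleOAuthRedirect(OAuthRedirect):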
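Review bot: The new `return decode(id_token, options={"verify_signature": False})` in the third hunk accepts the id_token body without checking its signature, issuer, audience or expiry (PyJWT ties the other verify_* options to verify_signature by default), so get_profile_info returns whatever claims the token carries; that is defensible only because the token is taken from the response of Apple's token endpoint over TLS, and that assumption should sit next to the call, e.g. `# signature not verified on purpose: id_token comes straight from the token endpoint, never from the user agent`. If a token could ever reach this method by another path, verify it against Apple's published JWKS (PyJWT's PyJWKClient) and pass `audience=` with the client id instead of disabling verification. Separately, `token.get("id_token")` yields None when the response lacks the claim, and `decode(None, ...)` then raises a PyJWT DecodeError rather than returning the None the `Optional` return type advertises; a guard such as `if not id_token: return None` before the decode keeps that contract. The get_client_secret body touched in the second hunk starts outside the hunk, so the origin of `parts` is not visible here.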