sources/oauth: Fixed the incorrect padding issue in apple.py (#1773)

* Fixed the incorrect padding issue in apple.py

Fixed the incorrect padding issue in apple.py by adding proper padding to the raw_payload.

* Fixed the incorrect encoding of client_secret in apple.py

In the get_client_secret() method, the "sub" in the payload must be only the client ID. So I have changed self.source.consumer_key to parts[0]

* Use jwt.decode() for the id_token instead of splitting it by hand and base64-decoding the payload

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Rizwan Ahmed 2021-11-12 16:21:12 +05:30 committed by Jens Langhammer
parent 3a51bcd890
commit e4a5e86c93
1 changed files with 3 additions and 7 deletions


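--- a/apple.py
+++ b/apple.py
@@ -1,10 +1,8 @@
 """Apple OAuth Views"""
-from base64 import b64decode
-from json import loads
 from time import time
 from typing import Any, Optional
-from jwt import encode
+from jwt import decode, encode
 from structlog.stdlib import get_logger
 from authentik.sources.oauth.clients.oauth2 import OAuth2Client
@@ -40,7 +38,7 @@ class AppleOAuthClient(OAuth2Client):
             "iat": now,
             "exp": now + 86400 * 180,
             "aud": "https://appleid.apple.com",
-            "sub": self.source.consumer_key,
+            "sub": parts[0],
         }
         # pyright: reportGeneralTypeIssues=false
         jwt = encode(payload, self.source.consumer_secret, "ES256", {"kid": parts[2]})
@@ -49,9 +47,7 @@ class AppleOAuthClient(OAuth2Client):
     def get_profile_info(self, token: dict[str, str]) -> Optional[dict[str, Any]]:
         id_token = token.get("id_token")
-        _, raw_payload, _ = id_token.split(".")
-        payload = loads(b64decode(raw_payload.encode().decode()))
-        return payload
+        return decode(id_token, options={"verify_signature": False})
 class AppleOAuthRedirect(OAuthRedirect):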
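Review bot: The new `decode(id_token, options={"verify_signature": False})` in get_profile_info accepts the ID token without checking its signature, and in PyJWT 2.x that option also disables the `exp`, `aud` and `iss` checks unless they are enabled explicitly, so the claims that end up as the user's identity are taken entirely on trust; the previous hand-rolled base64 split was no better, but this is the place to fix it. Skipping the signature is arguably acceptable here because the token arrives on the back-channel from Apple's token endpoint over TLS, yet audience and issuer should still be pinned to the client ID (the same value the client secret uses as `sub` — `parts[0]`, whose derivation lies outside the hunk) and to `https://appleid.apple.com`, and the cleanest way is to verify against Apple's published JWKS with `PyJWKClient` (PyJWT ≥ 2.0; needs `from jwt import PyJWKClient`). Separately, `token.get("id_token")` can return `None` when Apple's token response lacks the claim, which makes `decode` raise an opaque error; the `Optional` return type suggests returning `None` instead. The enclosing `AppleOAuthClient` class continues outside this hunk.
```python
    def get_profile_info(self, token: dict[str, str]) -> Optional[dict[str, Any]]:
        id_token = token.get("id_token")
        if not id_token:
            return None
        # Apple publishes the RS256 keys that sign its ID tokens at this JWKS endpoint.
        signing_key = PyJWKClient("https://appleid.apple.com/auth/keys").get_signing_key_from_jwt(id_token)
        return decode(
            id_token,
            signing_key.key,
            algorithms=["RS256"],
            audience=client_id,  # derive the same way as parts[0] in get_client_secret()
            issuer="https://appleid.apple.com",
        )
```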