问题描述
我有一个iOS应用,该应用可实现与Apple的登录。 在开发人员门户上为此应用程序生成了一个私钥。 首先,我们的应用服务器从iOS应用接收身份令牌和授权代码。我们在这里使用firebase/jwt-php库来验证带有密钥的身份令牌。完成后,我们对身份令牌进行了如下解码:
标题:
{
"kid": "eXaunmL","alg": "RS256"
}
有效载荷:
{
"iss": "https://appleid.apple.com","aud": "com.mycompany.myapp","exp": 1597336478,"iat": 1597335878,"sub": "000138.77a8b51895c943dcbe1ae4c34721a4c3.1312","nonce": "1597335873132","c_hash": "llDP9yFq6YOQEoi4qDzfDA","email": "useremail@gmail.com","email_verified": "true","auth_time": 1597335878,"nonce_supported": true
}
还将客户端应用程序发送到我们的应用程序服务器的授权代码如下:
c6b4d8ec548014979b7b7e0f4d63a173e.0.mrty.2sZAWSjybSC6MU0PQAxaag
麻烦开始了... 我尝试通过授权码和客户端机密获取刷新令牌。我不使用firebase / jwt-PHP库创建客户端密码,因为我了解了openSSL问题here。 我已经将.p8私钥转换为.pem格式以用于签名。
/**
*
* @param string $kid 10 digits key ID for my app from developer portal
* @param string $iss my 10 digits team ID from developer portal
* @param string $sub com.mycoopany.myapp
* @return string signed JWT
*/
public static function generateJWT($kid,$iss,$sub) {
$header = [
'alg' => 'ES256','kid' => $kid
];
$body = [
'iss' => $iss,'iat' => time(),'exp' => time() + 600,'aud' => 'https://appleid.apple.com','sub' => $sub
];
$private_key = <<<EOD
-----BEGIN PRIVATE KEY-----
My private key converted from .p8 to .pem by command:
openssl pkcs8 -in key.p8 -nocrypt -out key.pem
-----END PRIVATE KEY-----
EOD;
$privKey = openssl_pkey_get_private($private_key);
if (!$privKey){
return false;
}
$payload = self::encode(json_encode($header,JSON_UnesCAPED_SLASHES)).'.'.self::encode(json_encode($body,JSON_UnesCAPED_SLASHES));
$signature = '';
$success = openssl_sign($payload,$signature,$privKey,OPENSSL_ALGO_SHA256);
if (!$success) return false;
$raw_signature = self::fromDER($signature,64);
return $payload.'.'.self::encode($raw_signature);
}
private static function encode($data) {
$encoded = strtr(base64_encode($data),'+/','-_');
return rtrim($encoded,'=');
}
要转换openSSL符号,请使用this library中的 fromDER 函数:
public static function fromDER(string $der,int $partLength)
{
$hex = unpack('H*',$der)[1];
if ('30' !== mb_substr($hex,2,'8bit')) { // SEQUENCE
throw new \RuntimeException();
}
if ('81' === mb_substr($hex,'8bit')) { // LENGTH > 128
$hex = mb_substr($hex,6,null,'8bit');
} else {
$hex = mb_substr($hex,4,'8bit');
}
if ('02' !== mb_substr($hex,'8bit')) { // INTEGER
throw new \RuntimeException();
}
$Rl = hexdec(mb_substr($hex,'8bit'));
$R = self::retrievePositiveInteger(mb_substr($hex,$Rl * 2,'8bit'));
$R = str_pad($R,$partLength,'0',STR_PAD_LEFT);
$hex = mb_substr($hex,4 + $Rl * 2,'8bit');
if ('02' !== mb_substr($hex,'8bit')) { // INTEGER
throw new \RuntimeException();
}
$Sl = hexdec(mb_substr($hex,'8bit'));
$S = self::retrievePositiveInteger(mb_substr($hex,$Sl * 2,'8bit'));
$S = str_pad($S,STR_PAD_LEFT);
return pack('H*',$R.$S);
}
/**
* @param string $data
*
* @return string
*/
private static function retrievePositiveInteger(string $data)
{
while ('00' === mb_substr($data,'8bit') && mb_substr($data,'8bit') > '7f') {
$data = mb_substr($data,'8bit');
}
return $data;
}
最后,我对https://appleid.apple.com/auth/token端点的呼叫看起来像这样:
$signed_jwt = opensslFix::generateJWT($my_kid,'myTeamID',$app);
$send_data = [
'client_id' => $app,'client_secret' => $signed_jwt,'grant_type' => 'authorization_code','code' => $request->code
];
$ch = curl_init();
curl_setopt($ch,CURLOPT_URL,'https://appleid.apple.com/auth/token');
curl_setopt($ch,CURLOPT_POST,1);
curl_setopt($ch,CURLOPT_POSTFIELDS,http_build_query([$send_data]));
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
curl_setopt($ch,CURLOPT_HTTPHEADER,array('Content-Type: application/x-www-form-urlencoded'));
curl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.6 (KHTML,like Gecko) Chrome/20.0.1090.0 Safari/536.6');
$serverOutput = curl_exec($ch);
我总是从苹果服务器上得到“ invalid_client”答案:( 还有什么可能出问题?
解决方法
从头顶上尝试两件事:
- 添加一个Accept标头:
'Accept: application/x-www-form-urlencoded'
- 不将您的帖子数据传递到另一个数组中:
http_build_query($send_data)
如果我想更多的事情,我将编辑答案。