namespace ASC.FederatedLogin.LoginProviders; [Scope] public class AppleIdLoginProvider : BaseLoginProvider { private readonly IHttpContextAccessor _httpContextAccessor; private readonly RequestHelper _requestHelper; public override string AccessTokenUrl { get { return "https://appleid.apple.com/auth/token"; } } public override string RedirectUri { get { return this["appleIdRedirectUrl"]; } } public override string ClientID { get { return (this["appleIdClientIdMobile"] != null && _httpContextAccessor?.HttpContext != null && _httpContextAccessor.HttpContext.Request.MobileApp()) ? this["appleIdClientIdMobile"] : this["appleIdClientId"]; } } public override string ClientSecret => GenerateSecret(); public override string CodeUrl { get { return "https://appleid.apple.com/auth/authorize"; } } public override string Scopes { get { return ""; } } public string TeamId { get { return this["appleIdTeamId"]; } } public string KeyId { get { return this["appleIdKeyId"]; } } public string PrivateKey { get { return this["appleIdPrivateKey"]; } } public AppleIdLoginProvider() { } public AppleIdLoginProvider( OAuth20TokenHelper oAuth20TokenHelper, TenantManager tenantManager, CoreBaseSettings coreBaseSettings, CoreSettings coreSettings, IConfiguration configuration, ICacheNotify cache, ConsumerFactory consumerFactory, Signature signature, InstanceCrypto instanceCrypto, IHttpContextAccessor httpContextAccessor, RequestHelper requestHelper, string name, int order, Dictionary props, Dictionary additional = null) : base(oAuth20TokenHelper, tenantManager, coreBaseSettings, coreSettings, configuration, cache, consumerFactory, signature, instanceCrypto, name, order, props, additional) { _httpContextAccessor = httpContextAccessor; _requestHelper = requestHelper; } public override LoginProfile ProcessAuthoriztion(HttpContext context, IDictionary @params, IDictionary additionalStateArgs) { try { var token = Auth(context, Scopes, out var redirect, @params, additionalStateArgs); var claims = ValidateIdToken(JObject.Parse(token.OriginJson).Value("id_token")); return GetProfileFromClaims(claims); } catch (ThreadAbortException) { throw; } catch (Exception ex) { return LoginProfile.FromError(Signature, InstanceCrypto, ex); } } public override LoginProfile GetLoginProfile(string authCode) { if (string.IsNullOrEmpty(authCode)) { throw new Exception("Login failed"); } var token = _oAuth20TokenHelper.GetAccessToken(ConsumerFactory, authCode); var claims = ValidateIdToken(JObject.Parse(token.OriginJson).Value("id_token")); return GetProfileFromClaims(claims); } public override LoginProfile GetLoginProfile(OAuth20Token token) { if (token == null) { throw new Exception("Login failed"); } var claims = ValidateIdToken(JObject.Parse(token.OriginJson).Value("id_token")); return GetProfileFromClaims(claims); } private LoginProfile GetProfileFromClaims(ClaimsPrincipal claims) { return new LoginProfile(Signature, InstanceCrypto) { Id = claims.FindFirst(ClaimTypes.NameIdentifier).Value, EMail = claims.FindFirst(ClaimTypes.Email)?.Value, Provider = ProviderConstants.AppleId, }; } private string GenerateSecret() { using (var cngKey = CngKey.Import(Convert.FromBase64String(PrivateKey), CngKeyBlobFormat.Pkcs8PrivateBlob)) { var handler = new JwtSecurityTokenHandler(); var token = handler.CreateJwtSecurityToken( issuer: TeamId, audience: "https://appleid.apple.com", subject: new ClaimsIdentity(new List { new Claim("sub", ClientID) }), issuedAt: DateTime.UtcNow, notBefore: DateTime.UtcNow, expires: DateTime.UtcNow.AddMinutes(5), signingCredentials: new SigningCredentials(new ECDsaSecurityKey(new ECDsaCng(cngKey)), SecurityAlgorithms.EcdsaSha256) ); token.Header.Add("kid", KeyId); return handler.WriteToken(token); } } private ClaimsPrincipal ValidateIdToken(string idToken) { var handler = new JwtSecurityTokenHandler(); var claims = handler.ValidateToken(idToken, new TokenValidationParameters() { ValidateIssuerSigningKey = true, IssuerSigningKeys = GetApplePublicKeys(), ValidateIssuer = true, ValidIssuer = "https://appleid.apple.com", ValidateAudience = true, ValidAudience = ClientID, ValidateLifetime = true }, out var _); return claims; } private IEnumerable GetApplePublicKeys() { var appplePublicKeys = _requestHelper.PerformRequest("https://appleid.apple.com/auth/keys"); var keys = new List(); foreach (var webKey in JObject.Parse(appplePublicKeys).Value("keys")) { var e = Base64UrlEncoder.DecodeBytes(webKey.Value("e")); var n = Base64UrlEncoder.DecodeBytes(webKey.Value("n")); var key = new RsaSecurityKey(new RSAParameters { Exponent = e, Modulus = n }) { KeyId = webKey.Value("kid") }; keys.Add(key); } return keys; } }