Notes on Integrating Sign in with Apple into an App: Backend Verification
I. Background
Our company's app needed to support third-party login via WeChat, QQ, Weibo and Apple. WeChat, QQ and Weibo each have their own open platform with fairly complete documentation, so they were easy to pick up. When it came to Apple, perhaps limited by my own English, I found Apple's official documentation inconvenient to navigate. After a lot of searching online I finally got it working, so here is a record of the backend verification for Sign in with Apple.
II. Backend Verification of Sign in with Apple
For backend verification Apple offers two methods: JWT-based verification and authorization-code-based verification. This post records only the JWT-based verification that I used.
- Flow of JWT-based verification
- 1.1 Parsing the identityToken
- Within the app, Sign in with Apple returns the following parameters:
userID: the unique identifier of the authorized user
email, fullName: the authorized user's profile data
authorizationCode: the authorization code (used for authorization-code-based verification)
identityToken: the authorized user's JWT credential (JWT-based verification means verifying this token)
Example identityToken returned by Sign in with Apple: eyJraWQiOiI4NkQ4OEtmIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLndiLldlc3RCdWxsU3RvY2siLCJleHAiOjE2Mjk2MTIzOTMsImlhdCI6MTYyOTUyNTk5Mywic3ViIjoiMDAxMDQ1LmIyNzNmNWQxMWVmOTRlZjlhZDIyNmUzN2E3ZDc0ZDY4LjA2MzciLCJjX2hhc2giOiJ2OGRRbXRveE5rWDlxQmpiZkFoc05RIiwiYXV0aF90aW1lIjoxNjI5NTI1OTkzLCJub25jZV9zdXBwb3J0ZWQiOnRydWV9.YuppuMqi2CN12M8JgpHr8WIJ1QyH-KRYGMUhuOc2iOtJ4iDCya9BsCU25FSo0oX8YxO8x3N5JzMhyat--LXYMtDDtTV1-QnlyPC_jTC60jEvUQ6jZEWJSX3etV6so9RpG2C_LBmEQPjNKJVejo6Irqyq-e2bxcZzU_6EX62BbgKd9nj1HleDSo7URb8y9oU1jMw1j0rpzzKf8jJsTb09oqWnqkp8sjtSYFu5qihzrW9QEw4PntWdWKCQ7hDKLAYJBxm4HhmnHWS1jrJNuUNTn83R7tgNduJ5LE9yybI83x5TmSeJvIh5p1uz5cBtS48ox2uLc3obrCOuwn66jos6Xg
Base64url-decoding the identityToken yields the following HEADER and PAYLOAD:
// HEADER
{
"kid": "86D88Kf",
"alg": "RS256"
}
// PAYLOAD
{
"iss": "https://appleid.apple.com",
"aud": "XX.XXX.XX",
"exp": 1629612393,
"iat": 1629525993,
"sub": "001045.b273f5d11ef94ef9ad226e37a7d74d68.0637",
"c_hash": "v8dQmtoxNkX9qBjbfAhsNQ",
"auth_time": 1629525993,
"nonce_supported": true
}
// iss identifies Apple as the issuer, aud is the receiving App ID, sub is the user's unique identifier
- 1.2 Building the RSA public key
- Apple public key endpoint: https://appleid.apple.com/auth/keys
- The endpoint returns data in the following form:
{
"keys": [
{
"kty": "RSA",
"kid": "eXaunmL",
"use": "sig",
"alg": "RS256",
"n": "4dGQ7bQK8LgILOdLsYzfZjkEAoQeVC_aqyc8GC6RX7dq_KvRAQAWPvkam8VQv4GK5T4ogklEKEvj5ISBamdDNq1n52TpxQwI2EqxSk7I9fKPKhRt4F8-2yETlYvye-2s6NeWJim0KBtOVrk0gWvEDgd6WOqJl_yt5WBISvILNyVg1qAAM8JeX6dRPosahRVDjA52G2X-Tip84wqwyRpUlq2ybzcLh3zyhCitBOebiRWDQfG26EH9lTlJhll-p_Dg8vAXxJLIJ4SNLcqgFeZe4OfHLgdzMvxXZJnPp_VgmkcpUdRotazKZumj6dBPcXI_XID4Z4Z3OM1KrZPJNdUhxw",
"e": "AQAB"
},
{
"kty": "RSA",
"kid": "86D88Kf",
"use": "sig",
"alg": "RS256",
"n": "iGaLqP6y-SJCCBq5Hv6pGDbG_SQ11MNjH7rWHcCFYz4hGwHC4lcSurTlV8u3avoVN