forked from GriffinLedingham/php-apple-signin
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathASDecoder.php
More file actions
119 lines (97 loc) · 3.45 KB
/
ASDecoder.php
File metadata and controls
119 lines (97 loc) · 3.45 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
<?php
namespace AppleSignIn;
use AppleSignIn\Vendor\JWK;
use AppleSignIn\Vendor\JWT;
use Exception;
/**
* Decode Sign In with Apple identity token, and produce an ASPayload for
* utilizing in backend auth flows to verify validity of provided user creds.
*
* @package AppleSignIn\ASDecoder
* @author Griffin Ledingham <gcledingham@gmail.com>
* @license http://opensource.org/licenses/BSD-3-Clause 3-clause BSD
* @link https://github.com/GriffinLedingham/php-apple-signin
*/
class ASDecoder {
/**
* Parse a provided Sign In with Apple identity token.
*
* @param string $identityToken
* @return object|null
*/
public static function getAppleSignInPayload(string $identityToken)
{
$identityPayload = self::decodeIdentityToken($identityToken);
return new ASPayload($identityPayload);
}
/**
* Decode the Apple encoded JWT using Apple's public key for the signing.
*
* @param string $identityToken
* @return object
*/
public static function decodeIdentityToken(string $identityToken) {
$publicKeyKid = JWT::getPublicKeyKid($identityToken);
$publicKeyData = self::fetchPublicKey($publicKeyKid);
$publicKey = $publicKeyData['publicKey'];
$alg = $publicKeyData['alg'];
$payload = JWT::decode($identityToken, $publicKey, [$alg]);
return $payload;
}
/**
* Fetch Apple's public key from the auth/keys REST API to use to decode
* the Sign In JWT.
*
* @param string $publicKeyKid
* @return array
*/
public static function fetchPublicKey(string $publicKeyKid) {
$publicKeys = file_get_contents('https://appleid.apple.com/auth/keys');
$decodedPublicKeys = json_decode($publicKeys, true);
if(!isset($decodedPublicKeys['keys']) || count($decodedPublicKeys['keys']) < 1) {
throw new Exception('Invalid key format.');
}
$kids = array_column($decodedPublicKeys['keys'], 'kid');
$parsedKeyData = $decodedPublicKeys['keys'][array_search($publicKeyKid, $kids)];
$parsedPublicKey= JWK::parseKey($parsedKeyData);
$publicKeyDetails = openssl_pkey_get_details($parsedPublicKey);
if(!isset($publicKeyDetails['key'])) {
throw new Exception('Invalid public key details.');
}
return [
'publicKey' => $publicKeyDetails['key'],
'alg' => $parsedKeyData['alg']
];
}
}
/**
* A class decorator for the Sign In with Apple payload produced by
* decoding the signed JWT from a client.
*/
class ASPayload {
protected $_instance;
public function __construct($instance) {
if(is_null($instance)) {
throw new Exception('ASPayload received null instance.');
}
$this->_instance = $instance;
}
public function __call($method, $args) {
return call_user_func_array(array($this->_instance, $method), $args);
}
public function __get($key) {
return (isset($this->_instance->$key)) ? $this->_instance->$key : null;
}
public function __set($key, $val) {
return $this->_instance->$key = $val;
}
public function getEmail() {
return (isset($this->_instance->email)) ? $this->_instance->email : null;
}
public function getUser() {
return (isset($this->_instance->sub)) ? $this->_instance->sub : null;
}
public function verifyUser(string $user) {
return $user === $this->getUser();
}
}