Extract email from ID token not user parameter
Use the verified ID token JWT as the source of the email claim rather than the user parameter in the callback.
1 parent
f454732
commit a0fe95e
Showing
3 changed files
with
108 additions
and
10 deletions.
@@ -4,6 +4,9 @@ | |
* for more information concerning the license and the contributors participating to this project. | ||
*/ | ||
|
||
using System.IdentityModel.Tokens.Jwt; | ||
using System.Security.Cryptography; | ||
using System.Text.Json; | ||
using Microsoft.AspNetCore.WebUtilities; | ||
using Microsoft.Extensions.DependencyInjection.Extensions; | ||
using Microsoft.IdentityModel.Logging; | ||
|
@@ -465,6 +468,91 @@ public async Task BuildChallengeUrl_Generates_Correct_Url(bool usePkce) | |
} | ||
} | ||
|
||
[Fact] | ||
public void Regenerate_Test_Jwts() | ||
{ | ||
using var rsa = RSA.Create(); | ||
var parameters = rsa.ExportParameters(true); | ||
|
||
var webKey = new | ||
{ | ||
kty = JsonWebAlgorithmsKeyTypes.RSA, | ||
kid = "AIDOPK1", | ||
use = "sig", | ||
alg = SecurityAlgorithms.RsaSha256, | ||
n = Base64UrlEncoder.Encode(parameters.Modulus), | ||
e = Base64UrlEncoder.Encode(parameters.Exponent), | ||
}; | ||
|
||
var signingCredentials = new SigningCredentials(new RsaSecurityKey(rsa), SecurityAlgorithms.RsaSha256) | ||
{ | ||
CryptoProviderFactory = new CryptoProviderFactory { CacheSignatureProviders = false } | ||
}; | ||
|
||
var audience = "com.martincostello.signinwithapple.test.client"; | ||
var issuer = "https://appleid.apple.com"; | ||
var expires = DateTimeOffset.FromUnixTimeSeconds(1587212159).UtcDateTime; | ||
|
||
var iat = new Claim(JwtRegisteredClaimNames.Iat, "1587211559"); | ||
var sub = new Claim(JwtRegisteredClaimNames.Sub, "001883.fcc77ba97500402389df96821ad9c790.1517"); | ||
var atHash = new Claim(JwtRegisteredClaimNames.AtHash, "eOy0y7XVexdkzc7uuDZiCQ"); | ||
var emailVerified = new Claim("email_verified", "true"); | ||
var authTime = new Claim(JwtRegisteredClaimNames.AuthTime, "1587211556"); | ||
var nonceSupported = new Claim("nonce_supported", "true"); | ||
|
||
var claimsForPublicEmail = new Claim[] | ||
{ | ||
iat, | ||
sub, | ||
atHash, | ||
new Claim(JwtRegisteredClaimNames.Email, "[email protected]"), | ||
emailVerified, | ||
authTime, | ||
nonceSupported, | ||
}; | ||
|
||
var publicEmailToken = new JwtSecurityToken( | ||
issuer, | ||
audience, | ||
claimsForPublicEmail, | ||
expires: expires, | ||
signingCredentials: signingCredentials); | ||
|
||
var claimsForPrivateEmail = new Claim[] | ||
{ | ||
iat, | ||
sub, | ||
atHash, | ||
new Claim(JwtRegisteredClaimNames.Email, "[email protected]"), | ||
emailVerified, | ||
authTime, | ||
nonceSupported, | ||
new Claim("is_private_email", "true"), | ||
}; | ||
|
||
var privateEmailToken = new JwtSecurityToken( | ||
issuer, | ||
audience, | ||
claimsForPrivateEmail, | ||
expires: expires, | ||
signingCredentials: signingCredentials); | ||
|
||
var publicEmailIdToken = new JwtSecurityTokenHandler().WriteToken(publicEmailToken); | ||
var privateEmailIdToken = new JwtSecurityTokenHandler().WriteToken(privateEmailToken); | ||
var serializedRsaPublicKey = JsonSerializer.Serialize(webKey, new JsonSerializerOptions() { WriteIndented = true }); | ||
|
||
// Copy the values from the test output to bundles.json if you need to regenerate the JWTs to edit the claims | ||
|
||
// For https://appleid.apple.com/auth/keys | ||
OutputHelper!.WriteLine($"RSA key: {serializedRsaPublicKey}"); | ||
|
||
// For https://appleid.apple.com/auth/token | ||
OutputHelper!.WriteLine($"Public email JWT: {publicEmailIdToken}"); | ||
|
||
// For https://appleid.apple.local/auth/token/email | ||
OutputHelper!.WriteLine($"Private email JWT: {privateEmailIdToken}"); | ||
} | ||
|
||
private sealed class CustomAppleAuthenticationEvents : AppleAuthenticationEvents | ||
{ | ||
} | ||
|
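Review bot: In `Regenerate_Test_Jwts` the JWK advertises `kid = "AIDOPK1"`, but the signing key is built as `new RsaSecurityKey(rsa)` with no `KeyId`, so the written JWTs carry no `kid` header and the validator can presumably only match them by trying every published key rather than selecting the one the JWK names; `new RsaSecurityKey(rsa) { KeyId = "AIDOPK1" }` would make the fixture tokens consistent with the key they are published under. `rsa.ExportParameters(true)` exports the private parameters although only `Modulus` and `Exponent` are read; `rsa.ExportParameters(false)` is sufficient and keeps private material out of the managed struct. The method is a `[Fact]` with no assertions that generates a fresh key pair on every run; if it is a manual regeneration tool, as the comment says, `[Fact(Skip = "Run manually to regenerate the test JWTs")]` would state that and keep it out of CI. The hard-coded `expires` of 1587212159 is already in the past, so the generated tokens presumably rely on lifetime validation being disabled or a fixed clock in the test bundle — worth noting in the comment next to the copy-to-bundles.json instruction.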