Apple通过Python登录 [英] Apple Signin through Python
问题描述
我在python中使用Apple登录确实存在问题,但主要不是python,只是一些神秘的东西.... 所以,我读了这篇文章 https://medium.com /@ aamishbaloch/在您的django-python-backend-b501daa835a9中使用Apple登录 实施起来应该很容易,但是我的实现不起作用,所以我要做的是: 我添加了在REST框架中使用的appleapiprovider类,该AppleProvider的调用方式为:
I do have a problem with apple signin in python but it's mostly not python, just mysterious stuff.... So, I read this article https://medium.com/@aamishbaloch/sign-in-with-apple-in-your-django-python-backend-b501daa835a9 It should be quite easy to implement it but my implementation doesn't work, so what I did is: I've added appleapiprovider class which being used in rest framework, this AppleProvider being called this way:
provider = AppleApiProvider()
provider.verify_token(token_sent_from_ios_device) # NOT JWT TOKEN, just code.
这是verify_token方法中发生的事情
and here is what happening in the method verify_token
def verify_token(self, token):
client_id, client_secret = self.get_key_and_secret()
headers = {'content-type': "application/x-www-form-urlencoded"}
data = {
'client_id': client_id,
'client_secret': client_secret,
'code': access_token,
'grant_type': 'authorization_code',
'redirect_uri': 'https://example-app.com/redirect'
}
res = requests.post('https://appleid.apple.com/auth/token', data=data, headers=headers)
def get_key_and_secret(self):
headers = {
'kid': KID
}
payload = {
'iss': ISS,
'iat': timezone.now(),
'exp': timezone.now() + timedelta(days=180),
'aud': 'https://appleid.apple.com',
'sub': 'com.APP.staging.signin',
}
client_secret = jwt.encode(
payload,
open('/etc/apple.pem', 'rb').read(),
algorithm='ES256',
headers=headers
).decode("utf-8")
return 'com.APP.staging.signin', client_secret
结果我得到了
{error: 'invalid_grant'}
有什么主意吗?这不是client_id和client_secret的问题,我尝试在那里使用绝对随机的字符串,并且说,invalid_client 可能的重复项是:新的Apple登录会不断抛出错误HTTP 400 Invalid_grant 但是我的问题没有确切的解决方案,它应该很小,而且我不知道如何调试它.
Any idea ? It's not a problem with client_id and client_secret, I tried to use there just absolutely random strings and it says, invalid_client Possible duplicate is: New Apple Sign in keeps throwing Error HTTP 400 Invalid_grant but there's no exact solution to my problem, it should be quite small and I don't know how to debug it.
推荐答案
我的错误是将JWT令牌用作"code"参数而不是authorization_code.
My error was using the JWT token as the 'code' parameter instead of the authorization_code.
我正在使用'@ invertase/react-native-apple-authentication'React Native软件包来处理客户端的Apple登录.我认为在本地和其他程序包中传输的数据可能相似.
I am using the '@invertase/react-native-apple-authentication' React Native package to handle Apple Sign in on client side. I think the data transmitted there may be similar across Native and other packages.
此软件包在Apple登录时返回的内容是以下对象:
What this package returns on apple sign-in is the following object:
{
authorizationCode: string <- this should be sent as "code"
authorizedScopes: [],
email: string <- will be null, except for first request. To reset for testing, disconnect the app from apple signin
fullName: {...} <- will contain null values only, except for first request. see above
identityToken: string
nonce: string
realUserStatus: 1
state: ?
user: string <- should be used to identify users
}
identityToken是一个JWT令牌,在解码时包含以下数据:
The identityToken is a JWT token that when decoded contains the following data:
header:
{
"kid": string, <- can be used to identify the apple public key one can use to verify the signature (fetched from here https://appleid.apple.com/auth/keys)
"alg": "RS256"
}
payload:
{
"iss": "https://appleid.apple.com",
"aud": <your package ID>,
"exp": number,
"iat": number,
"sub": string, <- same as "user" in above datastructure
"nonce": string,
"c_hash": string,
"email": "asd@privaterelay.appleid.com", <- contains the email, even if the above structure does not contain it
"email_verified": "true",
"is_private_email": "true",
"auth_time": number,
"nonce_supported": true
}
一个令人困惑的方面是,电子邮件在第一个obj中可以为空,但仍包含在JWT中.尚不清楚在所有情况下是否都需要JWT令牌.对于简单的身份验证服务而言,authorizationCode和用户参数似乎就足够了.
One confusing aspect is, that the email can be null in the first obj, but still be contained in the JWT. It is a bit unclear whether we need the JWT token in all cases. It seems like for a simple authentication service the authorizationCode and user parameters suffices.
这篇关于Apple通过Python登录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!