Apple通过Python登录 [英] Apple Signin through Python

问题描述

我在python中使用Apple登录确实存在问题，但主要不是python，只是一些神秘的东西.... 所以，我读了这篇文章 https://medium.com /@ aamishbaloch/在您的django-python-backend-b501daa835a9中使用Apple登录 实施起来应该很容易，但是我的实现不起作用，所以我要做的是: 我添加了在REST框架中使用的appleapiprovider类，该AppleProvider的调用方式为:

I do have a problem with apple signin in python but it's mostly not python, just mysterious stuff.... So, I read this article https://medium.com/@aamishbaloch/sign-in-with-apple-in-your-django-python-backend-b501daa835a9 It should be quite easy to implement it but my implementation doesn't work, so what I did is: I've added appleapiprovider class which being used in rest framework, this AppleProvider being called this way:

provider = AppleApiProvider()
provider.verify_token(token_sent_from_ios_device) # NOT JWT TOKEN, just code.

这是verify_token方法中发生的事情

and here is what happening in the method verify_token

def verify_token(self, token):
    client_id, client_secret = self.get_key_and_secret()
    headers = {'content-type': "application/x-www-form-urlencoded"}
    data = {
        'client_id': client_id,
        'client_secret': client_secret,
        'code': access_token,
        'grant_type': 'authorization_code',
        'redirect_uri': 'https://example-app.com/redirect'
    }
    res = requests.post('https://appleid.apple.com/auth/token', data=data, headers=headers)

    def get_key_and_secret(self):
        headers = {
            'kid': KID
        }

        payload = {
            'iss': ISS,
            'iat': timezone.now(),
            'exp': timezone.now() + timedelta(days=180),
            'aud': 'https://appleid.apple.com',
            'sub': 'com.APP.staging.signin',
        }

        client_secret = jwt.encode(
            payload,
            open('/etc/apple.pem', 'rb').read(),
            algorithm='ES256',
            headers=headers
        ).decode("utf-8")

        return 'com.APP.staging.signin', client_secret

结果我得到了

{error: 'invalid_grant'}

有什么主意吗?这不是client_id和client_secret的问题，我尝试在那里使用绝对随机的字符串，并且说，invalid_client 可能的重复项是:新的Apple登录会不断抛出错误HTTP 400 Invalid_grant 但是我的问题没有确切的解决方案，它应该很小，而且我不知道如何调试它.

Any idea ? It's not a problem with client_id and client_secret, I tried to use there just absolutely random strings and it says, invalid_client Possible duplicate is: New Apple Sign in keeps throwing Error HTTP 400 Invalid_grant but there's no exact solution to my problem, it should be quite small and I don't know how to debug it.

推荐答案

我的错误是将JWT令牌用作"code"参数而不是authorization_code.

My error was using the JWT token as the 'code' parameter instead of the authorization_code.

我正在使用'@ invertase/react-native-apple-authentication'React Native软件包来处理客户端的Apple登录.我认为在本地和其他程序包中传输的数据可能相似.

I am using the '@invertase/react-native-apple-authentication' React Native package to handle Apple Sign in on client side. I think the data transmitted there may be similar across Native and other packages.

此软件包在Apple登录时返回的内容是以下对象:

What this package returns on apple sign-in is the following object:

{
  authorizationCode: string <- this should be sent as "code"
  authorizedScopes: [],
  email: string <- will be null, except for first request. To reset for testing, disconnect the app from apple signin
  fullName: {...} <- will contain null values only, except for first request. see above
  identityToken: string
  nonce: string
  realUserStatus: 1
  state: ?
  user: string  <- should be used to identify users
}

identityToken是一个JWT令牌，在解码时包含以下数据:

The identityToken is a JWT token that when decoded contains the following data:

header:
{
  "kid": string, <- can be used to identify the apple public key one can use to verify the signature (fetched from here https://appleid.apple.com/auth/keys)
  "alg": "RS256"
}

payload:
{
  "iss": "https://appleid.apple.com",
  "aud": <your package ID>,
  "exp": number,
  "iat": number,
  "sub": string, <- same as "user" in above datastructure
  "nonce": string,
  "c_hash": string,
  "email": "asd@privaterelay.appleid.com", <- contains the email, even if the above structure does not contain it
  "email_verified": "true",
  "is_private_email": "true",
  "auth_time": number,
  "nonce_supported": true
}

一个令人困惑的方面是，电子邮件在第一个obj中可以为空，但仍包含在JWT中.尚不清楚在所有情况下是否都需要JWT令牌.对于简单的身份验证服务而言，authorizationCode和用户参数似乎就足够了.

One confusing aspect is, that the email can be null in the first obj, but still be contained in the JWT. It is a bit unclear whether we need the JWT token in all cases. It seems like for a simple authentication service the authorizationCode and user parameters suffices.

这篇关于Apple通过Python登录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！