Apple Sign-In: How to use it for custom server endpoint authentication?


Question

My use case is that once I have a user signed into my app, I use the Oauth token, resulting from the sign-in, when I make endpoint calls from my app to my custom server-- to authenticate the caller. E.g., I use Google Sign In in this way.

This method (e.g., with Google Sign In) has several useful properties:

  1. Updated tokens are created automatically on the client app.

  2. My custom server can easily verify the validity of the token, using Google's endpoints.

  3. Initial token verification can take place early in the endpoint request processing-- without access to the custom server's database (as in the style in https://github.com/IBM-Swift/Kitura-Credentials).

My question is: Given that we're being told we have to incorporate Apple Sign-In into our iOS apps (if we offer general purpose sign-in facilities), how can I do endpoint authentication with my custom server?

I see two alternatives, neither of which I like very much.

First, I can have my client app send an Apple Sign In id_token to my server and ignore the exp (expiry) field. I can regenerate the id_token periodically (apparently, no more than once a day) and send it back to my client. I don't like this idea both because of ignoring the expiry of the token, and because of the need to periodically send the token from server to client. (My app uses multiple sign in systems and this just creates extra difficulty).

Second, I could have my client send an Apple Sign In refresh token to my server. My server would need, of course, to initially generate that refresh token and send it back to the client. I like this idea even less than the first idea. My initial token verification in my custom server would need to access its database to look for a match for this token. I can't generally use an Apple endpoint -- because, again, Apple is apparently going to throttle this verification.

Additionally, I don't really like the idea that my custom server can, at best, check on token validity once a day. If the user revokes the app's credentials, I would hope my custom server would stop being able to operate on behalf of the user relatively quickly.

Ideas?

10/5/19-- update to the first alternative above. Upon actual use of https://developer.apple.com/documentation/signinwithapplerestapi/generate_and_validate_tokens for refresh token validation, I find that it is not actually generating an updated id token. It is generating an access token (but Apple doesn't define a use for that), and is validating the refresh token. And so, there is no way to send an updated id token to the client iOS app. Thus, using the first alternative, the expiry date of the id token cannot be used.

10/10/19-- update: I've written a blog article on this subject-- https://medium.com/@crspybits/apple-sign-in-custom-servers-and-an-expiry-conundrum-d1ad63223870

8/6/20-- update: Follow on blog article with possible path forward, pending details from Apple: https://medium.com/@crspybits/part-ii-apple-sign-in-custom-servers-and-an-expiry-conundrum-b3e9735dc079
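The two server-side pieces the question turns on, as an added example that is not code from the question, the linked articles or Apple: checking the claims of a client-supplied id_token (including the exp field) and holding an Apple refresh token on the server that is re-validated at most once a day and dropped once Apple reports it invalid. The client id, the sample token and the apple_validate callable (standing in for the generate_and_validate_tokens endpoint) are constructed assumptions; verifying the JWT signature against Apple's published public keys is assumed to happen separately.

```python
import base64
import json

APPLE_ISSUER = "https://appleid.apple.com"
REVALIDATION_INTERVAL = 24 * 60 * 60  # the once-a-day limit the question describes


def id_token_claims(id_token: str) -> dict:
    """Decode the JWT payload (second base64url segment). This does not verify
    the signature; that check against Apple's public keys is assumed elsewhere."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def id_token_is_fresh(claims: dict, client_id: str, now: int) -> bool:
    """Claim checks a custom server should make before trusting an id_token."""
    return (
        claims.get("iss") == APPLE_ISSUER
        and claims.get("aud") == client_id
        and "sub" in claims
        and claims.get("exp", 0) > now  # honour exp instead of ignoring it
    )


class RefreshTokenSession:
    """Server-side record for the question's second alternative: the server keeps
    the Apple refresh token and asks Apple about it at most once per day."""

    def __init__(self, user_sub: str, refresh_token: str, validated_at: int):
        self.user_sub = user_sub
        self.refresh_token = refresh_token
        self.validated_at = validated_at  # last time Apple confirmed the token
        self.revoked = False

    def authorize(self, apple_validate, now: int) -> bool:
        """apple_validate(refresh_token) -> bool is a hypothetical stand-in for
        Apple's refresh-token validation endpoint."""
        if self.revoked:
            return False
        if now - self.validated_at < REVALIDATION_INTERVAL:
            return True  # still inside the daily window: reuse the stored result
        if apple_validate(self.refresh_token):
            self.validated_at = now
            return True
        self.revoked = True  # user revoked the app's credentials: stop acting for them
        return False


# Constructed sample (no real signature) used to exercise the claim checks.
SAMPLE_CLAIMS = {"iss": APPLE_ISSUER, "aud": "com.example.app",
                 "sub": "001234.abcd", "exp": 1700000000}
SAMPLE_ID_TOKEN = "hdr." + base64.urlsafe_b64encode(
    json.dumps(SAMPLE_CLAIMS).encode()).rstrip(b"=").decode() + ".sig"
```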

Answer

In Get the most out of Sign in with Apple in WWDC 2020, at 11:30 in their presentation, they introduce server-to-server notifications to enable your server to monitor user account state changes on a real-time basis.

So far, few details on this though.
