-
-
Save patrickbussmann/877008231ef082cc5dc4ee5ca661a641 to your computer and use it in GitHub Desktop.
| <?php | |
| # composer require web-token/jwt-framework | |
| require_once 'vendor/autoload.php'; | |
| use Jose\Component\Core\AlgorithmManager; | |
| use Jose\Component\KeyManagement\JWKFactory; | |
| use Jose\Component\Signature\Algorithm\ES256; | |
| use Jose\Component\Signature\JWSBuilder; | |
| use Jose\Component\Signature\Serializer\CompactSerializer; | |
| /** Your team identifier: https://developer.apple.com/account/#/membership/ (Team ID) */ | |
| $teamId = '1A234BFK46'; | |
| /** The client id of your service: https://developer.apple.com/account/resources/identifiers/list/serviceId */ | |
| $clientId = 'org.example.service'; | |
| /** Code from request: https://appleid.apple.com/auth/authorize?response_type=code&client_id={$clientId}&scope=email%20name&response_mode=form_post&redirect_uri={$redirectUri} */ | |
| $code = 'ab1c23456fb104dbfa034e0e66bc58370.0.nrwxq.yQMut7nanacO82i7OvNoBg'; | |
| /** The ID of the key file: https://developer.apple.com/account/resources/authkeys/list (Key ID) */ | |
| $keyFileId = '1ABC6523AA'; | |
| /** The path of the file which you downloaded from https://developer.apple.com/account/resources/authkeys/list */ | |
| $keyFileName = 'AuthKey_1ABC6523AA.p8'; | |
| /** The redirect uri of your service which you used in the $code request */ | |
| $redirectUri = 'https://example.org'; | |
| $algorithmManager = new AlgorithmManager([new ES256()]); | |
| $jwsBuilder = new JWSBuilder($algorithmManager); | |
| $jws = $jwsBuilder | |
| ->create() | |
| ->withPayload(json_encode([ | |
| 'iat' => time(), | |
| 'exp' => time() + 3600, | |
| 'iss' => $teamId, | |
| 'aud' => 'https://appleid.apple.com', | |
| 'sub' => $clientId | |
| ])) | |
| ->addSignature(JWKFactory::createFromKeyFile($keyFileName), [ | |
| 'alg' => 'ES256', | |
| 'kid' => $keyFileId | |
| ]) | |
| ->build(); | |
| $serializer = new CompactSerializer(); | |
| $token = $serializer->serialize($jws, 0); | |
| $data = [ | |
| 'client_id' => $clientId, | |
| 'client_secret' => $token, | |
| 'code' => $code, | |
| 'grant_type' => 'authorization_code', | |
| 'redirect_uri' => $redirectUri | |
| ]; | |
| $ch = curl_init(); | |
| curl_setopt_array ($ch, [ | |
| CURLOPT_URL => 'https://appleid.apple.com/auth/token', | |
| CURLOPT_POSTFIELDS => http_build_query($data), | |
| CURLOPT_RETURNTRANSFER => true | |
| ]); | |
| $response = curl_exec($ch); | |
| curl_close ($ch); | |
| var_export(json_decode($response, true)); | |
| /** | |
| * array ( | |
| * 'access_token' => 'ab12cd3ef45db4f86a7d32cbbf7703a45.0.abcde.Ab01C3_D4elgkHOMcFuXpg', | |
| * 'token_type' => 'Bearer', | |
| * 'expires_in' => 3600, | |
| * 'refresh_token' => 'abcdef12345678bb9bbbefba3e36118a2.0.mrwxq.Vo5t5ogmUXFERuNtiMbrvg', | |
| * 'id_token' => 'RS256 Encoded Hash', | |
| * ) | |
| */ |
Thanks a lot!! will get back if any clarifications
Heyy it works. we changed the request_method from form_state to query. It works.
Is there any other way without using the jwt-framework?? just to know
It works but pay attention, the code provided by the client is valid only for a short time, so dont keep testing with the same code for a long time because it will say invalid_grant
Patrick, I need your help. How do I decrypt the information in the id_token that the apple server returns?
Thank you very much !!!
Patrick, I need your help. How do I decrypt the information in the id_token that the apple server returns?
You saved my life! I am implementing the same using Guzzle and all I needed was to use your curl method instead.
Be careful because of this invalid_client error could be misleading (as always Apple's error messages)
$postParams = array(
'code' => ...,
'client_id' => ...,
'client_secret' => ...,
'grant_type' => 'authorization_code',
'redirect_uri' => ...,
);
$curl = curl_init('https://appleid.apple.com/auth/token');
// never pass params as just array for apple without stringifying via http_build_query()
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($postParams));
When you will use just curl_setopt($curl, CURLOPT_POSTFIELDS, $postParams); it is valid POST request but another type than Apple expects but lazy apple developers are not able to provide error that this type of POST request is unsupported.
Ah yes @aaron2310:
You have the URL. When you open it then you are on the apple sign in page.
Now you sign in with Apple.
Then you'll be redirected to {$redirectUri} with query parameters (or POST body) "code". (and on first sign in first name, last name, email and this things)
So when you'll be redirected to your $redirectUri let your browser console with network tab open. Then you can check your POST Body and/or query parameters easily.
👍