sign-in-with-apple 苹果登陆,后端如何解析用户数据?

1. 用户授权

当用户在IOS APP端授权登陆之后,APP端可以拿到 identityToken, authorizationCode, userID 这三个字段的数据。

2. php-jwt

后端从前端接收到 identityToken 字符串之后,由于 identityToken 是一个 JWT,因此我们需要安装如下第三方库对 identityToken 进行解析

composer require firebase/php-jwt

3. JWK

安装完成之后,我们还需要获取解密 JWTJWK,这个可以通过访问 https://appleid.apple.com/auth/keys 得到一个 keys 列表,也就是 JWK 列表。这也就意味着客户端向服务器提交的 identityToken 可能是用 keys 里面的特定某个 JWK 来进行加密的。

{
  "keys": [
    {
      "kty": "RSA",
      "kid": "86D88Kf",
      "use": "sig",
      "alg": "RS256",
      "n": "iGaLqP6y-SJCCBq5Hv6pGDbG\_SQ11MNjH7rWHcCFYz4hGwHC4lcSurTlV8u3avoVNM8jXevG1Iu1SY11qInqUvjJur--hghr1b56OPJu6H1iKulSxGjEIyDP6c5BdE1uwprYyr4IO9th8fOwCPygjLFrh44XEGbDIFeImwvBAGOhmMB2AD1n1KviyNsH0bEB7phQtiLk-ILjv1bORSRl8AK677-1T8isGfHKXGZ\_ZGtStDe7Lu0Ihp8zoUt59kx2o9uWpROkzF56ypresiIl4WprClRCjz8x6cPZXU2qNWhu71TQvUFwvIvbkE1oYaJMb0jcOTmBRZA2QuYw-zHLwQ",
      "e": "AQAB"
    },
    {
      "kty": "RSA",
      "kid": "eXaunmL",
      "use": "sig",
      "alg": "RS256",
      "n": "4dGQ7bQK8LgILOdLsYzfZjkEAoQeVC\_aqyc8GC6RX7dq\_KvRAQAWPvkam8VQv4GK5T4ogklEKEvj5ISBamdDNq1n52TpxQwI2EqxSk7I9fKPKhRt4F8-2yETlYvye-2s6NeWJim0KBtOVrk0gWvEDgd6WOqJl\_yt5WBISvILNyVg1qAAM8JeX6dRPosahRVDjA52G2X-Tip84wqwyRpUlq2ybzcLh3zyhCitBOebiRWDQfG26EH9lTlJhll-p\_Dg8vAXxJLIJ4SNLcqgFeZe4OfHLgdzMvxXZJnPp\_VgmkcpUdRotazKZumj6dBPcXI\_XID4Z4Z3OM1KrZPJNdUhxw",
      "e": "AQAB"
    },
    {
      "kty": "RSA",
      "kid": "AIDOPK1",
      "use": "sig",
      "alg": "RS256",
      "n": "lxrwmuYSAsTfn-lUu4goZSXBD9ackM9OJuwUVQHmbZo6GW4Fu\_auUdN5zI7Y1dEDfgt7m7QXWbHuMD01HLnD4eRtY-RNwCWdjNfEaY\_esUPY3OVMrNDI15Ns13xspWS3q-13kdGv9jHI28P87RvMpjz\_JCpQ5IM44oSyRnYtVJO-320SB8E2Bw92pmrenbp67KRUzTEVfGU4-obP5RZ09OxvCr1io4KJvEOjDJuuoClF66AT72WymtoMdwzUmhINjR0XSqK6H0MdWsjw7ysyd\_JhmqX5CAaT9Pgi0J8lU\_pcl215oANqjy7Ob-VMhug9eGyxAWVfu\_1u6QJKePlE-w",
      "e": "AQAB"
    }
  ]
}

接下来就需要我们确定当前的 identityToken 到底是使用哪个 JWK 来加密的,这样做可以避免批量生成证书,提升性能。

// 处理 JWK 列表
$client=new Client();  
$reqUrl='https://appleid.apple.com/auth/keys';  
$res=$client->request('GET',$reqUrl);  
$resData=json_decode($res->getBody()->getContents(),true);  
$keys=$resData['keys'];  
$keys_map=[];  
foreach($keys as $key){  
  $keys_map[$key['kid']]=$key;  
}  
// 定位用于加密当前 identityToken 的 JWK
$tks = explode('.', $identityToken);  
list($headb64, $bodyb64, $cryptob64) = $tks;  
$header=JWT::jsonDecode(JWT::urlsafeB64Decode($headb64));  
$key_used=$keys_map[$header->kid];

确定了 JWK 之后,安装如下第三方库就可以将 JWK 转换为 PEM了。

  composer require codercat/jwk-to-pem

然后通过如下方式即可获取用户的数据了

$jwkConverter = new JWKConverter();  
$publicKey=$jwkConverter->toPEM($key_used);
$decode=JWT::decode($identityToken,$publicKey,['RS256']);
print_r($decode);

参考文献

posted on 2020-03-28 09:53  思过崖灬  阅读(1014)  评论(0编辑  收藏  举报

导航