pedrocaseiro

pedrocaseiro

How to implement Apple Login in a Phoenix app?

Hey everyone!
I’m currently implementing sign in with apple on my app. I’m already at the point where I got the JWT that I need to decode to validate the user and the key hash from apple (includes the kid, the alg etc…
How can I use the information from the key hash to decode the JWT correctly?
In Ruby it seems pretty straight forward with

keyHash = ActiveSupport::HashWithIndifferentAccess.new(apple_certificate["keys"].select {|key| key["kid"] == kid}[0])
jwk = JWT::JWK.import(keyHash)
token_data = JWT.decode(jwt, jwk.public_key, true, {algorithm: alg})[0]

But I’m having a hard time finding the equivalent in Elixir. I took a look at JOSE.JWK but I’m not sure which method I should use to generate the JWK and fetch the public key afterward
Thanks!

Most Liked

Udi

Udi

defmodule Accounts.AppleAuth do
  @apple_keys_url "https://appleid.apple.com/auth/keys"
  @aud "com.blahblah"

  def verify_identity_token(identity_token) do
    # Fetch Apple's public keys
    case get_apple_public_keys() do
      {:ok, apple_keys} ->
        with {:ok, token} <- decode_and_verify(identity_token, apple_keys) do
          verify_claims(token)
        end

      {:error, reason} ->
        {:error, reason}
    end
  end

  defp get_apple_public_keys() do
    case HTTPoison.get(@apple_keys_url) do
      {:ok, %HTTPoison.Response{status_code: 200, body: body}} ->
        case Jason.decode(body) do
          {:ok, %{"keys" => keys}} ->
            {:ok, keys}
          {:error, _} ->
            {:error, "Failed to decode Apple's public keys"}
        end

      {:ok, %HTTPoison.Response{status_code: status_code}} ->
        {:error, "Failed to fetch Apple's public keys, status code: #{status_code}"}

      {:error, %HTTPoison.Error{reason: reason}} ->
        {:error, "HTTP request failed: #{reason}"}
    end
  end

  defp decode_and_verify(token, apple_keys) do
    # Find the appropriate key for the token
    key = find_apple_key(token, apple_keys)

    if key do
      jwk = JOSE.JWK.from(key)
      {verified, jwt, _} = JOSE.JWT.verify_strict(jwk, ["RS256"], token)
      if verified, do: {:ok, jwt}, else: {:error, "Invalid token signature"}
    else
      {:error, "No matching key found"}
    end
  end

  defp verify_claims(jwt) do
    %JOSE.JWT{fields: claims} = jwt

    case claims do
      %{"aud" => @aud, "exp" => exp} ->
        current_time = System.system_time(:second)

        if exp > current_time do
          {:ok, claims}
        else
          {:error, "Token has expired"}
        end

      _ ->
        {:error, "Invalid claims"}
    end
  end

  defp find_apple_key(token, keys) do
    # Decode token header to find matching `kid`
    %JOSE.JWS{fields: %{"kid" => kid}} = JOSE.JWT.peek_protected(token)
    Enum.find(keys, fn key -> key["kid"] == kid end)
  end
end

The above seems to be working for me! Hope it helps someone out one day.

jayden

jayden

I recently implemented Sign in with Apple in our app, and I used Joken to handle both token verification and client secret generation.

Here’s what I did to decode the JWT (Note: My example uses Joken v1.5)

token = Joken.token(id_token)
%{"alg" => alg, "kid" => key_id} = Joken.peek_header(token)

token
|> Joken.with_signer(Signer.rs(alg, public_key))
|> Joken.with_validation("aud", &(&1 == "<client_id>"))
|> Joken.with_validation("exp", &(&1 >= System.os_time(:second)))
|> Joken.with_validation("iss", &(&1 == "<issuer>"))
|> Joken.verify!()

public_key above is the matching key fetched from Apple’s public key endpoint.

Hope this helps - and feel free to reach out with additional questions

JeyHey

JeyHey

With Assent it is very easy too (in my mix file: {:assent, "~> 0.1.13"}). You just have to pass the apple authorization code (ASAuthorizationAppleIDCredentialauthorizationCode) and the apple_id is then verified. No need to manually pass the public key and algorithm. You don’t even need to pass the identityToken:

def check_apple_sign_in(_apple_jwt, apple_auth) do
    [
     client_id: "com.your_domain.your_app",
     team_id: "YOUR_ID",
     private_key_id: "KEY_ID",
     private_key_path: "/Users/you/development/Keys/AuthKey_2YZ4LV4PYI.p8",
     redirect_uri: nil
    ]
    |> Assent.Config.put(:session_params, %{})
    |> Assent.Strategy.Apple.callback(%{"code" => apple_auth})
    |> case do
      {:ok, %{user: user, token: token}} ->
        %{"sub" => user_id} = user
        Logger.info "apple sign in verification successful. user: #{Kernel.inspect(user)}; token: #{Kernel.inspect(token)}"
        {:ok, user_id} #the user_id you are interested in
      error ->
        Logger.info "apple sign in verification not successful: #{Kernel.inspect(error)}"
        {:error, :authentication}
    end
  end

Where Next?

Popular in Questions Top

lastday4you
I wanted to check elixir version in phoenix because i found that my elixir is 1.5 but when i use Enum.chunk_by it said the function is un...
New
mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
skosch
To my knowledge, put_in, Map.update etc. all have the one limitation of not automatically creating intermediate keys when needed (for exa...
New
Patoshizzle
After calling mix ecto.create I get this error: 17:00:32.162 [error] GenServer #PID&lt;0.412.0&gt; terminating ** (Postgrex.Error) FATAL...
New
ovidiubadita
Hey all, I discovered Elixir and I love it. I always wanted to learn a functional programming and I intended to go for Haskell, but afte...
New
JulienCorb
I am trying to implement my new.html.eex file to create new posts on my website. new.html.eex: &lt;h1&gt;Create Post&lt;/h1&gt; &lt;%= ...
New
Lily
In templates/appointment/index.html.eex: &lt;%= for appointment &lt;- @appointments do %&gt; &lt;tr&gt; &lt;td&gt;&lt;%= appoi...
New
vegabook
I’m brand new to Phoenix and I have stripped one of the demo applications to the bone. I just want to get an svg up on the screen. Here i...
New
alice
Hey, Just curious what are the main benefits of Elixir compared to Clojure? When is Elixir more useful than Clojure and vice versa? Th...
New
belgoros
I’m not a pro in using Regex and can’t figure out why the following behaviour happens, especially if we take into account the difference ...
New

Other popular topics Top

albydarned
Hello all! I am typing this post from my new MacBook Pro with the M1 chip. I’m loving it so far, and will probably use it as my daily dr...
New
electic
Hi, I am new to Elixir. I am trying to use the DateTime component to insert a date into MySQL however the there seems to be no way to fo...
New
jerry
Good day to you all. I have been struggling to get a query involving like and ilike to work. Can anyone assist me on this, please? pro...
New
JorisKok
I have a server on AWS, and was running a load test using artillery. When looking at the Phoenix dashboard I see the Ports going to 100% ...
New
aesmail
Hello guys, I have finally made it. I created an admin interface for a framework. It’s been on my todo list for years and with the curre...
New
alice
Hey, Just curious what are the main benefits of Elixir compared to Clojure? When is Elixir more useful than Clojure and vice versa? Th...
New
jason.o
In the code below, if the create action is not set to accept “extra_key” as an input, it errors out with a message shown above. Is there ...
New
dblack
I’ve got an issue with an app and I’ve no idea of how to troubleshoot it. I’m hoping someone here might have seen something similar. I p...
New
romenigld
I am trying to run a deploy with docker and I successfully runned with this command: docker build -t romenigld/blog-prod . but when I t...
New
nsuchy
Hi. I’ve noticed that Windows Powershell has it’s own IEX command and you cannot access Elixir’s IEX due to the conflict. This isn’t a cr...
New

Latest on Elixir Forum

Elixir Forum

We're in Beta

About us Mission Statement