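<?php

declare(strict_types=1);

# composer require web-token/jwt-framework
require_once 'vendor/autoload.php';

use Jose\Component\Core\AlgorithmManager;
use Jose\Component\KeyManagement\JWKFactory;
use Jose\Component\Signature\Algorithm\ES256;
use Jose\Component\Signature\JWSBuilder;
use Jose\Component\Signature\Serializer\CompactSerializer;

/*
 * Exchange a "Sign in with Apple" authorization code for tokens.
 *
 * 1. Build the client secret: an ES256-signed JWT (header alg/kid, claims
 *    iat/exp/iss/aud/sub) signed with the private key file downloaded from the
 *    developer portal. The key itself never leaves this process.
 * 2. POST the code to https://appleid.apple.com/auth/token as
 *    application/x-www-form-urlencoded and print the decoded JSON reply.
 *
 * The values below are placeholders; replace them with your own.
 */

/** Your team identifier: https://developer.apple.com/account/#/membership/ (Team ID) */
$teamId = '1A234BFK46';
/** The client id of your service: https://developer.apple.com/account/resources/identifiers/list/serviceId */
$clientId = 'org.example.service';
/** Code from request: https://appleid.apple.com/auth/authorize?response_type=code&client_id={$clientId}&scope=email%20name&response_mode=form_post&redirect_uri={$redirectUri} */
$code = 'ab1c23456fb104dbfa034e0e66bc58370.0.nrwxq.yQMut7nanacO82i7OvNoBg';
/** The ID of the key file: https://developer.apple.com/account/resources/authkeys/list (Key ID) */
$keyFileId = '1ABC6523AA';
/** The path of the file which you downloaded from https://developer.apple.com/account/resources/authkeys/list */
$keyFileName = 'AuthKey_1ABC6523AA.p8';
/** The redirect uri of your service which you used in the $code request */
$redirectUri = 'https://example.org';

// Read the clock once so that iat and exp are computed from the same instant.
$now = time();
// Lifetime of the client secret in seconds; one hour is enough for a single exchange.
$secretTtl = 3600;

$algorithmManager = new AlgorithmManager([new ES256()]);
$jwsBuilder = new JWSBuilder($algorithmManager);
$jws = $jwsBuilder
    ->create()
    ->withPayload(json_encode([
        'iat' => $now,
        'exp' => $now + $secretTtl,
        'iss' => $teamId,
        'aud' => 'https://appleid.apple.com',
        'sub' => $clientId,
    ], JSON_THROW_ON_ERROR))
    ->addSignature(JWKFactory::createFromKeyFile($keyFileName), [
        'alg' => 'ES256',
        'kid' => $keyFileId,
    ])
    ->build();

$serializer = new CompactSerializer();
// Signature index 0: the JWS built above carries exactly one signature.
$token = $serializer->serialize($jws, 0);

$data = [
    'client_id' => $clientId,
    'client_secret' => $token,
    'code' => $code,
    'grant_type' => 'authorization_code',
    'redirect_uri' => $redirectUri,
];

$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => 'https://appleid.apple.com/auth/token',
    // http_build_query() makes cURL send application/x-www-form-urlencoded;
    // passing the array directly would produce a multipart/form-data body instead.
    CURLOPT_POSTFIELDS => http_build_query($data),
    CURLOPT_RETURNTRANSFER => true,
]);
$response = curl_exec($ch);
// curl_exec() returns false on a transport error (DNS, TLS, timeout). Fail loudly
// instead of feeding false into json_decode() and silently printing NULL.
if ($response === false) {
    $error = curl_error($ch);
    curl_close($ch);
    throw new RuntimeException('Token request failed: ' . $error);
}
curl_close($ch);

// Apple answers with a JSON object on both success and failure (e.g. {"error": "invalid_grant"});
// a non-JSON body is unexpected and surfaces as a JsonException.
$decoded = json_decode($response, true, 512, JSON_THROW_ON_ERROR);
var_export($decoded);

/**
 * array (
 *   'access_token' => 'ab12cd3ef45db4f86a7d32cbbf7703a45.0.abcde.Ab01C3_D4elgkHOMcFuXpg',
 *   'token_type' => 'Bearer',
 *   'expires_in' => 3600,
 *   'refresh_token' => 'abcdef12345678bb9bbbefba3e36118a2.0.mrwxq.Vo5t5ogmUXFERuNtiMbrvg',
 *   'id_token' => 'RS256 Encoded Hash',
 * )
 */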
Hey, it works. We changed the request_method from form_state to query, and it works.
Is there any other way to do this without using the jwt-framework? Just curious.
It works, but pay attention: the code provided by the client is valid only for a short time, so don't keep testing with the same code for long, or the response will be invalid_grant.
Patrick, I need your help. How do I decrypt the information in the id_token that the apple server returns?
Thank you very much !!!
Patrick, I need your help. How do I decrypt the information in the id_token that the apple server returns?
You saved my life! I am implementing the same using Guzzle and all I needed was to use your curl method instead.
Be careful: this invalid_client error can be misleading (as Apple's error messages usually are).
// Body of the POST to https://appleid.apple.com/auth/token; "..." stands for your real values.
$postParams = array(
'code' => ...,
'client_id' => ...,
'client_secret' => ...,
'grant_type' => 'authorization_code',
'redirect_uri' => ...,
);
$curl = curl_init('https://appleid.apple.com/auth/token');
// never pass params as just array for apple without stringifying via http_build_query()
// (an array makes cURL send multipart/form-data; the query string is sent as
// application/x-www-form-urlencoded, which is the form the token endpoint expects)
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($postParams));
If you use just `curl_setopt($curl, CURLOPT_POSTFIELDS, $postParams);`, it is a valid POST request, but of a different type than Apple expects, and the lazy Apple developers do not provide an error saying that this type of POST request is unsupported.
Thanks a lot! I will get back if I need any clarifications.