最近新开发的app在IOS平台app store connent提审的时候,被拒了,原因是app上如果有接第三方登陆(比如微信,微博,facebook等),那就必须要接apple id登陆,坑爹~苹果霸权啊!然而没办法,所以只能接入苹果登录。
APP端的接入可以看上一篇博客:iOS苹果授权登录(Sign in with Apple)/Apple登录/苹果登录集成教程,下面我来说一下对接苹果登陆的后端验证模块。
这里先说一下apple id登陆的主要流程和涉及到的一些知识点。首先apple登陆的时序图如下:
先是app和苹果服务器通信获得identitytoken,然后把identitytoken交给业务后台验证,验证通过就可以了。
其中appServer涉及到的验证,就是identitytoken,其实identitytoken就是一个jws(关于jws的只是可以参考https://www.jianshu.com/p/50ade6f2e4fd),至于校验jws,其实是有现成的jar包可以实现,验证jws的签名,保证数据没有被篡改之后,还要校验从identitytokendecode出来的nonce,iss,aud,exp,主要是iss和exp这两个。
针对后端验证苹果提供了两种验证方式,一种是基于JWT的算法验证,另外一种是基于授权码的验证。
一、苹果登录JAVA后台校验:JWT的identityToken验证模式
//接口返回值
{
"keys": [
{
"kty": "RSA",
"kid": "AIDOPK1",
"use": "sig",
"alg": "RS256",
"n": "lxrwmuYSAsTfn-lUu4goZSXBD9ackM9OJuwUVQHmbZo6GW4Fu_auUdN5zI7Y1dEDfgt7m7QXWbHuMD01HLnD4eRtY-RNwCWdjNfEaY_esUPY3OVMrNDI15Ns13xspWS3q-13kdGv9jHI28P87RvMpjz_JCpQ5IM44oSyRnYtVJO-320SB8E2Bw92pmrenbp67KRUzTEVfGU4-obP5RZ09OxvCr1io4KJvEOjDJuuoClF66AT72WymtoMdwzUmhINjR0XSqK6H0MdWsjw7ysyd_JhmqX5CAaT9Pgi0J8lU_pcl215oANqjy7Ob-VMhug9eGyxAWVfu_1u6QJKePlE-w",
"e": "AQAB"
}
]
}
kid,为密钥id标识,签名算法采用的是RS256(RSA 256 + SHA 256),kty常量标识使用RSA签名算法,其公钥参数为n和e,其值采用了BASE64编码,使用时需要先解码
- 使用方式:APP内苹果授权登陆会提供如下几个参数:userID、email、fullName、authorizationCode、identityToken
- userID:授权的用户唯一标识
- email、fullName:授权的用户资料
- authorizationCode:授权code
- identityToken:授权用户的JWT凭证
下面针对identityToken后端验证做简要说明,话不多说直接上代码:
1、app端请求appleServer返回的identityTokenn参考样例
"identityToken":"ZXlKcmFXUWlPaUpsV0dGMWJtMU1JaXdpUndje***xMXpZZ3BiYWRIWHdGVEtR4ejRPZTBhUkdtcHZOZFpWVkJGQjN4OU13"
// jwt 格式 该token的有效期是10分钟
eyJraWQiOiJBSURPUEsxIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnNreW1pbmcuZGV2aWNlbW9uaXRvciIsImV4cCI6MTU2NTY2ODA4NiwiaWF0IjoxNTY1NjY3NDg2LCJzdWIiOiIwMDEyNDcuOTNiM2E3OTlhN2M4NGMwY2I0NmNkMDhmMTAwNzk3ZjIuMDcwNCIsImNfaGFzaCI6Ik9oMmFtOWVNTldWWTNkcTVKbUNsYmciLCJhdXRoX3RpbWUiOjE1NjU2Njc0ODZ9.e-pdwK4iKWErr_Gcpkzo8JNi_MWh7OMnA15FvyOXQxTx0GsXzFT3qE3DmXqAar96nx3EqsHI1Qgquqt2ogyj-lLijK_46ifckdqPjncTEGzVWkNTX8uhY7M867B6aUnmR7u-cf2HsmhXrvgsJLGp2TzCI3oTp-kskBOeCPMyTxzNURuYe8zabBlUy6FDNIPeZwZXZqU0Fr3riv2k1NkGx5MqFdUq3z5mNfmWbIAuU64Z3yKhaqwGd2tey1Xxs4hHa786OeYFF3n7G5h-4kQ4lf163G6I5BU0etCRSYVKqjq-OL-8z8dHNqvTJtAYanB3OHNWCHevJFHJ2nWOTT3sbw
// header 解码
{"kid":"AIDOPK1","alg":"RS256"} 其中kid对应上文说的密钥id
// claims 解码
{
"iss":"https://appleid.apple.com", // 苹果签发的标识
"aud":"com.skyming.devicemonitor", // 接收者的APP ID
"exp":1565668086,"iat":1565667486,
"sub":"001247.93b3a799a7c84c0cb46cd08f100797f2.0704", //用户的唯一标识
"c_hash":"Oh2am9eMNWVY3dq5JmClbg",
"auth_time":1565667486
}
其中 iss标识是苹果签发的,aud是接收者的APP ID,该token的有效期是10分钟,sub就是用户的唯一标识
如何验证呢?
//首先通过identityToken中的header中的kid,然后结合苹果获取公钥的接口,拿到相应的n和e的值,然后通过下面这个方法构建RSA公钥
public RSAPublicKeySpec build(String n, String e) {
BigInteger modulus = new BigInteger(1, Base64.decodeBase64(n));
BigInteger publicExponent = new BigInteger(1, Base64.decodeBase64(e));
return new RSAPublicKeySpec(modulus, publicExponent);
}
//获取验证所需的PublicKey
public PublicKey getPublicKey(String n,String e)throws NoSuchAlgorithmException, InvalidKeySpecException {
BigInteger bigIntModulus = new BigInteger(1,Base64.decodeBase64(n));
BigInteger bigIntPrivateExponent = new BigInteger(1,Base64.decodeBase64(e));
RSAPublicKeySpec keySpec = new RSAPublicKeySpec(bigIntModulus, bigIntPrivateExponent);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PublicKey publicKey = keyFactory.generatePublic(keySpec);
return publicKey;
}
//通过下面这个方法验证JWT的有效性
// jwt 就是 identityToken:授权用户的JWT凭证
// audience就是APPID
// subject 就是 就是userId
public int verify(PublicKey key, String jwt, String audience, String subject) {
JwtParser jwtParser = Jwts.parser().setSigningKey(key);
jwtParser.requireIssuer("https://appleid.apple.com");
jwtParser.requireAudience(audience);
jwtParser.requireSubject(subject);
try {
Jws<Claims> claim = jwtParser.parseClaimsJws(jwt);
if (claim != null && claim.getBody().containsKey("auth_time")) {
return GlobalCode.SUCCESS;
}
return GlobalCode.THIRD_AUTH_CODE_INVALID;
} catch (ExpiredJwtException e) {
log.error("apple identityToken expired", e);
return GlobalCode.THIRD_AUTH_CODE_INVALID;
} catch (Exception e) {
log.error("apple identityToken illegal", e);
return GlobalCode.FAIL_ILLEGAL_REQ;
}
}
//使用的JWT工具库为:
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.9.1</version>
</dependency>
2、完整校验代码:
(1)有2次验证,分别调取apple提供的接口和标识
private final String APPLE_AUTH_URL = "https://appleid.apple.com/auth/keys";
private final String ISS = "https://appleid.apple.com";
(2)一次是利用token获取解密的publicKey;另一次就是再校验这个publicKey及token。
verify(AppleLoginVO appleLoginVO)里解析token
然后getPublicKey(kid)获取publicKey
然后再verify(publicKey, identityToken, aud, sub)校验
(3)封装的httpclient请求:private JSONObject getHttp(String url)
完整示例代码:
@Slf4j
@Service
public class AppleLoginService {
private final String APPLE_AUTH_URL = "https://appleid.apple.com/auth/keys";
private final String ISS = "https://appleid.apple.com";
public boolean verify(AppleLoginVO appleLoginVO) {
//这里传过来的identityToken应该是三个.分割,解密之后
String identityToken = appleLoginVO.getIdentityToken();
try {
if (identityToken.split("\.").length > 1){
String firstDate = new String( Base64.decodeBase64(identityToken.split("\.")[0]),"UTF-8");
String claim = new String(Base64.decodeBase64(identityToken.split("\.")[1]), "UTF-8");
String kid = JSONObject.parseObject(firstDate).get("kid").toString();
String aud = JSONObject.parseObject(claim).get("aud").toString();
String sub = JSONObject.parseObject(claim).get("sub").toString();
PublicKey publicKey = getPublicKey(kid);
if (publicKey == null) {
log.error("Apple have no info data!");
return false;
}
boolean reuslt = verify(publicKey, identityToken, aud, sub);
if (reuslt) {
log.info("苹果登录授权成功");
return true;
}
}
} catch (Exception e) {
log.error("苹果登录授权异常:", LogUtil.getStack(e));
e.printStackTrace();
}
log.error("identityToken格式不正确");
return false;
}
private PublicKey getPublicKey(String kid) {
try {
JSONObject debugInfo = getHttp(APPLE_AUTH_URL);
if (debugInfo == null) {
return null;
}
JSONObject jsonObject = debugInfo.getJSONObject("body");
String keys = jsonObject.getString("keys");
JSONArray jsonArray = JSONObject.parseArray(keys);
if (jsonArray.isEmpty()) {
return null;
}
for (Object object : jsonArray) {
JSONObject json = ((JSONObject) object);
if (json.getString("kid").equals(kid)) {
String n = json.getString("n");
String e = json.getString("e");
BigInteger modulus = new BigInteger(1, Base64.decodeBase64(n));
BigInteger publicExponent = new BigInteger(1, Base64.decodeBase64(e));
RSAPublicKeySpec spec = new RSAPublicKeySpec(modulus, publicExponent);
KeyFactory kf = KeyFactory.getInstance("RSA");
return kf.generatePublic(spec);
}
}
} catch (Exception e) {
log.error("getPublicKey异常!", LogUtil.getStack(e));
e.printStackTrace();
}
return null;
}
private boolean verify(PublicKey key, String jwt, String audience, String subject){
boolean result = false;
JwtParser jwtParser = Jwts.parser().setSigningKey(key);
jwtParser.requireIssuer(ISS);
jwtParser.requireAudience(audience);
jwtParser.requireSubject(subject);
try {
Jws<Claims> claim = jwtParser.parseClaimsJws(jwt);
if (claim != null && claim.getBody().containsKey("auth_time")) {
return true;
}
} catch (ExpiredJwtException e) {
log.error("getPublicKey异常{苹果identityToken过期}", LogUtil.getStack(e));
} catch (SignatureException e) {
log.error("getPublicKey异常{苹果identityToken非法}", LogUtil.getStack(e));
}
return result;
}
private JSONObject getHttp(String url) {
log.info("[请求地址]: " + url);
JSONObject resultJson = new JSONObject();
resultJson.put("code", -1);
CloseableHttpClient httpclient = HttpClients.createDefault();
try {
HttpGet httpPost = new HttpGet(url);
CloseableHttpResponse response = httpclient.execute(httpPost);
try {
HttpEntity entity = response.getEntity();
if (response.getStatusLine().getStatusCode() == 200) {
String resp = EntityUtils.toString(entity);
resultJson.put("code", 0);
resultJson.put("body", JSONObject.parseObject(resp));
} else {
resultJson.put("code", response.getStatusLine().getStatusCode());
log.error("[错误码] :" + response.getStatusLine().getStatusCode());
log.error("[请求地址] :" + url);
}
} finally {
response.close();
}
} catch (ClientProtocolException e) {
log.error("[异常] :", LogUtil.getStack(e));
} catch (IOException e) {
log.error("[异常] :", LogUtil.getStack(e));
} finally {
try {
httpclient.close();
} catch (IOException e) {
log.error("[httpclient 关闭异常] : ", LogUtil.getStack(e));
}
}
return resultJson;
}
}