1. 用户授权
当用户在IOS APP端授权登陆之后,APP端可以拿到 identityToken, authorizationCode, userID 这三个字段的数据。
2. php-jwt
后端从前端接收到 identityToken 字符串之后,由于 identityToken 是一个 JWT,因此我们需要安装如下第三方库对 identityToken 进行解析
composer require firebase/php-jwt
3. JWK
安装完成之后,我们还需要获取解密 JWT 的 JWK,这个可以通过访问 https://appleid.apple.com/auth/keys 得到一个 keys 列表,也就是 JWK 列表。这也就意味着客户端向服务器提交的 identityToken 可能是用 keys 里面的特定某个 JWK 来进行加密的。
{
"keys": [
{
"kty": "RSA",
"kid": "86D88Kf",
"use": "sig",
"alg": "RS256",
"n": "iGaLqP6y-SJCCBq5Hv6pGDbG\_SQ11MNjH7rWHcCFYz4hGwHC4lcSurTlV8u3avoVNM8jXevG1Iu1SY11qInqUvjJur--hghr1b56OPJu6H1iKulSxGjEIyDP6c5BdE1uwprYyr4IO9th8fOwCPygjLFrh44XEGbDIFeImwvBAGOhmMB2AD1n1KviyNsH0bEB7phQtiLk-ILjv1bORSRl8AK677-1T8isGfHKXGZ\_ZGtStDe7Lu0Ihp8zoUt59kx2o9uWpROkzF56ypresiIl4WprClRCjz8x6cPZXU2qNWhu71TQvUFwvIvbkE1oYaJMb0jcOTmBRZA2QuYw-zHLwQ",
"e": "AQAB"
},
{
"kty": "RSA",
"kid": "eXaunmL",
"use": "sig",
"alg": "RS256",
"n": "4dGQ7bQK8LgILOdLsYzfZjkEAoQeVC\_aqyc8GC6RX7dq\_KvRAQAWPvkam8VQv4GK5T4ogklEKEvj5ISBamdDNq1n52TpxQwI2EqxSk7I9fKPKhRt4F8-2yETlYvye-2s6NeWJim0KBtOVrk0gWvEDgd6WOqJl\_yt5WBISvILNyVg1qAAM8JeX6dRPosahRVDjA52G2X-Tip84wqwyRpUlq2ybzcLh3zyhCitBOebiRWDQfG26EH9lTlJhll-p\_Dg8vAXxJLIJ4SNLcqgFeZe4OfHLgdzMvxXZJnPp\_VgmkcpUdRotazKZumj6dBPcXI\_XID4Z4Z3OM1KrZPJNdUhxw",
"e": "AQAB"
},
{
"kty": "RSA",
"kid": "AIDOPK1",
"use": "sig",
"alg": "RS256",
"n": "lxrwmuYSAsTfn-lUu4goZSXBD9ackM9OJuwUVQHmbZo6GW4Fu\_auUdN5zI7Y1dEDfgt7m7QXWbHuMD01HLnD4eRtY-RNwCWdjNfEaY\_esUPY3OVMrNDI15Ns13xspWS3q-13kdGv9jHI28P87RvMpjz\_JCpQ5IM44oSyRnYtVJO-320SB8E2Bw92pmrenbp67KRUzTEVfGU4-obP5RZ09OxvCr1io4KJvEOjDJuuoClF66AT72WymtoMdwzUmhINjR0XSqK6H0MdWsjw7ysyd\_JhmqX5CAaT9Pgi0J8lU\_pcl215oANqjy7Ob-VMhug9eGyxAWVfu\_1u6QJKePlE-w",
"e": "AQAB"
}
]
}
接下来就需要我们确定当前的 identityToken 到底是使用哪个 JWK 来加密的,这样做可以避免批量生成证书,提升性能。
// 处理 JWK 列表
$client=new Client();
$reqUrl='https://appleid.apple.com/auth/keys';
$res=$client->request('GET',$reqUrl);
$resData=json_decode($res->getBody()->getContents(),true);
$keys=$resData['keys'];
$keys_map=[];
foreach($keys as $key){
$keys_map[$key['kid']]=$key;
}
// 定位用于加密当前 identityToken 的 JWK
$tks = explode('.', $identityToken);
list($headb64, $bodyb64, $cryptob64) = $tks;
$header=JWT::jsonDecode(JWT::urlsafeB64Decode($headb64));
$key_used=$keys_map[$header->kid];
确定了 JWK 之后,安装如下第三方库就可以将 JWK 转换为 PEM了。
composer require codercat/jwk-to-pem
然后通过如下方式即可获取用户的数据了
$jwkConverter = new JWKConverter();
$publicKey=$jwkConverter->toPEM($key_used);
$decode=JWT::decode($identityToken,$publicKey,['RS256']);
print_r($decode);
参考文献
- iOS 13 苹果账号登陆与后台验证相关 https://juejin.im/post/5d551d11e51d4561cf15dfae