fix: use raw base64 url decoding

app/package-lock.json

@@ -9,7 +9,7 @@
       "version": "1.0.0",
       "license": "ISC",
       "dependencies": {
-				"@authorizerdev/authorizer-react": "^0.24.0-beta.1",
+        "@authorizerdev/authorizer-react": "^0.24.0-beta.2",
         "@types/react": "^17.0.15",
         "@types/react-dom": "^17.0.9",
         "esbuild": "^0.12.17",
@@ -37,9 +37,9 @@
       }
     },
     "node_modules/@authorizerdev/authorizer-react": {
-			"version": "0.24.0-beta.1",
+      "version": "0.24.0-beta.2",
-			"resolved": "https://registry.npmjs.org/@authorizerdev/authorizer-react/-/authorizer-react-0.24.0-beta.1.tgz",
+      "resolved": "https://registry.npmjs.org/@authorizerdev/authorizer-react/-/authorizer-react-0.24.0-beta.2.tgz",
-			"integrity": "sha512-S/Oqc24EfotbrABuv379i/3uCfQPYJQqXrOU9d8AytF++pzG/2dcoIoaMbWZQkATR3m6a5AnhpG6bIB+4NbrUQ==",
+      "integrity": "sha512-YQC7yrOhjSSIhDMzjBxcnV735WfDq5ID993J/Lcm7yMWaHCp2zU58pyzCOl1YgSmU9xZLQA/2rGprQgrSNyYoA==",
       "dependencies": {
         "@authorizerdev/authorizer-js": "^0.13.0-beta.2",
         "final-form": "^4.20.2",
@@ -860,9 +860,9 @@
       }
     },
     "@authorizerdev/authorizer-react": {
-			"version": "0.24.0-beta.1",
+      "version": "0.24.0-beta.2",
-			"resolved": "https://registry.npmjs.org/@authorizerdev/authorizer-react/-/authorizer-react-0.24.0-beta.1.tgz",
+      "resolved": "https://registry.npmjs.org/@authorizerdev/authorizer-react/-/authorizer-react-0.24.0-beta.2.tgz",
-			"integrity": "sha512-S/Oqc24EfotbrABuv379i/3uCfQPYJQqXrOU9d8AytF++pzG/2dcoIoaMbWZQkATR3m6a5AnhpG6bIB+4NbrUQ==",
+      "integrity": "sha512-YQC7yrOhjSSIhDMzjBxcnV735WfDq5ID993J/Lcm7yMWaHCp2zU58pyzCOl1YgSmU9xZLQA/2rGprQgrSNyYoA==",
       "requires": {
         "@authorizerdev/authorizer-js": "^0.13.0-beta.2",
         "final-form": "^4.20.2",

app/package.json

@@ -11,7 +11,7 @@
   "author": "Lakhan Samani",
   "license": "ISC",
   "dependencies": {
-		"@authorizerdev/authorizer-react": "^0.24.0-beta.1",
+    "@authorizerdev/authorizer-react": "^0.24.0-beta.2",
     "@types/react": "^17.0.15",
     "@types/react-dom": "^17.0.9",
     "esbuild": "^0.12.17",

dashboard/src/constants.ts

@@ -9,7 +9,6 @@ export const TextInputType = {
 	FACEBOOK_CLIENT_ID: 'FACEBOOK_CLIENT_ID',
 	LINKEDIN_CLIENT_ID: 'LINKEDIN_CLIENT_ID',
 	APPLE_CLIENT_ID: 'APPLE_CLIENT_ID',
-	APPLE_CLIENT_SECRET: 'APPLE_CLIENT_SECRET',
 	JWT_ROLE_CLAIM: 'JWT_ROLE_CLAIM',
 	REDIS_URL: 'REDIS_URL',
 	SMTP_HOST: 'SMTP_HOST',

server/handlers/oauth_callback.go

@@ -2,6 +2,7 @@ package handlers
 
 import (
 	"context"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -224,7 +225,7 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 			redirectURL = redirectURL + "?" + strings.TrimPrefix(params, "&")
 		}
 
-		c.Redirect(http.StatusTemporaryRedirect, redirectURL)
+		c.Redirect(http.StatusFound, redirectURL)
 	}
 }
 
@@ -455,13 +456,14 @@ func processLinkedInUserInfo(code string) (models.User, error) {
 
 func processAppleUserInfo(code string) (models.User, error) {
 	user := models.User{}
+	fmt.Println("=> code:", code)
 	oauth2Token, err := oauth.OAuthProviders.AppleConfig.Exchange(oauth2.NoContext, code)
 	if err != nil {
 		log.Debug("Failed to exchange code for token: ", err)
 		return user, fmt.Errorf("invalid apple exchange code: %s", err.Error())
 	}
 
-	fmt.Println("=> token", oauth2Token.AccessToken)
+	fmt.Println("=> oauth2Token:", oauth2Token)
 
 	// Extract the ID Token from OAuth2 token.
 	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
@@ -470,17 +472,44 @@ func processAppleUserInfo(code string) (models.User, error) {
 		return user, fmt.Errorf("unable to extract id_token")
 	}
 
-	fmt.Println("=> rawIDToken", rawIDToken)
+	tokenSplit := strings.Split(rawIDToken, ".")
-
+	claimsData := tokenSplit[1]
-	// Parse and verify ID Token payload.
+	decodedClaimsData, err := base64.RawURLEncoding.DecodeString(claimsData)
-	claims, err := token.ParseJWTToken(rawIDToken)
 	if err != nil {
-		log.Debug("Failed to parse apple id token: ", err)
+		log.Debugf("Failed to decrypt claims %s: %s", claimsData, err.Error())
-		return user, err
+		return user, fmt.Errorf("failed to decrypt claims data: %s", err.Error())
+	}
+
+	fmt.Println("=> decodedClaimsData:", string(decodedClaimsData))
+
+	claims := make(map[string]interface{})
+	err = json.Unmarshal(decodedClaimsData, &claims)
+	if err != nil {
+		log.Debug("Failed to unmarshal claims data: ", err)
+		return user, fmt.Errorf("failed to unmarshal claims data: %s", err.Error())
+	}
+
+	fmt.Println("=> claims:", claims)
+
+	if val, ok := claims["email"]; !ok {
+		log.Debug("Failed to extract email from claims.")
+		return user, fmt.Errorf("unable to extract email, please check the scopes enabled for your app. It needs `email`, `name` scopes")
+	} else {
+		user.Email = val.(string)
+	}
+
+	if val, ok := claims["name"]; ok {
+		nameData := val.(map[string]interface{})
+		if nameVal, ok := nameData["firstName"]; ok {
+			givenName := nameVal.(string)
+			user.GivenName = &givenName
+		}
+
+		if nameVal, ok := nameData["lastName"]; ok {
+			familyName := nameVal.(string)
+			user.FamilyName = &familyName
+		}
 	}
-	fmt.Println("claims:", claims)
-	email := claims["email"].(string)
-	user.Email = email
 
 	return user, err
 }

server/handlers/oauth_login.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/gin-gonic/gin"
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/oauth2"
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/memorystore"
@@ -170,7 +171,7 @@ func OAuthLoginHandler() gin.HandlerFunc {
 			c.Redirect(http.StatusTemporaryRedirect, url)
 		case constants.SignupMethodApple:
 			if oauth.OAuthProviders.AppleConfig == nil {
-				log.Debug("Linkedin OAuth provider is not configured")
+				log.Debug("Apple OAuth provider is not configured")
 				isProviderConfigured = false
 				break
 			}
@@ -183,7 +184,9 @@ func OAuthLoginHandler() gin.HandlerFunc {
 				return
 			}
 			oauth.OAuthProviders.AppleConfig.RedirectURL = hostname + "/oauth_callback/" + constants.SignupMethodApple
-			url := oauth.OAuthProviders.AppleConfig.AuthCodeURL(oauthStateString)
+			// there is scope encoding issue with oauth2 and how apple expects, hence added scope manually
+			// check: https://github.com/golang/oauth2/issues/449
+			url := oauth.OAuthProviders.AppleConfig.AuthCodeURL(oauthStateString, oauth2.SetAuthURLParam("response_mode", "form_post")) + "&scope=name email"
 			c.Redirect(http.StatusTemporaryRedirect, url)
 		default:
 			log.Debug("Invalid oauth provider: ", provider)

server/oauth/oauth.go

@@ -124,13 +124,12 @@ func InitOAuth() error {
 	if appleClientID != "" && appleClientSecret != "" {
 		OAuthProviders.AppleConfig = &oauth2.Config{
 			ClientID:     appleClientID,
-			ClientSecret: appleClientID,
+			ClientSecret: appleClientSecret,
 			RedirectURL:  "/oauth_callback/apple",
 			Endpoint: oauth2.Endpoint{
 				AuthURL:  "https://appleid.apple.com/auth/authorize",
 				TokenURL: "https://appleid.apple.com/auth/token",
 			},
-			Scopes: []string{},
 		}
 	}
 

server/routes/routes.go

@@ -23,6 +23,7 @@ func InitRouter(log *logrus.Logger) *gin.Engine {
 	router.GET("/playground", handlers.PlaygroundHandler())
 	router.GET("/oauth_login/:oauth_provider", handlers.OAuthLoginHandler())
 	router.GET("/oauth_callback/:oauth_provider", handlers.OAuthCallbackHandler())
+	router.POST("/oauth_callback/:oauth_provider", handlers.OAuthCallbackHandler())
 	router.GET("/verify_email", handlers.VerifyEmailHandler())
 	// OPEN ID routes
 	router.GET("/.well-known/openid-configuration", handlers.OpenIDConfigurationHandler())