klausbetz / apple-identity-provider-keycloak

An extension for Keycloak, that enables web-based sign in with Apple and token exchange
Apache License 2.0
193 stars 27 forks

Token exchange from web #22

Closed leksmano closed 1 year ago

leksmano commented 1 year ago

hello,

sorry to submit this as an issue as it is more of a question. I was attempting to do a token exchange from a web app with this extension.

e.g.

  1. Sign in with apple on a website where a specific redirect URI is used (e.g. https://my-server/login/oauth2/code/apple )
  2. Attempt to exchange the code received in step 1 for a keycloak token (which uses a different redirect URI)

Currently we run into an issue since the redirect URL configured in keycloak will be different:

"error_description":"redirect_uri mismatch. The code was not issued to https://my-keycloak-server/auth/realms/master/broker/apple/endpoint."

Are there any suggestions how to make this type of token exchange work?

I noticed that for the Google identity provider for keycloak it is possible to use the access token to perform a token exchange (via the userInfo endpoint), but I am not sure if this is possible with apple.

I have also tried setting the subject_token_type to urn:ietf:params:oauth:token-type:id_token, in order to override the default apple-authz-code, however that appears to return user info service disabled on my version of keycloak (18.0.2)

I am guessing validating the id token jwt is probably the way to go but just wanted to check if there are other suggestions. Any input would be helpful.

leksmano commented 1 year ago

adding these two configs in the constructor of the AppleIdentityProvider seems to allow keycloak to validate the id token

```java
// Verify the signature of the incoming Apple ID token ...
config.setValidateSignature(true);
// ... against the keys Apple publishes at its JWKS endpoint
config.setJwksUrl("https://appleid.apple.com/auth/keys");
```

and then passing the following in the POST request to the token endpoint for subject_token_type: urn:ietf:params:oauth:token-type:id_token
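The two config lines above turn on exactly the check that makes an ID-token exchange safe: the token's signature is verified against Apple's published JWKS before Keycloak trusts its claims. The Go program below is an added example (not code from this extension or from the thread) that walks through the same validation steps a broker has to perform on a `subject_token` of type `urn:ietf:params:oauth:token-type:id_token`: pin the algorithm to RS256, select the key by `kid`, verify the signature, then check `iss`, `aud` and `exp`. Because it runs offline, it generates its own RSA key and mints a token with it in Apple's place; the JWKS document and claims shapes are assumptions modelled on Apple's key endpoint, `aud` is assumed to be a plain string, and the issuer value `https://appleid.apple.com` is Apple's. The `keyFor`, `VerifyIDToken`, `JWKSFor` and `SignTestToken` names are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK/JWKS mirror https://appleid.apple.com/auth/keys; encoding/json maps "kty"/"kid"/"n"/"e"/"keys" case-insensitively.
type JWK struct{ Kty, Kid, N, E string }
type JWKS struct{ Keys []JWK }
// Claims are the ID-token fields the check needs (aud is assumed to be a plain string here).
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding
// keyFor selects the RSA key whose kid matches the token header.
func (j JWKS) keyFor(kid string) (*rsa.PublicKey, error) {
	for _, k := range j.Keys {
		if k.Kty == "RSA" && k.Kid == kid {
			n, errN := b64.DecodeString(k.N)
			e, errE := b64.DecodeString(k.E)
			if errN != nil || errE != nil {
				return nil, fmt.Errorf("bad JWK encoding for kid %q", kid)
			}
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no JWKS key matches kid %q", kid)
}

// VerifyIDToken mirrors what Keycloak does with validateSignature=true and a jwksUrl:
// pin the algorithm, pick the key by kid, check the RS256 signature, then iss, aud and exp.
func VerifyIDToken(token string, keys JWKS, issuer, clientID string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	hdrRaw, err1 := b64.DecodeString(parts[0])
	bodyRaw, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("JWT segments are not base64url")
	}
	var hdr struct{ Alg, Kid string } // "alg"/"kid" matched case-insensitively; pinning RS256 keeps "none" out
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("header rejected: alg must be RS256")
	}
	pub, err := keys.keyFor(hdr.Kid)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	var c Claims // parsed, and trusted, only after the signature held
	if err := json.Unmarshal(bodyRaw, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("issuer %q is not %q", c.Iss, issuer)
	case c.Aud != clientID:
		return nil, fmt.Errorf("token was issued to %q, not to this client", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// JWKSFor publishes a public key in JWKS form, standing in for Apple's key endpoint offline.
func JWKSFor(pub *rsa.PublicKey, kid string) JWKS {
	return JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}}
}

// SignTestToken mints an RS256 token with a locally generated key: constructed test data playing Apple's role offline.
func SignTestToken(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}
```

The `aud` check is the one that replaces the redirect_uri comparison from the authorization-code flow: an ID token minted for a different Apple client id is rejected even though its signature is genuine. The `sub` claim that survives the check is the stable Apple user identifier Keycloak links the federated identity to, so it, not the name fields, is what the exchange carries over.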

klausbetz commented 1 year ago

hi @leksmano,
thx for getting in touch with me. 😁

This is an interesting issue. Seems like a feature that should be supported, but isn't at the moment.

Basically, there are two different types of token-exchange:

  1. Trading an Apple token for Keycloak tokens -> Supported
  2. Trading Keycloak tokens for Apple tokens -> Not supported (and never will be, cause Apple)

However, for the first option, there are different Apple tokens available to do that. Currently, only Apple authorization codes (+ user JSON if available) are supported. It might be a good idea to add Apple ID-Tokens as well.

I'll need some testing to verify if the ID-Token also works. If so, I'll prepare a new version of this package. Your code-snippet is a good hint for implementing this one!

klausbetz commented 1 year ago

Nice!

ID-Token exchange works like a charm! 😁
Thank you, @leksmano. Your request made this extension way better than it was before!

Using the ID-Token instead of the authorization_code is faster and not that fragile (as you mentioned your issue with the redirect_uri mismatch).

1.4.0 is out!

leksmano commented 1 year ago

awesome! Thanks so much for a quick update!

If apple provided a userInfo endpoint then token exchange could align with all the other providers https://github.com/keycloak/keycloak/search?q=PROFILE_URL

(and we could use access token for accessing it)

Unfortunately there isn't one 😞. I am guessing one reason for this might be because users can modify their firstName/lastName during the sign in process and apple doesn't seem to store those details.

thanks again!