Closed andreasbergqvist closed 4 years ago
Hi @andreasbergqvist, thanks for writing in! Apple doesn't work exactly like other OAuth providers. With SIWA you have to request a new token with each login; from what I remember, the token is not stored for reuse.
I would say that we should at least verify the signature of the JWT against a known key. Otherwise, if someone uses the `access_token` sent by a mobile app directly, it would allow an attacker to craft any JSON to log in as almost anyone.
There is a list of known public keys from Apple to do the job: https://appleid.apple.com/auth/keys
Hi, we are building a mobile app and would like to use this provider with a Laravel backend, but have a question.
For Facebook and Google we use:
```php
$socialiteUser = Socialite::driver('facebook')->stateless()->userFromToken($request->token);
```
where `$request->token` is the token sent from the app. Both the Facebook and the Google provider now run `getUserByToken()` and make a request to verify the user. See: https://github.com/laravel/socialite/blob/4.0/src/Two/GoogleProvider.php#L61

But in this provider the `getUserByToken()` function just decodes the token: https://github.com/GeneaLabs/laravel-sign-in-with-apple/blob/1a2aabe7146ecd0dc7876e49d6891b29203649f7/src/Providers/SignInWithAppleProvider.php#L83

Wouldn't it be a good idea to be consistent with how the other providers work? Or is there something specific about Apple login that works differently? Or could this provider still work but call some other function to verify the user?
I understand that this provider is built for the web implementation first, but I just wanted to raise the question!
Otherwise, great work!