SSP authenticating with Apple ID?


Wessel, Keith

May 27, 2022, 3:07:59 PM5/27/22
to SimpleSAMLphp
Hi, all,

This might be a question for Patrick... or others might have a better answer.

I've been tasked with building a SAML to Apple ID bridge. That is, I want to allow users to sign in with their Apple ID to my Proxy IdP so I can proxy their claims back to a SAML application on the other side.

This is pretty similar to what we're doing with other social providers using the Cirrus Identity-developed authoauth2 module, except that instead of using a simple string for the client secret, Apple uses a public/private key pair and a signed JWT as the client secret.

Does the Cirrus module support this kind of thing? It doesn't look like it, but I'm hoping I'm missing something.

If not, is there another SSP module that will act as an OIDC client with this kind of client authentication?

Thanks,
Keith

pra...@gmail.com

Jun 3, 2022, 11:57:12 AM6/3/22
to SimpleSAMLphp
Hi Keith,

Someone created a pull request (https://github.com/cirrusidentity/simplesamlphp-module-authoauth2/pull/38) to add Apple ID support.
Unfortunately, I've never had time to create an Apple ID app, test the new integration and evaluate the code.

Would you be able to try out the branch with an Apple ID app and see if it meets your needs? If you find it works, then I can merge in the changes.

Let me know what you think.

- Patrick

Wessel, Keith

Jul 1, 2022, 11:31:56 AM7/1/22
to simple...@googlegroups.com

Hi, Patrick,

I’ve finally found the right person at my org to set me up with a service ID and key in the Apple developer console, and it’s almost working. The error is below if you have any insight.

I’m happy to file a bug or make a comment on the PR if you prefer.

The one thing that’s vague in the instructions for setting this up is the client secret. It’s a PEM-encoded private key, complete with the begin and end lines. I went ahead and put that into the client secret variable, changing the newlines to \n sequences. I’m not sure if that’s right.

When I log in, Apple recognizes my client ID and prompts me to log in. Everything’s fine until I get returned to SimpleSAMLphp. It seems that my call out at that point for the ID token is failing with an error. Details below.

Any thoughts?

Keith

Jun 30 16:35:24 simplesamlphp DEBUG [1cfc1292ac] authoauth2: linkback request=array (
  'state' => 'authoauth2|_f5760524d6c759688a2b928d8fb48e0a658f11215c:https://apple.test.idpproxy.illinois.edu/simplesaml/module.php/core/as_login.php?AuthId=apple&ReturnTo=https%3A%2F%2Fapple.test.idpproxy.illinois.edu%2Fsimplesaml%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dapple',
  'code' => 'c62380e39bdc04fcfa75ef4bfb0bb7267.0.mrrur.URrmOqlv8iVOhhFiYAsT-Q',
)
Jun 30 16:35:24 simplesamlphp DEBUG [1cfc1292ac] Loading state: '_f5760524d6c759688a2b928d8fb48e0a658f11215c:https://apple.test.idpproxy.illinois.edu/simplesaml/module.php/core/as_login.php?AuthId=apple&ReturnTo=https%3A%2F%2Fapple.test.idpproxy.illinois.edu%2Fsimplesaml%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dapple'
Jun 30 16:35:25 simplesamlphp ERROR [1cfc1292ac] authoauth2: error in 'apple' msg 'invalid_client' body 'array (
  'error' => 'invalid_client',
)'
Jun 30 16:35:25 simplesamlphp DEBUG [1cfc1292ac] Saved state: '_f5760524d6c759688a2b928d8fb48e0a658f11215c:https://apple.test.idpproxy.illinois.edu/simplesaml/module.php/core/as_login.php?AuthId=apple&ReturnTo=https%3A%2F%2Fapple.test.idpproxy.illinois.edu%2Fsimplesaml%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dapple'
192.168.136.1 - - [30/Jun/2022:16:35:24 -0500] "POST /simplesaml/module.php/authoauth2/linkback.php HTTP/1.1" 303 1897 https://appleid.apple.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
Jun 30 16:35:25 simplesamlphp DEBUG [1cfc1292ac] Loading state: '_f5760524d6c759688a2b928d8fb48e0a658f11215c:https://apple.test.idpproxy.illinois.edu/simplesaml/module.php/core/as_login.php?AuthId=apple&ReturnTo=https%3A%2F%2Fapple.test.idpproxy.illinois.edu%2Fsimplesaml%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dapple'
Jun 30 16:35:25 simplesamlphp ERROR [1cfc1292ac] SimpleSAML\Error\AuthSource: Error with authentication source 'apple': Error on oauth2 linkback endpoint.
Jun 30 16:35:25 simplesamlphp ERROR [1cfc1292ac] Backtrace:
Jun 30 16:35:25 simplesamlphp ERROR [1cfc1292ac] 4 /var/simplesamlphp/modules/authoauth2/lib/OAuth2ResponseHandler.php:96 (SimpleSAML\Module\authoauth2\OAuth2ResponseHandler::handleResponseFromRequest)
Jun 30 16:35:25 simplesamlphp ERROR [1cfc1292ac] 3 /var/simplesamlphp/modules/authoauth2/lib/OAuth2ResponseHandler.php:55 (SimpleSAML\Module\authoauth2\OAuth2ResponseHandler::handleResponse)
Jun 30 16:35:25 simplesamlphp ERROR [1cfc1292ac] 2 /var/simplesamlphp/modules/authoauth2/www/linkback.php:5 (require)
Jun 30 16:35:25 simplesamlphp ERROR [1cfc1292ac] 1 /var/simplesamlphp/lib/SimpleSAML/Module.php:254 (SimpleSAML\Module::process)
Jun 30 16:35:25 simplesamlphp ERROR [1cfc1292ac] 0 /var/simplesamlphp/www/module.php:10 (N/A)
Jun 30 16:35:25 simplesamlphp ERROR [1cfc1292ac] Caused by: League\OAuth2\Client\Provider\Exception\IdentityProviderException: invalid_client
Jun 30 16:35:25 simplesamlphp ERROR [1cfc1292ac] Backtrace:
Jun 30 16:35:25 simplesamlphp ERROR [1cfc1292ac] 10 /var/simplesamlphp/vendor/league/oauth2-client/src/Provider/GenericProvider.php:222 (League\OAuth2\Client\Provider\GenericProvider::checkResponse)
Jun 30 16:35:25 simplesamlphp ERROR [1cfc1292ac] 9 /var/simplesamlphp/vendor/league/oauth2-client/src/Provider/AbstractProvider.php:628 (League\OAuth2\Client\Provider\AbstractProvider::getParsedResponse)
Jun 30 16:35:25 simplesamlphp ERROR [1cfc1292ac] 8 /var/simplesamlphp/vendor/league/oauth2-client/src/Provider/AbstractProvider.php:537 (League\OAuth2\Client\Provider\AbstractProvider::getAccessToken)
Jun 30 16:35:25 simplesamlphp ERROR [1cfc1292ac] 7 /var/simplesamlphp/modules/authoauth2/lib/Auth/Source/AppleAuth.php:70 (SimpleSAML\Module\authoauth2\Auth\Source\AppleAuth::SimpleSAML\Module\authoauth2\Auth\Source\{closure})
Jun 30 16:35:25 simplesamlphp ERROR [1cfc1292ac] 6 /var/simplesamlphp/modules/authoauth2/lib/Auth/Source/OAuth2.php:281 (SimpleSAML\Module\authoauth2\Auth\Source\OAuth2::retry)
Jun 30 16:35:25 simplesamlphp ERROR [1cfc1292ac] 5 /var/simplesamlphp/modules/authoauth2/lib/Auth/Source/AppleAuth.php:73 (SimpleSAML\Module\authoauth2\Auth\Source\AppleAuth::finalStep)
Jun 30 16:35:25 simplesamlphp ERROR [1cfc1292ac] 4 /var/simplesamlphp/modules/authoauth2/lib/OAuth2ResponseHandler.php:90 (SimpleSAML\Module\authoauth2\OAuth2ResponseHandler::handleResponseFromRequest)
Jun 30 16:35:25 simplesamlphp ERROR [1cfc1292ac] 3 /var/simplesamlphp/modules/authoauth2/lib/OAuth2ResponseHandler.php:55 (SimpleSAML\Module\authoauth2\OAuth2ResponseHandler::handleResponse)
Jun 30 16:35:25 simplesamlphp ERROR [1cfc1292ac] 2 /var/simplesamlphp/modules/authoauth2/www/linkback.php:5 (require)
Jun 30 16:35:25 simplesamlphp ERROR [1cfc1292ac] 1 /var/simplesamlphp/lib/SimpleSAML/Module.php:254 (SimpleSAML\Module::process)
Jun 30 16:35:25 simplesamlphp ERROR [1cfc1292ac] 0 /var/simplesamlphp/www/module.php:10 (N/A)
