I've spent the last couple of days trying to set up this gem to work with an API-only Rails application, and there has been a lot of trouble along the way.
I figured I should share my experience now that I've made it work, in case anyone else tries to do the same later.
Context
Our Rails application is a backend-only app handling user authentication with devise and omniauth-apple along with other omniauth providers.
This Rails API interacts with multiple client-side applications across multiple platforms (Web, Android, iOS and a web extension).
Our initial config for omniauth-apple was as follows, and we made sure that every credential was properly defined as per the README's instructions (which were a huge help btw, thank you very much).
When we want to sign in a user using omniauth, our flow is as follows (example with the @capacitor-community/apple-sign-in npm package):
Once the user is authenticated, the provider gives us an authorization code and sometimes a JWT id_token (the latter depends on the provider).
We POST those params to our API through the appropriate callback endpoint, which lets the omniauth-<provider> gem handle the callback, and when successful we return our user object.
Issues
I don't really remember the exact order in which I encountered each issue, so I'll just list them as I remember them; sorry for not being more specific.
There was a CORS error because we're using Hybrid mode. The solution is described in #54 (comment), which specifies adding provider_ignores_state: true to the config when skipping to the callback step, which is the case in Hybrid mode.
This needs to be documented.

```ruby
# config/initializers/devise.rb
config.omniauth :apple,
                Rails.application.credentials.apple_app_bundle_id,
                '',
                key_id: Rails.application.credentials.apple_key_id,
                pem: Rails.application.credentials.apple_pem,
                provider_ignores_state: true, # <- ADD THIS LINE
                scope: 'email',
                team_id: Rails.application.credentials.apple_team_id
```
There was an invalid_credentials error that I took a long time to figure out. The problem was that omniauth-apple only checks request.params when looking for the code and id_token, but never reads request.body if they are missing. Because with other providers we were sending those credentials in the request's body, we did it here again thinking that would work.
To fix this we updated our API request to include the params in the query instead of in the request's body.
This needs to be documented.
There was an error notifying a mismatch in the redirect_uri. That is because when verifying an authorization code the redirect_uri needs to be the same as when that authorization code was obtained, which means the client-side application's redirect_uri needs to be sent to the backend too and used in the callback.
This is also the case with other omniauth-<provider> gems and we just forgot to include it this time, which we corrected.
This needs to be documented.
The problem is that this still didn't work, and that is because omniauth-apple does not allow using a redirect_uri coming from the POST request (omniauth-apple/lib/omniauth/strategies/apple.rb, line 63 in b42831b).
This needs to be fixed with a pull request.
In the meantime this issue can be monkey patched by initializing a custom class that will override this gem.
There was an error saying the client_id provided to the middleware was incorrect.
This issue is described in #68 and a solution is provided in #68 (comment), which is to add an authorized_client_ids option to the middleware and give it the Apple client id.
This option needs to be documented.
While this solution worked, it ended up being a monkey patch.
We ended up discovering that the real reason why the provided client_id was not working as intended, while providing it again in authorized_client_ids worked, was that when defining @client_id omniauth-apple omits options.client_id from its validation (omniauth-apple/lib/omniauth/strategies/apple.rb, line 139 in b42831b).
This needs to be fixed with a pull request.
In the meantime this issue can be monkey patched by initializing a custom class that will override this gem:

```ruby
# config/initializers/omniauth-apple-monkey-patch.rb
module OmniAuth
  module Strategies
    class Apple
      private

      # Accept the configured client_id as a valid audience, not only authorized_client_ids.
      def client_id
        @client_id ||= if id_info.nil?
                         options.client_id
                       else
                         # gem's original check, kept for reference:
                         # id_info[:aud] if options.authorized_client_ids.include? id_info[:aud]
                         id_info[:aud] if [options.client_id].concat(options.authorized_client_ids).include?(id_info[:aud])
                       end
      end
    end
  end
end
```

By doing this it is not necessary to add an authorized_client_ids option to the middleware.
There was an error with a missing nonce in the id_token.
This issue is being discussed in #102 already.
Basically, whether id_token[:nonce_supported] is true and whether id_token[:nonce] is present are not related, but omniauth-apple considers them paired, which in our case meant we had nonce_supported: true and nonce: nil, which broke (omniauth-apple/lib/omniauth/strategies/apple.rb, line 108 in b42831b).
A solution has been proposed in #111 and should be considered for approval.
In the meantime this issue can be monkey patched by initializing a custom class that will override this gem.
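Added example (not part of this issue and not the gem's code): the two id_token claim checks discussed in the client_id and nonce items above, written as stand-alone Ruby so they can be exercised without Rails. It assumes the gem has already verified the token's signature against Apple's JWKS before these checks run; the claims hash, bundle id and token built here are constructed placeholders.

```ruby
require 'base64'
require 'json'

# Claims come out of the JWT *after* its signature has been verified upstream (the gem
# does that against Apple's JWKS); this helper only decodes the payload segment.
def claims_of(jwt)
  JSON.parse(Base64.urlsafe_decode64(jwt.split('.')[1]), symbolize_names: true)
end

# Resolve the client_id to use for the token exchange. Follows the fix described above:
# the configured client_id counts as an allowed audience alongside authorized_client_ids.
def resolve_client_id(id_info, client_id:, authorized_client_ids: [])
  return client_id if id_info.nil?

  allowed = [client_id] + Array(authorized_client_ids)
  allowed.include?(id_info[:aud]) ? id_info[:aud] : nil
end

# Nonce check that treats nonce_supported and the presence of nonce independently.
# expected_nonce is the nonce our side generated for the authorization request (nil if none).
def nonce_ok?(id_info, expected_nonce:)
  token_nonce = id_info[:nonce]
  # We issued a nonce, so the token must echo exactly that value (replay protection).
  return token_nonce == expected_nonce if expected_nonce

  # No nonce issued: nonce_supported: true with nonce: nil is acceptable, but a nonce
  # we never issued is not.
  token_nonce.nil?
end

# Constructed token with a placeholder signature, for the demo only; in the real flow the
# gem's JWKS signature check has to pass before the claims are trusted at all.
def constructed_id_token(claims)
  seg = ->(h) { Base64.urlsafe_encode64(JSON.generate(h), padding: false) }
  [seg.call({ alg: 'RS256', kid: 'constructed' }), seg.call(claims), 'not-a-real-signature'].join('.')
end

# Constructed sample claims in the shape the issue describes: nonce_supported but no nonce.
SAMPLE_CLAIMS = {
  iss: 'https://appleid.apple.com',
  aud: 'com.example.app.bundle', # placeholder bundle id
  sub: '000000.constructed.0000',
  nonce_supported: true
}.freeze

if __FILE__ == $PROGRAM_NAME
  info = claims_of(constructed_id_token(SAMPLE_CLAIMS))
  puts resolve_client_id(info, client_id: 'com.example.app.bundle') # com.example.app.bundle
  puts nonce_ok?(info, expected_nonce: nil)                           # true
end
```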