lupidan / apple-signin-unity

Unity plugin to support Sign In With Apple Id


any way to receive IdentityToken without user operation?

umegaya opened this issue · comments

hi, thank you for creating the plugin!! this saves my time quite a lot ;D

To gain more security, I want to verify IAppleIDCredential.User with IAppleIDCredential.IdentityToken on the server side. Without it, a modified client can send an arbitrary account id to the server and may hijack another user's data.

I'm able to do this successfully with the great Unity example, but it seems that IdentityToken is only valid for 10 min, which means I always require a fresh token when the user does an operation which requires the Apple account id.

IAppleAuthManager.GetCredentialState does not help because it only returns credential validity. I also tried IAppleAuthManager.QuickLogin because it calls AppleAuth_IOS_LoginSilently, which seems to do exactly the thing I want (guessed from the name), but it also asks me to authorize the operation with Touch ID.

Is there any way to receive IdentityToken without user operation? Have I missed something to run IAppleAuthManager.QuickLogin correctly?

regards,

The operations being followed are in the same order as Apple's JUICE official example.
https://developer.apple.com/documentation/authenticationservices/adding_the_sign_in_with_apple_flow_to_your_app

I have been trying to test this in a simulator, but Sign In With Apple does not work properly in it. And unfortunately I don't have an iOS 13 device to try and test this yet.

Is there a "refresh token" inside that identity token?
If so, you could try using the official REST API they provide to refresh the credential.
https://developer.apple.com/documentation/signinwithapplerestapi

I have been looking to give support for OAuth as well (for other devices/iOS versions that lack the native option), but it's still WIP.

The lack of documentation for this feature is baffling, especially considering they want to enforce this. For the REST API flow, you may have some luck looking at this (it's for a website, but the params sent to https://appleid.apple.com/auth/token can be modified to include a refresh token):
https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple

And the official OAuth flow docs for refresh tokens:
https://auth0.com/docs/tokens/refresh-token/current

Hi, sadly there is no way to get a refresh token after the first user authorization. The WWDC video said to store login information in order to get access with your server. The GetCredentialState API returns only the status of your AppleSignIn. So it's not a proper login system but only a user identification and validation.

At this link is the letter from the OpenID Foundation to Apple with all the differences between the OpenID Connect standards and Sign In with Apple.

Hope this helps, I really appreciate your work with this code!

Just a question (sorry for the OT): is this preprocessor directive your creation? How does it work?
#if __IPHONE_OS_VERSION_MAX_ALLOWED >= 130000 || __TV_OS_VERSION_MAX_ALLOWED >= 130000 || __MAC_OS_X_VERSION_MAX_ALLOWED >= 101500

Hi @alexmaroldi, thanks a lot for the answer. This is really valuable information for all of us, I'll find some way to add it to a future FAQ in the README file.

The preprocessor directives come directly from the SDK. They allow us to avoid compiling code in unsupported SDKs.
__IPHONE_OS_VERSION_MAX_ALLOWED >= 130000 will check if the SDK used to compile is for iOS >= 13.0.0

Then you have the runtime conditions, which we check with:
if (@available(iOS 13.0, tvOS 13.0, macOS 10.15, *))

More info here:
https://gist.github.com/nicklockwood/d63c69ba2f40a33d7aa4