Apple - new option for using private key instead secret key.

[hamrak]

Rather than static client secrets, Apple requires that you derive a client secret yourself from your private key. They use the JWT standard for this, using an elliptic curve algorithm with a P-256 curve and SHA256 hash. In other words, they use the ES256 JWT algorithm.

This PR add new configuration options that allow you to use private key instead of manually generating secret key every 6 months.

'key_id' => env('APPLE_KEY_ID'),
'team_id' => env('APPLE_TEAM_ID'),
'private_key' => env('APPLE_PRIVATE_KEY'), // Must be absolute path, e.g. /var/www/cert/AuthKey_XYZ.p8
'passphrase' => env('APPLE_PASSPHRASE'), // Set if your key have a passphrase.
'signer' => env('APPLE_SIGNER'), // Signer used for Configuration::forSymmetricSigner().

Need to merge #1018 first.

[atymic]

Could we get a docs like and a rebase please :)

[hamrak]

I don't know what you mean exactly.
Official Apple documentation for creating secret token is here: https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens#3262048

I also put some description in README.md.

Can you tell me exactly what I should add? :)

[atymic]

Will this method still work if the secret is dervied?

[hamrak]

Yes it will work. I had to do that (create new object) because this function is called statically (don't know why) and it was necessary to call other non static functions.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[pricop]

This seems to be inspired from https://bannister.me/blog/generating-a-client-secret-for-sign-in-with-apple-on-each-request

Perhaps add support for private keys that are stored in the database / string format too?

My proposal would be something like:

$this->privateKey = $private_key_path; // Support for plain text private keys

if (!empty($private_key_path) && file_exists($private_key_path)) {
    $this->privateKey = file_get_contents($private_key_path);
}

This will ensure backwards compatibility for those of us who are already using this integration.

Thank you.

[hamrak]

pricop

Done ;)

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[atymic]

Is this ready for review/merge?

[pricop]

Yes, it should be ready for review/merge. I've been using this successfully into production on multiple websites. This would be an awesome addition.

[hamrak]

Yes, i use it in production too.

[atymic]

One small change and a comment.

[atymic]

can we access this via the standard method, ie add to

public static function additionalConfigKeys()
    {
        return ['private_key', 'otherkey...'];
    }

$this->getConfig('private_key', '')

[hamrak]

Yes, we can. Changed.

[atymic]

Just to confirm, there is no bc break here, existing integrations using the secret key will continiue to work fine?

[hamrak]

yes, if you pass the path to the private key file, it will get the contents of the private key file, otherwise you put the private key contents by default.

[atymic]

@hamrak just a quick thing re; config and a question, then I will merge and tag new vers :)

[atymic]

Might need to set this to a variable on the class with above switch to $this->getConfig

[hamrak]

Why do you think so?

[atymic]

Suggested change

	config('services.apple.client_id'),
	$this->getConfig('client_id', '')

And other calls to config()

[hamrak]

You can call $this-> in static function, or ?

[atymic]

oh my bad, didn't realise it was static. Is that why it overrides the global config above?

[hamrak]

oh my bad, didn't realise it was static. Is that why it overrides the global config above?

yes

[atymic]

oh my bad, didn't realise it was static. Is that why it overrides the global config above?

[atymic]

cc @hamrak sorry can you resolve conflicts and we can get this in

[hamrak]

cc @hamrak sorry can you resolve conflicts and we can get this in

Done.