Merge pull request #32 from OpenSecretCloud/apple-external-oauth2-services

AnthonyRonning · web-flow · commit db40038be04d · 2025-05-20T12:15:14.000-07:00
Append services to apple external oauth
diff --git a/pcrDev.json b/pcrDev.json
@@ -1,6 +1,6 @@
 {
   "HashAlgorithm": "Sha384 { ... }",
-  "PCR0": "2e6e8f86a657f6daed8e699c0b74bf02d6c7d6414638b1032e6addd2bca7d208a0e8aa4961eb8e926c54dc58fd63d401",
+  "PCR0": "6b15f0571de13a6357e646bbe3772a8fe32fdd85b07ba97b3a6f95bdc43023dd9deb5710c26b75346de90157d9ecdd1f",
   "PCR1": "e45de6f4e9809176f6adc68df999f87f32a602361247d5819d1edf11ac5a403cfbb609943705844251af85713a17c83a",
-  "PCR2": "5c513f9c10db4f10ac27f2da0310bfee983aee9b5676866aef0c35238b9e90b56a59d42e6c3f083a64091c697fa2c9a4"
+  "PCR2": "cb114b8e27fb08576dee6a0481eef5ad96030a4a6402e7783ff363abbc5d72a2d916d053706cb76c6ff405ded55b77ae"
 }
diff --git a/pcrDevHistory.json b/pcrDevHistory.json
@@ -33,5 +33,12 @@
     "PCR2": "5c513f9c10db4f10ac27f2da0310bfee983aee9b5676866aef0c35238b9e90b56a59d42e6c3f083a64091c697fa2c9a4",
     "timestamp": 1746806841,
     "signature": "JgnRXXIAlRzxmAnkwoGfcKpqKOqTjeEApiUbtiawNytd5/C9jUSQzFGP2w7yVTlHNzuddaVlGVggxVIP2EWHI78qi8Rxa/V4tvzpSj7ojOAdQOFIQk5EhnnXRibj1zRC"
+  },
+  {
+    "PCR0": "6b15f0571de13a6357e646bbe3772a8fe32fdd85b07ba97b3a6f95bdc43023dd9deb5710c26b75346de90157d9ecdd1f",
+    "PCR1": "e45de6f4e9809176f6adc68df999f87f32a602361247d5819d1edf11ac5a403cfbb609943705844251af85713a17c83a",
+    "PCR2": "cb114b8e27fb08576dee6a0481eef5ad96030a4a6402e7783ff363abbc5d72a2d916d053706cb76c6ff405ded55b77ae",
+    "timestamp": 1747766223,
+    "signature": "rURCqPwmpN/p/i7++Fm4esxeSCRRVSUws8Law5i9mBH3IIUCIJmqfGAD67+KGWM6bb5YfsQEy6O31bCFgsueUD+1fBGwFZGGl50JyaPj882Hx0waxrgoWbll7n+R7DiB"
   }
 ]
diff --git a/pcrProd.json b/pcrProd.json
@@ -1,6 +1,6 @@
 {
   "HashAlgorithm": "Sha384 { ... }",
-  "PCR0": "8de5541089649e9edb2cd96fafb90716aa298483447e459708e8840b1f82a557c9d9ff6ae1fd2461b04310e7d9400d7d",
+  "PCR0": "02a41da2df084fd1dee420d7717bef6dc0120f1d6a0b7fded3f4c7a539be4044b3061c71bc7156731db1fb66494097b0",
   "PCR1": "e45de6f4e9809176f6adc68df999f87f32a602361247d5819d1edf11ac5a403cfbb609943705844251af85713a17c83a",
-  "PCR2": "c9f052dab1c210be6b64ea942148efa248ad4fb0c3fbbf5ab7fa7dc6287adec0d1e00f7e01b6109418026546f6f34cf8"
+  "PCR2": "4563722b974255c127d3706805645d13d10a4f01fe8e4e242e58cf1c89c21d27fbbb8a3be197c649e8dc5694370f3c12"
 }
diff --git a/pcrProdHistory.json b/pcrProdHistory.json
@@ -33,5 +33,12 @@
     "PCR2": "c9f052dab1c210be6b64ea942148efa248ad4fb0c3fbbf5ab7fa7dc6287adec0d1e00f7e01b6109418026546f6f34cf8",
     "timestamp": 1746806841,
     "signature": "XrFzIY9kD6QIEjikTe0kT4gHI2J59vsgkRVYTUOjWRrV0K54weasiBMPdRj4BiHxUgzwFbSunCgGYOrBP857A9VlmYU6rgPfHB+Wg/ToHk1Dzz0T/u+rv/ioavFdWiij"
+  },
+  {
+    "PCR0": "02a41da2df084fd1dee420d7717bef6dc0120f1d6a0b7fded3f4c7a539be4044b3061c71bc7156731db1fb66494097b0",
+    "PCR1": "e45de6f4e9809176f6adc68df999f87f32a602361247d5819d1edf11ac5a403cfbb609943705844251af85713a17c83a",
+    "PCR2": "4563722b974255c127d3706805645d13d10a4f01fe8e4e242e58cf1c89c21d27fbbb8a3be197c649e8dc5694370f3c12",
+    "timestamp": 1747766237,
+    "signature": "PvzREdaKwTpXGbdgA7OkC3LFPJoyyN8dXFqPS5vnY1zSf0w9C6o6W+MGlVuZNDJADROO3nmfuY4GspVK8t5WCobLo0VsT12jNcnnm7EOi4BrL2EMKdfyLA+LC28BjfX+"
   }
 ]
diff --git a/src/web/oauth_routes.rs b/src/web/oauth_routes.rs
@@ -476,14 +476,21 @@ pub async fn oauth_callback(
                 })?;
 
             // Get Apple client ID from project OAuth settings
-            let client_id = oauth_settings
+            let mut client_id = oauth_settings
                 .apple_oauth_settings
                 .ok_or_else(|| {
                     error!("Apple OAuth settings not configured");
                     ApiError::BadRequest
                 })?
                 .client_id;
 
+            // For web-based OAuth flow, append .services to the client ID
+            // This is because Apple requires Services ID for web flow, not App ID
+            if !client_id.ends_with(".services") {
+                client_id = format!("{}.services", client_id);
+                debug!("Modified Apple client ID for web flow: {}", client_id);
+            }
+
             // For Apple, we need to extract the ID token from the token exchange response
             debug!("Processing Apple OAuth token response to get ID token");
 

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"HashAlgorithm": "Sha384 { ... }",`
`3`		`- "PCR0": "2e6e8f86a657f6daed8e699c0b74bf02d6c7d6414638b1032e6addd2bca7d208a0e8aa4961eb8e926c54dc58fd63d401",`
	`3`	`+ "PCR0": "6b15f0571de13a6357e646bbe3772a8fe32fdd85b07ba97b3a6f95bdc43023dd9deb5710c26b75346de90157d9ecdd1f",`
`4`	`4`	`"PCR1": "e45de6f4e9809176f6adc68df999f87f32a602361247d5819d1edf11ac5a403cfbb609943705844251af85713a17c83a",`
`5`		`- "PCR2": "5c513f9c10db4f10ac27f2da0310bfee983aee9b5676866aef0c35238b9e90b56a59d42e6c3f083a64091c697fa2c9a4"`
	`5`	`+ "PCR2": "cb114b8e27fb08576dee6a0481eef5ad96030a4a6402e7783ff363abbc5d72a2d916d053706cb76c6ff405ded55b77ae"`
`6`	`6`	`}`
Original file line number	Diff line number	Diff line change
`@@ -33,5 +33,12 @@`
`33`	`33`	`"PCR2": "5c513f9c10db4f10ac27f2da0310bfee983aee9b5676866aef0c35238b9e90b56a59d42e6c3f083a64091c697fa2c9a4",`
`34`	`34`	`"timestamp": 1746806841,`
`35`	`35`	`"signature": "JgnRXXIAlRzxmAnkwoGfcKpqKOqTjeEApiUbtiawNytd5/C9jUSQzFGP2w7yVTlHNzuddaVlGVggxVIP2EWHI78qi8Rxa/V4tvzpSj7ojOAdQOFIQk5EhnnXRibj1zRC"`
	`36`	`+ },`
	`37`	`+ {`
	`38`	`+ "PCR0": "6b15f0571de13a6357e646bbe3772a8fe32fdd85b07ba97b3a6f95bdc43023dd9deb5710c26b75346de90157d9ecdd1f",`
	`39`	`+ "PCR1": "e45de6f4e9809176f6adc68df999f87f32a602361247d5819d1edf11ac5a403cfbb609943705844251af85713a17c83a",`
	`40`	`+ "PCR2": "cb114b8e27fb08576dee6a0481eef5ad96030a4a6402e7783ff363abbc5d72a2d916d053706cb76c6ff405ded55b77ae",`
	`41`	`+ "timestamp": 1747766223,`
	`42`	`+ "signature": "rURCqPwmpN/p/i7++Fm4esxeSCRRVSUws8Law5i9mBH3IIUCIJmqfGAD67+KGWM6bb5YfsQEy6O31bCFgsueUD+1fBGwFZGGl50JyaPj882Hx0waxrgoWbll7n+R7DiB"`
`36`	`43`	`}`
`37`	`44`	`]`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"HashAlgorithm": "Sha384 { ... }",`
`3`		`- "PCR0": "8de5541089649e9edb2cd96fafb90716aa298483447e459708e8840b1f82a557c9d9ff6ae1fd2461b04310e7d9400d7d",`
	`3`	`+ "PCR0": "02a41da2df084fd1dee420d7717bef6dc0120f1d6a0b7fded3f4c7a539be4044b3061c71bc7156731db1fb66494097b0",`
`4`	`4`	`"PCR1": "e45de6f4e9809176f6adc68df999f87f32a602361247d5819d1edf11ac5a403cfbb609943705844251af85713a17c83a",`
`5`		`- "PCR2": "c9f052dab1c210be6b64ea942148efa248ad4fb0c3fbbf5ab7fa7dc6287adec0d1e00f7e01b6109418026546f6f34cf8"`
	`5`	`+ "PCR2": "4563722b974255c127d3706805645d13d10a4f01fe8e4e242e58cf1c89c21d27fbbb8a3be197c649e8dc5694370f3c12"`
`6`	`6`	`}`