Details
- Bug
- Resolution: Unresolved
- P2: Important
- None
- 6.9
- None
Description
Hello,
As there is actually zero info online on how to manage C++ and Apple OAuth, I tried to manage it myself and found a few points which block compliance with Apple and their OAuth workflow.
First of all, QOAuthHttpServerReplyHandler lets me listen only on localhost, however Apple does not support an IP address or localhost redirect URL, therefore it must be something online with a redirect to localhost, which brings me to:
1) Apple sends the data (code, id_token) as POST, however QAbstractOAuth2::Stage recognizes code/token (or whatever other parameter, I'm not sure) only if it comes as GET parameters...
- which in theory is not such a big deal, because I have an online PHP script to redirect me back to localhost and transfer all POST data into GET. However, in case I go for some other OAuth service where they allow localhost as redirect_url and the parameters come as POST, then QAbstractOAuth2 won't catch it...
2) Also, as of 6.9 there is an idToken which shall be set automatically when authorize receives the id_token parameter (as POST or GET), however it is not. It still stores id_token in extraTokens(), so upon extraTokensChanged() I need to dig it up and emit idTokenChanged() manually...
3) Unfortunately Apple requires this signed JWT-encoded key, and there is no QSslKey sign method to do so, therefore I need to install OpenSSL for Qt or some other library/REST API. However, even when I do generate a proper client_secret according to Apple's requirements, in Qt I keep seeing only qt.networkauth.oauth2: Token request failed: "Error transferring https://appleid.apple.com/auth/token - server replied: Bad Request"
- here I have no idea how to hook in to check what Qt actually does behind the scenes. I know Apple requires the data to be sent as POST while other services use GET, so I assume that this is the blocking point in Qt...
- QT_LOGGING_RULES="q.networkauth.*=true" only shows: qt.networkauth.oauth2: Authorization URL generated
UPDATE: for Apple it only works when I either set PkceMethod to QOAuth2AuthorizationCodeFlow::PkceMethod::None:
this->apple->setPkceMethod(QOAuth2AuthorizationCodeFlow::PkceMethod::None);
- which works only since 6.8.0
or remove the code_challenge and code_challenge_method parameters manually in QAbstractOAuth2::Stage::RequestingAuthorization:
this->apple->setModifyParametersFunction([this](QAbstractOAuth2::Stage stage, QMultiMap<QString, QVariant> *parameters) {
    // stage when building the URL, just before opening the browser with the very first URL
    if (stage == QAbstractOAuth2::Stage::RequestingAuthorization) {
        parameters->remove("code_challenge");
        parameters->remove("code_challenge_method");
        parameters->insert("response_mode", "form_post");
    }
});
Also, the response_mode parameter with value form_post is very much required by Apple.
UPDATE2: so it does emit idTokenChanged, but only in the second stage (when the code is exchanged for a token). However, I can receive id_token even in the first phase along with the code; as for Apple, I can add to scope "code id_token" and I will receive both at the same time.
So, in the end only two points are open and should be fixed:
1) id_token reception in the first stage along with code should also emit idTokenChanged()
2) also in this same stage, when QOAuth2AuthorizationCodeFlow::authorizationCallbackReceived, the QOAuthHttpServerReplyHandler recognizes only GET parameters, but should also recognize POST parameters so code/id_token are known and the next QOAuth2AuthorizationCodeFlow stage can trigger
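
The behaviour point 2 asks for, as an added example in plain standard C++ (not Qt's code and not the reporter's): a callback parser that reads code/id_token from either a GET query string or a response_mode=form_post body and returns nothing unless state matches. The function names and the sample request are assumptions, and the whole request is assumed to already be in one buffer.

```cpp
// Added example, not Qt code: OAuth callback parameters from a GET query or a form_post body.
#include <cctype>
#include <iostream>
#include <map>
#include <string>
using Params = std::map<std::string, std::string>;

// Decode %XX escapes and '+' (application/x-www-form-urlencoded).
std::string urlDecode(const std::string &in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        bool hex = in[i] == '%' && i + 2 < in.size()
            && std::isxdigit((unsigned char)in[i + 1]) && std::isxdigit((unsigned char)in[i + 2]);
        if (hex) { out += (char)std::stoi(in.substr(i + 1, 2), nullptr, 16); i += 2; }
        else out += (in[i] == '+') ? ' ' : in[i];
    }
    return out;
}

// Split "a=1&b=2" into decoded key/value pairs.
Params parsePairs(const std::string &s) {
    Params p;
    for (std::size_t pos = 0; pos < s.size();) {
        std::size_t amp = s.find('&', pos);
        if (amp == std::string::npos) amp = s.size();
        std::string kv = s.substr(pos, amp - pos);
        std::size_t eq = kv.find('=');
        if (eq != std::string::npos) p[urlDecode(kv.substr(0, eq))] = urlDecode(kv.substr(eq + 1));
        pos = amp + 1;
    }
    return p;
}

// Parameters of one callback request; empty when state is missing or wrong.
Params parseCallback(const std::string &req, const std::string &expectedState) {
    std::string line = req.substr(0, req.find("\r\n"));
    std::size_t body = req.find("\r\n\r\n"), q = line.find('?'), sp = line.rfind(' ');
    Params p;
    if (line.compare(0, 5, "POST ") == 0 && body != std::string::npos)
        p = parsePairs(req.substr(body + 4));   // form_post: parameters are in the body
    else if (line.compare(0, 4, "GET ") == 0 && q != std::string::npos && sp > q)
        p = parsePairs(line.substr(q + 1, sp - q - 1));   // query string of the request line
    return (p.count("state") && p.at("state") == expectedState) ? p : Params{};
}

int main() {  // constructed sample, shaped like a response_mode=form_post callback
    std::string req = "POST /cb HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\ncode=c%2F123&id_token=aaa.bbb.ccc&state=xyz";
    Params p = parseCallback(req, "xyz");
    std::cout << "code=" << p["code"] << " id_token=" << p["id_token"] << "\n";
}
```

The id_token is only extracted here; its signature and claims still have to be validated before it is trusted.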