让用户在 iOS 上通过 Apple 登录
本文档介绍如何使用 Identity Platform 将“通过 Apple 登录”添加到 iOS 应用。
准备工作
创建一个使用 Identity Platform 的 iOS 应用。
使用 Apple 配置应用
在 Apple Developer 网站上,执行以下操作:
为您的应用启用“通过 Apple 登录”功能。
如果您使用 Identity Platform 向用户发送电子邮件,请使用以下电子邮件地址为您的项目配置 Apple 的专用电子邮件中继服务:
noreply@project-id.firebaseapp.com
如果您的应用具有自定义电子邮件模板,您也可以使用自定义电子邮件模板。
符合 Apple 匿名数据要求
Apple 为用户提供了匿名化其数据的选项,包括电子邮件地址。对于选择此选项的用户,Apple 会分配使用 privaterelay.appleid.com 域名进行混淆处理的电子邮件地址。
您的应用必须遵守关于匿名 Apple ID 的所有适用的 Apple 开发者政策或条款。这包括在将任何个人身份信息 (PII) 与匿名 Apple ID 关联之前征得用户同意。涉及 PII 的操作包括但不限于:
- 将电子邮件地址关联至匿名 Apple ID,或者将匿名 Apple ID 关联至电子邮件地址。
- 将电话号码关联至匿名 Apple ID,或者将匿名 Apple ID 关联至电话号码。
- 将非匿名社交凭据(Facebook 账号、Google 账号等)关联至匿名 Apple ID,或者将匿名 Apple ID 关联至非匿名社交凭据。
如需了解详情,请参阅您的 Apple 开发者账号的《Apple 开发者计划许可协议》。
将 Apple 配置为提供商
要将 Apple 配置为身份提供商,请执行以下操作:
前往 Google Cloud 控制台中的身份提供方页面。
点击添加提供商。
从列表中选择 Apple。
在平台下,选择 iOS。
输入应用的软件包 ID。
点击已获授权的网域下的添加网域,以注册您应用的网域。出于开发目的,
localhost默认处于启用状态。在配置您的应用下,点击 iOS。将代码段复制到应用的代码中,以初始化 Identity Platform Client SDK。
点击保存。
让用户通过 Client SDK 登录
使用 Apple 的身份验证服务框架登录用户并获取 ID 令牌。
通过调用
SecRandomCopyBytes(_:_:_:)生成一个随机字符串(称为 Nonce)。Nonce 用于防止重放攻击。您将 Nonce 的 SHA-256 哈希添加到身份验证请求后,Apple 会不加修改地将其在响应中返回。然后,Identity Platform 通过将原始哈希与 Apple 返回的值进行比较来验证响应。
启动 Apple 的登录流程,包含您在上一步中创建的 Nonce 的 SHA-256 哈希,以及处理 Apple 响应的代理类:
Swift
import CryptoKit // Unhashed nonce. fileprivate var currentNonce: String? @available(iOS 13, *) func startSignInWithAppleFlow() { let nonce = randomNonceString() currentNonce = nonce let appleIDProvider = ASAuthorizationAppleIDProvider() let request = appleIDProvider.createRequest() request.requestedScopes = [.fullName, .email] request.nonce = sha256(nonce) let authorizationController = ASAuthorizationController(authorizationRequests: [request]) authorizationController.delegate = self authorizationController.presentationContextProvider = self authorizationController.performRequests() } @available(iOS 13, *) private func sha256(_ input: String) -> String { let inputData = Data(input.utf8) let hashedData = SHA256.hash(data: inputData) let hashString = hashedData.compactMap { return String(format: "%02x", $0) }.joined() return hashString }Objective-C
@import CommonCrypto; - (void)startSignInWithAppleFlow { NSString *nonce = [self randomNonce:32]; self.currentNonce = nonce; ASAuthorizationAppleIDProvider *appleIDProvider = [[ASAuthorizationAppleIDProvider alloc] init]; ASAuthorizationAppleIDRequest *request = [appleIDProvider createRequest]; request.requestedScopes = @[ASAuthorizationScopeFullName, ASAuthorizationScopeEmail]; request.nonce = [self stringBySha256HashingString:nonce]; ASAuthorizationController *authorizationController = [[ASAuthorizationController alloc] initWithAuthorizationRequests:@[request]]; authorizationController.delegate = self; authorizationController.presentationContextProvider = self; [authorizationController performRequests]; } - (NSString *)stringBySha256HashingString:(NSString *)input { const char *string = [input UTF8String]; unsigned char result[CC_SHA256_DIGEST_LENGTH]; CC_SHA256(string, (CC_LONG)strlen(string), result); NSMutableString *hashed = [NSMutableString stringWithCapacity:CC_SHA256_DIGEST_LENGTH * 2]; for (NSInteger i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) { [hashed appendFormat:@"%02x", result[i]]; } return hashed; }在
ASAuthorizationControllerDelegate实现中处理 Apple 的响应。如果登录成功,请使用 Apple 响应中的 ID 令牌和未经哈希处理的 Nonce 来进行 Identity Platform 身份验证:Swift
@available(iOS 13.0, *) extension MainViewController: ASAuthorizationControllerDelegate { func authorizationController(controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) { if let appleIDCredential = authorization.credential as? ASAuthorizationAppleIDCredential { guard let nonce = currentNonce else { fatalError("Invalid state: A login callback was received, but no login request was sent.") } guard let appleIDToken = appleIDCredential.identityToken else { print("Unable to fetch identity token") return } guard let idTokenString = String(data: appleIDToken, encoding: .utf8) else { print("Unable to serialize token string from data: \(appleIDToken.debugDescription)") return } // Initialize a Firebase credential. let credential = OAuthProvider.credential(withProviderID: "apple.com", IDToken: idTokenString, rawNonce: nonce) // Sign in with Firebase. Auth.auth().signIn(with: credential) { (authResult, error) in if error { // Error. If error.code == .MissingOrInvalidNonce, make sure // you're sending the SHA256-hashed nonce as a hex string with // your request to Apple. print(error.localizedDescription) return } // User is signed in to Firebase with Apple. // ... } } } func authorizationController(controller: ASAuthorizationController, didCompleteWithError error: Error) { // Handle error. print("Sign in with Apple errored: \(error)") } }Objective-C
- (void)authorizationController:(ASAuthorizationController *)controller didCompleteWithAuthorization:(ASAuthorization *)authorization API_AVAILABLE(ios(13.0)) { if ([authorization.credential isKindOfClass:[ASAuthorizationAppleIDCredential class]]) { ASAuthorizationAppleIDCredential *appleIDCredential = authorization.credential; NSString *rawNonce = self.currentNonce; NSAssert(rawNonce != nil, @"Invalid state: A login callback was received, but no login request was sent."); if (appleIDCredential.identityToken == nil) { NSLog(@"Unable to fetch identity token."); return; } NSString *idToken = [[NSString alloc] initWithData:appleIDCredential.identityToken encoding:NSUTF8StringEncoding]; if (idToken == nil) { NSLog(@"Unable to serialize id token from data: %@", appleIDCredential.identityToken); } // Initialize a Firebase credential. FIROAuthCredential *credential = [FIROAuthProvider credentialWithProviderID:@"apple.com" IDToken:idToken rawNonce:rawNonce]; // Sign in with Firebase. [[FIRAuth auth] signInWithCredential:credential completion:^(FIRAuthDataResult * _Nullable authResult, NSError * _Nullable error) { if (error != nil) { // Error. If error.code == FIRAuthErrorCodeMissingOrInvalidNonce, // make sure you're sending the SHA256-hashed nonce as a hex string // with your request to Apple. return; } // Sign-in succeeded! }]; } } - (void)authorizationController:(ASAuthorizationController *)controller didCompleteWithError:(NSError *)error API_AVAILABLE(ios(13.0)) { NSLog(@"Sign in with Apple errored: %@", error); }
与许多其他身份提供商不同,Apple 不提供照片网址。
如果用户选择不与应用分享其真实电子邮件,Apple 会为该用户预配唯一的电子邮件地址来与应用共享。此电子邮件的格式为 xyz@privaterelay.appleid.com。如果您配置了私人电子邮件中继服务,则 Apple 会将发送到匿名地址的电子邮件转发到用户的真实电子邮件地址。
Apple 只会在用户首次登录时与应用共享用户信息(例如显示名)。在大多数情况下,Identity Platform 会存储此数据,以便您可以在未来的会话中使用 firebase.auth().currentUser.displayName 提取该数据。但是,如果您允许用户在与 Identity Platform 集成之前通过 Apple 登录您的应用,则无法获得用户信息。
用户账号删除
Apple 要求支持帐号创建功能的 iOS 应用还必须允许用户在应用内发起帐号删除操作。
删除用户帐号时,您必须先撤消该用户的令牌,然后才能删除该用户的帐号,以及您为该用户在 Firestore、Cloud Storage 和 Firebase Realtime Database 中存储的所有数据。如需了解详情,请参阅 Apple 开发者支持文档中的在应用中提供帐号删除功能。
通过 Apple 登录创建用户时,Identity Platform 不会存储用户令牌,因此您必须先要求用户登录,然后才能撤消其令牌并删除帐号。或者,为了避免在用户使用 Apple 登录方式登录时要求用户再次登录,您可以存储授权代码,以便在令牌撤消期间重复使用。
如需撤消用户的令牌并删除其帐号,请运行以下命令:
Swift
let user = Auth.auth().currentUser
// Check if the user has a token.
if let providerData = user?.providerData {
for provider in providerData {
guard let provider = provider as? FIRUserInfo else {
continue
}
if provider.providerID() == "apple.com" {
isAppleProviderLinked = true
}
}
}
// Re-authenticate the user and revoke their token
if isAppleProviderLinked {
let request = appleIDRequest(withState: "revokeAppleTokenAndDeleteUser")
let controller = ASAuthorizationController(authorizationRequests: [request])
controller.delegate = self
controller.presentationContextProvider = self
controller.performRequests()
} else {
// Usual user deletion
}
func authorizationController(
controller: ASAuthorizationController,
didCompleteWithAuthorization authorization: ASAuthorization
) {
if authorization.credential is ASAuthorizationAppleIDCredential {
let appleIDCredential = authorization.credential as? ASAuthorizationAppleIDCredential
if authorization.credential is ASAuthorizationAppleIDCredential {
if appleIDCredential.state == "signIn" {
// Sign in with Firebase.
// ...
} else if appleIDCredential.state == "revokeAppleTokenAndDeleteUser" {
// Revoke token with Firebase.
Auth.auth().revokeTokenWithAuthorizationCode(code) { error in
if error != nil {
// Token revocation failed.
} else {
// Token revocation succeeded then delete user again.
let user = Auth.auth().currentUser
user?.delete { error in
// ...
}
}
}
}
}
}
}
Objective-C
FIRUser *user = [FIRAuth auth].currentUser;
// Check if the user has a token.
BOOL isAppleProviderLinked = false;
for (id<FIRUserInfo> provider in user.providerData) {
if ([[provider providerID] isEqual:@"apple.com"]) {
isAppleProviderLinked = true;
}
}
// Re-authenticate the user and revoke their token
if (isAppleProviderLinked) {
if (@available(iOS 13, *)) {
ASAuthorizationAppleIDRequest *request =
[self appleIDRequestWithState:@"revokeAppleTokenAndDeleteUser"];
ASAuthorizationController *controller = [[ASAuthorizationController alloc]
initWithAuthorizationRequests:@[ request ]];
controller.delegate = self;
controller.presentationContextProvider = self;
[controller performRequests];
}
} else {
// Usual user deletion
}
- (void)authorizationController:(ASAuthorizationController *)controller
didCompleteWithAuthorization:(ASAuthorization *)authorization
API_AVAILABLE(ios(13.0)) {
if ([authorization.credential
isKindOfClass:[ASAuthorizationAppleIDCredential class]]) {
ASAuthorizationAppleIDCredential *appleIDCredential =
authorization.credential;
if ([appleIDCredential.state isEqualToString:@"signIn"]) {
// Sign in with Firebase.
// ...
} else if ([appleIDCredential.state
isEqualToString:@"revokeAppleTokenAndDeleteUser"]) {
// Revoke token with Firebase.
NSString *code =
[[NSString alloc] initWithData:appleIDCredential.authorizationCode
encoding:NSUTF8StringEncoding];
[[FIRAuth auth]
revokeTokenWithAuthorizationCode:code
completion:^(NSError *_Nullable error) {
if (error != nil) {
// Token revocation failed.
} else {
// Token revocation succeeded then delete
// user again.
FIRUser *user = [FIRAuth auth].currentUser;
[user deleteWithCompletion:^(
NSError *_Nullable error){
// ...
}];
}
}];
}
}
}
后续步骤
- 详细了解 Identity Platform 用户。
- 让用户通过其他身份提供商登录。