
Nonce should be SHA-256 hashed when sent to Apple when you use Firebase Auth (Apple provider) #28

@bakkermark


The Apple documentation indicates that the nonce sent to Apple must be hashed using SHA256. This can be found in the section about creating and validating a login request.

Additionally, the Firebase documentation on authentication with Apple mentions that you must send the SHA256 hash of the nonce with your sign-in request:

"You will send the SHA256 hash of the nonce with your sign-in request, which Apple will pass unchanged in the response." (Source: https://firebase.google.com/docs/auth/ios/apple)

These sources emphasize the importance of hashing the nonce with SHA256 before sending it to Apple, to ensure the security of the authentication process.

Regarding the nonce: Apple uses the nonce to ensure the integrity of the authentication process. As far as I could find, Apple does not explicitly specify that the nonce must be hashed before being sent to them. However, it is recommended by various third-party sources (such as Firebase) to hash the nonce for better security of the authentication process.

In the context of Firebase integration with Sign in with Apple, it is clear that you need to generate the raw nonce yourself, hash it with SHA256, and then send this hashed nonce as part of the authentication request to Apple.

So this line in AppleAuth.cs should be changed so that a SHA-256 hashed nonce is used:

```csharp
var authorizationRequest = $"{AuthorizationEndpoint}?client_id={_settings.ClientId}&nonce={hashedNonce}&redirect_uri={Uri.EscapeDataString(redirectUri)}&response_mode=form_post&response_type=code&scope={Uri.EscapeDataString(string.Join(" ", _settings.AccessScopes))}&state={_state}";
```

An example method to SHA-256 hash the nonce is:

```csharp
using System.Security.Cryptography;
using System.Text;

// Returns the SHA-256 digest of the input as a lowercase hex string,
// which is the form sent as the `nonce` parameter to Apple.
private static string GenerateSHA256Hash(string input)
{
    input = input.Trim();
    using var sha256 = SHA256.Create();
    var bytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(input));
    var builder = new StringBuilder(bytes.Length * 2);
    foreach (var t in bytes)
    {
        builder.Append(t.ToString("x2"));
    }
    return builder.ToString();
}
```

It would be handy if the Nonce and the HashedNonce were also returned in the UserInfo, or saved to PlayerPrefs, so the developer can use them when making the connection to Firebase Auth.

Happy programming!

Mark Bakker - The Netherlands
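As an added example (not code from the AppleAuth project or from the issue author), the full nonce round trip described above in C#: generate a random raw nonce, hash it for the Apple authorization request, and check the nonce Apple echoes back in the ID token against the stored raw nonce. The class and method names are my own, and `CryptographicOperations.FixedTimeEquals` assumes .NET Standard 2.1 or newer.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: nonce handling for Sign in with Apple used together with Firebase Auth.
// The raw nonce stays on the client (for the Firebase credential); only its SHA-256 goes to Apple.
public static class AppleNonce
{
    // Raw nonce: 32 cryptographically random bytes, hex-encoded.
    public static string GenerateRawNonce(int byteLength = 32)
    {
        var bytes = new byte[byteLength];
        using var rng = RandomNumberGenerator.Create();
        rng.GetBytes(bytes);
        return ToHex(bytes);
    }

    // Hashed nonce: SHA-256 of the UTF-8 raw nonce, lowercase hex, sent as `nonce=` to Apple.
    public static string Sha256Hex(string rawNonce)
    {
        using var sha256 = SHA256.Create();
        return ToHex(sha256.ComputeHash(Encoding.UTF8.GetBytes(rawNonce)));
    }

    // Callback check: the `nonce` claim in Apple's ID token must equal the SHA-256 of the
    // raw nonce we stored for this request; compared in constant time.
    public static bool NonceMatches(string rawNonceFromStorage, string nonceClaimFromIdToken)
    {
        if (string.IsNullOrEmpty(rawNonceFromStorage) || string.IsNullOrEmpty(nonceClaimFromIdToken))
            return false;
        var expected = Encoding.ASCII.GetBytes(Sha256Hex(rawNonceFromStorage));
        var actual = Encoding.ASCII.GetBytes(nonceClaimFromIdToken.ToLowerInvariant());
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }

    private static string ToHex(byte[] bytes)
    {
        var sb = new StringBuilder(bytes.Length * 2);
        foreach (var b in bytes) sb.Append(b.ToString("x2"));
        return sb.ToString();
    }

    public static void Main()
    {
        var raw = GenerateRawNonce();      // keep this for the Firebase sign-in credential
        var hashed = Sha256Hex(raw);       // put this in the authorization request to Apple
        Console.WriteLine($"raw nonce:    {raw}");
        Console.WriteLine($"hashed nonce: {hashed}");
        // Simulated callbacks: Apple returns the hashed nonce unchanged in the ID token.
        Console.WriteLine($"genuine callback matches: {NonceMatches(raw, hashed)}");
        Console.WriteLine($"replayed callback matches: {NonceMatches(raw, Sha256Hex("some-other-nonce"))}");
    }
}
```

In a Unity build the raw nonce is what you would store (for example in PlayerPrefs, as the issue suggests) between starting the request and completing the Firebase sign-in.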
