Apple - failed to decode PEM block containing private key

[jaya-kumar-softobiz]

I am trying to implement social sign in. Google was done very easily but facing an issue with Apple
In kratos.yml file, I have included the private key like in below image but I get an error saying
error=map[message:failed to decode PEM block containing private key]( see raw logs below)

PS : The text is word wraped, actually the key is in one single line
I also tried removing the \n characters at the start and end of the key but same error.

Any Idea? If anyone has already done this, please let me know. Thank you

Also, for sign in with LinkedIn, I guess I have to use generic option? right?

Logs :

| time=2022-01-04T17:49:46Z level=info msg=started handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 accept-encoding:gzip, deflate accept-language:en-US,en;q=0.5 connection:keep-alive content-length:126 content-type:application/x-www-form-urlencoded cookie:io=sCqOuekINMTSggRcAAAH; csrf_token_806060ca5bf70dff3caa0e5c860002aade9d470a5a4dce73bcfa7ba10778f481=WyP5nSKRutwidQRH0rJfRAF2PsN4bVp+6BCviM0gvcY= dnt:1 origin:http://127.0.0.1:8080 referer:http://127.0.0.1:8080/ sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:cross-site sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0] host:127.0.0.1:4433 method:POST path:/self-service/login query:flow=0aa9bebf-deda-4f7c-a33b-57f8a265d84d remote:172.31.0.1:33260 scheme:http]

kratos_1 | time=2022-01-04T17:49:46Z level=info msg=Encountered self-service login error. audience=audit error=map[message:failed to decode PEM block containing private key] http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 accept-encoding:gzip, deflate accept-language:en-US,en;q=0.5 connection:keep-alive content-length:126 content-type:application/x-www-form-urlencoded cookie:io=sCqOuekINMTSggRcAAAH; csrf_token_806060ca5bf70dff3caa0e5c860002aade9d470a5a4dce73bcfa7ba10778f481=WyP5nSKRutwidQRH0rJfRAF2PsN4bVp+6BCviM0gvcY= dnt:1 origin:http://127.0.0.1:8080 referer:http://127.0.0.1:8080/ sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:cross-site sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0] host:127.0.0.1:4433 method:POST path:/self-service/login query:flow=0aa9bebf-deda-4f7c-a33b-57f8a265d84d remote:172.31.0.1:33260 scheme:http] login_flow=&{0aa9bebf-deda-4f7c-a33b-57f8a265d84d 033ca5f0-cf30-4c6b-902a-e511ae7adde7 browser 2022-01-04 18:49:05.54143551 +0000 UTC 2022-01-04 17:49:05.54143551 +0000 UTC [123 125] http://127.0.0.1:4433/self-service/login/browser 0xc000f44230 2022-01-04 17:49:05.54771 +0000 UTC 2022-01-04 17:49:05.54771 +0000 UTC vjw8VxDL9VGyDneflDthyiNOwJt3CVmT1ow2Vf+ZTVblH8XKMlpPjZB7c9hGiT6OIjj+WA9kA+0+nJndMrnwkA== false aal1} service_name=Ory Kratos service_version=v0.8.0-alpha.3

kratos_1 | time=2022-01-04T17:49:46Z level=error msg=An error occurred and is being forwarded to the error user interface. audience=application error=map[message:failed to decode PEM block containing private key] http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 accept-encoding:gzip, deflate accept-language:en-US,en;q=0.5 connection:keep-alive content-length:126 content-type:application/x-www-form-urlencoded cookie:io=sCqOuekINMTSggRcAAAH; csrf_token_806060ca5bf70dff3caa0e5c860002aade9d470a5a4dce73bcfa7ba10778f481=WyP5nSKRutwidQRH0rJfRAF2PsN4bVp+6BCviM0gvcY= dnt:1 origin:http://127.0.0.1:8080 referer:http://127.0.0.1:8080/ sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:cross-site sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0] host:127.0.0.1:4433 method:POST path:/self-service/login query:flow=0aa9bebf-deda-4f7c-a33b-57f8a265d84d remote:172.31.0.1:33260 scheme:http] service_name=Ory Kratos service_version=v0.8.0-alpha.3

kratos_1 | time=2022-01-04T17:49:46Z level=info msg=completed handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 accept-encoding:gzip, deflate accept-language:en-US,en;q=0.5 connection:keep-alive content-length:126 content-type:application/x-www-form-urlencoded cookie:io=sCqOuekINMTSggRcAAAH; csrf_token_806060ca5bf70dff3caa0e5c860002aade9d470a5a4dce73bcfa7ba10778f481=WyP5nSKRutwidQRH0rJfRAF2PsN4bVp+6BCviM0gvcY= dnt:1 origin:http://127.0.0.1:8080 referer:http://127.0.0.1:8080/ sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:cross-site sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0] host:127.0.0.1:4433 method:POST path:/self-service/login query:flow=0aa9bebf-deda-4f7c-a33b-57f8a265d84d remote:172.31.0.1:33260 scheme:http] http_response=map[headers:map[access-control-allow-credentials:true access-control-allow-origin:http://127.0.0.1:8080 access-control-expose-headers:Content-Type, Set-Cookie cache-control:private, no-cache, no-store, must-revalidate location:http://127.0.0.1:8080/error?id=0dcd1845-ee25-48bf-8e67-3c6cbbaef7ea vary:Origin] size:0 status:302 text_status:Found took:18.368967ms]

[vinckr]

Hello @jaya-kumar-softobiz
We did have a longer discussion about this in the Slack, will copy it over so it does not get lost:
(Reference for the full discussion)

Courtesy of @themech

I got it working, somehow the POST->GET redirect hack did the trick and I can sign in with Apple. The code is messy with shortcuts, hardcoded values and apple specific code leaking in more places that I’m comfortable with. So more work is needed before we can open a decent looking pull request. Here is the list of things that need to be done in order for the “sign in with apple” to work:

• new apple provider has to be created
• provider config needs new fields (team id and private key details)
• apple provider needs to call apple and generate a JWT token which then acts as client secret
• apple provider needs to set response_mode param to form_post when reaching apple
• after coming back from apple website browser will call the redirect URL using POST method; this request will be missing kratos cookies; CSRF checks need to be disabled for kratos-public/self-service/methods/oidc/callback/apple
• new POST handler needs to be added under kratos-public/self-service/methods/oidc/callback/:provider; it should redirect to itself and rewrite form fields to query parameters; this is a workaround for kratos session cookie missing during the POST request
• I had some issues with email_verified field from Apple - it was sent as a string; this caused json unmarshal issues in Kratos and also was breaking my apple jsonnet template

It has been a few months, maybe we can pick this up and complete it. If @themech could chime in, I would be very grateful as he is probably most skilled in this issue now 😁.

[jaya-kumar-softobiz]

That's really cool mate. Thanks for the update :)
My issue is actually with the private key format in the kratos.yml config. I am getting an error that says

message:failed to decode PEM block containing private key

I actually have a private EC key(Elliptic Curve), which looks like this(masked for security reasons)
-----BEGIN EC PRIVATE KEY-----
MHcCAQ#########XGFl+9Ml27fI+BekCo+SCqhSXzXa##########GSM49
AwEHoUQDQgAEec2xaXbzL###############X1BgesOWWfUsOzUbVJYG
b7u**************AZiiHs9pTA==
-----END EC PRIVATE KEY-----

So, does this make any difference ?
If I remove the EC, then it throws the error

error=map[message:Private key decoding failed: x509: failed to parse private key (use ParseECPrivateKey instead for this key format)]

Any suggestions ?

[themech]

Private key is a multiline string. In our setup oidcProviders are passed as json array, the private key itself is passed as a 3 line string:

[{"id":"apple","provider":"apple","client_id":"foo","team_id":"bar","private_key_id":"foobar","private_key":"-----BEGIN PRIVATE KEY-----\n*****************************************************************\n-----END PRIVATE KEY-----\n","mapper_url":"file:///etc/config/oidc.apple.mapper.jsonnet","scope":["openid","email"]}]

I think in yaml it should be passed as

private_key: |
              -----BEGIN PRIVATE KEY-----
              .... # Replace this by the content of the private key downloaded from Apple
              -----END PRIVATE KEY-----

This is what I mentioned in https://www.ory.sh/kratos/docs/v0.8/guides/sign-in-with-github-google-facebook-linkedin/ although we're not using yaml in our case so I based this example on yaml format documentation.

[jaya-kumar-softobiz]

I am not able to use -----BEGIN PRIVATE KEY-----
I have to use -----BEGIN EC PRIVATE KEY----- with my key
also, I actually did try with \n (new lines) at first and then removed them... didn't work either way. I will try that again. Thank you

[themech]

I was using this tutorial when setting up our integration with Apple: https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple. Private key is downloaded from Apple and I don't remember being able to select the EC key type when checking the Sign In with Apple option during key generation. But maybe I missed it.

P.S. you shouldn't be using the \n character in yaml. the easiest way to debug the issue is probably dumping the a.config.PrivateKey value before the key is parsed in provider_apple.go.

[jaya-kumar-softobiz]

Will try that, and thanks for the tutorial link.

[jaya-kumar-softobiz]

@vinckr hey, what about sign in with LinkedIn ? I mean I don't see it in the provider list here
https://github.com/ory/kratos/tree/v0.8.0-alpha.3/selfservice/strategy/oidc

So I have to use generic provider for it I guess ?

[jaya-kumar-softobiz]

No, we decided to do this social sign in tasks later, maybe next week or so, due to other feature priorities. But when I try, I will post the updates here. Please LMK your updates as well. I am hoping you will implement LinkedIn as dedicated provider in Ory rather than just generic

[vinckr]

LinkedIn will be implemented for sure at some point. At the moment we don't have concrete plans when that would be, but I will always see to support community contributions.

Let me know how it goes with the social sign in and maybe we can contribute the LinkedIn provider together.

Right now the biggest blocker for me is a proper testing environment 🤔

[vinckr]

PS: lets take this to a new discussion then, when the time comes. This one is kind of derailed by now 😄

[jaya-kumar-softobiz]

Sure, if I get it working, I will post updates here

[jaya-kumar-softobiz]

PS: lets take this to a new discussion then, when the time comes. This one is kind of derailed by now smile

Sounds good. Ok then, I will start a discussion when I start working on that and post updates over there