Context
I am trying to make webservice that fetches the name and email from an users Apple account and place a Song or Artist in his library.
For adding a Song to the library I found this apple-music-api. library. To make requests on behalf of a user you need to request a user token with Apple MusicKit JS library.
For fetching the name and email of the user I use this oauth2 client that uses the signin with Apple functionality.
Problem
A Using the apple music kit... I can not query any user profile data. At least I cannot seem to find an example nor any documentation of this. Is there a possibility to get the user email and name using this route?
B Using the Sign in with Apple oauth flow I receive an access token which contains the name and email. But I cannot use the token to query the apple music api. It seems their scopes are limited to the name and email...and no scope for the music api or related seems to exist. Is there a possibility to get an user token that can be used on the music api?
C Are there any other possibilities to accomplish this without requiring the user to sign in twice on apple (once for the email and once for pushing the Song to his library)
What I tried for option B
// $leeway is needed for clock skew
Firebase\JWT\JWT::$leeway = 60;
$provider = new League\OAuth2\Client\Provider\Apple([
'clientId' => 'com.myapp.www',
'teamId' => 'team.id', // 1A234BFK46 https://developer.apple.com/account/#/membership/ (Team ID)
'keyFileId' => 'key.id', // 1ABC6523AA https://developer.apple.com/account/resources/authkeys/list (Key ID)
'keyFilePath' => dirname(__FILE__) . '/AuthKey_key.id.p8', // __DIR__ . '/AuthKey_1ABC6523AA.p8' -> Download key above
'redirectUri' => PLUGIN_URL . 'callback-apple-music.php',
]);
if (isset($_POST['code'])) {
if (empty($_POST['state']) || !isset($_COOKIE['apple-oauth2state']) || ($_POST['state'] !== $_SESSION['apple-oauth2state'])) {
unset($_COOKIE['apple-oauth2state']);
exit('Invalid state');
} else {
try {
// Try to get an access token (using the authorization code grant) via signin_with_apple
/** @var AppleAccessToken $token */
$token = $provider->getAccessToken('authorization_code', [
'code' => $_POST['code']
]);
$access_token = $token->getToken();
// create an client for api.music.apple
$tokenGenerator = new PouleR\AppleMusicAPI\AppleMusicAPITokenGenerator();
$jwtToken = $tokenGenerator->generateDeveloperToken(
'team.id',
'key.id',
dirname(__FILE__) .'/AuthKey_key.id.p8'
);
// create a developer token again
$curl = new \Symfony\Component\HttpClient\CurlHttpClient();
$client = new PouleR\AppleMusicAPI\APIClient($curl);
$client->setDeveloperToken($jwtToken);
$api = new PouleR\AppleMusicAPI\AppleMusicAPI($client);
$api->setMusicUserToken($access_token);
// This endpoint needs authorisation
$result = $api->getAllLibraryPlaylists(); //https://api.music.apple.com/v1/me/library/playlists?offset=0&limit=25
echo '<pre>';
print_r($result);
echo '</pre>';
// wp_redirect($redirect_url);
exit;
} catch (Exception $e) {
echo '<pre>';
print_r($e);
echo '</pre>';
}
}
}
The problem with the question is that these are three questions - and not telling which client.
Most commonly "login with" is only good for creating local accounts without much typing.
And it is quite likely intentional, that the oAuth2 scope is extremely limited for this purpose.
And I've looked it up ...one needs a "Music User Token": https://developer.apple.com/documentation/applemusicapi/getting_keys_and_creating_tokens
And this token needs to be passed as HTTP header:
'Music-User-Token: [music user token]'
.Which means, that the user token may either originate from an iOS device (you'd need to expose eg. a REST API, so that it can be posted and then used by PHP as HTTP header, on the server-side): https://developer.apple.com/documentation/storekit/skcloudservicecontroller/2909079-requestusertoken (this only requires a login to your own API).
When running Apple MusicKit JS on the cient-side (browser), two logins may not be evitable: https://developer.apple.com/documentation/musickitjs/musickit/musickitinstance/2992701-authorize
It makes no sense to use both of these flows within the same method
(which also ignores the principle of single responsibility).