how to verify the signature in the "id_token"?

App & System Services General
pikeqwu OP
Created Oct ’19
Replies 1
Boosts 0
Views 5.4k
Participants 2

After I request https://appleid.apple.com/auth/token , I get a response looks like:

{

"access_token": "a8a553508e53e48b19592886f08f9a6b0.0.mwvx.eRuGAbf8uDOD0ZeOrhHE3w",

"token_type": "Bearer",

"expires_in": 3600,

"refresh_token": "r9e03ba3c70ef4b2b9bf67281b0914ea1.0.mwvx.MUIwF6uk5OsIYIJNY3zanw",

"id_token": "eyJraWQiOiJBSURPUEsxIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnRlbmNlbnQucXFtdXNpY2JhYnkuZCIsImV4cCI6MTU3MDYxNTU3NywiaWF0IjoxNTcwNjE0OTc3LCJzdWIiOiIwMDA2NTcuNjY1NjJkM2IxMWJjNDAzMDk5YjFjZGI0OTQ3YzFkM2MuMTE0MiIsImF0X2hhc2giOiJibFQ3UTFNMDF1NW12Y0ZVZ1JIZGR3IiwiYXV0aF90aW1lIjoxNTcwNjE0OTI0fQ.TXpunnl6hlJs8C9_W7k-LeJ3Lm_otBeLoJxwe1C2oufKmMWxlANu0KI2-LnTcHYx23npMY3swk4fM46W5Vt9ursllz27P4zR8H1eoZ2Tj-3O3rTz8lqC1uI-mMo_a6VxqXvNmqenre5S0CyaUHAI1_Um9798b4ehduJqDtYVYIbftYIpiXBAW-vGjEbBnjWkHw_7HmjEWrsc0vfPhHGXyUMFmon4VhMBzzY2Nq0LIF4NP9Aa_9dyTzdEaqNfPjdSbFCVaJcTI_rxrIbooh18UbdowsFJtnLKsTZ7ePYtz3uBIaWUaiwJI1oU6ZeAb6uAzHl7TV2DdB9UkHDJe960hg"

}


Is it necessary to verify the signature in the "id_token" to make sure it is not bogus?

I know the "id_token" is a JWT, and I try to parse the "id_token" and verify the signature in it by using https://github.com/dgrijalva/jwt-go.

It need an ecdsa.PublicKey to verify the signature, where should I get it from?

Replies  1
Boosts  0
Views  5.4k
Participants  2
Bmurrayca OP
Oct ’19

Apple's documentation for "Sign in with Apple" is pretty poor. You're looking for JWK. JSON Web Keys.


https://godoc.org/github.com/lestrrat/go-jwx/jwk


Specicially, they use the URL:


https://appleid.apple.com/auth/keys


This is not noted anywhere in their documentation. Hope this helps!

0
how to verify the signature in the "id_token"?
First post date Last post date
 
 
Q