Social Login via Apple - signing a JWT to get an access token

Hi,

I’m basically trying to implement a social login to my website via Apple.

One step of the OAuth 2 flow running under the hood is to get an access token.

To get it, as per the documentation (https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens), client_secret has to be “A secret JSON Web Token, generated by the developer, that uses the Sign in with Apple private key associated with your developer account”.

As I understand it, this “Apple private key” is a .p8 file issued from the Apple Developer Console, in the “Keys” section.

I’ve already built both JWT header and claim as per the documentation. Also, I double checked its accuracy: all seems to be correct.

Unfortunately, I’m struggling to build the 3rd part of the JWT structure, which is obviously the signature.

My .p8 file looks like so:

-----BEGIN PRIVATE KEY-----
MIIDBjCCAm8CAQAwcTERMA8GA1UEAxMIcXV1eC5jb20xDzANBgNVBAsTBkJyYWlu
CmHFqMOvXaFlT/BBBBBBBBBBBBBBBBBBBBBBBBBDAQehRANCAACCCCCCCRnZHgbz
kA1DPsDBQPDhm76d6lgaGUC9M+AAAAAAAAAAAAAAAAAAAAAAAAAAsAnAZ14noyVW
SBV/nsIM
-----END PRIVATE KEY-----

First issue, although the content above looks like well-formatted base64 text, when I decode it, I’m getting a bunch of non-ASCII characters. Should this happen?

Second issue, as I wrote I’m not able to sign the <base64_encoded_header>.<base64_encoded_claim> string of the JWT.

Meaning, when I check the whole JWT structure including its signature on websites such as jwt.io, the signature appears to be invalid. Both header and claim information are being decoded as expected, but the signature is marked as invalid.

Here are the steps I followed to build the signature:

  • Transform the text of the p8 file into a single-line string: concatenate all lines together, then replace any “/” by “_” and any “+” by “-”
  • Assume that this string is my private key
  • As I’m signing on the Salesforce platform (Apex), I’m using the following method:

Blob signature = Crypto.sign('RSA-SHA256', Blob.valueOf(dataToSign), privateKey)

Note to the SF developers: I don’t use the signWithCertificate(algorithmName, input, certDevName) method, since I couldn’t find a way to upload the p8 file on SF as a certificate (after some transformation obviously, but what I tried didn’t succeed)

Any help would be greatly appreciated!

Thank you

I was not able to get jwt.io or dinochiesa.github.io/jwt/ to sign the JWT in a manner that Apple seemed to like. I ended up using a third party Golang library, which got me to a better error code.

Also, if that is your actual private key, you should get a new one.
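The signing step described in the question, written as an added Go example (standard library only; this is not code from the original post, from the Go library the reply mentions, or from Apple). Apple's documentation specifies ES256 for this client_secret JWT, so the .p8 is parsed as a PKCS#8 P-256 key and the ECDSA signature is emitted as raw r||s; the key ID, team ID and client ID are placeholders, and NewTestP8 generates a throwaway key in place of a real .p8 file.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
)

// LoadP8 parses a .p8 file: PEM around a DER-encoded PKCS#8 key. The base64 body decodes to binary DER, so non-ASCII bytes are expected.
func LoadP8(pemBytes []byte) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found in .p8 data")
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if ec, ok := key.(*ecdsa.PrivateKey); err == nil && ok && ec.Curve == elliptic.P256() {
		return ec, nil
	}
	return nil, fmt.Errorf("ES256 needs a P-256 ECDSA PKCS#8 key: %v", err)
}

// ClientSecret builds the client_secret JWT: base64url (no padding) segments; ES256 = ECDSA P-256 over SHA-256, signature as raw r||s (64 bytes), not ASN.1 DER.
func ClientSecret(key *ecdsa.PrivateKey, kid, teamID, clientID string, now int64) (string, error) {
	enc := base64.RawURLEncoding.EncodeToString
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	claims, _ := json.Marshal(map[string]interface{}{"iss": teamID, "sub": clientID, "aud": "https://appleid.apple.com", "iat": now, "exp": now + 86400})
	input := enc(hdr) + "." + enc(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // r and s each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc(sig), nil
}

// NewTestP8 makes a throwaway P-256 key in .p8 form (constructed stand-in, not a real key).
func NewTestP8() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
}
```

Only the three JWT segments get the base64url treatment; the .p8 text itself is never rewritten, and signing it with RSA-SHA256 cannot produce a signature Apple accepts.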
