3 releases
0.1.2 | Mar 22, 2021 |
---|---|
0.1.1 | Mar 13, 2020 |
0.1.0 | Mar 13, 2020 |
#741 in Authentication
8KB
98 lines
Sign In With Apple JSON Web Token validator library
When using Sign In with Apple on an iOS/iPadOS/macOS device, the client receives an identity token and user token to send to a web/cloud server for validation. The identity token is in the form of a base64 encoded, signed, JSON Web Token (JWT).
This library can be used on the server side to validate the identity token with Apple's servers. An identity token is usually only valid for about 5 minutes.
For testing, it can be valuable to save an identity token for longer than 5 minutes and validate it except for the expiry time. A flag is provided for this purpose when calling the validator.
Apple also provides a mechanism for the server to re-validate the user periodically (but not more than once per day). A future version of this library will add this functionality.
lib.rs
:
Backend for Sign In With Apple
Provides verification of identityToken from Apple's docs at: https://developer.apple.com/documentation/signinwithapplerestapi/verifying_a_user
To verify the identity token, your app server must:
-
Fetch Apple’s public key to verify the ID token signature.
-
Verify the
JWS E256
signature using the server’s public key -
Verify the nonce for the authentication
-
Verify that the
iss
field contains https://appleid.apple.com -
Verify that the
aud
field is the developer’s client_id -
Verify that the time is earlier than the
exp
value of the token
Dependencies
~16–30MB
~548K SLoC