How to get the audience and subject when verifying the identity token for Sign in with Apple


I am verifying the Sign in with Apple identity token on the server side; this is what my Java code (Java 11) looks like:

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import retrofit2.Call;

import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;

// AppleUserRestClient, RetrofitUtil, JWKSet, getPublicKey(n, e), Response and LoginResponse
// are classes of this project and are not shown here.

public Response<LoginResponse> loginWithJwt(FortuneAppleUserJwtLoginRequest request)
        throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
    // hard-coded example identity token (the real one arrives in request.getIdentityToken())
    String exampleIdentifyToken = "eyJraWQiOiJBSURPUEsxIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnNreW1pbmcuZGV2aWNlbW9uaXRvciIsImV4cCI6MTU2NTY2ODA4NiwiaWF0IjoxNTY1NjY3NDg2LCJzdWIiOiIwMDEyNDcuOTNiM2E3OTlhN2M4NGMwY2I0NmNkMDhmMTAwNzk3ZjIuMDcwNCIsImNfaGFzaCI6Ik9oMmFtOWVNTldWWTNkcTVKbUNsYmciLCJhdXRoX3RpbWUiOjE1NjU2Njc0ODZ9.e-pdwK4iKWErr_Gcpkzo8JNi_MWh7OMnA15FvyOXQxTx0GsXzFT3qE3DmXqAar96nx3EqsHI1Qgquqt2ogyj-lLijK_46ifckdqPjncTEGzVWkNTX8uhY7M867B6aUnmR7u-cf2HsmhXrvgsJLGp2TzCI3oTp-kskBOeCPMyTxzNURuYe8zabBlUy6FDNIPeZwZXZqU0Fr3riv2k1NkGx5MqFdUq3z5mNfmWbIAuU64Z3yKhaqwGd2tey1Xxs4hHa786OeYFF3n7G5h-4kQ4lf163G6I5BU0etCRSYVKqjq-OL-8z8dHNqvTJtAYanB3OHNWCHevJFHJ2nWOTT3sbw";
    // get Apple's public keys (JWKS)
    AppleUserRestClient client = RetrofitUtil.getAppleIdRetrofitInstance().create(AppleUserRestClient.class);
    Call<JWKSet> call = client.getPublicKey();
    JWKSet jwkSet = call.execute().body();
    // note: this takes the first key; the JWKS can hold several keys, so the one matching
    // the "kid" in the token header should be selected
    String n = jwkSet.getKeys().get(0).getN();
    String e = jwkSet.getKeys().get(0).getE();
    PublicKey publicKey = getPublicKey(n, e);
    // verify the identity token (audience and subject are still empty strings here)
    verify(publicKey, exampleIdentifyToken, "", "");
    return new Response<>();
}

public void verify(PublicKey key, String jwt, String audience, String subject) {
    JwtParser jwtParser = Jwts.parserBuilder()
            .setSigningKey(key)
            .requireIssuer("https://appleid.apple.com")
            .requireAudience(audience)
            .requireSubject(subject)
            .build();
    try {
        // parseClaimsJws checks the signature, the required claims and the expiry
        Jws<Claims> claim = jwtParser.parseClaimsJws(jwt);
        if (claim != null && claim.getBody().containsKey("auth_time")) {
            // token accepted; nothing is done with the claims yet
        }
    } catch (ExpiredJwtException e) {
        log.error("apple identityToken expired", e);
    } catch (Exception e) {
        log.error("apple identityToken illegal", e);
    }
}

When I invoke the verify function, I do not know where to get the audience and subject parameters. What should I do to get these two parameters? This is the FortuneAppleUserJwtLoginRequest definition:

package biz.user.login;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import io.swagger.v3.oas.annotations.media.Schema;
import lombok.Data;
import lombok.NoArgsConstructor;

import javax.validation.constraints.NotNull;

/**
 * @author dolphin
 * https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api
 */
@Data
@NoArgsConstructor
@JsonIgnoreProperties(ignoreUnknown = true)
public class FortuneAppleUserJwtLoginRequest extends LoginBaseRequest {

    @NotNull
    private String identityToken;

}

1 answer

Victor Navarro (accepted answer):

The 'audience' and the 'subject' are inside the body of the JWT; they are called 'aud' and 'sub' and have the following structure:

{
    "alg": "ES256",
    "kid": "ABC123DEFG"
}
{
    "iss": "DEF123GHIJ",
    "iat": 1437179036,
    "exp": 1493298100,
    "aud": "https://appleid.apple.com",
    "sub": "com.mytest.app"
}

Where the fields you are looking for are:

"aud": "https://appleid.apple.com",
"sub": "com.mytest.app"

You can check this link for more information.
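An added example, not code from the question or the answer: the audience to require is your own app's bundle identifier (the client_id) taken from server configuration, never read back from the token you are checking, while the subject is the Apple user identifier you read out of the claims once the signature, issuer, audience and expiry checks have passed (the example token in the question decodes to exactly this layout). It assumes jjwt 0.11 (the API the question uses) and that the Apple JWKS has already been fetched into a map keyed by kid; the class and method names are mine.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SigningKeyResolverAdapter;
import java.math.BigInteger;
import java.security.Key;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;
import java.util.Map;

public final class AppleIdentityTokenVerifier {
    private static final String APPLE_ISSUER = "https://appleid.apple.com";
    // your app's bundle id (client_id) from server config, never read from the token
    private final String expectedAudience;
    // Apple JWKS keys indexed by "kid"; assumed to be fetched and cached elsewhere
    private final Map<String, PublicKey> keysByKid;

    public AppleIdentityTokenVerifier(String expectedAudience, Map<String, PublicKey> keysByKid) {
        this.expectedAudience = expectedAudience;
        this.keysByKid = keysByKid;
    }

    // builds an RSA public key from the base64url "n" and "e" members of one JWK entry
    public static PublicKey rsaKeyFromJwk(String n, String e) throws Exception {
        BigInteger modulus = new BigInteger(1, Base64.getUrlDecoder().decode(n));
        BigInteger exponent = new BigInteger(1, Base64.getUrlDecoder().decode(e));
        return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(modulus, exponent));
    }

    // verifies signature, iss, aud and exp, then returns "sub", the stable Apple user id
    public String verifyAndGetSubject(String identityToken) {
        Jws<Claims> jws = Jwts.parserBuilder()
                .setSigningKeyResolver(new SigningKeyResolverAdapter() {
                    @Override
                    public Key resolveSigningKey(JwsHeader header, Claims claims) {
                        // select the key named in the token header instead of keys.get(0)
                        Key key = keysByKid.get(header.getKeyId());
                        if (key == null) throw new IllegalStateException("unknown kid " + header.getKeyId());
                        return key;
                    }
                })
                .requireIssuer(APPLE_ISSUER)
                .requireAudience(expectedAudience)
                .build()
                .parseClaimsJws(identityToken); // throws on bad signature, wrong iss/aud or expiry
        return jws.getBody().getSubject();
    }
}
```

Any exception from parseClaimsJws means the token must be rejected; only the returned subject should be used to look up or create the local user account.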