I am verifying the Sign in with Apple identity token on the server side. This is what my Java code (Java 11) looks like:
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import retrofit2.Call;

public Response<LoginResponse> loginWithJwt(FortuneAppleUserJwtLoginRequest request)
        throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
    // hard-coded sample identity token used while developing; the real one comes from request.getIdentityToken()
    String exampleIdentifyToken = "eyJraWQiOiJBSURPUEsxIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnNreW1pbmcuZGV2aWNlbW9uaXRvciIsImV4cCI6MTU2NTY2ODA4NiwiaWF0IjoxNTY1NjY3NDg2LCJzdWIiOiIwMDEyNDcuOTNiM2E3OTlhN2M4NGMwY2I0NmNkMDhmMTAwNzk3ZjIuMDcwNCIsImNfaGFzaCI6Ik9oMmFtOWVNTldWWTNkcTVKbUNsYmciLCJhdXRoX3RpbWUiOjE1NjU2Njc0ODZ9.e-pdwK4iKWErr_Gcpkzo8JNi_MWh7OMnA15FvyOXQxTx0GsXzFT3qE3DmXqAar96nx3EqsHI1Qgquqt2ogyj-lLijK_46ifckdqPjncTEGzVWkNTX8uhY7M867B6aUnmR7u-cf2HsmhXrvgsJLGp2TzCI3oTp-kskBOeCPMyTxzNURuYe8zabBlUy6FDNIPeZwZXZqU0Fr3riv2k1NkGx5MqFdUq3z5mNfmWbIAuU64Z3yKhaqwGd2tey1Xxs4hHa786OeYFF3n7G5h-4kQ4lf163G6I5BU0etCRSYVKqjq-OL-8z8dHNqvTJtAYanB3OHNWCHevJFHJ2nWOTT3sbw";

    // get Apple's public keys (JWK set)
    AppleUserRestClient client = RetrofitUtil.getAppleIdRetrofitInstance().create(AppleUserRestClient.class);
    Call<JWKSet> call = client.getPublicKey();
    JWKSet jwkSet = call.execute().body();
    // NOTE: always takes the first key; Apple publishes several, the right one is the one whose 'kid' matches the token header
    String n = jwkSet.getKeys().get(0).getN();
    String e = jwkSet.getKeys().get(0).getE();
    PublicKey publicKey = getPublicKey(n, e);

    // verify the identity token (audience and subject are still unknown here, hence the empty strings)
    verify(publicKey, exampleIdentifyToken, "", "");
    return new Response<>();
}

public void verify(PublicKey key, String jwt, String audience, String subject) {
    JwtParser jwtParser = Jwts.parserBuilder()
            .setSigningKey(key)
            .requireIssuer("https://appleid.apple.com")
            .requireAudience(audience)
            .requireSubject(subject)
            .build();
    try {
        // parseClaimsJws checks the signature, 'exp' and the required claims; it throws on any mismatch
        Jws<Claims> claim = jwtParser.parseClaimsJws(jwt);
        if (claim != null && claim.getBody().containsKey("auth_time")) {
            // TODO: handle a successfully verified token
        }
    } catch (ExpiredJwtException e) {
        log.error("apple identityToken expired", e);
    } catch (Exception e) {
        // NOTE: a failed verification is only logged; nothing is reported back to the caller
        log.error("apple identityToken illegal", e);
    }
}
When I invoke the verify function, I do not know where to get the audience and subject parameters. What should I do to get these two parameters? This is the FortuneAppleUserJwtLoginRequest definition:
package biz.user.login;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import io.swagger.v3.oas.annotations.media.Schema;
import lombok.Data;
import lombok.NoArgsConstructor;
import javax.validation.constraints.NotNull;

/**
 * @author dolphin
 * https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api
 */
@Data
@NoArgsConstructor
@JsonIgnoreProperties(ignoreUnknown = true)
public class FortuneAppleUserJwtLoginRequest extends LoginBaseRequest {
    @NotNull
    private String identityToken;
}
The 'audience' and the 'subject' are inside the body of the JWT; they are called 'aud' and 'sub' and have the following structure:
Where the fields you are looking for are:
You can check this link for more information.
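To make the answer concrete for the code in the question: the following is an added example (not the asker's code and not from the jjwt project) showing where 'aud' and 'sub' live and how a server should treat them. It decodes the payload without trusting it only to inspect those two claims, selects Apple's public key by the 'kid' in the token header rather than taking the first key, and then lets jjwt check the signature, 'exp', 'iss' and 'aud'. 'aud' is the app's client ID, which the server must know from its own configuration and compare against (EXPECTED_AUDIENCE below is a placeholder); 'sub' is the stable user identifier and is read from the claims only after verification, so there is nothing to pass in for it beforehand. The JWKSet type and its getN()/getE() accessors are the asker's; getKid() on the same class is assumed here, as is jjwt 0.11.x and Jackson on the classpath.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SigningKeyResolverAdapter;

public class AppleIdentityTokenCheck {

    // Assumed: the client ID (bundle identifier) registered with Apple for this app.
    // It comes from server configuration, never from the incoming token.
    private static final String EXPECTED_AUDIENCE = "com.example.yourapp"; // placeholder
    private static final String APPLE_ISSUER = "https://appleid.apple.com";

    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Decodes the payload WITHOUT checking the signature. Use it only to look at 'aud'/'sub'; never trust it. */
    static Map<String, Object> peekPayload(String jwt) throws IOException {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("not a compact JWS (expected header.payload.signature)");
        }
        byte[] json = Base64.getUrlDecoder().decode(parts[1]);
        return MAPPER.readValue(json, new TypeReference<Map<String, Object>>() {});
    }

    /** Builds an RSA public key from a JWK's base64url-encoded modulus 'n' and exponent 'e'. */
    static PublicKey rsaKeyFromJwk(String n, String e) throws GeneralSecurityException {
        BigInteger modulus = new BigInteger(1, Base64.getUrlDecoder().decode(n));
        BigInteger exponent = new BigInteger(1, Base64.getUrlDecoder().decode(e));
        return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(modulus, exponent));
    }

    /** Indexes Apple's JWK set by 'kid' so the key named in the token header can be chosen. (getKid() is assumed.) */
    static Map<String, PublicKey> indexByKid(JWKSet jwkSet) throws GeneralSecurityException {
        Map<String, PublicKey> byKid = new HashMap<>();
        for (JWK jwk : jwkSet.getKeys()) {
            byKid.put(jwk.getKid(), rsaKeyFromJwk(jwk.getN(), jwk.getE()));
        }
        return byKid;
    }

    /**
     * Verifies signature, expiry, issuer and audience, then returns the user's stable id ('sub').
     * Any failure surfaces as a JwtException so the caller cannot accidentally treat the login as successful.
     */
    static String verifiedSubject(String jwt, Map<String, PublicKey> appleKeysByKid) {
        Jws<Claims> jws = Jwts.parserBuilder()
                .setSigningKeyResolver(new SigningKeyResolverAdapter() {
                    @Override
                    public Key resolveSigningKey(JwsHeader header, Claims claims) {
                        // pick the key whose 'kid' matches the token header; reject unknown kids
                        PublicKey k = appleKeysByKid.get(header.getKeyId());
                        if (k == null) {
                            throw new JwtException("no Apple public key for kid " + header.getKeyId());
                        }
                        return k;
                    }
                })
                .requireIssuer(APPLE_ISSUER)
                .requireAudience(EXPECTED_AUDIENCE)   // compare against OUR configured client ID
                .build()
                .parseClaimsJws(jwt);                 // throws on bad signature, 'exp' in the past, wrong iss/aud
        return jws.getBody().getSubject();            // 'sub': safe to use as the account key only now
    }

    /** Usage sketch: jwkSet is fetched as in the question, identityToken comes from the login request. */
    static String login(JWKSet jwkSet, String identityToken) throws Exception {
        Map<String, Object> unverified = peekPayload(identityToken);
        System.out.println("token claims aud=" + unverified.get("aud") + " sub=" + unverified.get("sub"));
        return verifiedSubject(identityToken, indexByKid(jwkSet)); // only this value should drive account lookup
    }
}
```

Compared with the question's verify(), there is no requireSubject(): the subject is the output of verification, not an input, and the empty-string audience is replaced by the server's own configured client ID so that a token issued for another app is rejected. This example does not cover the 'c_hash'/'nonce' checks that bind the token to the client-side authorization, which are a separate step.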