
jwt.verify - Invalid Signature caused by addition of new Apple Public Keys

Open sanvean opened this issue 5 years ago • 5 comments

Just a heads up to anyone using this library, as mentioned here: https://forums.developer.apple.com/thread/129047

Apple recently added multiple public keys instead of the single public key that has been available since Apple Sign In was launched (see: https://appleid.apple.com/auth/keys)

To avoid getting invalid signature errors every time a token is signed using a different key to the first returned from the URL above (which is what this library currently uses) the following changes are needed:

```javascript
const verifyIdToken = async (idToken, clientID) => {
  // decode without verifying, only to read the key id (kid) from the header
  const decodedToken = jwt.decode(idToken, { complete: true });
  // look up the key with that kid among the keys returned by https://appleid.apple.com/auth/keys
  const applePublicKey = await getAppleIDPublicKey(decodedToken.header.kid);

  const jwtClaims = jwt.verify(idToken, applePublicKey, { algorithms: ['RS256'] });
  ...
```

getAppleIDPublicKey then needs to use the kid (keyIdentifier) parameter to return the correct key from the list of keys returned from https://appleid.apple.com/auth/keys and everything should work 100% again 🥳

sanvean, Feb 18 '20 13:02

Created a fork with changes at https://github.com/alaborderie/node-apple-signin until PR is merged

alaborderie, Feb 27 '20 16:02

It seems this repo is not maintained. But I found a different repo (with corresponding npm lib) made in the same way which fixes the issue.

Repo: https://github.com/A-Tokyo/apple-signin-auth

npm lib: https://www.npmjs.com/package/apple-signin-auth

Ariandr, Mar 12 '20 10:03

Please merge; got an app rejected because of this.

8secz-johndpope, Mar 29 '20 00:03

Watching this, waiting for the merge.

shaniqwa, Apr 25 '20 12:04