GriffinLedingham / php-apple-signin

🗝 Decode Apple Sign In client tokens in PHP
BSD 3-Clause "New" or "Revised" License
200 stars 87 forks

Apple multiple Public keys #5

Open ElKnarzo opened 4 years ago

ElKnarzo commented 4 years ago

The decoding of the JSON web token, which is created when logging in with the Apple SignIn process, sometimes fails due to a SignatureInvalidException.

I found out that Apple delivers several public keys via "https://appleid.apple.com/auth/keys". With Apple SignIn, one of these keys happens to be used for the JWT. However, the ASDecoder is fixed on a specific index of the key array.

This leads to this exception because an incorrect public key is used for decoding.

gengzhenfei commented 4 years ago

Apple sends back the Key Id "kid" in the response so you can look up the appropriate key. The JSON base64-decoded from the identityToken contains the kid, with which you can find the matching key among those at https://appleid.apple.com/auth/keys.

From "Sign in with apple - Multiple public keys returned": https://forums.developer.apple.com/thread/129047
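The kid lookup described above, as an added example that is not code from php-apple-signin or from any commenter: it generates two local RSA keys to stand in for Apple's JWKS (constructed test data; a real deployment fetches https://appleid.apple.com/auth/keys), signs a token with the second key, and shows that verifying against a fixed array index fails while selecting the JWKS entry whose kid matches the token header succeeds. The function names (select_key, jwk_to_pem, verify_rs256, make_test_key, sign_rs256) are this example's own and assume only PHP with the openssl extension.

```php
<?php
// Added example, not code from php-apple-signin: pick the Apple JWKS entry by
// "kid" instead of a fixed array index. Two local RSA keys stand in for
// Apple's key set (constructed test data) so the script runs offline.

function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $s): string {
    return base64_decode(strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4));
}

// Minimal DER helpers: wrap the JWK modulus/exponent into a SubjectPublicKeyInfo
// so OpenSSL can load the key from the JWKS entry.
function der_len(int $len): string {
    if ($len < 0x80) {
        return chr($len);
    }
    $bytes = ltrim(pack('N', $len), "\0");
    return chr(0x80 | strlen($bytes)) . $bytes;
}

function der_uint(string $bin): string {
    $bin = ltrim($bin, "\0");
    if ($bin === '' || (ord($bin[0]) & 0x80)) {
        $bin = "\0" . $bin; // keep the INTEGER positive
    }
    return "\x02" . der_len(strlen($bin)) . $bin;
}

function jwk_to_pem(array $jwk): string {
    if (($jwk['kty'] ?? '') !== 'RSA') {
        throw new RuntimeException('only RSA JWKs are handled here');
    }
    $rsaKey = der_uint(b64url_decode($jwk['n'])) . der_uint(b64url_decode($jwk['e']));
    $rsaKey = "\x30" . der_len(strlen($rsaKey)) . $rsaKey;                    // RSAPublicKey SEQUENCE
    $algId  = "\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00"; // rsaEncryption OID, NULL
    $bitStr = "\x03" . der_len(strlen($rsaKey) + 1) . "\0" . $rsaKey;         // BIT STRING, 0 unused bits
    $spki   = "\x30" . der_len(strlen($algId . $bitStr)) . $algId . $bitStr;
    return "-----BEGIN PUBLIC KEY-----\n" . chunk_split(base64_encode($spki), 64, "\n") . "-----END PUBLIC KEY-----\n";
}

// The fix: read "kid" from the token header and return the matching JWKS entry.
// Pinning alg to RS256 also rules out alg-confusion tricks ("none", HS256 with the public key).
function select_key(string $jwt, array $jwks): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new RuntimeException('malformed JWT');
    }
    $header = json_decode(b64url_decode($parts[0]), true);
    if (!is_array($header) || empty($header['kid'])) {
        throw new RuntimeException('JWT header carries no kid');
    }
    if (($header['alg'] ?? '') !== 'RS256') {
        throw new RuntimeException('unexpected alg ' . ($header['alg'] ?? '(none)'));
    }
    foreach ($jwks['keys'] as $jwk) {
        if (($jwk['kid'] ?? null) === $header['kid']) {
            return $jwk;
        }
    }
    // An unknown kid means the cached key set is stale: refetch the JWKS, never fall back to keys[0].
    throw new RuntimeException('no JWKS entry for kid ' . $header['kid']);
}

function verify_rs256(string $jwt, array $jwk): bool {
    [$h, $p, $s] = explode('.', $jwt);
    $pub = openssl_pkey_get_public(jwk_to_pem($jwk));
    if ($pub === false) {
        throw new RuntimeException('could not load public key: ' . openssl_error_string());
    }
    return openssl_verify("$h.$p", b64url_decode($s), $pub, OPENSSL_ALGO_SHA256) === 1;
}

// --- Constructed test data standing in for Apple's JWKS and identity token ---
function make_test_key(string $kid): array {
    $priv = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $rsa  = openssl_pkey_get_details($priv)['rsa'];
    $jwk  = ['kty' => 'RSA', 'kid' => $kid, 'use' => 'sig', 'alg' => 'RS256',
             'n' => b64url_encode($rsa['n']), 'e' => b64url_encode($rsa['e'])];
    return [$priv, $jwk];
}

function sign_rs256($priv, string $kid, array $claims): string {
    $h = b64url_encode(json_encode(['alg' => 'RS256', 'kid' => $kid]));
    $p = b64url_encode(json_encode($claims));
    openssl_sign("$h.$p", $sig, $priv, OPENSSL_ALGO_SHA256);
    return "$h.$p." . b64url_encode($sig);
}

[$priv1, $jwk1] = make_test_key('test-kid-1');
[$priv2, $jwk2] = make_test_key('test-kid-2');
$jwks  = ['keys' => [$jwk1, $jwk2]];   // stand-in for the Apple JWKS response
$token = sign_rs256($priv2, 'test-kid-2', ['iss' => 'https://appleid.apple.com', 'sub' => 'example-user']);

printf("fixed index keys[0]: %s\n", verify_rs256($token, $jwks['keys'][0]) ? 'valid' : 'signature invalid');
printf("kid lookup:          %s\n", verify_rs256($token, select_key($token, $jwks)) ? 'valid' : 'signature invalid');
```

Run it with `php example.php`: the first line reports an invalid signature because the token was signed with the second key, which is exactly the situation in this issue, and the second line reports a valid one. A matching signature is only the first gate; a real ASDecoder replacement must still check iss, aud (your client id), exp and, when used, the nonce claim, and should refetch the JWKS when a kid is not found, since the key set can change over time.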

TipiT commented 4 years ago

I understood that this issue was fixed in: https://github.com/GriffinLedingham/php-apple-signin/pull/8/commits

I still get SignatureInvalidExceptions exactly like before, so the lib still picks the wrong key. Did someone get this fixed, or am I using the lib wrong?