Techofficer / node-apple-signin

Node.JS wrapper around Sign In with Apple REST API
MIT License

jwt.verify - Invalid Signature caused by addition of new Apple Public Keys #11

Open sanvean opened 4 years ago

sanvean commented 4 years ago

Just a heads up to anyone using this library, as mentioned here: https://forums.developer.apple.com/thread/129047

Apple recently added multiple public keys instead of the single public key that has been available since Apple Sign In was launched (see: https://appleid.apple.com/auth/keys)

To avoid getting invalid signature errors every time a token is signed using a different key to the first returned from the URL above (which is what this library currently uses), the following changes are needed:

```js
const jwt = require('jsonwebtoken');

const verifyIdToken = async (idToken, clientID) => {
  // Decode (without verifying) to read the `kid` header, so we know which Apple key signed this token
  const decodedToken = jwt.decode(idToken, { complete: true });
  const applePublicKey = await getAppleIDPublicKey(decodedToken.header.kid);

  // `algorithms` must be an array; pinning it stops the token from choosing its own algorithm
  const jwtClaims = jwt.verify(idToken, applePublicKey, { algorithms: ['RS256'] });
  ...
```

getAppleIDPublicKey then needs to use the kid (keyIdentifier) parameter to return the correct key from the list of keys returned from https://appleid.apple.com/auth/keys and everything should work 100% again 🥳

alaborderie commented 4 years ago

Created a fork with changes at https://github.com/alaborderie/node-apple-signin until PR is merged

Ariandr commented 4 years ago

It seems this repo is not maintained. But I found a different repo (with corresponding npm lib) made in the same way which fixes the issue.

Repo: https://github.com/A-Tokyo/apple-signin-auth

npm lib: https://www.npmjs.com/package/apple-signin-auth

8secz-johndpope commented 4 years ago

please merge - got an app rejected because of this

shaniqwa commented 4 years ago

watching this, waiting for the merge