Sign-in with Apple user verification

Information Security, asked on November 8, 2021

I want to enable "Sign in with Apple" in my application.

[Image: Apple sign-in]

As you can see here, the app sends the token (authorization code) to the backend, and then the backend needs to talk to Apple ID to verify the user.

This is the recommended way from the iOS docs, but I noticed that when the app calls the "Sign in with Apple" function it gets a JWT which is cryptographically signed by Apple, and it contains the user's email + user ID (ASAuthorizationAppleIDCredential -> identityToken).

I can just validate Apple’s signature and decode the JWT, and I KNOW the identity of the user handing the token over to me, and I know that the JWT is valid because Apple’s signature matches.

My question is: why do I need to deal with network requests + authorization codes just to verify the user’s identity, when I can do it locally on my backend with just algorithms + Apple’s public key?

I can see why this flow is good when I need to access the Apple API about the user later (let’s say updating some info about them or adding something to their calendar), but just for sign-in this feels like overkill.

https://developer.apple.com/documentation/authenticationservices/asauthorizationappleidcredential/3153035-identitytoken

A useful link about validating the JWT: https://sarunw.com/posts/sign-in-with-apple-3/
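The local verification the question describes, as an added example (not code from the original post, from Apple, or from the linked article): a Go backend verifies the identity token's RS256 signature against the key named by the header's `kid` and then checks the claims that the signature alone says nothing about: the issuer, the audience (the app's client ID), the expiry, and the nonce the app placed in its authorization request. The key pair, the key id `constructed-kid-1`, the client ID `com.example.app` and the nonce values are constructed for the demo so it runs offline; a real backend would fetch the key set from https://appleid.apple.com/auth/keys and refetch it when a token names a `kid` it has not cached.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// Issuer Apple places in "iss". Apple's RSA public keys are published as a JWK set at
// https://appleid.apple.com/auth/keys; a backend fetches that set and caches it by kid.
const appleIssuer = "https://appleid.apple.com"
var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// JWK is one RSA key from that set; JSON keys kty, kid, n, e match these fields case-insensitively.
type JWK struct{ Kty, Kid, N, E string }

// Claims are the identity-token claims a sign-in backend must check before trusting sub.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Sub   string `json:"sub"`
	Nonce string `json:"nonce"`
}

// segment decodes one base64url JWT segment and parses its JSON into v.
func segment(s string, v any) error {
	raw, err := b64.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// keyByID finds the RSA key named by kid and rebuilds it as an *rsa.PublicKey.
func keyByID(keys []JWK, kid string) (*rsa.PublicKey, error) {
	for _, k := range keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == kid && k.Kty == "RSA" && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, errors.New("no usable RSA key with that kid")
}

// VerifyAppleIDToken checks the RS256 signature with the key named in the header, then the
// issuer, the audience (your app's client ID), the expiry, and the nonce your app generated.
func VerifyAppleIDToken(token string, keys []JWK, clientID, nonce string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	// Pin the algorithm: the token itself must never get to choose how it is verified.
	if len(parts) != 3 || segment(parts[0], &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or unexpected alg")
	}
	pub, err := keyByID(keys, hdr.Kid)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, _ := b64.DecodeString(parts[2]) // an undecodable signature fails verification like any other
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify")
	}
	var c Claims // only now is the payload worth parsing
	if err := segment(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != appleIssuer:
		return nil, errors.New("wrong issuer")
	case c.Aud != clientID:
		return nil, errors.New("token was issued for a different app")
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case c.Nonce != nonce:
		return nil, errors.New("nonce does not match this sign-in attempt")
	}
	return &c, nil
}

// newFakeApple makes a constructed key pair that stands in for Apple's signing key (demo only).
func newFakeApple() (*rsa.PrivateKey, []JWK) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	n, e := b64.EncodeToString(priv.N.Bytes()), b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())
	return priv, []JWK{{Kty: "RSA", Kid: "constructed-kid-1", N: n, E: e}}
}

// signToken produces an RS256 token in the shape of an Apple identity token (constructed, demo only).
func signToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}
```

Calling `VerifyAppleIDToken(token, keys, "com.example.app", nonce, time.Now())` with a token from `signToken` on the `newFakeApple` key returns the claims; the same token is rejected when presented for another client ID, with a different nonce, after its expiry, when signed by a key that is not in the fetched set, or with `alg` changed to anything but RS256. The audience and nonce checks are the part that a bare "signature is valid" check misses: they bind the token to this app and to this sign-in attempt rather than to any Apple-signed token the backend is handed.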
