IdToken
Nov Matake edited this page May 23, 2020
```ruby
id_token = token_response.id_token
id_token.iss          # => "https://appleid.apple.com"
id_token.aud          # => your Client ID
id_token.sub          # => Apple User Identifier (a.k.a. Subject Identifier)
id_token.iat          # => issued_at (Unix timestamp)
id_token.exp          # => expires_at (Unix timestamp)
id_token.at_hash      # => hash of the access_token issued together with this id_token
id_token.original_jwt # => JSON::JWS (in case you need direct JWT access)
```
When the ID Token is obtained via `AppleID::Client#access_token!`, the received `id_token` is decoded automatically. If you need to decode an `id_token` manually, use this method:

```ruby
AppleID::IdToken.decode 'eyJ..'
```

In this case, you don't have to verify the `id_token` signature or `at_hash`:

```ruby
id_token.verify!(
  client: client,
  verify_signature: false
)
```
Moreover, you can skip all verification steps, since the token is fetched via the back-channel, where the server is authenticated at the TLS layer. If you do want full verification, do as below:

```ruby
id_token.verify!(
  client: client,
  nonce: session[:nonce],
  access_token: token_response.access_token, # NOTE: checks `at_hash`
  # verify_signature: true # NOTE: the signature is verified by default
)
```
NOTE: The JWKS caching feature reduces unnecessary JWKS fetch requests for signature verification.

Don't use an ID Token obtained via the front-channel. Instead, pass the Authorization Code from the front-end to the back-end, and exchange the Authorization Code for the Access Token & ID Token in the back-channel.
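To make concrete what the `verify!` call above checks beyond the signature, here is an added, self-contained example written for this page; it is not code from the `apple_id` gem. It decodes the payload of a compact JWS without signature verification (the back-channel-only shortcut described above), computes the OpenID Connect `at_hash` (base64url, no padding, of the left 128 bits of the SHA-256 digest of the access token), and checks `iss`, `aud`, `sub`, `exp`, `iat`, `nonce` and `at_hash` against the values the relying party knows. The sample token is constructed inline with a placeholder signature segment and a hypothetical `com.example.app` client id so that the file runs offline; a real token from Apple's token endpoint carries an RS256 signature that the gem verifies against Apple's JWKS by default.

```ruby
require 'base64'
require 'digest'
require 'json'

APPLE_ISSUER = 'https://appleid.apple.com'.freeze

# Decode the payload segment of a compact JWS without checking its signature.
# This is the "decode without verification" shortcut: acceptable only for a
# token received over the back-channel token endpoint, never for one handed
# over by a browser or app.
def decode_jwt_payload(jwt)
  segments = jwt.split('.')
  raise ArgumentError, 'expected a three-segment compact JWS' unless segments.size == 3
  JSON.parse(Base64.urlsafe_decode64(segments[1]))
end

# OpenID Connect at_hash: base64url (no padding) of the left half of the
# SHA-256 digest of the access_token's ASCII octets. Apple signs with RS256,
# so the hash function is SHA-256.
def compute_at_hash(access_token)
  digest = Digest::SHA256.digest(access_token)
  Base64.urlsafe_encode64(digest[0, digest.bytesize / 2], padding: false)
end

# Claim checks a full verification performs once the signature is trusted.
# Returns an array of failure strings; an empty array means the claims are acceptable.
def verify_id_token_claims(claims, client_id:, nonce: nil, access_token: nil,
                           now: Time.now.to_i, leeway: 60)
  errors = []
  errors << 'iss mismatch' unless claims['iss'] == APPLE_ISSUER

  aud = claims['aud']
  aud_ok = aud.is_a?(Array) ? aud.include?(client_id) : aud == client_id
  errors << 'aud mismatch' unless aud_ok

  errors << 'sub missing' if claims['sub'].to_s.empty?
  exp = claims['exp']
  errors << 'token expired' unless exp.is_a?(Integer) && now < exp + leeway
  iat = claims['iat']
  errors << 'iat in the future' if iat.is_a?(Integer) && iat > now + leeway

  # nonce binds the token to the login session that started the flow
  errors << 'nonce mismatch' if nonce && claims['nonce'] != nonce
  # at_hash binds the token to the access_token issued alongside it
  errors << 'at_hash mismatch' if access_token && claims['at_hash'] != compute_at_hash(access_token)

  errors
end

# Constructed sample: an ID-token-shaped JWT with a placeholder signature
# segment so the example runs offline. Values are made up for this page.
def build_sample_jwt(access_token:, nonce:, now:, client_id: 'com.example.app')
  header = { 'alg' => 'RS256', 'kid' => 'constructed-kid' }
  payload = {
    'iss' => APPLE_ISSUER,
    'aud' => client_id,
    'sub' => '000123.constructed-subject.0456',
    'iat' => now,
    'exp' => now + 600,
    'nonce' => nonce,
    'at_hash' => compute_at_hash(access_token)
  }
  [header, payload].map { |part| Base64.urlsafe_encode64(JSON.generate(part), padding: false) }
                   .push('placeholder-signature').join('.')
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now.to_i
  jwt = build_sample_jwt(access_token: 'constructed-access-token', nonce: 'constructed-nonce', now: now)
  claims = decode_jwt_payload(jwt)
  puts verify_id_token_claims(claims, client_id: 'com.example.app', nonce: 'constructed-nonce',
                              access_token: 'constructed-access-token', now: now).inspect
  puts verify_id_token_claims(claims, client_id: 'com.example.app', nonce: 'other', now: now).inspect
end
```

The `leeway` keyword tolerates small clock skew between Apple and your server; keep it to tens of seconds. Passing `nonce:` is what ties the ID Token to the browser session that initiated the login, and passing `access_token:` is what the `at_hash` check in `verify!` does, so both are worth supplying even when the token arrived over the back-channel.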