Skip to content

IdToken

Nov Matake edited this page May 23, 2020 · 10 revisions

AppleID::IdToken

ID Token Claims

id_token = token_response.id_token

id_token.iss # => "https://appleid.apple.com"
id_token.aud # => Your Client ID
id_token.sub # => Apple User Identifier (a.k.a. Subject Identifier)
id_token.iat # => issued_at (Unix Timestamp)
id_token.exp # => expires_at (Unix Timestamp)
id_token.at_hash # => hash value of access_token which is issued together with the id_token

id_token.original_jwt # => JSON::JWS (in case of you need direct JWT access)

ID Token Decoding

When getting ID Token via AppleID::Client#access_token!, received id_token is automatically decoded.

However, if you manually decode id_token, use this method.

AppleID::IdToken.decode 'eyJ..'

ID Token Verification

When the ID Token is obtained via back-channel TLS communication

In this case, you can just skip ID Token verification steps, since the token is fetched via back-channel channel, where the server is authenticated in TLS layer.

However, if you do full verification, do as below.

id_token.verify!(
  client: client, # NOTE: Check `aud`
  nonce: session[:nonce], # NOTE: Check `nonce`
  access_token: token_response.access_token, # NOTE: Check `at_hash`
  # verify_signature: true # NOTE: signature is verified as default
)

NOTE: JWKS caching feature will reduce unnecessary JWKS fetch requests for signature verification.

When the ID Token is obtained via front-channel communication

Don't use the ID Token on back-end.

Instead, pass Authorization Code from front-end to back-end, obtain ID Token via back-channel and use it.