Hey everyone!
I’m currently implementing sign in with apple on my app. I’m already at the point where I got the JWT that I need to decode to validate the user and the key hash from apple (includes the kid, the alg etc.).
How can I use the information from the key hash to decode the JWT correctly?
In Ruby it seems pretty straightforward with
But I’m having a hard time finding the equivalent in Elixir. I took a look at JOSE.JWK but I’m not sure which method I should use to generate the JWK and fetch the public key afterward
Thanks!
With Assent it is very easy too (in my mix file: {:assent, "~> 0.1.13"}). You just have to pass the apple authorization code (ASAuthorizationAppleIDCredential -> authorizationCode) and the apple_id is then verified. No need to manually pass the public key and algorithm. You don’t even need to pass the identityToken:
  # Needs `require Logger` in the enclosing module. Assent fetches Apple's
  # public key itself, so the identity token (first argument) is not used here.
  def check_apple_sign_in(_apple_jwt, apple_auth) do
    [
      client_id: "com.your_domain.your_app",
      team_id: "YOUR_ID",
      private_key_id: "KEY_ID",
      private_key_path: "/Users/you/development/Keys/AuthKey_2YZ4LV4PYI.p8",
      redirect_uri: nil
    ]
    |> Assent.Config.put(:session_params, %{})
    |> Assent.Strategy.Apple.callback(%{"code" => apple_auth})
    |> case do
      {:ok, %{user: user, token: token}} ->
        %{"sub" => user_id} = user
        Logger.info("apple sign in verification successful. user: #{Kernel.inspect(user)}; token: #{Kernel.inspect(token)}")
        # the user_id you are interested in
        {:ok, user_id}

      error ->
        Logger.info("apple sign in verification not successful: #{Kernel.inspect(error)}")
        {:error, :authentication}
    end
  end
Just in case: please note that jose does not validate any claims of a jwt. It only verifies the signature - so you have to check all other things by yourself - especially exp and aud. Just don’t forget that!
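For the original question (verifying the token with JOSE using the JWK Apple publishes) together with the point above that jose only checks the signature, here is an added example that is not from any poster on this thread. It assumes Jason is the project's JSON library and that `jwks` is the decoded JSON from Apple's keys endpoint; `AppleIdToken` and its function names are made up for the example.

```elixir
defmodule AppleIdToken do
  @issuer "https://appleid.apple.com"

  # `jwks` is the decoded JSON from https://appleid.apple.com/auth/keys, e.g.
  # %{"keys" => [%{"kty" => "RSA", "kid" => ..., "n" => ..., "e" => "AQAB"}]}.
  # Returns {:ok, sub} only if the signature verifies against the key named by
  # the token's kid AND the issuer, audience and expiry are what this app expects.
  def verify(id_token, client_id, jwks, now \\ System.system_time(:second)) do
    with {:ok, kid} <- header_kid(id_token),
         {:ok, jwk_map} <- find_key(jwks, kid),
         jwk = JOSE.JWK.from_map(jwk_map),
         # verify_strict/3 rejects any alg outside the allow list, so a token
         # rewritten with alg "none" or an HMAC alg cannot pass.
         {true, %JOSE.JWT{fields: claims}, _jws} <-
           JOSE.JWT.verify_strict(jwk, ["RS256"], id_token),
         :ok <- check_claims(claims, client_id, now) do
      {:ok, claims["sub"]}
    else
      {false, _jwt, _jws} -> {:error, :bad_signature}
      {:error, reason} -> {:error, reason}
    end
  end

  # The header is read unverified; only kid is taken from it, to pick the key.
  # Assumes Jason is the project's JSON library.
  defp header_kid(id_token) do
    case Jason.decode(JOSE.JWS.peek_protected(id_token)) do
      {:ok, %{"kid" => kid}} -> {:ok, kid}
      _ -> {:error, :missing_kid}
    end
  end

  defp find_key(%{"keys" => keys}, kid) do
    case Enum.find(keys, &(&1["kid"] == kid)) do
      nil -> {:error, :unknown_kid}
      key -> {:ok, key}
    end
  end

  # jose leaves these to the caller: issuer, audience (the app's bundle id or
  # Services ID; "aud" may be a string or a list) and expiry.
  defp check_claims(claims, client_id, now) do
    cond do
      claims["iss"] != @issuer -> {:error, :bad_issuer}
      client_id not in List.wrap(claims["aud"]) -> {:error, :bad_audience}
      not is_integer(claims["exp"]) or claims["exp"] <= now -> {:error, :expired}
      true -> :ok
    end
  end
end
```

Apple rotates the keys behind its endpoint, so cache the fetched JWKS and refetch when a kid is unknown rather than hard-coding a key.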
Joken provides sane default behavior - which is useful. I did jwt handling both jose-only and jose/joken and both are pretty straightforward.
Probably the harder part is to parse a key in PEM format haha.