Sign In with Apple: Backend Part (Java)

Arnau Miro
Published in Jeff Tech
3 min read · Mar 27, 2020

This post is related to Sign In with Apple: iOS Part (Swift), written by Jeff’s iOS team, although it can be used on its own as the backend part, provided you have the parameters we will mention.

In this post we will explain how to handle Sign In with Apple on the backend side. We will create a private key from the Apple Sign In certificate to request the user’s information, and we will verify the information Apple sends us with one of Apple’s public keys.

1. Verifying Authorization Code

First of all we will need:

  • Apple Certificate (.p8), which needs to be downloaded
  • Apple Client ID
  • Apple Key ID
  • Apple Team ID
  • Apple URL (https://appleid.apple.com)

You can get all of them from the certificate you have created for Apple Sign In on your Apple Developer Account.

The app sends us the key identifier (the kid from the token’s header) and the authorization code; with those we will verify the user’s identity.

First step: we will generate a JWT (with the Jwts builder) using a private key we derive from the Apple Certificate, together with the Apple Team ID, Apple Client ID, Apple Key ID and Apple URL, signed with the ES256 algorithm as follows:

With the .p8 certificate we will generate a private key:

With that private key we will generate the Jwts token:

Second step: we will use the Apple Client ID, the constant value authorization_code (the grant type) and the authorizationCode sent by the app to make the request to Apple for the user’s information.

Sending those parameters on a POST as request params to https://appleid.apple.com/auth/token, we will receive the user’s information. On success we get a TokenResponse; on failure we get one of several error types in an ErrorResponse.

So far, the main method looks as follows:

As you can see in Apple’s documentation, they say the parameters should be sent in the body with content-type: application/x-www-form-urlencoded, but we send them as request parameters and it works.

2. Getting User Information

With that TokenResponse we will have the id_token, from which we can get the user information after verifying it with an Apple public key.

To get the public keys from Apple we make a GET request to https://appleid.apple.com/auth/keys.

Before 14/02/2020 this request returned just one public key, but since that date Apple is sending more than one key.

Looking at forums and posts, it seems the kid param from the app token’s header is what tells you which key to use. This is where the key identifier (kid) sent by the app comes in.

We will choose the public key whose kid matches the kid (keyIdentifier) received from the app.

Testing what I mentioned before, sometimes it works and sometimes it does not; it seems to be something Apple needs to fix. So we loop over the returned keys until we find the one whose signature verifies, and use it to get the data from the id_token.

Once we have the claims from the id_token, we have the user data from the token.
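As an added example (not the post’s own code), this is how the kid lookup and the fallback loop over Apple’s keys described above can be written with jjwt 0.11 and Jackson. It assumes the JWKS JSON from https://appleid.apple.com/auth/keys has already been fetched and that the kid sent by the app is available; the class and method names are hypothetical. It goes slightly beyond the post by also checking the issuer and the audience (your client ID) in the same parse, so a token minted for a different app is rejected even if its signature is valid.

```java
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.SignatureException;

// Hypothetical helper (not the post's code): verifies an Apple id_token with jjwt 0.11.
public class AppleIdTokenVerifier {
    private static final String APPLE_ISSUER = "https://appleid.apple.com";

    // Turn the JWKS document from GET https://appleid.apple.com/auth/keys into a
    // kid -> RSA public key map (Apple publishes RSA keys with base64url n and e).
    static Map<String, PublicKey> parseJwks(String jwksJson) throws Exception {
        Map<String, PublicKey> keys = new HashMap<>();
        KeyFactory rsa = KeyFactory.getInstance("RSA");
        Base64.Decoder b64 = Base64.getUrlDecoder();
        for (JsonNode jwk : new ObjectMapper().readTree(jwksJson).get("keys")) {
            BigInteger n = new BigInteger(1, b64.decode(jwk.get("n").asText()));
            BigInteger e = new BigInteger(1, b64.decode(jwk.get("e").asText()));
            keys.put(jwk.get("kid").asText(), rsa.generatePublic(new RSAPublicKeySpec(n, e)));
        }
        return keys;
    }

    // One parse checks signature, issuer, audience (our client ID) and expiry.
    private static Claims parseWith(String idToken, PublicKey key, String clientId) {
        return Jwts.parserBuilder().setSigningKey(key).requireIssuer(APPLE_ISSUER)
                .requireAudience(clientId).build().parseClaimsJws(idToken).getBody();
    }

    // Prefer the key whose kid matches the one the app sent; if that kid is unknown
    // or its signature check fails, loop over all published keys (the post's fallback).
    // Claim failures (wrong audience, expired) are not retried: they propagate at once.
    static Claims verifyIdToken(String idToken, String kid, Map<String, PublicKey> keys, String clientId) {
        PublicKey preferred = keys.get(kid);
        if (preferred != null) try { return parseWith(idToken, preferred, clientId); } catch (SignatureException ignored) { }
        for (PublicKey key : keys.values()) {
            try { return parseWith(idToken, key, clientId); } catch (SignatureException ignored) { }
        }
        throw new JwtException("id_token did not validate against any Apple public key");
    }
}
```

The returned Claims carry the sub (the stable Apple user identifier) and, when present, email; use sub rather than email as the account key, since the email can be a private relay address.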

We hope this helps you understand a bit how Sign In with Apple verification works on the implementation side.

As the Jeff team, we have implemented it in the Jeff SuperApp and it is working in production.
