AppleAuthentication & Expo App Public Key

Please provide the following:

  1. SDK Version: 35
  2. Platforms(Android/iOS/web/all): iOS

Was just implementing AppleAuthentication and have the entire flow working well. However I can’t test the validation of the JWT token because that would require the public key of the Apple ID Key.

Would it be possible for you to provide that for users testing using the Expo app? Basically you take the private p8 file that you would have downloaded when setting up your key in the apple console and you would run this:

openssl ec -in AuthKey_123ABC4567.p8 -pubout -out AuthKey_123ABC4567_Public.p8

That key can then be used to validate the identityToken with that on the server side.

Thoughts?

Also happy to help anyone who’s struggling through implementing it, as I figured out a lot today.

Things I figured out so far:

  • You have to give the button a width and height in a style tag or it doesn’t show up
  • That openssl line above is how you generate your public key which is used to validate the token

Josh

1 Like

Hi - We’ll take a look at this. It should be secure to share the public key (after all, it’s public) but we may rotate the p8 key over time and without any warning since we might not be able to anticipate needing to rotate it, so it’s not something you should rely on in production services. Of course, you can rely on your own p8 key for your own standalone apps.

I investigated this some more and found that there are two different types of key pairs: one that you create under your Apple Developer account to sign requests to Apple, and one that Apple uses to sign authentication JWTs. You want the second’s public key in this scenario.

In short, use Apple’s own public key to verify “Sign In with Apple” JWTs. The public key is here: https://appleid.apple.com/auth/keys. There is a JWT debugger on the front page of https://jwt.io/ that lets you paste in a JWT and a key – copy & paste your JWT and just one of the keys (not the whole response) from Apple into that form. I tested it and verified the signature correctly. This has nothing specific to do with Expo so you can use whatever approach and tools you’d use otherwise.

1 Like

@ide

I’m so sorry. I had written this reply to myself but I somehow didn’t post it. Again, so sorry, but you are totally correct. I was able to validate with the Apple JWK.

Follow up to myself.

You don’t need the public key specifically from your Apple Key, you need Apple’s public key. They provide a JWK set (JSON Web Key Set) here: https://appleid.apple.com/auth/keys

You can use that to validate your payload.

1 Like