I am trying to validate an Apple identityToken using an API. I am using the firebase/php-jwt library.

I have written the code below.

```php
use Firebase\JWT\JWK;
use Firebase\JWT\JWT;

$access_token = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
// Fetch Apple's published signing keys (a JWK set).
$auth_keys = file_get_contents('https://appleid.apple.com/auth/keys');

$public_keys = JWK::parseKeySet(json_decode($auth_keys, true));
$keys = array_keys($public_keys);

// Picks a key by its position in the set (the behaviour described below).
$decoded = JWT::decode($access_token, $public_keys[$keys[0]], ['RS256']);
$decoded_array = (array) $decoded;

echo '<pre>' . print_r($decoded_array, true) . '</pre>';
```

When I run the code the first time, it works successfully, but the second time it returns 'Signature verification failed'. So I just changed `$public_keys[$keys[0]]` to `$public_keys[$keys[1]]` and it works. But if I try to log in again, it does not work.

Is there a problem with the key selection? I don't know how to select it. I tried lots of searches but I didn't find any proper solution, so I hope to get help here.

Thank you in advance

Sohil Sardhara
  • The keys are identified by a key id `kid`. You find this `kid` in the header of your token and in the jwks (under the given url). Just select the jwk with the matching `kid` for your token. – jps Apr 17 '20 at 09:23
  • Thank you @jps for your help, I fixed that. – Sohil Sardhara Apr 17 '20 at 10:16

1 Answer

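```php
use Firebase\JWT\JWT;

$access_token = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
// Split the token and read its (still unverified) header.
list($headb64, $bodyb64, $cryptob64) = explode('.', $access_token);
$header = JWT::jsonDecode(JWT::urlsafeB64Decode($headb64));

// Key ID of the key that signed this token.
$kid = $header->kid;
```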
Sohil Sardhara
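The key selection by `kid` described in the comment and the answer, as an added example that is not part of the original posts: it verifies an RS256 token against a set of two keys and shows why picking a key by position only works some of the time. It uses PHP's openssl extension instead of firebase/php-jwt so that it runs without network access; the helper `verify_with_kid`, the key IDs `kid-A`/`kid-B` and the token are constructed for illustration.

```php
<?php
// Added example: keys and token are constructed here; uses only PHP's openssl extension.
function b64url_encode(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}
function b64url_decode(string $s): string {
    $s = str_pad($s, strlen($s) + (4 - strlen($s) % 4) % 4, '=');
    return base64_decode(strtr($s, '-_', '+/'), true) ?: '';
}

// Hypothetical helper: verify an RS256 JWT against a trusted map of kid => public key (PEM).
function verify_with_kid(string $jwt, array $trustedKeys): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) throw new RuntimeException('malformed token');
    [$h64, $p64, $s64] = $parts;
    $header = json_decode(b64url_decode($h64), true);
    // The header is unverified input: pin the algorithm and use kid only as a lookup key.
    if (($header['alg'] ?? null) !== 'RS256') throw new RuntimeException('unexpected alg');
    $kid = $header['kid'] ?? null;
    if (!is_string($kid) || !isset($trustedKeys[$kid])) throw new RuntimeException('unknown kid');
    $ok = openssl_verify("$h64.$p64", b64url_decode($s64), $trustedKeys[$kid], OPENSSL_ALGO_SHA256);
    if ($ok !== 1) throw new RuntimeException('signature verification failed');
    $claims = json_decode(b64url_decode($p64), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) < time()) throw new RuntimeException('expired or bad payload');
    return $claims;
}

// Constructed stand-in for a published key set holding two keys.
$private = $trusted = [];
foreach (['kid-A', 'kid-B'] as $id) {
    $pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $private[$id] = $pair;
    $trusted[$id] = openssl_pkey_get_details($pair)['key'];
}

// Constructed token, signed with the second key in the set.
$signingInput = b64url_encode(json_encode(['alg' => 'RS256', 'kid' => 'kid-B'])) . '.'
    . b64url_encode(json_encode(['sub' => 'constructed-user', 'exp' => time() + 300]));
openssl_sign($signingInput, $signature, $private['kid-B'], OPENSSL_ALGO_SHA256);
$jwt = $signingInput . '.' . b64url_encode($signature);

// Lookup by kid picks the right key wherever it sits in the set.
$claims = verify_with_kid($jwt, $trusted);
echo "by kid: verified sub={$claims['sub']}\n";

// Picking by position, as in the question, checks against whichever key is listed first.
$first = array_values($trusted)[0];
$ok = openssl_verify($signingInput, $signature, $first, OPENSSL_ALGO_SHA256);
echo 'by position [0]: ' . ($ok === 1 ? 'verified' : 'signature verification failed') . "\n";
```

With firebase/php-jwt as used in the question, the equivalent change is to index the parsed key set by the token's `kid` instead of by `$keys[0]`, and to reject the token when that `kid` is not in the set.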