nonce value not present on decoded identity token

App & System Services General
cavalos0086@gmail.com OP
Created Nov ’19
Replies 6
Boosts 0
Views 5.2k
Participants 5

Hello everyone.


I am using `apple-sign-in` and on their docs, it mentions that you should verify the identity token.


To verify the identity token, your app server must:

  • Verify the JWS E256 signature using the server’s public key
  • Verify the 
    nonce
    for the authentication <-- issue


How Do I verify the `nonce`? on the decoded identity token I am not getting the `nonce` field as per docs:


The identity token is a JSON Web Token (JWT) and contains the following claims:

iss

The issuer-registered claim key, which has the value 

https://appleid.apple.com
.
sub

The unique identifier for the user.

aud

Your 

client_id
in your Apple Developer account.
exp

The expiry time for the token. This value is typically set to 5 minutes.

iat

The time the token was issued.

nonce

A String value used to associate a client session and an ID token. This value is used to mitigate replay attacks and is present only if passed during the authorization request.

email

The user's email address.

email_verified

A Boolean value that indicates whether the service has verified the email. The value of this claim is always true because the servers only return verified email addresses.

These are the fields that I get:


{

"iss": "",

"aud": "",

"exp": ,

"iat":,

"sub": "",

"c_hash": "",

"email": "",

"email_verified": "true",

"auth_time": ""

}


Please help!

Answered by in 404685022

If you could give a try in the most recent iOS seed, it should be working there. If not, please file a feedback report with a sysdiagnose from that seed and we'll take a look.

Replies  6
Boosts  0
Views  5.2k
Participants  5
.02 OP
Dec ’19

I'm having the same issue (missing nonce claim in the id_token), but only when signing in with Safari and using "Continue with Touch ID". If I click "Use a different Apple ID" and go through the web UI sign-in, the nonce claim is there and the sign-in succeeds. It also works in other browsers on MacOS and Windows.


Signing in with touch ID is convenient but having to skip the nonce validation seems to violate both Apple's documentation (as noted above) and the OpenId Connect spec (https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation).

0
varpa89@gmail.com OP
Jan ’20

Have same issue

https://bitbucket.org/openid/connect/src/default/How-Sign-in-with-Apple-differs-from-OpenID-Connect.md

0
.02 OP
Jan ’20

Tech support responded that this is a known issue without a known workaround, and I should submit a bug report. Perhaps others who see this issue should do the same, at https://feedbackassistant.apple.com.

0
OP
Apple
Feb ’20
Accepted Answer

If you could give a try in the most recent iOS seed, it should be working there. If not, please file a feedback report with a sysdiagnose from that seed and we'll take a look.

0
.02 OP
Feb ’20

Thanks, this is now working correctly with the latest macOS update, 10.15.3 (19D76).

0
cbadalucco OP
Feb ’21
Bumping this. I'm having the same issue with the latest Juice example app and "Sign in with Apple"
0
nonce value not present on decoded identity token
First post date Last post date
 
 
Q