iOS | Security issue on Apple Sign In token

Currently as part of project, we are decoding the token at server side which we received from iPhone app after apple login.

iOS code snippet: let appleIDToken = appleIDCredential.identityToken let idTokenString = String(data: appleIDToken, encoding: .utf8) idTokenString value is passed to server.

Server side code snippet: jwt.decode(token, { complete: true }); token value is idTokenString which we received from iOS app.

We are facing security concern as this token is able to decode directly without any security key.

Is there any way by which we can get token from apple with encrypted key. This key will be kept as a secret key at apple and our project side as well. Hence, it will be secured or is there any apple link where this token can be decoded.

Please check on this concern. We have attached screenshot for your reference.

Up vote post of Pushparaj_Setindia Down vote post of Pushparaj_Setindia
435 views
Posted by
Pushparaj_Setindia
Reply
Add a Comment

Replies

Hi Pushparaj_Setindia,

Is there any way by which we can get token from apple with encrypted key. This key will be kept as a secret key at apple and our project side as well. Hence, it will be secured or is there any apple link where this token can be decoded.

Yes, you can securely transfer the authorization grant code received in your ASAuthorizationAppleIDCredential to your server infrastructure, then your server can validate the authorizationCode to receive the user's identity token, refresh token, and access token. Please see the following documentation for more info:

Generate and validate tokens

Cheers,

Paris

Posted by
ppinkney
Up vote reply of ppinkney Down vote reply of ppinkney
Add a Comment