Will Apple change the public key in the future?

The reason I'm asking these questions is that, since we need to validate the id token signature returned by Apple when a user uses Sign In with Apple, I'm not sure whether it is necessary to fetch Apple's public key every time from this endpoint (GET https://appleid.apple.com/auth/keys). Is there a rate limit on the endpoints (GET public key and POST validate authcode/token)?


Will Apple ever change the public key in the future? If so, will the developers be notified when Apple changes it? Also, how often do we expect Apple will change it?


Thank you!

  • Hi Angela, how do you use the public keys to decode? I'm trying, but it always returns: Could not deserialize key data


Replies

Hi!

Did you get a response on this yet?


Regards,

Jonas

The reason this endpoint exists is because it's possible that the public key could be revoked. You should not rely on the public key remaining constant forever, instead, use the endpoint as the authoritative source for the Sign in with Apple public key.

Yes, it can and has changed before. A few months ago Apple's public key was AIDOPK1, then this month they changed to another Key ID.

My guess would be that Apple changes the public key once every month? You can set up a cron job to call the public key endpoint once every 24 hours, then save the latest public keys JSON into your database (and replace the old one), then your backend can use the saved public keys to verify the identityToken.

I am interested in this too, because I think it is a waste of bandwidth and computing power to retrieve these public keys online whenever we need them. But if it really changes periodically as 'souldchild' said, then it can't be helped. [We have to access it online every time.] I am adding this comment because his idea of using a cron job is a bad idea. Even if, let's say, this cron job is reduced to once an hour, what if our user tries to "apple sign in" during the time that Apple changes the public keys, just several minutes after our last cron job runs?