Post marked as unsolved with 0 replies, 890 views
Hello,

As part of the Sign in with Apple, we receive an id token as part of the first authentication step. Either when going through AuthenticationServices Framework (iOS app: https://developer.apple.com/documentation/authenticationservices/asauthorizationappleidcredential) or through REST APIs (https://developer.apple.com/documentation/signinwithapplerestapi/tokenresponse). Apple documentation says we should verify this ID token to ensure this is the real deal. Documentation says the way to fetch Apple's public key is here: https://developer.apple.com/documentation/signinwithapplerestapi/fetch_apple_s_public_key_for_verifying_token_signature.

However, it does not make sense to fetch the public key for every transaction / every login. My questions are

1. Does Apple's public key change often? My guess is not.
2. If it does not, I should be able to fetch it once and cache it. Use the cached key for subsequent operations. Does this make sense?

How have others solved this problem?

Thanks.
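One way to cache the key set asked about above, as an added example that is not part of the original post or Apple's code: the endpoint returns a set of keys and each ID token's header names its signing key in `kid`, so the cache is keyed by `kid` and refetches when a token names a key it has not seen. `JwksCache`, `token_kid`, the injected `fetch` callable and the TTL values are assumptions; signature verification itself is left to a JWT library.

```python
import base64
import json
import time


class JwksCache:
    """Caches a JWKS document and looks keys up by the token header's `kid`."""

    def __init__(self, fetch, ttl=24 * 3600, min_refetch=300, clock=time.monotonic):
        self._fetch = fetch              # callable returning the parsed JWKS dict
        self._ttl = ttl                  # assumed maximum age of the cached set, seconds
        self._min_refetch = min_refetch  # assumed floor between forced refetches
        self._clock = clock
        self._keys = {}
        self._fetched_at = None

    def _refresh(self):
        jwks = self._fetch()
        self._keys = {k["kid"]: k for k in jwks["keys"]}
        self._fetched_at = self._clock()

    def key_for(self, kid):
        now = self._clock()
        if self._fetched_at is None or now - self._fetched_at > self._ttl:
            self._refresh()
        elif kid not in self._keys and now - self._fetched_at >= self._min_refetch:
            # Unknown kid: the published set may have changed, so refetch.
            # The floor stops tokens with made-up kids from forcing a fetch each time.
            self._refresh()
        if kid not in self._keys:
            raise KeyError(f"no published key with kid {kid!r}")
        return self._keys[kid]


def token_kid(id_token):
    """Reads `kid` from the unverified JWT header; use it only to select a key."""
    header_b64 = id_token.split(".")[0]
    padded = header_b64 + "=" * (-len(header_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))["kid"]
```

In a server, `fetch` would be an HTTPS GET of the key set described in the documentation linked in the post, and the JWK returned by `key_for(token_kid(id_token))` is handed to the JWT library that checks the signature and claims.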