nonce value not present on decoded identity token

Hello everyone.


I am using `apple-sign-in` and on their docs, it mentions that you should verify the identity token.


To verify the identity token, your app server must:

  • Verify the JWS E256 signature using the server’s public key
  • Verify the nonce for the authentication <-- issue


How do I verify the `nonce`? On the decoded identity token I am not getting the `nonce` field as per the docs:


The identity token is a JSON Web Token (JWT) and contains the following claims:

  • iss: The issuer-registered claim key, which has the value https://appleid.apple.com.
  • sub: The unique identifier for the user.
  • aud: Your client_id in your Apple Developer account.
  • exp: The expiry time for the token. This value is typically set to 5 minutes.
  • iat: The time the token was issued.
  • nonce: A String value used to associate a client session and an ID token. This value is used to mitigate replay attacks and is present only if passed during the authorization request.
  • email: The user's email address.
  • email_verified: A Boolean value that indicates whether the service has verified the email. The value of this claim is always true because the servers only return verified email addresses.

These are the fields that I get:

{
  "iss": "",
  "aud": "",
  "exp": ,
  "iat": ,
  "sub": "",
  "c_hash": "",
  "email": "",
  "email_verified": "true",
  "auth_time": ""
}


Please help!
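Added example (not from the original post nor from the apple-sign-in package): the server-side claim checks the quoted docs call for, applied after the ES256 signature has already been verified by whatever JWT library is in use. The client_id, nonce and token values are constructed; the check treats a missing nonce claim as a failure when the app sent one, which is the situation described in this thread.

```python
import base64
import hmac
import json
import time
from typing import List, Optional

APPLE_ISSUER = "https://appleid.apple.com"

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_payload(token: str) -> dict:
    """Return the JWT claims. This does not check the signature: the ES256
    signature must already have been verified against Apple's public keys."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))

def validate_claims(claims: dict, client_id: str, expected_nonce: Optional[str],
                    now: Optional[float] = None) -> List[str]:
    """Check the claims the Apple docs list; returns the failures (empty = OK).
    expected_nonce is whatever value the app sent in its authorization request."""
    now = time.time() if now is None else now
    errors = []
    if claims.get("iss") != APPLE_ISSUER:
        errors.append("iss mismatch")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        errors.append("aud mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        errors.append("exp missing or token expired")
    if expected_nonce is not None:
        # A nonce was sent, so the claim must be present and equal. A missing
        # claim (the symptom in this thread) is rejected, not silently skipped.
        nonce = claims.get("nonce")
        if not isinstance(nonce, str):
            errors.append("nonce claim missing")
        elif not hmac.compare_digest(nonce.encode(), expected_nonce.encode()):
            errors.append("nonce mismatch")
    return errors

def make_unsigned_token(claims: dict) -> str:
    """Constructed test token with an empty signature, only to exercise the parser."""
    def enc(obj: dict) -> str:
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'ES256', 'kid': 'constructed'})}.{enc(claims)}."
```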

Accepted Reply

If you could give it a try in the most recent iOS seed, it should be working there. If not, please file a feedback report with a sysdiagnose from that seed and we'll take a look.

Replies

I'm having the same issue (missing nonce claim in the id_token), but only when signing in with Safari and using "Continue with Touch ID". If I click "Use a different Apple ID" and go through the web UI sign-in, the nonce claim is there and the sign-in succeeds. It also works in other browsers on macOS and Windows.


Signing in with Touch ID is convenient, but having to skip the nonce validation seems to violate both Apple's documentation (as noted above) and the OpenID Connect spec (https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation).

Tech support responded that this is a known issue without a known workaround, and I should submit a bug report. Perhaps others who see this issue should do the same, at https://feedbackassistant.apple.com.

Thanks, this is now working correctly with the latest macOS update, 10.15.3 (19D76).

Bumping this. I'm having the same issue with the latest Juice example app and "Sign in with Apple"