In order to implement OAuth with Apple, we make a call to GET https://appleid.apple.com/auth/keys.

(According to the documentation in https://docs.developer.pv.apple.com/documentation/signinwithapplerestapi/fetch_apple_s_public_key_for_verifying_token_signature)

The result goes along the lines of:

{
    "kty": "RSA",
    "kid": "1234567890",
    "use": "...",
    "alg": "RS256",
    "n": "...",
    "e": "..."
}

Can I trust that this information will not change without notice? Or should I make this request every time we need to use Apple's public key?

    You should cache the key with its "kid" for subsequent uses, and fetch the new key again when you see a JWT signed with a different "kid". – Chunlong Jul 16 '19 at 22:24

1 Answer

It can change, but not that often. So you can cache it and verify with the cached ones. And then, when you see a token coming in that can't be verified with the cached key, update your cached keys and try verifying the token again.
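The cache-by-"kid", refresh-on-miss approach from the comment and the answer, as an added example that is not part of the original question or answer. It assumes a `fetch_jwks` callable that returns the parsed JWK Set document (`{"keys": [...]}`, where each entry looks like the key object in the question); here a constructed, rotating JWK Set is used so it runs offline, and a minimum refresh interval is added so that tokens carrying an unknown "kid" cannot force a fetch on every request.

```python
import time


class JwksCache:
    """Caches Apple's JWKs by 'kid'; refetches on an unknown kid, rate-limited."""

    def __init__(self, fetch_jwks, min_refresh_interval=60.0, clock=time.monotonic):
        self._fetch = fetch_jwks            # returns {"keys": [ {...}, ... ]}
        self._min_refresh = min_refresh_interval
        self._clock = clock
        self._keys = {}                      # kid -> JWK dict
        self._last_refresh = None

    def refresh(self):
        doc = self._fetch()
        self._keys = {k["kid"]: k for k in doc["keys"] if "kid" in k}
        self._last_refresh = self._clock()

    def get_key(self, kid):
        key = self._keys.get(kid)
        if key is not None:
            return key                       # served from cache
        # Unknown kid: refetch only if the cooldown has elapsed, so a flood of
        # tokens with bogus kids cannot turn every verification into a fetch.
        now = self._clock()
        if self._last_refresh is None or now - self._last_refresh >= self._min_refresh:
            self.refresh()
            key = self._keys.get(kid)
        if key is None:
            raise KeyError(f"no JWK with kid={kid!r}")
        return key


def demo():
    """Exercise the cache against a constructed JWK Set that rotates (sample data)."""
    published = {"keys": [{"kty": "RSA", "kid": "kidA", "use": "sig", "alg": "RS256", "n": "...", "e": "AQAB"}]}
    calls = []
    def fetch():                             # stands in for GET /auth/keys
        calls.append(1)
        return published
    t = [0.0]                                # fake clock so the cooldown is testable
    cache = JwksCache(fetch, min_refresh_interval=60.0, clock=lambda: t[0])
    cache.get_key("kidA")                    # cold cache -> first fetch
    cache.get_key("kidA")                    # cache hit, no fetch
    fetches_after_warm = len(calls)          # 1
    t[0] = 120.0
    published["keys"].append({"kty": "RSA", "kid": "kidB", "use": "sig", "alg": "RS256", "n": "...", "e": "AQAB"})
    cache.get_key("kidB")                    # unknown kid after rotation -> refetch finds it
    fetches_after_rotation = len(calls)      # 2
    t[0] = 130.0
    try:
        cache.get_key("bogus")               # within cooldown: rejected without a refetch
        bogus_rejected = False
    except KeyError:
        bogus_rejected = True
    return fetches_after_warm, fetches_after_rotation, len(calls), bogus_rejected
```

Verifying the token signature itself is done with the JWK returned by `get_key`, using whatever JWT library the service already has.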