Skip to content
A library for validating Apple Sign In tokens written in Golang
Go Makefile
Branch: master
Clone or download

Latest commit

Fetching latest commit…
Cannot retrieve the latest commit at this time.

Files

Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
apple
example Update examples to fetch email information Feb 21, 2020
.gitignore
.travis.yml Fix travis golang version Sep 14, 2019
LICENSE Initial commit Sep 11, 2019
Makefile
README.md

README.md

Go Sign In With Apple

codecov Build Status Codacy Badge

A library for validating Apple Sign In tokens generated by either the web or iOS app.

Installation

go get github.com/Timothylock/go-signin-with-apple
import "github.com/Timothylock/go-signin-with-apple/apple"

Usage

There are several example files based on your particular use case which can be found below:

Example

While it is recommended to look at the specific example file, here is validating an app token:

import "github.com/Timothylock/go-signin-with-apple/apple"

...

// Generate the client secret used to authenticate with Apple's validation servers
// Refer to the example files to see where to get secret, teamID, clientID, keyID
secret, _ := apple.GenerateClientSecret(secret, teamID, clientID, keyID)

// Generate a new validation client
client := apple.New()

vReq := apple.AppValidationTokenRequest{
	ClientID:     clientID,
	ClientSecret: secret,
	Code:         "the_token_to_validate",
}

var resp apple.ValidationResponse

// Do the verification
client.VerifyAppToken(context.Background(), vReq, &resp)

unique, _ := apple.GetUniqueID(resp.IDToken)

// Voila!
fmt.Println(unique)

Generating Client Secret

Apple requires a JWT token along with your validation request to authenticate your request. A token can be generated by calling the GenerateClientSecret function included. Check secret.go to see exactly how to obtain the parameters required by the function. Note that your account might not have permissions to view/create service IDs and keys required by this function.

import "github.com/Timothylock/go-signin-with-apple/apple"

...

// Your 10-character Team ID
team_id := "XXXXXXXXXX"

// Your Services ID, e.g. com.aaronparecki.services
client_id := "come.change.me"

// Find the 10-char Key ID value from the portal
key_id := "XXXXXXXXXX"

secret := `Your key that starts in -----BEGIN PRIVATE KEY-----`

secret, _ := apples.GenerateClientSecret(secret, team_id, client_id, key_id)
fmt.Println(secret)

Validating Token

To validate a token, you must create a new validation Client then call the respective Verify function.

import "github.com/Timothylock/go-signin-with-apple/apple"

...

// Generate a new validation client
client := apple.New()

vReq := apple.AppValidationTokenRequest{
	ClientID:     clientID,
	ClientSecret: secret,
	Code:         "the_token_to_validate",
}

var resp apple.ValidationResponse

// Do the verification
client.VerifyAppToken(context.Background(), vReq, &resp)

Obtaining Unique Subject ID

A subject ID is included in the id_token field of the response which when decoded, has a subject that can uniquely identify the user. A helper function is included to obtain this subject ID: GetUniqueID

import "github.com/Timothylock/go-signin-with-apple/apple"

... Code to validate token ...

reflect.TypeOf(response)         // ValidationResponse
reflect.TypeOf(response.IdToken) // String


id := apple.GetUniqueID(response.IdToken)
fmt.Println(id)

Obtaining Email

Apple recently added support for the including information about the user in their response. As of right now, you have access to the following:

  • email
  • email_verified - whether or not the user has validated their email with Apple
  • private_email - whether or not the email is a private relay email from Apple
import "github.com/Timothylock/go-signin-with-apple/apple"

... Code to validate token ...

reflect.TypeOf(response)         // ValidationResponse
reflect.TypeOf(response.IdToken) // String


claim, _ := apple.GetClaims(resp.IDToken)

email := (*claim)["email"]
emailVerified := (*claim)["email_verified"]
isPrivateEmail := (*claim)["is_private_email"]

Contributing

Make sure tests pass, submit a PR, and lets get going!

License

go-signin-with-apple is licensed under the MIT.

You can’t perform that action at this time.