2

How do I, in Python, decode the id_token that Apple sends during the signup process?

I have tried (from here https://stackoverflow.com/a/65909432/984003)

import jwt
decoded = jwt.decode(token, options={"verify_signature": False})

I get an error:

jwt.exceptions.InvalidAudienceError: Invalid audience

If I copy-paste the id_token into the jwt.io page https://jwt.io/ then it correctly decodes it into all its parts (header, payload with aud, sub, etc.) So the token itself is correct and I have all the info I need.

user984003
  • 28,050
  • 64
  • 189
  • 285

1 Answers1

6

It works when I provide the expected aud value. aud is the same as the clientId that you provide when you make the first call to Apple for signin (https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple), which is the same as Identifier in the Apple console where you set it up.

There must be a way to do this without providing aud since this wbeage https://jwt.io/ can do it. However, maybe not in Python...

import jwt
decoded = jwt.decode(token, audience="<your app's>",options={"verify_signature": False})
user984003
  • 28,050
  • 64
  • 189
  • 285
  • 1
    Looks like Apple started recently to include `aud` in the token and [PyJWT is going to throw the exception](https://github.com/jpadilla/pyjwt/pull/336) if we didn't specify it in the call. Thanks for sharing the solution. – mota May 31 '21 at 14:20