Authentication Services (Sign In With Apple): "email_verified" claim in returned JWT should be boolean, not string

Originator: marco.ovolab
Number: rdar://FB7600878
Date Originated: 2020-02-26
Status: Open
Resolved:
Product: iOS
Product Version: 13.3
Classification:
Reproducible: YES
 
Upon a successful Sign in with Apple, the Authentication Services framework will return an ASAuthorizationAppleIDCredential object to the app, whose identityToken field is a JSON Web Token. It is my understanding that this JWT aims to be compliant with RFC 7519 and with the OpenID Connect 1.0 specification, and indeed, most claims in the JWT are compliant.

The "email_verified" field, however, is a string value which appears to take on the values "true" or "false", while it should be a JSON boolean (true or false) according to the OpenID Connect 1.0 specification. The same applies to the Apple-specific "is_private_email" claim. This matters for clients: a typed JSON decoder that expects a boolean will fail to parse the claim, and a client that tests the raw value for truthiness will treat the non-empty string "false" as verified.

See: https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims

Here's a sample JWT generated by the Authentication Services framework:

eyJraWQiOiJlWGF1bm1MIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiaXQuaWxnYXp6ZXR0aW5vLmlwaG9uZS1jbGllbnQiLCJleHAiOjE1ODI3MDk3ODgsImlhdCI6MTU4MjcwOTE4OCwic3ViIjoiMDAxNDEzLjI1OTU0NDIxZTAyZDQxZmRhZTZiMTQyNzgxMTljODdkLjEzMTMiLCJub25jZSI6IlBqVWU0bGxHQnR0dTd1cGs5b0FnTmJ3bGhzeW51MlM4IiwiY19oYXNoIjoiNnMxVVN4NTVJSkVfb2hDck1MWGVCdyIsImVtYWlsIjoiMjk4NjV3YWI2MkBwcml2YXRlcmVsYXkuYXBwbGVpZC5jb20iLCJlbWFpbF92ZXJpZmllZCI6InRydWUiLCJpc19wcml2YXRlX2VtYWlsIjoidHJ1ZSIsImF1dGhfdGltZSI6MTU4MjcwOTE4OCwibm9uY2Vfc3VwcG9ydGVkIjp0cnVlfQ.DjO_-aJNQJ2cAMxy3IWl1zZmTmGMR-j5AW7UKaGFap1S8bUx7lZbPkF7tKR5KMOCTMoUEpZU7MGn2T18dnPdS4lod4TI_fma62X-yP3lRvL09fomG8tbDGiV7803XhIKK8nym_dwbvTVinOKEL5VU1JGzdN6LV3HHV3tRJZsf30fmNvJVxmjLcifLMVufek4z0qarXxnXe3TdRmD3jR6ZM0oZj8QvYzr3z4G42tx1WD4eMLiQUZKceWj5W4lpUQDyGg2HlyVfxh_uA5HHcVjPgi7Nh35BmkdqE5eelzhthIDqhijILfIFajSiZ0E4uEQ3xlkl-1pqynsJHUPz4dk_g

Decoding the payload yields this JSON object:

{
  "iss": "https://appleid.apple.com",
  "aud": "it.ilgazzettino.iphone-client",
  "exp": 1582709788,
  "iat": 1582709188,
  "sub": "001413.25954421e02d41fdae6b14278119c87d.1313",
  "nonce": "PjUe4llGBttu7upk9oAgNbwlhsynu2S8",
  "c_hash": "6s1USx55IJE_ohCrMLXeBw",
  "email": "29865wab62@privaterelay.appleid.com",
  "email_verified": "true",
  "is_private_email": "true",
  "auth_time": 1582709188,
  "nonce_supported": true
}

But the expected result was this:

{
  "iss": "https://appleid.apple.com",
  "aud": "it.ilgazzettino.iphone-client",
  "exp": 1582709788,
  "iat": 1582709188,
  "sub": "001413.25954421e02d41fdae6b14278119c87d.1313",
  "nonce": "PjUe4llGBttu7upk9oAgNbwlhsynu2S8",
  "c_hash": "6s1USx55IJE_ohCrMLXeBw",
  "email": "29865wab62@privaterelay.appleid.com",
  "email_verified": true,
  "is_private_email": true,
  "auth_time": 1582709188,
  "nonce_supported": true
}
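As an added example (not part of the report or of Apple's code), the following Python decodes the payload of the sample token above without verifying its signature, confirms that "email_verified" arrives as a string, and shows why the encoding matters: a naive truthiness test treats the string "false" as verified, while a strict reader accepts either the spec's JSON boolean or Apple's "true"/"false" strings and rejects anything else. The function names (decode_payload_unverified, claim_as_bool, email_is_verified) are this example's own; the counter-example claim set is constructed here, and the JWKS URL named in a comment is Apple's key endpoint, mentioned only because signature verification is out of scope for this snippet.

```python
import base64
import json

# Identity token quoted in the report above. Only its payload is inspected here;
# in production the RS256 signature must be verified against Apple's public keys
# (JWKS at https://appleid.apple.com/auth/keys) and iss/aud/exp/nonce checked
# before any claim is trusted.
SAMPLE_JWT = "eyJraWQiOiJlWGF1bm1MIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiaXQuaWxnYXp6ZXR0aW5vLmlwaG9uZS1jbGllbnQiLCJleHAiOjE1ODI3MDk3ODgsImlhdCI6MTU4MjcwOTE4OCwic3ViIjoiMDAxNDEzLjI1OTU0NDIxZTAyZDQxZmRhZTZiMTQyNzgxMTljODdkLjEzMTMiLCJub25jZSI6IlBqVWU0bGxHQnR0dTd1cGs5b0FnTmJ3bGhzeW51MlM4IiwiY19oYXNoIjoiNnMxVVN4NTVJSkVfb2hDck1MWGVCdyIsImVtYWlsIjoiMjk4NjV3YWI2MkBwcml2YXRlcmVsYXkuYXBwbGVpZC5jb20iLCJlbWFpbF92ZXJpZmllZCI6InRydWUiLCJpc19wcml2YXRlX2VtYWlsIjoidHJ1ZSIsImF1dGhfdGltZSI6MTU4MjcwOTE4OCwibm9uY2Vfc3VwcG9ydGVkIjp0cnVlfQ.DjO_-aJNQJ2cAMxy3IWl1zZmTmGMR-j5AW7UKaGFap1S8bUx7lZbPkF7tKR5KMOCTMoUEpZU7MGn2T18dnPdS4lod4TI_fma62X-yP3lRvL09fomG8tbDGiV7803XhIKK8nym_dwbvTVinOKEL5VU1JGzdN6LV3HHV3tRJZsf30fmNvJVxmjLcifLMVufek4z0qarXxnXe3TdRmD3jR6ZM0oZj8QvYzr3z4G42tx1WD4eMLiQUZKceWj5W4lpUQDyGg2HlyVfxh_uA5HHcVjPgi7Nh35BmkdqE5eelzhthIDqhijILfIFajSiZ0E4uEQ3xlkl-1pqynsJHUPz4dk_g"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload_unverified(token: str) -> dict:
    """Return the JWT payload as a dict WITHOUT checking the signature.

    Good enough for inspecting claim types, as the report does; never use the
    result for an authorization decision before the signature is verified.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def naive_email_verified(claims: dict) -> bool:
    """The tempting but wrong check: language truthiness on the raw claim.

    Because Apple encodes the claim as the string "true"/"false", the
    non-empty string "false" is truthy and this reports an unverified
    address as verified.
    """
    return bool(claims.get("email_verified"))


def claim_as_bool(claims: dict, name: str) -> bool:
    """Strict boolean claim reader that tolerates Apple's string encoding.

    Accepts the OIDC-conformant JSON booleans and the exact strings
    "true"/"false" that Sign in with Apple currently emits. Anything else
    (missing claim, other strings, numbers) is rejected rather than guessed,
    so an unexpected encoding fails closed instead of granting trust.
    """
    value = claims.get(name)
    if isinstance(value, bool):          # spec-conformant JSON boolean
        return value
    if value == "true":                  # Apple's current string encoding
        return True
    if value == "false":
        return False
    raise ValueError(f"claim {name!r} is not a boolean: {value!r}")


def email_is_verified(claims: dict) -> bool:
    return claim_as_bool(claims, "email_verified")


def is_private_relay_email(claims: dict) -> bool:
    return claim_as_bool(claims, "is_private_email")


if __name__ == "__main__":
    claims = decode_payload_unverified(SAMPLE_JWT)
    print("email_verified is a", type(claims["email_verified"]).__name__,
          "with value", repr(claims["email_verified"]))
    print("verified:", email_is_verified(claims),
          "private relay:", is_private_relay_email(claims))
    # Constructed counter-example: the string "false" must not count as verified.
    unverified = dict(claims, email_verified="false")
    print("naive check on 'false':", naive_email_verified(unverified))
    print("strict check on 'false':", email_is_verified(unverified))
```

Running the script prints that the claim is a str, that both strict readers return True for the sample token, and that the naive check wrongly returns True for the constructed "false" case while the strict one returns False.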
