python版：

# encoding=utf8
import requests
import jwt
import simplejson
from jwt.algorithms import RSAAlgorithm


TOKEN_URL = 'https://appleid.apple.com/auth/keys'
KIDS = ["86D88Kf", "eXaunmL"]  # 一般会返回两个kid，两个都试下
BUNDLE_ID = ''

def decode_jwt(identityToken):

    key_req = requests.get(TOKEN_URL).json()
    # head = jwt.get_unverified_header(identityToken)
    # token_key = head['kid']
    for kid in KIDS:
        for pub_key in key_req['keys']:
            if pub_key['kid'] == kid:
                key_core = simplejson.dumps(pub_key)
                # public key
                key = RSAAlgorithm.from_jwk(key_core)
                alg = pub_key['alg']
                break

        try:
            claims = jwt.decode(identityToken, key=key, verify=True, algorithms=[alg], audience=BUNDLE_ID)
            if claims:
                return claims # identityToken具有过期性，如果过期了，两种kid都无法解，会抛出无法验证异常
        except Exception as e:
            continue

    return None


print decode_jwt(identityToken)

转载请注明：永盟博客 » Apple 授权登陆