How do I decode/decrypt Apple Server-to-Server Notifications?

Question

My website supports Sign In with Apple.

In the configurations of this service, I have an endpoint here:

What I receive in this endpoint is a JSON like this:

"{"payload":"eyJraW...................NLnyA"}

However, I don't find absolutely anywhere how to decrypt/decode this payload...

The "Learn more" link sends me here: https://developer.apple.com/help/account/configure-app-capabilities/about-sign-in-with-apple

The page below this one is this: https://developer.apple.com/help/account/configure-app-capabilities/enabling-server-to-server-notifications

Nowhere I see how to interpret these messages...

Does anyone know what do I need to do to read these payloads?

Answer 1

It looks like the general procedure for Server-to-Server notifications are outlined here. This is what the docs have to say:

These notifications contain a cryptographically signed payload, in JSON Web Signature (JWS) format, signed by Apple’s private key. After your server receives a notification, examine the JWS payload and use the algorithm specified in the header’s alg parameter to validate the signature. For more information, see Fetch Apple’s public key for verifying token signature.

So, this payload is really just a JWT (verify/decode with the JWT library of your choice, there are many to choose from). Because anyone can access your endpoint, you need to verify that the token is really from Apple. Note: do not try to decode the JWT yourself. Because of security concerns, it is better to let a library do it for you.

After validating the token signature, your server performs work according to the type value in the events claim of the token. The notification payload object contains information about user-initiated account modification events.

The decoded JWT will contain something like this (example is from the docs):

{
    "iss": "https://appleid.apple.com",
    "aud": "com.mytest.app",
    "iat": 1508184845,
    "jti": "abede...67890",
    "events": {
        "type": "email-enabled",
        "sub": "820417.faa325acbc78e1be1668ba852d492d8a.0219",
        "email": "[email protected]",
        "is_private_email": "true"
        "event_time": 1508184845
    }
}

events.type has the event that happened (full list is here), and the rest of the token contains everything else you'll need.

Answer 2

@Michael M.'s answer helped me understanding that this payload is basically a JWT.

This is what we need to do (minimal example):

use Firebase\JWT\JWK;
use Firebase\JWT\JWT;

$json = json_decode(file_get_contents('php://input'));

$publicKeys = json_decode(file_get_contents('https://appleid.apple.com/auth/keys'), true);

$decodedPayload = JWT::decode($json->payload, JWK::parseKeySet($publicKeys));

var_dump($decodedPayload);