I am currently developing a Swift backend using Vapor. My iOS client uses the new iOS 13 feature "Sign in with Apple". When the user signs in I get an identity token (access token) which is a valid JWT token signed by Apple. This is sent to the server in all ongoing communication to authenticate some routes the server provides.
On the server I'd like to validate that the sent token was indeed signed by Apple and is not specifically crafted by some malicious user by verifying the token signature. Apple provides an HTTP endpoint to retrieve the public key to do this: Apple Documentation.
However, what I am not sure about is how often I have to query this endpoint to retrieve the modulus and exponent from the API and build the public key to then verify the signature. Is it sufficient to query this once and store the public key on the server, or would I need to query the HTTP endpoint in my middleware before verifying the signature (for every protected route)?
Basically I am not sure whether the modulus and exponent will change from time to time.
You could do this:
This would allow you to know about a changed public key as soon as it is necessary.
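One cache policy that addresses the question above, as an added example in Python (not the asker's Vapor code and not the answer's own proposal): keep Apple's published keys cached by their `kid`, serve lookups from the cache, and refetch the key set only when a token names a `kid` the cache does not hold, rate-limited so unknown kids cannot force a fetch per request. The JWKS responses, the fetcher and the clock are constructed stand-ins; the token builder only produces a header for the demo.

```python
import base64
import json
import time
from typing import Callable, Dict, Optional

# Constructed stand-ins for two successive responses from Apple's JWK Set endpoint
# (real responses carry a base64url RSA modulus "n" and exponent "e" per key).
JWKS_BEFORE_ROTATION = {"keys": [
    {"kty": "RSA", "kid": "key-A", "alg": "RS256", "use": "sig", "n": "<modulus>", "e": "AQAB"}]}
JWKS_AFTER_ROTATION = {"keys": [
    {"kty": "RSA", "kid": "key-B", "alg": "RS256", "use": "sig", "n": "<modulus>", "e": "AQAB"}]}


class JWKSCache:
    """Caches Apple's signing keys by kid; refetches on an unknown kid, rate-limited."""

    def __init__(self, fetch: Callable[[], dict], min_refresh_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch, self._clock, self._min_refresh = fetch, clock, min_refresh_seconds
        self._keys: Dict[str, dict] = {}
        self._last_refresh = float("-inf")
        self.fetch_count = 0  # exposed so the refresh policy can be observed

    def _refresh(self) -> None:
        jwks = self._fetch()  # in production: HTTPS GET of Apple's keys endpoint
        self._keys = {k["kid"]: k for k in jwks.get("keys", [])
                      if k.get("kty") == "RSA" and k.get("use", "sig") == "sig" and "kid" in k}
        self._last_refresh = self._clock()
        self.fetch_count += 1

    def key_for(self, kid: str) -> Optional[dict]:
        if kid in self._keys:
            return self._keys[kid]  # hot path: no network call per request
        # An unknown kid usually means Apple rotated keys. Refetch, but no more often than
        # min_refresh_seconds, so tokens with bogus kids cannot make the server hit
        # Apple's endpoint on every request.
        if self._clock() - self._last_refresh >= self._min_refresh:
            self._refresh()
        return self._keys.get(kid)


def header_kid(token: str) -> str:
    """Reads kid from the JWT header; rejects any alg other than RS256 before key lookup."""
    header_b64 = token.split(".")[0]
    header = json.loads(base64.urlsafe_b64decode(header_b64 + "=" * (-len(header_b64) % 4)))
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg %r; Apple identity tokens are RS256" % header.get("alg"))
    return header["kid"]


def constructed_token(kid: str, alg: str = "RS256") -> str:
    """Builds a header-only token for this demo; payload and signature parts are dummies."""
    header = base64.urlsafe_b64encode(json.dumps({"alg": alg, "kid": kid}).encode()).rstrip(b"=")
    return header.decode() + ".e30.c2ln"
```

The JWK returned by `key_for` is what the server's JWT library then uses to verify the RS256 signature; a `None` result means the token names no key Apple currently publishes and should be rejected.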