Post · Replies · Boosts · Views · Activity

Social Login via Apple - signing a JWT to get an access token
Hi, I’m basically trying to implement a social login to my website via Apple. One step of the OAuth 2 flow running under the hood is to get an access token. To get it, as per the documentation (https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens), client_secret has to be “A secret JSON Web Token, generated by the developer, that uses the Sign in with Apple private key associated with your developer account”. As I understand it, this “Apple private key” is a .p8 file issued from the Apple Developer Console, in the “Keys” section.

I’ve already built both the JWT header and claim as per the documentation. Also, I double-checked their accuracy: all seems to be correct. Unfortunately, I’m struggling to build the 3rd part of the JWT structure, which is obviously the signature. My .p8 file looks like so:

-----BEGIN PRIVATE KEY-----
MIIDBjCCAm8CAQAwcTERMA8GA1UEAxMIcXV1eC5jb20xDzANBgNVBAsTBkJyYWlu
CmHFqMOvXaFlT/BBBBBBBBBBBBBBBBBBBBBBBBBDAQehRANCAACCCCCCCRnZHgbz
kA1DPsDBQPDhm76d6lgaGUC9M+AAAAAAAAAAAAAAAAAAAAAAAAAAsAnAZ14noyVW
SBV/nsIM
-----END PRIVATE KEY-----

First issue: although the content above looks like well-formatted base64 text, when I decode it, I get a bunch of non-ASCII characters. Should this happen?

Second issue: as I wrote, I’m not able to sign the <base64_encoded_header>.<base64_encoded_claim> string of the JWT. Meaning, when I check the whole JWT structure including its signature on websites such as jwt.io, the signature appears to be invalid. Both header and claim information are decoded as expected, but the signature is marked as invalid.

Here are the steps I followed to build the signature:
1. Transform the text of the p8 file into a single-line string: concatenate all lines together, then replace any “/” by “_” and any “+” by “-”.
2. Assume that this string is my private key.
3. As I’m signing on the Salesforce platform (Apex), I’m using the following method: Blob signature = Crypto.sign('RSA-SHA256', Blob.valueOf(dataToSign), privateKey)

Note to the SF developers: I don’t use the signWithCertificate(algorithmName, input, certDevName) method, since I couldn’t find a way to upload the p8 file on SF as a certificate (after some transformation obviously, but what I tried didn’t succeed).

Any help would be greatly appreciated! Thank you
Replies: 1 · Boosts: 0 · Views: 1.9k · Activity: Jul ’21
Apple "user info" endpoint URL
Hi, I'm currently implementing various social login flows in Salesforce. Such an implementation essentially requires 3 steps:
1. get an authorization code
2. get an access token using the authorization code
3. get user info using the access token

I'm struggling with step 3. For example, Google provides this endpoint URL: https://www.googleapis.com/oauth2/v3/userinfo, but I can't find the equivalent for Apple. Can anybody help? Thanks
Replies: 3 · Boosts: 0 · Views: 4.0k · Activity: Aug ’21
How to extract the private key from a p8 APNs file?
I own an Apple APNs p8 file, which is basically a PKCS#8 file containing a public key as well as a private key. I basically need to extract the private key information from this file, to then sign a JWT.

DISCLAIMER: the following information matches a real key which has been revoked.

I started by generating an ASN1 file from my p8 file. Using the dumpasn1 tool, I get this output:

 2 SEQUENCE {
 3   INTEGER 0
 4   SEQUENCE {
 5     OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
 6     OBJECT IDENTIFIER prime256v1 (1 2 840 10045 3 1 7)
 7   }
 8   OCTET STRING, encapsulates {
 9     SEQUENCE {
10       INTEGER 1
11       OCTET STRING
12         B8 89 CA 8C 12 AB AF 74 9E CA 11 D4 D8 36 B8 28
13         D1 99 4F 8D B3 72 52 49 3D 85 44 02 08 05 64 1E
14       [0] {
15         OBJECT IDENTIFIER prime256v1 (1 2 840 10045 3 1 7)
16       }
17       [1] {
18         BIT STRING
19           04 CD BB 86 D3 2C 4D 08 11 6A A4 D3 38 4E AE 1B
20           DF E3 EC E5 D4 6F 03 0D CF 39 CD 79 3C 2E E6 74
21           FA 93 54 10 F2 10 41 92 78 57 7D 87 72 55 F3 30
22           BE F4 CA 6F F0 89 55 24 B8 B6 84 89 9C 4A 08 B5
23           1A
24       }
25     }
26   }
27 }

As I understand it, the private key is represented by a byte array written in HEX format from line 19 to line 23. I now want to convert this byte array into a raw string. IMHO, a good starting point would be to determine the encoding of the original text these bytes come from... and that's where I'm stuck. Are there some tools I can use to achieve my goal? Thank you
Replies: 4 · Boosts: 0 · Views: 5.4k · Activity: Sep ’21
Sign-in with Apple: user's name won't be retrieved
As per the Developer documentation (https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/incorporating_sign_in_with_apple_into_other_platforms, paragraph Send the Required Query Parameters), I'm trying to get the user's name as long as I'm getting the authorization code. My issue is quite straightforward: I never see any user's name in the request's response, even if the scope parameter is name%20email or even name.

To provide more details, the request URL is: [GET] https://appleid.apple.com/auth/authorize and the query string is of the form:

response_type=code
&response_mode=form_post
&scope=name
&client_id=*****
&redirect_uri=*****
&state=*****

The response is a JSON containing an id_token key. The matching value is a JWT whose payload, once base64-decoded, is of the form:

{
  "iss": "https://appleid.apple.com",
  "aud": "*****",
  "exp": 1632208524,
  "iat": 1632122124,
  "sub": "*****",
  "at_hash": "*****",
  "email": "*****",
  "email_verified": "true",
  "is_private_email": "true",
  "auth_time": 1632122123,
  "nonce_supported": true
}

Is the documentation irrelevant? Am I missing something?

Note: this kind of response is returned when the user hides his email. Sharing the email doesn't impact the response structure, yet.
Replies: 2 · Boosts: 0 · Views: 3.6k · Activity: Sep ’21
JWT client secret when getting an access token: exact P-256 curve type
Hi, As per the documentation (https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens), "after creating the JWT, sign it using the Elliptic Curve Digital Signature Algorithm (ECDSA) with the P-256 curve and the SHA-256 hash algorithm". OpenSSL seems to list 2 types for this kind of curve: secp256k1 and prime256v1. What is the one matching Apple specs? Thank you
Replies: 2 · Boosts: 0 · Views: 939 · Activity: Oct ’21
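An added example, not taken from any of the posts above, that ties together the three key-handling questions in this list: the non-ASCII bytes after decoding the .p8 file are expected (the file is base64 over binary DER, and the base64url swaps belong to the JWT segments, not to the key file), the curve Apple calls P-256 is the one OpenSSL names prime256v1 (alias secp256r1; secp256k1 is a different curve and is rejected here), and the private scalar is the OCTET STRING inside the ECPrivateKey SEQUENCE of the dumpasn1 output, while the trailing [1] BIT STRING is the public point. It uses only the Python standard library; the key material is constructed for illustration and the public point is a dummy, so nothing here is a real key.

```python
# Added example, not from the forum posts; key material below is CONSTRUCTED.
import base64

P256_OID = bytes.fromhex("2a8648ce3d030107")     # 1.2.840.10045.3.1.7 prime256v1 = secp256r1 = P-256
SECP256K1_OID = bytes.fromhex("2b8104000a")      # 1.3.132.0.10 secp256k1, a different curve
EC_PUBKEY_OID = bytes.fromhex("2a8648ce3d0201")  # 1.2.840.10045.2.1 id-ecPublicKey

def _der(tag, body):
    """Minimal DER encoder (lengths < 256) used only to build the sample key."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body

def build_sample_pkcs8(curve_oid=P256_OID, d=bytes(range(1, 33))):
    """PEM PKCS#8 PrivateKeyInfo wrapping an RFC 5915 ECPrivateKey (dummy public point)."""
    ec_key = _der(0x30, _der(0x02, b"\x01") + _der(0x04, d)
                  + _der(0xA0, _der(0x06, curve_oid))
                  + _der(0xA1, _der(0x03, b"\x00\x04" + bytes(64))))
    alg = _der(0x30, _der(0x06, EC_PUBKEY_OID) + _der(0x06, curve_oid))
    der = _der(0x30, _der(0x02, b"\x00") + alg + _der(0x04, ec_key))
    return "-----BEGIN PRIVATE KEY-----\n" + base64.encodebytes(der).decode() + "-----END PRIVATE KEY-----\n"

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def pem_to_der(pem):
    """Strip the PEM armour and base64-decode. The result is binary DER, so non-printable
    bytes are expected; never apply the JWT base64url swaps ('/'->'_', '+'->'-') here."""
    b64 = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(b64, validate=True)

def extract_p256_private_scalar(der):
    """Walk PKCS#8 -> ECPrivateKey; return the raw 32-byte scalar d that ES256 signs with."""
    _, info, _ = _tlv(der, 0)                          # PrivateKeyInfo SEQUENCE
    _, _, pos = _tlv(info, 0)                          # INTEGER 0 (version)
    _, alg, pos = _tlv(info, pos)                      # AlgorithmIdentifier SEQUENCE
    _, key_type, p = _tlv(alg, 0)                      # OID id-ecPublicKey
    _, curve, _ = _tlv(alg, p)                         # OID of the curve
    if key_type != EC_PUBKEY_OID or curve != P256_OID:
        raise ValueError("ES256 needs prime256v1 (P-256); got curve OID " + curve.hex())
    _, wrapped, _ = _tlv(info, pos)                    # OCTET STRING holding ECPrivateKey
    _, ec_key, _ = _tlv(wrapped, 0)                    # ECPrivateKey SEQUENCE
    _, _, p = _tlv(ec_key, 0)                          # INTEGER 1 (ecPrivkeyVer1)
    tag, d, _ = _tlv(ec_key, p)                        # OCTET STRING = private scalar
    if tag != 0x04 or len(d) != 32:                    # [0] curve and [1] public point follow
        raise ValueError("malformed privateKey field")
    return d
```

The returned scalar is what an ES256 signer (not RSA-SHA256) consumes; the [1] BIT STRING that the dump shows after it is the public point and must not be used as the signing key.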
xyz@privaterelay.appleid.com address won't receive any email (context inside)
Hi, I created a connected app on Salesforce, which basically opens Salesforce to the outside world. Then I performed an Apple Social Login to Salesforce, using my Apple ID account. When doing so, I used the "Hide My Email" feature. The Apple authentication succeeded. On the appleid.apple.com website, in the "Sign-In and Security > Sign in with Apple" section, the Salesforce connected app appears. So far, so good. When I click on this app, under the "Hide My Email" section, I can see an address of the form xyz[at]privaterelay.appleid.com. On every forum or blog I visited, I read that the redirection from this alias email to the email associated with my Apple ID is activated by default.

Here comes my issue. I tried to send emails to this alias from various email boxes, and never received any of them (of course I checked the junk/spam folders as well). Is there something that I'm missing here? Any help would be much appreciated. Thank you
Replies: 0 · Boosts: 0 · Views: 1.8k · Activity: Dec ’21
Get user's name when authorizing: what's the truth?
Hi, Basically, I need to know whether or not it's possible to get the user's name when calling the https://appleid.apple.com/auth/token API. This topic is pretty confusing to me, since I saw inconsistent information about it.

First, this page states: "The information returned can include user identity, full name, verified email address, and real user status."

On the other hand, the same page states: "If you request the user’s full name, Sign in with Apple collects the information to pass along to your app. The name defaults to the user’s name from their Apple ID, but the user can change their name. The modified name is only shared with your app and not with Apple, and hence isn’t included in the ID token."

On this other page, regarding the scope parameter it's written: "The amount of user information requested from Apple. Valid values are name and email. You can request one, both, or none. Use space separation and percent-encoding for multiple scopes; for example, "scope=name%20email""

Pretty confusing, as I wrote earlier... The point is that when I call the https://appleid.apple.com/auth/token API, whose response contains the id_token information, once decoded, this ID token does not show the user's name, whether the provided scope is name%20email or even just name! In fact, I'm able to get the user's email, but I can never get his name. Thank you
Replies: 3 · Boosts: 1 · Views: 2.5k · Activity: Feb ’22