Reply to Error: Invalid_Client - What?
In my case the issue was that when generating the client secret (which is a signed JWT) I was not attaching the private key id ("kid") to the JWT header. The funny thing is that it was working without providing "kid" when I had only one private key generated in the developer console. When I generated another one, only the newest one was working without attaching "kid" to the JWT, so it seems that when verifying the client secret (which is a signed JWT) Apple takes the latest private key to check the signature when "kid" is not present in the JWT. Here is how I generate the ClientSecret passed to the Apple token endpoint (C#):

    using System;
    using System.Collections.Generic;
    using System.IdentityModel.Tokens.Jwt;
    using System.Security.Claims;
    using System.Security.Cryptography;
    using Microsoft.IdentityModel.Tokens;

    private static string GenerateAppleClientSecret(AppleSettings appleSettings)
    {
        string iss = appleSettings.AccountTeamId;   // Apple Developer Team ID
        string aud = appleSettings.Authority;       // https://appleid.apple.com
        string sub = appleSettings.ClientId;        // Services ID (client_id)
        var now = DateTime.UtcNow;

        // Load the .p8 private key (PKCS#8, base64 without the PEM armor).
        var ecdsa = ECDsa.Create();
        ecdsa.ImportPkcs8PrivateKey(Convert.FromBase64String(appleSettings.PrivateKey), out _);

        // Build the header by hand so that "kid" is always present.
        JwtHeader jwtHeader = new JwtHeader(
            new SigningCredentials(new ECDsaSecurityKey(ecdsa), SecurityAlgorithms.EcdsaSha256));
        jwtHeader.Clear();
        jwtHeader.Add("alg", "ES256");
        jwtHeader.Add("typ", "JWT");
        jwtHeader.Add("kid", appleSettings.PrivateKeyId);  // key ID from the developer console

        JwtPayload jwtPayload = new JwtPayload(
            iss,
            aud,
            new List<Claim>() { new Claim("sub", sub), },
            now,
            now.Add(TimeSpan.FromMinutes(5))
        );

        var jwt = new JwtSecurityToken(jwtHeader, jwtPayload);
        return new JwtSecurityTokenHandler().WriteToken(jwt);
    }
Jun ’22
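The failure above is easy to catch before the token ever leaves the server. Below is an added pre-flight check (example code, not from the post or from Apple) that decodes the header and payload of a generated client secret and reports a missing "kid", a wrong "alg", missing claims, or an "exp" outside Apple's documented 6-month maximum; the team ID, client ID, key ID and the placeholder signature are constructed values, and the builder only mirrors the header/payload layout of the C# code since the check does not need the ES256 key.

```python
import base64
import json
import time

# Constructed example values (not real Apple identifiers).
TEAM_ID = "TEAMID0000"
CLIENT_ID = "com.example.service"
KEY_ID = "KEYID00000"
APPLE_AUD = "https://appleid.apple.com"
MAX_LIFETIME = 15777000  # Apple's documented maximum (6 months in seconds)


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_unsigned_client_secret(kid, lifetime=300, now=None) -> str:
    """Header/payload as in the C# code; the signature is a placeholder."""
    now = int(time.time() if now is None else now)
    header = {"alg": "ES256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid  # omitting this reproduces the invalid_client case
    payload = {"iss": TEAM_ID, "iat": now, "exp": now + lifetime,
               "aud": APPLE_AUD, "sub": CLIENT_ID}
    return f"{b64url_encode(header)}.{b64url_encode(payload)}.sig-placeholder"


def preflight_check(token: str) -> list:
    """Return the list of problems found; an empty list means ready to send."""
    problems = []
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    if header.get("alg") != "ES256":
        problems.append("alg header must be ES256")
    if not header.get("kid"):
        problems.append("kid header missing: Apple cannot pick the right key")
    for claim in ("iss", "iat", "exp", "aud", "sub"):
        if claim not in payload:
            problems.append(f"{claim} claim missing")
    if payload.get("aud") != APPLE_AUD:
        problems.append("aud must be https://appleid.apple.com")
    if "iat" in payload and "exp" in payload:
        if payload["exp"] <= payload["iat"]:
            problems.append("exp must be after iat")
        elif payload["exp"] - payload["iat"] > MAX_LIFETIME:
            problems.append("exp lifetime exceeds the 6-month maximum")
    return problems
```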