I have implemented Sign in with Apple on website one weeks ago, and it work perfectly.
However, recently we start to receive invalid_grant with no error description while token validation, however the same client secret works on IOS app without issue....
in ios app site , we used bundle id for client_id.
in web site , we used service id for client_id;
I try to create a new privateKey for web site and add redirect_uri params to /auth/token, but still error....
I tested it like this,
i got authorization code using Service ID
i tried authorization code with Service ID using browser :
successfully got the code
and requested access_token immately
2 and then, i tried validate the authorization grant code to obtain tokens
curl like this
curl -X POST https://appleid.apple.com/auth/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id=my_service_id" \
-d "client_secret=my_client_secret" \
-d "code=sent_from_frontend" \
-d "grant_type=authorization_code" \
-d "redirect_uri=my_redirect_uri"
then get fail and no error_description error_code is 400
invalid_grant
is not invalid_client error, and client secret is not expired too
My decoded token looks like the following :
{
"alg": "ES256",
"typ": "JWT",
"kid": "my_kid"
}
{
"aud": "https://appleid.apple.com",
"sub": "my_service_id",
"iss": "team_id",
"exp": 1744012650,
"iat": 1728460650
}