invalid_client on hitting REST API with iOS App authorizationCode & identityToken

Hey there, I'm trying to get Sign In with Apple integrated into a native iOS app, and am running into trouble trying to validate the data coming back in ASAuthorizationAppleIDCredential over the REST API on my app's server side.


I am using the endpoint https://appleid.apple.com/auth/token with the body data containing client_id, code, grant_type and client_secret.


The values for these are as follows:


client_id: <the iOS app's ID com.blah.blah.blah..>
code: <authorizationCode from ASAuthorizationAppleIDCredential>
grant_type: <authorization_code - as I am trying to verify the authorization code>
client_secret: <identityToken from ASAuthorizationAppleIDCredential>


When I submit the post request, I constantly get invalid_client on grant_type of authorization_code. No further error response is present at all, so I'm grasping at straws a bit.


If anyone has experience fetching the code/secret from native, and then verifying these over the REST API from a server, I'd be very appreciative to hear any insights.


Thanks!

Accepted Reply

After digging further online, I managed to find a blog post by Curtis Herbert here: https://blog.curtisherbert.com/so-theyve-signed-in-with-apple-now-what/


This article is the missing documentation that Apple is lacking currently; I would definitely recommend giving it a read if you are similarly trying to validate client tokens on your own server.


I had misunderstood the provided Sign In with Apple APIs and was trying to use the web token API to do this job for me, when you really need to use the auth/token endpoint to grab Apple's public key, and decode the identityToken signed JWT using that.


I built a very simple PHP plugin to do this job after my continued research, if it could be of any help to anyone:
https://github.com/GriffinLedingham/php-apple-signin

Replies

Hi


You said:

"client_secret: <identityToken from ASAuthorizationAppleIDCredential>"


The ID token is not the client secret to use when invoking the token endpoint. See the section "Creating the Client Secret" at https://developer.apple.com/documentation/signinwithapplerestapi/generate_and_validate_tokens
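The reply above points at the client_secret, which is the usual cause of invalid_client. As an added example (not from this thread or from Apple's sample code), this Python checker decodes a candidate client_secret and reports which of Apple's documented requirements it misses, including the case from the question where the identityToken is passed in its place; the Team ID, Key ID and client_id values are constructed placeholders, the fixtures carry a placeholder signature, and the ES256 signature itself is not verified (that needs the .p8 key).

```python
import base64
import json

APPLE_ISS = "https://appleid.apple.com"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _decode_part(part: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def build_unsigned_jwt(header: dict, claims: dict) -> str:
    # Constructed test fixture only: compact JWS with a placeholder signature segment.
    body = ".".join(_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims))
    return body + "." + _b64url(b"placeholder-signature")

def check_client_secret(jwt: str, client_id: str, team_id: str, now: int) -> list:
    """List the reasons this JWT would be rejected as a client_secret (claims only; signature not checked)."""
    h, c, _sig = jwt.split(".")  # ValueError if not a three-part compact JWS
    header, claims = _decode_part(h), _decode_part(c)
    problems = []
    if claims.get("iss") == APPLE_ISS:
        problems.append("iss is Apple: this is an identityToken issued by Apple, not a secret you signed")
    if header.get("alg") != "ES256":
        problems.append(f"alg is {header.get('alg')!r}; Apple requires ES256")
    if not header.get("kid"):
        problems.append("kid header missing; it must be the Key ID of your .p8 signing key")
    if claims.get("iss") != team_id:
        problems.append(f"iss is {claims.get('iss')!r}; it must be your Team ID {team_id!r}")
    if claims.get("aud") != APPLE_ISS:
        problems.append(f"aud is {claims.get('aud')!r}; it must be {APPLE_ISS!r}")
    if claims.get("sub") != client_id:
        problems.append(f"sub is {claims.get('sub')!r}; it must equal the client_id {client_id!r}")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("exp missing or already in the past")
    elif isinstance(iat, int) and exp - iat > 15777000:  # Apple's documented maximum: 6 months
        problems.append("exp is more than 6 months after iat")
    return problems

# Constructed fixtures, not real tokens; Team ID, Key ID and client_id are placeholders.
NOW = 1_700_000_000
IDENTITY_TOKEN = build_unsigned_jwt(  # the shape of an Apple-issued identityToken
    {"alg": "RS256", "kid": "example-apple-kid"},
    {"iss": APPLE_ISS, "aud": "com.example.app", "sub": "001234.user", "iat": NOW, "exp": NOW + 600})
CLIENT_SECRET = build_unsigned_jwt(  # the shape of a correctly formed client_secret
    {"alg": "ES256", "kid": "EXAMPLEKEYID"},
    {"iss": "TEAMID0000", "aud": APPLE_ISS, "sub": "com.example.app", "iat": NOW, "exp": NOW + 3600})
```

Run check_client_secret on the value you actually send as client_secret, with your Team ID and the client_id from the same request; the identityToken fixture reproduces the question's setup and fails on iss, aud, sub and alg.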


Hello here,


I always get the error `invalid_client`.


I don't understand how I can get past this error. Can you explain what you did?


I don't understand your solution... or how I should use your PHP plugin.


Best regards

How does this reply help. The reply does not go into the issue with auth/token endpoint. That endpoint requires a client_secret and a client_id, and it looks like Apple does not like one of the two. Why?

  • The same error happens for me. I tried many methods and nothing helped. I read the description of the error "invalid_client" in Apple's documentation: "The client authentication failed, typically due to a mismatched or invalid client identifier, invalid client secret (expired token, malformed claims, or invalid signature), or mismatched or invalid redirect URI."

    Not a helpful description.


Go to Certificates, Identifiers & Profiles -> Identifiers -> select the Service ID you are using, click "Configure" next to the Sign in with Apple option, and add the domain names you are accessing the Apple services from in the "Website URLs" section.

Hi,

I have the same issue. I tried the following curl, and also with Postman, but I continuously receive 400 Bad Request responses with invalid_client.

curl --location --request POST 'https://appleid.apple.com/auth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'code=<code>' \
--data-urlencode 'redirect_uri=<base_url>/oauth2/callback/apple' \
--data-urlencode 'client_id=<service_id_from_developer_console>' \
--data-urlencode 'client_secret=<private_key_downloaded_from_keys_in_developer_console>'

Please let me know if there's a way to overcome this issue.

Note: Do I need to verify the web application's domain prior to this?

Thank you

  • Were you able to resolve the issue? I am also having the same problem.
