Sign in with Apple validating iOS auth on backend

I am currently looking into implementing Sign on with Apple in an iOS app. When the user is creating an account or signing in using their Apple ID, we send the authentication code returned in the `ASAuthorizationAppleIDRequest` to be verified on our backend server. The backend server will use the Apple Service API to do this. The documentation for authenticating this code, listed below, states that a `redirect_uri` value is required in the request. This `redirect_uri` should be the same one the code was originally sent to, however the iOS app doesn't use a redirect uri for this. So what value should be included here? Can it be empty?

Documentation: https://developer.apple.com/documentation/signinwithapplerestapi/generate_and_validate_tokens

Replies

That's exactly what we were wondering today. What's the correct way to validate the authentication code?
We also have set up a ServiceID, uploaded the file to our server and so on, but the API call mentioned above always returns `unsupported_grant_type` - no matter what you pass for the values. (https://developer.apple.com/documentation/signinwithapplerestapi/errorresponse)
I am also wondering how nobody talks about this when having SIWA implemented is mandatory very very soon.

When validating an `authorizationCode` received from the authenticationService library on an iOS-Client, you should not be using the `ServiceId` but the bundle-identifier of your App as the `client_id`.

We did that, but we additionally tried implementing the authentication flow when the user logs in via web (using the ServiceID). Both the iOS and the web workflow failed with the mentioned error.


Did it work for you, kay-yazio?

@jscho: Yes it works for me for the iOS-Client. I did not implement web tho. Make sure you create the `client_secret` jwt using the private key you created in the developer portal.