Always getting invalid_client when trying to authorize token...

Hello,


As the title says, i always getting an error when i try to hit the endpoint `/auth/token`


For info i followed the great tutorial from Aaron Parecki: https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple


At least he is here to explain to us how we can implement YOUR system.................


Now, my client_id is `com.***.***`, my team id is 10 characters string that i copy/paste from the web interface...


So please, help us finally integrate YOUR system.........

I hope you've had progress since this is a few weeks old now, but in case others are hitting this same problem, as I was, and finding this unanswered question, here are my findings so far...


The blog post you reference is really useful for getting started, however it's written from the point of view of implementing the Sign In With Apple button on the web, not in your iOS app. From your post, I think you're doing the same as me, and trying to authorise a user on your own servers by hitting the `auth/token` endpoint.


In this case, the `ASAuthorization` framework in your app will be making a token using your app's Bundle ID, not your services ID, and your client secret has to match that.


The fix for this is to generate a second client secret, using the same script and settings as per Aaron's blog post, except with your app's Bundle ID in the `sub` field of the settings. Then, when you're submitting an `authorization_code`, make sure you use the correct `client_id` in the request body, and the `client_secret` which matches that ID.


If you do this and get either `invalid_grant` or a success response, you've made progress. `invalid_grant` seems to be the next error in the chain, and is raised after client validation is passed.

You can try this solution completely written in PHP:

https://gist.github.com/patrickbussmann/877008231ef082cc5dc4ee5ca661a641


//edit:
Now with a library: https://github.com/patrickbussmann/oauth2-apple

Thank you! I'm actually doing the same exact thing, and getting the same error. Good point on bundle id vs secret id.

I firgured that if yo udon't support Sign In with Apple on web or Android, you don't even need service id, since ASAuthorization uses bundle id. You also don't need to worry about whitelisting domains and uploading txt files, am I right?


I am still experiencing the same invalid_token error though. My JWK has the right info, my key ID is correct, I am using a file I downloaded from Apple. I wish there was a debugging tool or some more explicit error code 😟

Adding what helped me solve a similar problem:


I had the same issue, checked every credential, made sure I'm using the `bundleId` from ios to verify and create client secret. Everything looked correct, but still, the request failed.


Finally noticed that the request I was making trough a library sent is as `Content-Type: application/json`. Changed it to the correct `Content-Type: application/x-www-form-urlencoded` and everything was good. I'd call it a bug as Apple should fail the request with "415 Unsupported Media Type" status instead "400 Bad Request".

How can I login with apple using nestjs framework in nodejs?

Always getting invalid_client when trying to authorize token...
 
 
Q