Error: Invalid_Client - What?

I developed the solution: https://gist.github.com/patrickbussmann/877008231ef082cc5dc4ee5ca661a641

The problem was the specific algorithm which Apple uses.

//edit:
Now I developed a oAuth client library extension for Sign in with Apple:
https://github.com/patrickbussmann/oauth2-apple

i think here you need to use bundle id, not service id.

For him, the service id is the correct one. Because he is getting the code for web login. But when you use an app to get the code, you should use bundle id instead.

as explained here: https://forums.developer.apple.com/thread/118135

I was getting invalid_client because of the incorrect content-type sending by axios. correct form type should be application/x-www-form-urlencoded

This library is throwing a lot of errors. https://github.com/patrickbussmann/oauth2-apple

For the start, the code redirect the page to apple website and it show the following screen.

"invalid_client"

Please suggest what to do.

In my case I re-generate a new key for Sign-in with Apple and it's fixed.

For folks still struggling with this: I had to wait 48h after creating my first key for it to be picked up by Apple servers. For the last two days I've been trying every single solution I could find on-line, thinking that I made a mistake somewhere. Nope.. what fixed it was time (or somebody at apple modifying something on their end). I invoked exactly the same curl request 10 minutes ago and now, getting two different responses from apple's api. EXACTLY the same request (including all parameters).

10 minutes ago: {"error":"invalid_client"}
1 minute ago: {"error":"invalid_grant"} (yes!!!)
now: success (after updating "code" to a fresh authorizationCode generated by my iOS app)

Just be patient. Wait for 48h after creating your first key at https://developer.apple.com/account/resources/authkeys/list

We got this resolved by going into the More > Configure and adding our domain, making sure the SPF tick is green (if its not green, do a quick google to find out how to fix it for your config). After this, we stopped getting invalid_client errors.
The thing that made us stumble on this was it didn't appear important on account of it saying it was for the emails - we skimmed over it thinking we could come back to it later..

I know this is old, but I wanted to share my solution. I was using requests-oauthlib (python library) to fetch the token. I had to pass include_client_id=True in the call to OAuth2Session.fetch_token().

I've tried all the method above, but none of it works, just wondering does anyone know if there are more potential solutions for this invalid_client issue

In my case the issue was that when generating client secret (which is signed JWT) I was not attaching private key id ("kid") to JWT header. The funny thing is that it was working without providing "kid" when I had only one private key generated in developer console. When generated another one only the newest one was working without attaching "kid" to JWT so it seems that when verifying client secret (which is signed JWT) Apple takes the latest private key to check signature when "kid" is not present in JWT.

Here is how I generate ClientSecret passed to apple token endpoint (c#):

private static string GenerateAppleClientSecret(AppleSettings appleSettings)
{
    string iss = appleSettings.AccountTeamId;
    string aud = appleSettings.Authority;
    string sub = appleSettings.ClientId;
    var now = DateTime.UtcNow;

    var ecdsa = ECDsa.Create();
    ecdsa.ImportPkcs8PrivateKey(Convert.FromBase64String(appleSettings.PrivateKey), out _);

    JwtHeader jwtHeader = new JwtHeader(new SigningCredentials(new ECDsaSecurityKey(ecdsa), SecurityAlgorithms.EcdsaSha256));
    jwtHeader.Clear();
    jwtHeader.Add("alg", "ES256");
    jwtHeader.Add("typ", "JWT");
    jwtHeader.Add("kid", appleSettings.PrivateKeyId);

    JwtPayload jwtPayload = new JwtPayload(
        iss,
        aud,
        new List<Claim>()
        {
            new Claim("sub", sub),
        },
        now,
        now.Add(TimeSpan.FromMinutes(5))
    );

    var jwt = new JwtSecurityToken(jwtHeader, jwtPayload);
    return new JwtSecurityTokenHandler().WriteToken(jwt);
}

In my case my secret was expired due to max lifetime is 6 months, I recreated secret token using ruby script on my .p8 certificated and error invalid_client was fixed

I was having the same issue, the problem was the wrong curl request. Below is the code which worked!

$ch = curl_init('https://appleid.apple.com/auth/token');
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($reqDataArray));
            curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
            $serverOutput = curl_exec($ch);

            curl_close ($ch);

In our case, it turned out that the token expiration was more than 180 days.

Be careful because of this invalid_client error could be misleading (as always Apple's error messages)

$postParams = array(
    'code' => ...,
    'client_id' => ...,
    'client_secret' => ...,
    'grant_type' => 'authorization_code',
    'redirect_uri' => ...,
);

$curl = curl_init('https://appleid.apple.com/auth/token');

// never pass params as just array for apple without stringifying via http_build_query()
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($postParams));

When you will use just curl_setopt($curl, CURLOPT_POSTFIELDS, $postParams); it is valid POST request but another type than Apple expects but lazy apple developers are not able to provide error that this type of POST request is unsupported.