occurred invalid_grant when using authorization code

"Sign in with Apple" implemented about a month ago worked well, but suddenly the following error began to occur on the 27th.

No changes have been made so far.


I tested it like this,

1. i got authorization code using Service ID


2. and then, i tried validate the authorization grant code to obtain tokens

curl -X "POST" "https://appleid.apple.com/auth/token?client_id={corrected service id}&client_secret={corrected client_secret}&code={corrected code}&grant_type=authorization_code"


3. response is fails with an

invalid_grant
error, 400 status, invalid_grant
  • i tried get authorization code and validate the authorization grant code both using same service id
  • is not invalid_client error, and client secret is not expired too.
    My decoded token looks like the following :
    "iss": "XFY******",
    "iat": 1584347794,
    "exp": 1599899794,
    "aud": "https://appleid.apple.com",
    "sub": "{service_id}"


same test was working well for nearly two months. However, it is currently failing.

I am having a hard time to solve this problem

Has anyone experienced the same problem at about the same time?

Answered by DTS Engineer in 417533022

On Apr 29, 2020, kyuillee wrote:


> Has anyone experienced the same problem at about the same time?


Could you please confirm if `redirect_uri` is included in your query parameters to the `/auth/token` HTTP POST request?

Could you also please confirm if the `alg` and `kid` are included in your JWT header?


Both requirements are documented on "Generate and validate tokens".


If so, please submit a bug report via Feedback Assistant or submit a Technical Support Incident (TSI) so I can help you each directly with your web application

Accepted Answer

On Apr 29, 2020, kyuillee wrote:


> Has anyone experienced the same problem at about the same time?


Could you please confirm if `redirect_uri` is included in your query parameters to the `/auth/token` HTTP POST request?

Could you also please confirm if the `alg` and `kid` are included in your JWT header?


Both requirements are documented on "Generate and validate tokens".


If so, please submit a bug report via Feedback Assistant or submit a Technical Support Incident (TSI) so I can help you each directly with your web application

Yeah, stopped working for me as well. Did you figure out a solution?

Did anyone figured this out?
I have checked everything (redirecturi etc)... all is there and I still get invalidgrant
Have anyone found a solution? It works ok when using Bundle ID but returns invalid_grant
when using android/web based solution.
HI, I was having the same issue too but managed to solve it.

Apps should use the Bundle ID rather than the Service ID for the client_id value. You will need to make sure you generate a corresponding client_secret using the Bundle ID too otherwise you will get an invalid_client error. The Bundle ID should not include the Team ID.

Hope that helps.
I am getting this issue as well. I successfully created the client_secret with the help of this code [https://gist.github.com/ameen-sarsour/e14a1d5bae5b61080dfdd5b1430c3e10) and the after passing all the relevant information from APPLE. It successfully returned me the

Code Block JSON
{
"access_token":"...",
"token_type":"Bearer",
"expires_in":3600,
"refresh_token":"....",
"id_token": "..."
}

by the help of above I updated my backend REST APIs for apple sign in and submitted the APIs and sign in feature for QA.

Today, I am surprised to know that the same code is now throwing this error
Code Block JSON
{"error":"invalid_grant"}


I am not able to digest WHY is this happening? Can anyone suggest any solution or what happened ? Did apple change its policies in 1 night?
I hit the same problem, the problem is about the algorithm to generate the secret_token. (For more information: https://stackoverflow.com/a/64114694/13799822)
  • teamid is AppID

  • client

  • id is bundle ID
  • keyid is KeyID

  • key

  • file is the path to .p8 file
This is the sample code for generating the secret_token.

NOTED: *Seem the authorizationCode expirations is 5 minutes, so please make sure the authorizationCode is valid before making the request.*

Code Block
require 'jwt'
# Update these values with your app's information
team_id = '' #AppID
client_id = '' #bundle ID
key_id = '' #KeyID
key_file = './AuthKey_XXXX.p8'
# Define the JWT's headers and claims
headers = {
# The token must be signed with your key
'kid' => key_id,
'alg' => 'ES256'
}
claims = {
# The token is issued by your Apple team
'iss' => team_id,
# The token applies to Apple ID authentication
'aud' => 'https://appleid.apple.com',
# The token is scoped to your application
'sub' => client_id,
# The token is valid immediately
'iat' => Time.now.to_i,
# The token expires in 6 months (maximum allowed)
'exp' => Time.now.to_i + 86400*180,
}
# Read in the key and generate the JWT
ecdsa_key = OpenSSL::PKey::EC.new IO.read key_file
token = JWT.encode claims, ecdsa_key, 'ES256', headers
# Print the JWT to stdout
puts token

As stated before use app id instead of service id when generating the client_secret.
Did you find the solution?
I already tested using nodejs, .net core, insomnia and curl.
My secret means ok, because I passed about "invalid_client", but now, I've been faced the same problem.

jwt:

Code Block
{"alg":"ES256","typ":"JWT"}.{"sub":"com.XXXX.XXXX","nbf":1612152911,"exp":1613016911,"iat":1612152911,"iss":"7MXXXXXXDM","aud":"https://appleid.apple.com"}





I'm still facing this issue. Did anyone find any solution to this?

I've also posted my problem here

https://developer.apple.com/forums/thread/709366

occurred invalid_grant when using authorization code
 
 
Q