occurred invalid_grant when using authorization code

On Apr 29, 2020, kyuillee wrote:

> Has anyone experienced the same problem at about the same time?

Could you please confirm if `redirect_uri` is included in your query parameters to the `/auth/token` HTTP POST request?

Could you also please confirm if the `alg` and `kid` are included in your JWT header?

Both requirements are documented on "Generate and validate tokens".

If so, please submit a bug report via Feedback Assistant or submit a Technical Support Incident (TSI) so I can help you each directly with your web application

Yeah, stopped working for me as well. Did you figure out a solution?

Did anyone figured this out?
I have checked everything (redirecturi etc)... all is there and I still get invalidgrant

Have anyone found a solution? It works ok when using Bundle ID but returns invalid_grant
when using android/web based solution.

HI, I was having the same issue too but managed to solve it.

Apps should use the Bundle ID rather than the Service ID for the client_id value. You will need to make sure you generate a corresponding client_secret using the Bundle ID too otherwise you will get an invalid_client error. The Bundle ID should not include the Team ID.

Hope that helps.

I am getting this issue as well. I successfully created the client_secret with the help of this code [https://gist.github.com/ameen-sarsour/e14a1d5bae5b61080dfdd5b1430c3e10) and the after passing all the relevant information from APPLE. It successfully returned me the

Code Block JSON
{
"access_token":"...",
"token_type":"Bearer",
"expires_in":3600,
"refresh_token":"....",
"id_token": "..."
}

by the help of above I updated my backend REST APIs for apple sign in and submitted the APIs and sign in feature for QA.

Today, I am surprised to know that the same code is now throwing this error

Code Block JSON
{"error":"invalid_grant"}

I am not able to digest WHY is this happening? Can anyone suggest any solution or what happened ? Did apple change its policies in 1 night?

I hit the same problem, the problem is about the algorithm to generate the secret_token. (For more information: https://stackoverflow.com/a/64114694/13799822)

• teamid is AppID

• client

• id is bundle ID

• keyid is KeyID

• key

• file is the path to .p8 file

This is the sample code for generating the secret_token.

NOTED: *Seem the authorizationCode expirations is 5 minutes, so please make sure the authorizationCode is valid before making the request.*

Code Block 
require 'jwt'
# Update these values with your app's information
team_id = '' #AppID
client_id = '' #bundle ID
key_id = '' #KeyID
key_file = './AuthKey_XXXX.p8'
# Define the JWT's headers and claims
headers = {
  # The token must be signed with your key
  'kid' => key_id,
  'alg' => 'ES256'
}
claims = {
  # The token is issued by your Apple team
  'iss' => team_id,
  # The token applies to Apple ID authentication
  'aud' => 'https://appleid.apple.com',
  # The token is scoped to your application
  'sub' => client_id,
  # The token is valid immediately
  'iat' => Time.now.to_i,
  # The token expires in 6 months (maximum allowed)
  'exp' => Time.now.to_i + 86400*180,
}
# Read in the key and generate the JWT
ecdsa_key = OpenSSL::PKey::EC.new IO.read key_file
token = JWT.encode claims, ecdsa_key, 'ES256', headers
# Print the JWT to stdout
puts token

As stated before use app id instead of service id when generating the client_secret.

Did you find the solution?
I already tested using nodejs, .net core, insomnia and curl.
My secret means ok, because I passed about "invalid_client", but now, I've been faced the same problem.

jwt:

Code Block 
{"alg":"ES256","typ":"JWT"}.{"sub":"com.XXXX.XXXX","nbf":1612152911,"exp":1613016911,"iat":1612152911,"iss":"7MXXXXXXDM","aud":"https://appleid.apple.com"}

I'm still facing this issue. Did anyone find any solution to this?

I've also posted my problem here

https://developer.apple.com/forums/thread/709366