Hi all. In order to prepare for the new "Account deletion guidance", I have been trying to retrieve access_token and refresh_token from the authorization_code but the POST request to https://appleid.apple.com/auth/token always results invalid_grant error.
https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens
I've tested with fresh authorization_codes that were not expired and generated by actual devices (not simulators), but I always end up with "The code has expired or has been revoked" message. Can somebody please help?
{"error":"invalid_grant","error_description":"The code has expired or has been revoked."}%
Here's my request via cURL.
curl -v POST "https://appleid.apple.com/auth/token"
-H 'content-type: application/x-www-form-urlencoded'
-d 'client_id={bundle_id}'
-d 'client_secret={new JWT string}'
-d 'code={authorization_code'}
-d 'grant_type=authorization_code'
Here are the headers and claims for generating a new JWT string.
headers = { 'kid' => private_key_id (.p8), }
claims = { 'iss' => team_id, 'iat' => Time.now.to_i, 'exp' => Time.now.to_i + 86400*180, 'aud' => 'https://appleid.apple.com', 'sub' => bundle_id, }
For alg Im using ES256.