invalid_grant while token validation

Hi, I implemented Sign in with Apple on Android four months ago, and it worked perfectly.

We are using React Native with Expo, using expo-auth-session and a Firebase function to get the code back to start the token validation process.

However, recently we started to receive invalid_grant with no error description during token validation, while the same client secret works on Firestore without issue, which confuses us.

According to https://developer.apple.com/documentation/technotes/tn3107-resolving-sign-in-with-apple-response-errors, the common reasons that I receive invalid_grant are:

  1. The client_id does not match the client for which the code was issued.
  2. The code has expired or has been previously consumed by the validation server.

Is there any way I could differentiate whether the client_secret is wrong, the code was already used, or there is some other reason?

Answered by DTS Engineer in 812005022

Hi @morsha,

You wrote:

Is there any way I could differentiate whether the client_secret is wrong, the code was already used, or there is some other reason?

The underlying cause depends on which token you are validating. When validating the authorization grant code in exchange for user tokens (e.g., identity token, refresh token, and access token), ensure the client_id of your request and client secret match the client ID of the initial authorization request. However, most of the time this invalid scenario will result in an invalid_client error, not invalid_grant.

If the auth code was previously consumed or had already expired, you will always receive an invalid_grant error; you could log your own server-side requests to detect any duplicate requests and track the timing of each request. The best way to confirm your implementation is correct is to compare it with a request via Terminal using curl, as documented below:

Generate and validate tokens https://developer.apple.com/documentation/accountorganizationaldatasharing/generate-and-validate-tokens

Another thing to consider is confirming your JWS library creates a valid JWT with the claims supported by Sign in with Apple. Please see the documentation below to learn more:

Creating a client secret https://developer.apple.com/documentation/accountorganizationaldatasharing/creating-a-client-secret

Cheers,

Paris X Pinkney | WWDR | DTS Engineer
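As an added illustration of the two checks the DTS answer recommends (confirming the client secret JWT carries the claims Sign in with Apple expects, and logging server-side exchanges so a duplicate or late code is recognised before the secret is blamed), here is example code that is not part of this thread or of Apple's documentation. The Team ID, Key ID and client_id values are constructed placeholders, the signature is not verified (the curl comparison covers that), and the five-minute code window is an assumption encoded as a constant.

```python
import base64, hashlib, json

APPLE_AUD = "https://appleid.apple.com"
MAX_SECRET_LIFETIME = 15777000   # Apple caps a client secret's exp at 6 months after iat
CODE_LIFETIME = 300              # auth codes are single-use; a 5-minute window is assumed here

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def sample_secret(header: dict, claims: dict) -> str:
    # Constructed test token: real header/claims, placeholder signature (production: ES256 with the .p8 key)
    body = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    return body + "." + _b64url(b"placeholder-signature")

def lint_client_secret(token: str, client_id: str, now: int) -> list:
    """List header/claim defects that make Apple reject a client secret; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not three dot-separated segments"]
    header, claims = (json.loads(_unb64url(p)) for p in parts[:2])
    problems = []
    if header.get("alg") != "ES256" or not header.get("kid"):
        problems.append("header needs alg=ES256 and the kid of the .p8 signing key")
    if not claims.get("iss"):
        problems.append("iss (Team ID) missing")
    if claims.get("aud") != APPLE_AUD:
        problems.append("aud must be " + APPLE_AUD)
    if claims.get("sub") != client_id:
        problems.append("sub must equal the client_id of the token request")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not (isinstance(iat, int) and isinstance(exp, int)):
        problems.append("iat/exp must be integer epoch seconds")
    elif exp <= now or exp - iat > MAX_SECRET_LIFETIME:
        problems.append("exp must be in the future and at most 6 months after iat")
    return problems

def check_auth_code(ledger: dict, code: str, issued_at: int, now: int) -> str:
    """Server-side ledger of exchanged codes, so replay or expiry is seen locally
    instead of being mistaken for a bad secret. ledger: sha256(code) -> first exchange time."""
    digest = hashlib.sha256(code.encode()).hexdigest()   # never store raw codes
    if digest in ledger:
        return "already consumed at %d" % ledger[digest]
    if now - issued_at > CODE_LIFETIME:
        return "code expired"
    ledger[digest] = now
    return "ok"
```

Run lint_client_secret on the exact secret your server sends before each exchange and record every code through check_auth_code; an empty problem list plus an "ok" ledger result narrows a remaining invalid_grant to the signature or to the client_id/redirect_uri pairing.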

me too
