I'm trying to set up Sign In With Apple on my .NET 7 Web App (Not sure how many people here use this). I followed the guide by Scott Brady here: https://www.scottbrady91.com/openid-connect/implementing-sign-in-with-apple-in-aspnet-core
It reaches Apple Sign In OK, authenticates, and passes back to my server, but the callback responds with this error.
OpenIdConnectProtocolException: Message contains error: 'invalid_client', error_description: 'error_description is null', error_uri: 'error_uri is null'.
Googling hasn't helped much, other than I saw a post saying to wait 48 hours, which I have now done (not that that makes sense anyway).
Any idea whats been done wrong? Code below, replacing sensitive data.
Startup.cs
.AddOpenIdConnect("apple", async options =>
{
options.Authority = "https://appleid.apple.com"; // disco doc: https://appleid.apple.com/.well-known/openid-configuration
options.ClientId = "com.rackemapp.applelogin"; // Service ID
options.CallbackPath = "/signin-apple"; // corresponding to your redirect URI
options.ResponseType = "code id_token"; // hybrid flow due to lack of PKCE support
options.ResponseMode = "form_post"; // form post due to prevent PII in the URL
options.UsePkce = false; // apple does not currently support PKCE (April 2021)
options.DisableTelemetry = true;
options.Scope.Clear(); // apple does not support the profile scope
options.Scope.Add("openid");
options.Scope.Add("email");
options.Scope.Add("name");
options.Events.OnAuthorizationCodeReceived = context =>
{
context.TokenEndpointRequest.ClientSecret = AppleTokenGenerator.CreateNewToken();
return Task.CompletedTask;
};
});
Apple Token Generator
public static class AppleTokenGenerator
{
public static string CreateNewToken()
{
const string iss = "[MyTeamId]"; // your account's team ID found in the dev portal
const string aud = "https://appleid.apple.com";
const string sub = "com.rackemapp.applelogin"; // same as client_id
var now = DateTime.UtcNow;
// contents of your .p8 file
const string privateKey = "[MyKey]";
var ecdsa = ECDsa.Create();
ecdsa?.ImportPkcs8PrivateKey(Convert.FromBase64String(privateKey), out _);
var handler = new JsonWebTokenHandler();
return handler.CreateToken(new SecurityTokenDescriptor
{
Issuer = iss,
Audience = aud,
Claims = new Dictionary<string, object> { { "sub", sub } },
Expires = now.AddMinutes(5), // expiry can be a maximum of 6 months - generate one per request or re-use until expiration
IssuedAt = now,
NotBefore = now,
SigningCredentials = new SigningCredentials(new ECDsaSecurityKey(ecdsa), SecurityAlgorithms.EcdsaSha256)
});
}
}
Also attached, images of my keys and setp in developer portal
Sign in with Apple REST API
RSS for tagThe Sign in with Apple REST API allows your app's servers to communicate with Apple’s authentication servers.
Posts under Sign in with Apple REST API tag
51 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
Hello community,
In our application, we've implemented Apple ID for user authentication. Unfortunately, we forgot to register the associated domains and communication email addresses. This oversight has led to complications in email delivery via the private relay service.
We've taken steps to fix the issue by reconfiguring the domains and communication email addresses. Post-adjustment, new user registrations are functioning properly. However, for users who registered before this fix, the problem persists.
We followed the instructions provided on https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/communicating_using_the_private_email_relay_service, and we also have SPF configured, which has passed validation in our administration.
Has anyone encountered a similar issue, and if so, how did you resolve it? Any insights or guidance would be greatly appreciated.
hello.
I am using the app with webview.
When I log in to Apple, a typeerror appears.
How can I solve this?
TypeError: this.attr(...).serialize is not a function
at u.get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:691:77511)
at t.getValueAndBind (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:145:1485)
at e.Compute._on (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:3608)
at e.Compute.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:2378)
at e.Compute._bindsetup (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:145:3277)
at e.bindAndSetup [as bind] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:131:200)
at e.Compute.temporarilyBind (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:3888)
at e.Compute.get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:2827)
at Object.u [as compute] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:117:194)
at u.___get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:59:1930)
TypeError: Cannot read properties of undefined (reading 'serialize')
at u.inserted (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:691:116897)
at HTMLElement.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:187:673)
at HTMLElement.dispatch (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:39204)
at v.handle (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:37199)
at Object.trigger (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:67752)
at Object.trigger (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:224:258)
at e.inserted (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:290:412)
at t.each.e.fn.<computed> [as append] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:224:2129)
at O.fn.init.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:46985)
at W (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:28565)
hello.
I am using the app with webview.
When I log in to Apple, a typeerror appears.
How can I solve this?
TypeError: this.attr(...).serialize is not a function
at u.get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:691:77511)
at t.getValueAndBind (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:145:1485)
at e.Compute._on (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:3608)
at e.Compute.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:2378)
at e.Compute._bindsetup (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:145:3277)
at e.bindAndSetup [as bind] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:131:200)
at e.Compute.temporarilyBind (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:3888)
at e.Compute.get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:2827)
at Object.u [as compute] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:117:194)
at u.___get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:59:1930)
TypeError: Cannot read properties of undefined (reading 'serialize')
at u.inserted (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:691:116897)
at HTMLElement.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:187:673)
at HTMLElement.dispatch (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:39204)
at v.handle (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:37199)
at Object.trigger (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:67752)
at Object.trigger (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:224:258)
at e.inserted (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:290:412)
at t.each.e.fn.<computed> [as append] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:224:2129)
at O.fn.init.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:46985)
at W (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:28565)
I have implemented Sign in with Apple in my app.
The flow goes like this:
User taps sign in button
In the delegate method I take the auth code and post it to my server.
My server sends an activation request to apple and gets an id, refresh, and access tokens.
This is where I have a problem:
A user requests account deletion.
The server sends a request to revoke the access and refresh tokens
User may or may not go to settings and revoke "Sign in with Apple" access to the app (the following happens either way)
The user then load the app again and taps the Sign in with Apple button.
The delegate method provides a valid id token, but the same original auth code instead of generating a new one.
The server now gets an invalid response from apple as the auth code is had already expired, and so can't get a new refresh token.
The server also can't use the old refresh token as it's been revoked during deletion.
Can someone tell me where I'm going wrong?
I can't find any documentation for regenerating a refresh token after revoking it.
Thank you
Some background:
A user must sign up for an account on our platform via a browser before they can sign in to our iOS app using an Apple ID otherwise we present the following error message as shown in the attached image.
Authentication and session management is handled using AWS Cognito on our platform and we believe AWS Cognito is using the relevant API for Apple ID Sign Ins.
For account deletion we are providing an account deletion option within the app to the user (who has to be signed in) under Account Settings. For a valid deletion request, we are deleting a user’s records from our database.
For revoking, generating, and validating tokens we are using AWS cognito to handle token revocation, generation, and validation.
Ask: Apple reviewers provided additional information (shown below) to help us resolve this issue. But i am not clear how this addresses their concern and would appreciate some guidance on how i could resolve it.
Apple reviewer recommendation
Apps that offer Sign in with Apple should use the REST API to revoke user tokens. If you have not retained the user’s refresh token, access token, or authorization code, you must still fulfill the user’s account deletion request. To learn more, we recommend reviewing the following resources:
Handling account deletions and revoking tokens for Sign in with Apple
Revoke tokens
Generate and validate tokens
I cannot receive full name from Apple sign in and the app review fails.
What I receive from the call is the following:
{
"familyName": null,
"identityToken": "XXXXX",
"givenName": null,
"authorizationCode": "XXXXX",
"user": "XXXXX",
"email": null
}
while decoding the identityToken, I get:
{
iss: 'https://appleid.apple.com',
aud: 'popularise.app',
exp: 1697700330,
iat: 1697613930,
sub: 'XXXXX',
nonce: 'nonce',
c_hash: 'XXXX',
email: 'XXXXXX',
email_verified: 'true',
auth_time: 1697613930,
nonce_supported: true
}
As you can see, I have no information about given or family name.
Body I am sending via api rest:
{
clientId: 'popularise.app',
scopes: 'email name',
redirectURI: '',
state: '12345',
nonce: 'nonce',
}
My tools:
I am using nestJS and node (v16).
As the title says. Tried to find the answer on Apple's website but no dice.
Hi! I have the following problem. We are providing the Apple Sign In option for users to register in our system. When you first login using Apple Sign In it will successfully return "Email" and we are using it for our own registration routine.
The problem is with the following thing: our user can remove the account from our system. And after that, he will not be able to register using Apple Sign In. Is there any way to revoke this token? I have seen the https://developer.apple.com/documentation/sign_in_with_apple/revoke_tokens
but I cannot call this method from the app: this API route returns 400 from the payload I'm sending.
Is there any solution to this problem rather than asking the user to remove the app manually? Can I route the user to the page with these settings?
https://developer.apple.com/forums/thread/708415 - and yeah, I have seen this thing.
Thank you!
Hi,
I have an website with sign in with Apple enabled (using REST API). It seems the majority of my users not aware they are sharing their private email because it is the default selected option. Is there a way to require that the real email be always shared? Alternatively, is there a way to have the "Share My Email" option be the default choice?
I am working on a financial application that falls under Indian jurisdiction, which has specific regulations prohibiting the use of relay or proxy emails for sign-up processes. Given that the "Hide My Email" feature in "Sign in with Apple" provides a relay email, I'm trying to understand how I can remain compliant with these regulations while offering "Sign in with Apple" as a sign-up option.
My proposed flow:
Allow users to use "Sign in with Apple" for authentication.
Check if the user has opted for the "Hide My Email" feature.
If they have, show an error message explaining the regulatory restriction and prompt them to either:
a) Use "Sign in with Apple" without the "Hide My Email" option OR
b) Use our standard "Sign up with Email and Password" flow.
I would like to understand if such an approach is acceptable according to Apple's guidelines. Would there be any issues or recommendations from Apple's side on implementing this flow?
Thank you for your assistance and guidance!
Hi everyone, we are developing Ionic mobile app with .NET server part, now we are trying to implement apple authorization, it works properly with web(user can authorize and server receives callback), but it is not working with mobile, we can authorize and get response on client side with token and code, but it not initiate callback to server, we found a difference in apple endpoint that we call for web and for mobile(in query parameters for mobile- response_mode = web_message and for web- response_mode = form_post), we can't change url for mobile app, because we are using SignInWithApple from @capacitor-community/apple-sign-in, does anyone have experience with this problem? Thanks in advance.
I'm using apple login in my web app and passing the redirect URI to apple URL. It's working fine on all browsers except Safari. On Safari instead of opening the URL in a new tab it's showing the finger touch enabled login popup. Which is causing the issue and my redirect URI is not getting passed and I'm not able to receive the code and other details from apple.
Can anyone please help me resolve this issue.
Angular Code:
const openNewWindow = window.open(
'https://appleid.apple.com/auth/authorize?response_type=code&response_mode=form_post&scope=name%20email&state=W4cL2JgRJq&client_id=CLIENT_ID&redirect_uri='+ this.AppleURL',"_blank"
);
try {
openNewWindow.opener = window;
window.addEventListener('message', event => {
this.signInWithApple(JSON.parse(event.data));
});window.addEventListener('message', event => {
this.signInWithApple(JSON.parse(event.data));
});
} catch (error) {
console.log("error",error);
}
Redirect URI js code:
Is there any documentation about the server to server notification, specifically what sort of data Apple servers send to our server when there is an update to users who used Sign in with Apple?
I'm in the process of setting up Apple Sign-In for our web portal. The web portal doesn't have a related Apple application. I've been reviewing the documentation provided at https://developer.apple.com/help/account/configure-app-capabilities/configure-sign-in-with-apple-for-the-web/ and attempting to set it up. It appears that this might not be possible without an existing Apple application associated with the web portal.
According to https://developer.apple.com/help/account/configure-app-capabilities/configure-sign-in-with-apple-for-the-web/:
To configure web authentication, you must create a Services ID and associate your website to an existing primary iOS, macOS, tvOS, or watchOS App ID enabled for Sign in with Apple.
Does this imply that it's not feasible without an existing Apple application?
Hi,
We have a iOS app where users can purchase videos from others. Purchasing happens through In-app purchasing and our client get the money. So when the owner of the videos need to cashout the money he gets from the video selling, we need to implement an option for that. Currently we have a manual process for that.
Our major mode of receiving payments is CashApp
but when automating it with custom API it is giving error code : 8447435879 , 18447435879
Can Anyone tell me what exactly is this error code about?
Note : we are synchronising the API with REST API
We recently are adding apple signup in our app and in our db we have 50 chars as max length of user identifiers. i was wondering how long they can be on apple and whether we should tweak the max length on our side.
I am sending a user to the apple authentication site where they fill in their apple login information on a form:
const signInWithApple = () => {
const params = {
client_id: Config.APPLE_AUTH_CLIENT_ID,
redirect_uri: 'https://www.example-site.com/auth/apple/',
scope: 'name email',
response_type: 'code',
response_mode: 'form_post',
};
const loginUrl = `https://appleid.apple.com/auth/authorize?${queryString.stringify(params)}`;
window.open(loginUrl, '_blank', `scrollbars=yes, width=520, height=570`);
};
After it has authenticated the user, it redirects the user to the URL that is defined in the redirect_uri property. Then I verify the token and log in the user on my end. That works beautifully.
The problem occurs when, instead of opening the window with the form fields, it opens a sheet at the bottom of the Safari mobile browser to allow the user to use face id. If you follow through with that, it looks like it recognizes your face and closes the sheet but it never redirects the user to my URL page where I log in the user after verifying their token.
Has anybody encountered this? I would love some ideas on how to solve this please!
Hello - migrated from darksky to WeatherKit in April of this year. With some difficulty finally got the REST API to work via the following resources:
https://developer.apple.com/weatherkit/get-started/
which is horribly inadequate for JWT instructions. So i also used:
https://dev.iachieved.it/iachievedit/weatherkit-rest-api/
which was quite helpful.
As stated, in April i managed to get this working. About a week ago it stopped working.
The response from my calls are 401 Unauthorized in the header and { "reason": "NOT_ENABLED" } in the body.
I believe the key i created expired and thus WeatherKit stopped responding. So i tried to re-enable access using the same Apple key and a new JWT signature. That did not seem to work, so i removed the old key and created a new one. Downloaded the p8 file and used openssl on my ubuntu server to create pem and pub files for the jwt token. Still nothing. I have tried almost all combinations of keys and ID #s in the JWT.io console that i can think of.
Importantly, nowhere in the official Apple documentation does it say what parameters the key creation and expiry dates can be. Does the key creation date have to match the date the key was created in Apple Developer Console??? What expiry dates are valid???? No idea.
I have submitted a code level request, but they punted me to feedback which apparently does nothing. Still no resolution, nor have i been contacted once by an Apple representative. This is what my $200 developer fee gets me?! Unacceptable.
If anyone has any idea on how to resolve this issue and/or create valid jwt tokens easier (via PHP preferably), i'm all ears.
Thanks, airyt
I want to know if the user identity(sub) maintains the same when the user un-links the linked app from the Apple ID setting and re-links it.
I would be grateful if you could give me an reply.