Sign in with Apple REST API

RSS for tag

The Sign in with Apple REST API allows your app's servers to communicate with Apple’s authentication servers.

Posts under Sign in with Apple REST API tag

49 Posts
Sort by:

Post

Replies

Boosts

Views

Activity

Handling account deletions and revoking tokens for Sign in with Apple
The revoke tokens endpoint (/auth/revoke) is the only way to programmatically invalidate user tokens associated to your developer account without user interaction. This endpoint requires either a valid refresh token or access token for invalidation, as Sign in with Apple expects all apps to securely transmit and store these tokens for validation and user identity verification while managing user sessions. If you don’t have the user’s refresh token, access token, or authorization code, you must still fulfill the user’s account deletion request and meet the account deletion requirement. You'll need to follow this workaround to manually revoke the user credentials: Delete the user’s account data from your systems. Direct the user to manually revoke access for your client. Respond to the credential revoked notification to revert the client to an unauthenticated state Important: If the manual token revocation isn’t completed, the next time the user authenticates with your client using Sign in with Apple, they won’t be presented with the initial authorization flow to enter their full name, email address, or both. This is because the user credential state managed by Sign in with Apple remains unchanged and returns the.authorizedcredential state, which may also result in the system auth UI displaying the “Continue with Apple” button. Respond to the credential revoked notification Once the user’s credentials are revoked by Apple, your client will receive a notification signaling the revocation event:  For apps using the Authentication Services framework to implement Sign in with Apple, register to observe the notification named credentialRevokedNotification. For web services, if an endpoint is registered for server-to-server notifications, Apple broadcasts a notification to the specified endpoint with the consent-revokedevent type. When receiving either notification, ensure you’ve already performed the following operations to meet the requirements of account deletion: Deleted all user-related account data, including: The token used for token revocation; Any user-related data stored in your app servers; and Any user-related data store in the Keychain or securely on disk in the native app or locally on web client. Reverted the client to an unauthenticated state. Securely store user tokens for account creations For all new user account creations, follow the expected authorization flow below: Securely transmit the identity token and authorization code to your app server. Verify the identity token and validate the authorization code using the /auth/token endpoint.  Once the authorization code is validated, securely store the token response — including the identity token, refresh token, and access token. Validate the refresh token up to once per day with Apple servers (to manage the lifetime of your user session and for future token revocation requests), and obtain access tokens (for future token revocation, app transfer, or user migration requests). For information about verifying an identity token and validating tokens, visit Verifying a user and Generate and validate tokens. If you have questions about implementing these flows, including client authorization, token validation, or token revocation, please submit a Technical Support Incident.
0
0
11k
Jun ’22
Sign in with Apple intermittent 400 invalid_request
Hello, We are currently facing an issue with Apple Sign In that only occurs very rarely, and that for some reason mainly affects the Apple Review team, as everyone in the company can register with their personal Apple Account, and we can see multiple users in production using Apple Login. The problem is that when our BackEnd tries to validate the information on https://appleid.apple.com/auth/token we receive a "{"error":"invalid_request"}". We have no idea what is causing this intermittent issue and we currently have no way to reproduce it. We have been loging both succesull request and failing request and all look very simmilar and we have no ideia what may be causing the 400 here is an example of a curl that generated the problem curl --location 'https://appleid.apple.com/auth/token' --header 'Accept: application/json' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'client_id=----SECRET----'' --data-urlencode 'client_secret=----SECRET----' --data-urlencode 'grant_type=authorization_code' --data-urlencode 'code=----SECRET----'' --data-urlencode 'redirect_uri=----SECRET----'' Any ideia what may be causing this?
1
0
68
3d
Migrating "Sign in with Apple" users
We are currently using "Sign in with Apple for the web": https://developer.apple.com/help/account/configure-app-capabilities/configure-sign-in-with-apple-for-the-web/ but we do not publish apps on the App Store. Because of corporate re-structuring, we need to migrate to a new Apple Developer / App Store Connect account. So we are looking to migrate "Sign in with Apple" users to the new account. Apple does provide guides on how to do it: https://developer.apple.com/documentation/technotes/tn3159-migrating-sign-in-with-apple-users-for-an-app-transfer but unfortunately, it only works if "Sign in with Apple" is used with an app published on the App Store (it requires app transfer). Who should we handle this case? Please help.
0
0
52
5d
Sign In With Apple on IPhone
Hello there, I have been facing an issue with apple sign in on react native app. I have been able to get the authorization and all codes in frontend part. The issue is on backend that is in php. We are firstly validating our identity token phone generated, and then we are creating a client secret and then trying to fetch the user info the issue relies in the api call of getAppleUser($authorizationCode, $clientId, $clientSecret);: function below where we are recieving error like: {"error":"invalid_grant","error_description":"client_id mismatch. The code was not issued to com.marchup.prod.AppSSO."} public function appleAuth($identityToken,$authorizationCode) { if (!$identityToken || !$authorizationCode) { return $this->returnError(400,'Missing identity token or authorization code'); } try { // Validate identity token $decodedToken = $this->validateAppleToken($identityToken); // Generate client secret $teamId = isset(Yii::$app->params['apple-auth']['teamId'])?Yii::$app->params['apple-auth']['teamId']:''; $clientId = isset(Yii::$app->params['apple-auth']['clientId'])?Yii::$app->params['apple-auth']['clientId']:''; $keyId = isset(Yii::$app->params['apple-auth']['keyId'])?Yii::$app->params['apple-auth']['keyId']:''; $privateKey = isset(Yii::$app->params['apple-auth']['privateKey'])?Yii::$app->params['apple-auth']['privateKey']:''; $clientSecret = $this->generateClientSecret($teamId, $clientId, $keyId, $privateKey); // Get user info from Apple $appleUser = $this->getAppleUser($authorizationCode, $clientId, $clientSecret); // Verify the authorization code is valid if (!isset($appleUser['id_token'])) { throw new \Exception('Invalid authorization code'); } // Extract user info from the identity token $userId = $decodedToken->sub; $email = $decodedToken->email ?? ''; // login or signup code need to know about object definition to add login and signup logic return $this->returnSuccess('Request successful',200,[ 'userId' => $userId, 'email' => $email ]); } catch (\Exception $e) { // Handle errors Yii::error('Error on apple login '.$e->getMessage()); return $this->returnError(500,'Server Error'); } } **This function is where i am creating a clientSecret as per apples guidelines: ** function createClientSecret($teamId, $clientId, $keyId, $privateKey) { // $key = file_get_contents($privateKeyPath); $key=$privateKey; $headers = [ 'kid' => $keyId, 'alg' => 'ES256' ]; $claims = [ 'iss' => $teamId, 'iat' => time(), 'exp' => time() + 86400 * 180, 'aud' => 'https://appleid.apple.com', 'sub' => $clientId ]; return JWT::encode($claims, $key, 'ES256', $headers['kid']); } **This is the validate Apple Token that is not giving me error: ** function validateAppleToken($identityToken) { $client = new Client(); $response = $client->get('https://appleid.apple.com/auth/keys'); $keys = json_decode($response->getBody(), true)['keys']; $header = JWT::urlsafeB64Decode(explode('.', $identityToken)[0]); $headerData = json_decode($header, true); $kid = $headerData['kid']; $publicKey = null; foreach ($keys as $key) { if ($key['kid'] === $kid) { $publicKey = JWK::parseKey($key); break; } } if (!$publicKey) { throw new \Exception('Public key not found'); } try { $decoded = JWT::decode($identityToken, $publicKey, ['RS256']); return $decoded; } catch (\Exception $e) { throw new \Exception('Token validation failed: ' . $e->getMessage()); } } The response i got was : { aud: "com.abc" auth_time: 1718017883 c_hash: "HSNFJSBdut5vk84QyK0xHA" exp: 1718104283 iat: 1718017883 iss: "https://appleid.apple.com" nonce:"2878cd1ac1fa121f75250f453edaac47365f5144f2e605e8b526a29cb62c83da" nonce_supported: true sub: "001703.2a52ec72cb874a93986522fa35742bd4.1219" } After that we are mainly getting error as {"error":"invalid_grant","error_description":"client_id mismatch. The code was not issued to com.marchup.prod.AppSSO."} in this function: function getAppleUser($authorizationCode, $clientId, $clientSecret) { try { $client = new Client(); $response = $client->post('https://appleid.apple.com/auth/token', [ 'form_params' => [ 'client_id' => $clientId, 'client_secret' => $clientSecret, 'code' => $authorizationCode, 'grant_type' => 'authorization_code' ] ]); if ($response->getStatusCode() !== 200) { throw new \Exception('Failed to get user information from Apple. Status code: ' . $response->getStatusCode()); } $data = json_decode($response->getBody(), true); // Check if the response contains the expected data if (!isset($data['access_token']) || !isset($data['id_token'])) { throw new \Exception('Invalid response from Apple. Missing access token or ID token.'); } // Return the decoded data return $data; } catch (\Exception $e) { // Log any other unexpected errors Yii::error('Unexpected error: ' . $e->getMessage()); // Re-throw the exception to propagate it further throw $e; } } Assumptions: bundleId = com.marchup serviceId i created as client_id= com.marchup.prod.AppSSO team ID= as usual keyId= is the id i created in apple developer consonsole. And the private key is the key inside the private key file. Can anyone please answer. What is mismatched here
0
0
68
1w
`invalid_request` when validating Apple sign-in token generated from app
We've had Signin with Apple integrated & working since 2020. Recently we've started seeing invalid_request errors in token validation API when we submitted our app for review. However, we are unable to reproduce this issue when testing it on the TestFlight build (occurring only on the App Review team's device). We've also tested on a device with similar specs and failed to reproduce the issue. App Review device details: Device type: iPad Air (5th generation) OS version: iOS 17.4.1 Here's a sample of the validation request. url = "https://appleid.apple.com/auth/token" headers = { "content-type": "application/x-www-form-urlencoded" } body = { "client_secret": "generated_jwt_token", "code": code generated in the app, "client_id": bundle id of the app, "grant_type": "authorization_code" } We are not adding redirect_uri in body since we don't use Apple signin on web. We generate the client_secret with the private key from Keys in Apple developer dashboard and use the following header & payload. header = { "alg": "ES256", "typ": "JWT", "kid": key id } payload = { "iss": team id, "iat": current timestamp in seconds , "exp": current timestamp + 180 days, "aud": "https://appleid.apple.com", "sub": bundle id of the app (same as client_id above) } The only error description we get is invalid_request which does not help find the root cause of the issue. We haven't done any changes wrt to Apple sign-in in this build, the only change we have done is update all third-party SDKs and added the Privacy manifest file which I'm sure should not affect the Signin with Apple.
2
3
201
1w
AppleID Login API is not activated after 2 months
This is Saeid from Drion.ai Ag company in Germany. We are s marketing startup and we are developing a marketing platform we need to give opportunity to our users to sign in using Apple ID. I have sent all of the company documents, my ID card, and all documents that we have in our company just to activate the AppID login API and it is nothing after more than 2 months. I had a call from Apple support and she told me to send some documents I did it, but nothing yet. Is this Apple company's suport for developers?!
0
0
150
May ’24
Issue with Sign in with Apple Token Revocation API
Hello everyone! I'm encountering an issue while trying to use the Sign in with Apple token revocation API. I've followed the steps outlined in the official documentation (https://developer.apple.com/documentation/sign_in_with_apple/revoke_tokens), but when I consume the API, I receive a 200 status code instead of the expected code. I've double-checked my implementation and can't find any obvious errors. Has anyone else experienced this issue before? I would greatly appreciate any suggestions or advice on how to resolve this issue. Thank you in advance for your help!
1
0
153
May ’24
Sign in with Apple Revocation goes through but ineffective? Radar time?
Good day folks, We have a workflow setup where a new Sign in with Apple user registers (first SIWA login where user can pick name and show/hide email), and the server-side code obtains a refresh token from SIWA REST API. That refresh token is stored internally against the user's profile in the DB for future use. Whenever user account is deleted from server-side, we use that refresh token to revoke Sign in with Apple (so that the user would need to go through registration flow rather than sign in- where they have an option to specify name and show/hide email). That has been working beautifully until we have added an AppClip to the app. The code which obtains the refresh token "respects" the correct bundle ID for the main app / app clip, and everything seems to work. Both of Apple's APIs return OK codes. In fact, we even get the email from Apple when token is revoked which reads "APP_NAME has revoked your Sign in with Apple account. Next time you use Sign in with Apple to sign in to your onUgo Access account, you will have to share your name and email again". Problem is- it doesn't. SIWA still offers to "sign in" as if account is still linked, and the app still shows up as "App using Sign in with Apple" in iPhone settings. What's even more mysterious is that you can't delete/revoke/"Stop using Apple ID" on that SIWA link with the app from iPhone settings too! It seems to work, but the app never goes away from the list, as if it fails silently. Could anyone please help shed some light on this?
1
1
294
1w
Configuring Sign in with Apple for web and mobile apps
Summary: Need help with Certificates, Identifiers and Profiles settings to allow two apps to use Sign in with Apple. Background: We have a web application (React, static JavaScript) that allows users to sign in with Apple, Google or Microsoft via OAuth/OIDC. We are developing a mobile application using React Native and Expo. Both the web application and the mobile application use the same backend (Django). For the mobile application, we added Google and Microsoft sign in via the same web-based OAuth/OIDC flow. For Sign in with Apple, we are using the expo-apple-authentication package to get the required native sign in experience. We have two active app identifiers: org.terraso.terraso; web app; primary Apple ID org.terraso.test.Terraso-LandPKS; mobile apple; Group with an existing primary App ID (selected (1), the web app) We have one services identifier: org.terraso.app; primary ID is web app (app identifier 1) above; URLs have been configured We have one app group: group.org.terraso (seems unused) On our backend app, we have code: https://github.com/techmatters/terraso-backend/blob/abc655e83eaca849e2bc24389946cc4f0bcd9d48/terraso_backend/apps/auth/providers.py#L84 and APPLE_CLIENT_ID is set to org.terraso.app (which matches the services identifier above In my local development environment, I have tried a few different combinations of IDs attempting to get this to work using the iOS simulator: (i) backend client id: org.terraso.app mobile app bundle Id: org.terraso.test.Terraso-LandPKS result: error: jwt.exceptions.InvalidAudienceError: Audience doesn't match (ii) backend: org.terraso.app mobile app: org.terraso.app result: clicking "Sign In" in Apple ID dialog is a no-op (no errors from client or server) (iii) backend: org.terraso.test.Terraso-LandPKS mobile app: org.terraso.test.Terraso-LandPKS result: works (but I can't use that in production, because the client ID is wrong) How can I configure Sign in with Apple to allow both the web app, the mobile app (and possible additional mobile apps) to work with the same backend? Do I need to us app groups? When do you use app groups vs "group with an existing primary apple id"?
0
0
399
Apr ’24
Apple Sign-In: transfer an app twice in a row
When transferring an app from one team to another, Sign in with Apple users have to me carefuly migrated since their unique identifiers are team-scoped. To migrate users from Team A to Team B, a transient transfer identifier, aka transfer_sub, has to be generated by Team A before the transfer to prepare the app data, using specific migration endpoints provided by Apple. "Preparing the app data" means, for example, associate database entries to the transfer id instead of the team-specific id. One the app has been transferred, and during 60 days, Team B will find the transfer_sub in ID tokens issued by Apple Sign In, and thanks to this shared identifier they can retrieve the user data and associate it to their new unique identifier. So far so good ! Now, the question : if an app is transferred from Team A to Team B, and then, shortly thereafter (a few days later), from team B to team C, will the transfer_sub related to the B-C transfer be different ? Or will they remain the same as the ones issued for the A-B transfer ? (I'm asking this question in order to avoid the possible catastrophe of an ill-prepared double app transfer) Thank you !
0
1
374
Apr ’24
Email is returned only once
We are implementing Sign Up with Apple ID and facing the following issue: Email is returned only on the first response. All subsequent responses for this user do not return email. But our system is email-driven. So, if user first signs up on our TST environment then we will not be able to Sign up this user on UAT and Prod without an email in response. Could anyone please advise how to approach this problem.
0
0
294
Mar ’24
Login issue with socialiteproviders in laravel
Hi all, I create web app laravel with function login with apple. This is any my information app and packet what i'm use : Laravel: 10.x PHP: 8.1 Packages for login: https://socialiteproviders.com/ I'm done with API appleid.apple.com/auth/authorize for auth user with apple ID. Response below : So next step i call to this API : https://appleid.apple.com/auth/token for verify token but response is below : I'm try with postman but response is same that ( invalid_client ). Everything is correct( client_id, team_id, private_key ). I use https://jwt.io/#debugger for test verify token. Signature Verified is result. Can help me for declare what is issue ? what client is invalid ? Thank you so much. P/s : Sorry for my poor English
1
0
710
Mar ’24
Apple Sing In on VisionOS
Hello. On my game I have Apple Sing In option that is required to keep user high score, show name in game, and for other app functionality. Game is made on Unity. Now when I'm trying to port the game to Vision Pro, Im getting error that Authentication is not supported on this platform. It may be the plugin issue that I'm using(not sure yet). But I also didn't find any documentation for native code ( so I could make plugin that unity game could use). Question: does VisionOS support Apple Sing In in the applications? if yes please give me some resources. if no - is there any plans to add that functionality? Thanks.
0
0
403
Mar ’24
Even when calling the Apple Login Revoke API, the app still remains in the user's account.
Problem Situation User membership withdrawal request → revoke API call It always returns status code 200, but once out of 5~10, it remains an app linked to the user's Apple ID. Re-request user Apple login → Email is returned as null Currently, the only solution is for users to manually delete apps linked to their Apple ID. Email sent when re-requesting Apple login When the above problem occurs, even if the Revoke API is called multiple times, the app linked to the user's Apple ID is not deleted, and when requesting Refresh Token validation, it has already expired. Releated Issues https://forums.developer.apple.com/forums/thread/707181
0
0
503
Feb ’24
Sign in with Apple REST API
Apple documentation is specific about the possible types of email_verified property A string or Boolean value that indicates whether the service verifies the email. The value can either be a string ("true" or "false") or a Boolean (true or false). The system may not verify email addresses for Sign in with Apple at Work & School users, and this claim is "false" or false for those users. Actually we made a mistake by supporting only String type and today had the very bad surprise to notice that we started receiving Bool types for the first time. Do you have any info about changes on the API ? Thanks Julien
1
1
693
Feb ’24
Email is not included in id_token
We have a game that provides a mechanism to log into the game with Sign in with Apple in a direct integration between the game and Apple (first mechanism). We also provide a mechanism to log into the game using OpenID connect with authorization from Apple but using a server in the middle that drives the process (second mechanism). It is important to mention that both mechanisms use the same oauth client. We have been able to switch from the first mechanism to the second successfully, but there is a problem with id_token. In the second mechanism we request the scopes "email", "openid" and "name", but in the retrieved id_token there is no information about the email. It happens for all users who previously signed in with Apple using the first mechanism (therefore there is a current link between the game and the user in AppleId). It does not happen with users who had no link between the game and the user and use the second mechanism, in this case we can retrieve the user information in the callback of the first call and the email in the id_token, as stated in the documentation. However, if users who had a link between the game and the AppleId delete the app and then log back in using the second mechanism, then we can get the email information with the exact same request. The request we use to obtain the authorized endpoint information (https://appleid.apple.com/auth/authorize) has these parameters: response_mode: query scope: email openid profile nonce: ... state: ... response_type: code Then we get the authentication code and get an id_token like this: { "iss":"https://appleid.apple.com", "aud":"{aud}", "exp":1705584621, "iat":1705498221, "sub":"{sub}", "nonce":"7f-PqBoXgxeDMOEu5Ysov0FjE9GvSYfq", "at_hash":"3kLcPBlwZP6aj_mscww5zA", "authentication_time":1705498218, "nonce_supported":true } Is there a way to retrieve the email for users who had the link and don't want to delete it or log back into the app? In the official Apple documentation it is stated that the id_token should have the email but this is not the case. https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple#3383773
0
0
547
Feb ’24
Sign in with Apple invalid_client first time only
Hello, we implemented Apple Sign-In in our website long ago, and it worked well. Recently we have found a strange behaviour. The first time we make the request to the /auth/token endpoint we get an invalid_client error. Our client id is com.spicysparks.service.id If we make a request another time with exactly the same data it works fine. We noticed we get this error only when we try a newly generated client secret for the first time.
0
0
466
Jan ’24
Unable to send emails to users who opt to "Hide my Email" when using Sign in with Apple
We are trying to integrate "Sign in with Apple" and are facing an issue where all users who chose to use Apple's private relay with the hide my email feature are unable to receive any mail sent by us. We have added our domain, mail from domain & email address to https://developer.apple.com/account/resources/services/configure and also verified the SPF. We also have DKIM setup. We use SES as our email provider and have added its SPF as recommended aswell. I have attached a sample delivery log from SES below. {"notificationType":"Delivery","mail":{"timestamp":"2024-01-17T10:20:07.592Z","source":"\"Redacted\" <admin@redacted>","sourceArn":"arn:aws:ses:ap-south-1:redacted:identity/redacted","sourceIp":"34.redacted","callerIdentity":"redacted-ses","sendingAccountId":"redacted","messageId":"redacted","destination":["redacted@privaterelay.appleid.com"]},"delivery":{"timestamp":"2024-01-17T10:20:12.385Z","processingTimeMillis":4793,"recipients":["redacted@privaterelay.appleid.com"],"smtpResponse":"250 2.0.0 Ok: queued as redacted","remoteMtaIp":"redacted","reportingMTA":"redacted.smtp-out.ap-south-1.amazonses.com"}}
0
0
477
Jan ’24
invalid_client Sign In With Apple
I'm trying to set up Sign In With Apple on my .NET 7 Web App (Not sure how many people here use this). I followed the guide by Scott Brady here: https://www.scottbrady91.com/openid-connect/implementing-sign-in-with-apple-in-aspnet-core It reaches Apple Sign In OK, authenticates, and passes back to my server, but the callback responds with this error. OpenIdConnectProtocolException: Message contains error: 'invalid_client', error_description: 'error_description is null', error_uri: 'error_uri is null'. Googling hasn't helped much, other than I saw a post saying to wait 48 hours, which I have now done (not that that makes sense anyway). Any idea whats been done wrong? Code below, replacing sensitive data. Startup.cs .AddOpenIdConnect("apple", async options => { options.Authority = "https://appleid.apple.com"; // disco doc: https://appleid.apple.com/.well-known/openid-configuration options.ClientId = "com.rackemapp.applelogin"; // Service ID options.CallbackPath = "/signin-apple"; // corresponding to your redirect URI options.ResponseType = "code id_token"; // hybrid flow due to lack of PKCE support options.ResponseMode = "form_post"; // form post due to prevent PII in the URL options.UsePkce = false; // apple does not currently support PKCE (April 2021) options.DisableTelemetry = true; options.Scope.Clear(); // apple does not support the profile scope options.Scope.Add("openid"); options.Scope.Add("email"); options.Scope.Add("name"); options.Events.OnAuthorizationCodeReceived = context => { context.TokenEndpointRequest.ClientSecret = AppleTokenGenerator.CreateNewToken(); return Task.CompletedTask; }; }); Apple Token Generator public static class AppleTokenGenerator { public static string CreateNewToken() { const string iss = "[MyTeamId]"; // your account's team ID found in the dev portal const string aud = "https://appleid.apple.com"; const string sub = "com.rackemapp.applelogin"; // same as client_id var now = DateTime.UtcNow; // contents of your .p8 file const string privateKey = "[MyKey]"; var ecdsa = ECDsa.Create(); ecdsa?.ImportPkcs8PrivateKey(Convert.FromBase64String(privateKey), out _); var handler = new JsonWebTokenHandler(); return handler.CreateToken(new SecurityTokenDescriptor { Issuer = iss, Audience = aud, Claims = new Dictionary<string, object> { { "sub", sub } }, Expires = now.AddMinutes(5), // expiry can be a maximum of 6 months - generate one per request or re-use until expiration IssuedAt = now, NotBefore = now, SigningCredentials = new SigningCredentials(new ECDsaSecurityKey(ecdsa), SecurityAlgorithms.EcdsaSha256) }); } } Also attached, images of my keys and setp in developer portal
0
0
457
Jan ’24