Sign in with Apple REST API

The Sign in with Apple REST API allows your app's servers to communicate with Apple’s authentication servers.

Posts under Sign in with Apple REST API tag

49 Posts
Post not yet marked as solved
0 Replies
839 Views
Context

I am trying to make a webservice that fetches the user's name and email from his Apple account and places a Song or Artist in his library. For adding a Song to the library I found this apple-music-api library. To make requests on behalf of a user you need to request a user token with the Apple MusicKit JS library. For fetching the name and email of the user I use this oauth2 client that uses the Sign in with Apple functionality.

Problem

A. Using the Apple MusicKit... I cannot query any user profile data. At least I cannot seem to find an example of this. Is there a possibility to get the user's email and name using this route?

B. Using the Sign in with Apple OAuth flow I receive an access token which contains the name and email. But I cannot use the token to query the Apple Music API. It seems their scopes are limited to name and email... and no music or something. Is there a possibility to get a user token that can be used on the Music API?

C. Are there any other possibilities to accomplish this without requiring the user to sign in twice on Apple (once for the email and once for pushing the Song to his library)?

PS: I also asked this question on Stack Overflow: https://stackoverflow.com/questions/67649023/use-token-from-sign-in-with-apple-to-query-apple-music-api
Posted
by Ridder90.
Post not yet marked as solved
8 Replies
742 Views
Hi,

Starting from a .p8 file which contains both a private and a public key, I'm looking for the required steps to create a certificate, then create a JKS KeyStore, and finally import the certificate into the KeyStore. I've been searching on the Net without success. Maybe someone could help on this one?

Thank you
Posted
by David5781.
Post not yet marked as solved
0 Replies
321 Views
I am getting this error:

```
Error: The data is not obtainable due to following:{"data":null,"pagination":null,"error":{"errors":[{"messageCode":"FORBIDDEN","message":"Unable to get user context","field":""}]}}, STATUS_CODE: 403
```

I am a Data Engineer, and I am getting data for campaigns with keywords using the Apple Search Ads API. There is a long list of keywords, and it's so long that the access token expires, since it's set for one hour. So for every POST request I make, I change the access token, so could this be the issue, that I am changing it too many times...

I haven't made a refresh token because it needs a redirect_url, and I am not using this data for an app, it's for a data warehouse...

I hope someone can help me with this part.
Post not yet marked as solved
1 Replies
807 Views
Hi,

I have been working with the Reporter API 2.2 as outlined in the documentation here: https://help.apple.com/itc/contentreporterguide/en.lproj/static.html#itcbe21ac7db. Everything is working fine; however, I've noted that the access token has an expiry of 180 days, therefore I would like to automate the process of generating new tokens every so often so that I do not have to do this manually for the number of accounts that I am handling and the plethora of reports I am pulling out.

I've tried numerous methods to automate this but ultimately none has worked. The following tries result in an instant null response:

```
echo "user pass" | java -jar Reporter.jar p=Reporter.properties Sales.generateToken
echo "user\npass\n" | java -jar Reporter.jar p=Reporter.properties Sales.generateToken
java -jar Reporter.jar p=Reporter.properties Sales.generateToken < credentials.txt
(echo "user"; sleep 1; echo "pass") | java -jar Reporter.jar p=Reporter.properties Sales.generateToken
```

So directly piping does not work. I also wrote a shell script using a spawn/expect/send workflow; although it looks like the prompts are being answered in order, there is no output at the end:

```
#!/usr/bin/expect
spawn java -jar Reporter.jar p=Reporter.properties Sales.generateToken
expect "username";
send "user\n";
expect "password";
send "pass\n";
```

I also tried to write a Python script to achieve the same thing but seem to be getting the same problem.

Is this not allowed? Is there a workaround or native support? To me it doesn't seem like this command takes any additional arguments.

Thanks
Posted
by pet3rxz.
Post not yet marked as solved
0 Replies
377 Views
I've read in the documentation that the private relay and user identifier (sub) are team scoped. If I have 2 or more teams that have their separate Sign in with Apple service ids configured, each under their own (separate) team account, is there any way to unify these into one common service id so that the team-scoped user identifier is the same whether the user signs in through Team1-AppleServiceId1 or Team2-AppleServiceId2?
Posted
by Lorand_V.
Post marked as solved
4 Replies
1.2k Views
Hello,

I am working on the Apple sign-in verification process. Currently, I have a React Native iOS app that uses the @invertase/react-native-apple-authentication package to handle verification on the frontend. This seems to be working just fine. My iOS app Bundle Id is "com.appname.appname".

When the user signs in, I get an IdentityToken and an AuthorizationCode. I pass both of these values to the backend. The backend is a .NET Core API.

In the Apple Developer Portal, I created 1 key with the enabled service, "Sign In with Apple", and the Primary App Id points to my 1 app. Under Grouped App IDs, it points to my service, "com.appname.appnameservice". I downloaded the .p8 file from here and saved it for later. My KeyId is "T5LGCK354D".

Then, in Identifiers, I created 2. 1 App ID with the identifier "com.appname.appname". That also has "Sign In with Apple" and is linked to my primary app id. The other Identifier is a ServiceId and its Identifier name is "com.appname.appnameservice". It too has "Sign In with Apple" configured, pointed to my Primary app (com.appname.appname), and has 2 domains configured and 1 return url configured.

It is worth noting that I also configured Sign in with Apple for Email Communications, and my domain has a green check with SPF next to it.

Finally, in the backend, I have tried a bunch of things. Currently, my api has the following to generate the client secret:

```csharp
public string GenerateAppleClientSecret()
{
    string privateKey = "MIGTAgEAMBMGByqGSM49..............5rn4GrzFepyloJrr6ECn.....gYIKoZIzj0DAQehR......UZOi88Qdb8ZTU9zM4/jzt0pHZ9uU2HyAbK2//UA6.....mGqkKDqybf";
    string keyId = "T5LGCK354D"; //The 10-character key identifier from the portal.
    string clientId = "com.appname.appnameservice";
    string teamId = "SLT8SJ897V";

    JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
    var cngKey = CngKey.Import(Convert.FromBase64String(privateKey), CngKeyBlobFormat.Pkcs8PrivateBlob);
    var now = DateTime.UtcNow;

    var handler = new JwtSecurityTokenHandler();
    var token = handler.CreateJwtSecurityToken(
        issuer: teamId,
        audience: "https://appleid.apple.com",
        subject: new ClaimsIdentity(new List<Claim> {new Claim("sub", clientId)}),
        expires: DateTime.UtcNow.AddMinutes(5), // expiry can be a maximum of 6 months
        issuedAt: DateTime.UtcNow,
        notBefore: DateTime.UtcNow,
        signingCredentials: new SigningCredentials(new ECDsaSecurityKey(new ECDsaCng(cngKey)), SecurityAlgorithms.EcdsaSha256)
    );
    token.Header.Add("kid", keyId);

    return handler.WriteToken(token);
}
```

I have tried this too:

```csharp
public string GenerateAppleClientSecret()
{
    string privateKey = "MIGTAgEAMBMGByqGSM49..............5rn4GrzFepyloJrr6ECn.....gYIKoZIzj0DAQehR......UZOi88Qdb8ZTU9zM4/jzt0pHZ9uU2HyAbK2//UA6.....mGqkKDqybf";
    string keyId = "T5LGCK354D";
    string clientId = "com.appname.appnameservice";
    string teamId = "SLT8SJ897V";

    JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();

    //Import the key using a Pkcs8PrivateBlob.
    var cngKey = CngKey.Import(Convert.FromBase64String(privateKey), CngKeyBlobFormat.Pkcs8PrivateBlob);

    //Create new ECDsaCng object with the imported key.
    var ecDsaCng = new ECDsaCng(cngKey);
    ecDsaCng.HashAlgorithm = CngAlgorithm.ECDsaP256;

    //Create new SigningCredentials instance which will be used for signing the token.
    var signingCredentials = new SigningCredentials(new ECDsaSecurityKey(ecDsaCng), SecurityAlgorithms.EcdsaSha256);

    var now = DateTime.UtcNow;

    //Create new list with the required claims.
    var claims = new List<Claim>
    {
        new Claim("iss", teamId),
        new Claim("iat", EpochTime.GetIntDate(now).ToString(), ClaimValueTypes.Integer64),
        new Claim("exp", EpochTime.GetIntDate(now.AddMinutes(5)).ToString(), ClaimValueTypes.Integer64),
        new Claim("aud", "https://appleid.apple.com"),
        new Claim("sub", clientId)
    };

    //Create the JSON Web Token object.
    var token = new JwtSecurityToken(
        issuer: teamId,
        claims: claims,
        expires: now.AddMinutes(5),
        signingCredentials: signingCredentials);
    token.Header.Add("kid", keyId);

    //Return the JSON Web Token as a string.
    return tokenHandler.WriteToken(token);
}
```

Then to validate the token I have this:

```csharp
public async Task<AppleVerifySignInTokenResponse> ValidateSignInToken(...)
{
    try
    {
        using (var httpClient = new HttpClient())
        {
            httpClient.BaseAddress = "https://appleid.apple.com/auth/token";
            var jsonItem = JsonConvert.SerializeObject(new
            {
                client_id = "com.appname.appnameservice",
                client_secret = GenerateAppleClientSecret(),
                code = authorizationCode, // AuthorizationCode from frontend
                grant_type = "authorization_code",
                redirect_uri = "https://myredirecturi.com" // identical to the one in developer portal
            });
            var httpContent = new StringContent(jsonItem, Encoding.UTF8, "application/x-www-form-urlencoded");
            var response = await httpClient.PostAsync("", httpContent).ConfigureAwait(false);
            if (response.IsSuccessStatusCode == true && response.Content != null)
            {
                var json = response.Content.ReadAsStringAsync().Result;
                return JsonConvert.DeserializeObject<AppleVerifySignInTokenResponse>(json);
            }
            return null;
        }
    }
    catch (Exception ex)
    {
        return null;
    }
}
```

The response from above keeps returning "invalid_client" no matter what I do... I have tried changing the clientId from "com.appname.appnameservice" to "com.appname.appname", in some of the places and all of the places. I have tried generating a new .p8 file and using that.

Any ideas? I have spent probably a week on this :'(

Thanks!

Note: The private key has a bunch of periods in it because I wanted to redact most of the content. I will generate a new one once I get this working.

Also, this is kind of insane. If Apple is going to require us to support Apple sign in, they need better documentation and error messages. There seem to be so many developers lost on what to do, with very little success.
Posted
by jwags.
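
The token exchange this post describes, as an added example that is not the poster's code or Apple's sample: the client secret is signed with the cross-platform `ECDsa` class (swapped in here for the post's `CngKey`), and the fields are sent with `FormUrlEncodedContent`, whereas the posted code serialises them to a JSON string under a form content type. The class and method names are assumptions, and the key is passed in as a parameter instead of being embedded in source.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static class AppleTokenExample // hypothetical name, not from the post
{
    static string B64Url(byte[] b) => // base64url without padding, as JWS requires
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // pkcs8Base64: body of the .p8 file without its PEM header/footer lines,
    // read from a secret store or environment at run time, never from source.
    public static string BuildClientSecret(string teamId, string clientId,
        string keyId, string pkcs8Base64, TimeSpan lifetime)
    {
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        string header = JsonSerializer.Serialize(
            new Dictionary<string, object> { ["alg"] = "ES256", ["kid"] = keyId });
        string payload = JsonSerializer.Serialize(new Dictionary<string, object>
        {
            ["iss"] = teamId, ["iat"] = now, ["exp"] = now + (long)lifetime.TotalSeconds,
            ["aud"] = "https://appleid.apple.com", ["sub"] = clientId
        });
        string signingInput = B64Url(Encoding.UTF8.GetBytes(header)) + "."
                            + B64Url(Encoding.UTF8.GetBytes(payload));
        using var ecdsa = ECDsa.Create();
        ecdsa.ImportPkcs8PrivateKey(Convert.FromBase64String(pkcs8Base64), out _);
        // ECDsa.SignData returns fixed-width r||s, the signature form ES256 uses.
        byte[] sig = ecdsa.SignData(Encoding.ASCII.GetBytes(signingInput), HashAlgorithmName.SHA256);
        return signingInput + "." + B64Url(sig);
    }

    // Sends the fields as real form pairs and returns the body even on failure,
    // because it carries the OAuth error code (for example invalid_client).
    public static async Task<string> ExchangeCodeAsync(HttpClient http,
        string clientId, string clientSecret, string code, string redirectUri)
    {
        using var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["client_id"] = clientId, ["client_secret"] = clientSecret,
            ["code"] = code, ["grant_type"] = "authorization_code",
            ["redirect_uri"] = redirectUri
        });
        using var response = await http.PostAsync("https://appleid.apple.com/auth/token", form);
        return await response.Content.ReadAsStringAsync();
    }
}
```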
Post not yet marked as solved
0 Replies
399 Views
I have followed all the steps in the documentation below using C#. I am able to generate the client secret token. However, I am receiving an error saying "Invalid Client" while generating the access token.

Link: https://developer.apple.com/documentation/apple_search_ads/implementing_oauth_for_the_apple_search_ads_api

Can someone help me with this?
Posted
by Bhavyaka.