Hello, we implemented Apple Sign-In in our website long ago, and it worked well. Recently we have found a strange behaviour. The first time we make the request to the /auth/token endpoint we get an invalid_client error. Our client id is com.spicysparks.service.id If we make a request another time with exactly the same data it works fine. We noticed we get this error only when we try a newly generated client secret for the first time.

We are trying to integrate "Sign in with Apple" and are facing an issue where all users who chose to use Apple's private relay with the hide my email feature are unable to receive any mail sent by us. We have added our domain, mail from domain & email address to https://developer.apple.com/account/resources/services/configure and also verified the SPF. We also have DKIM setup. We use SES as our email provider and have added its SPF as recommended aswell. I have attached a sample delivery log from SES below. {"notificationType":"Delivery","mail":{"timestamp":"2024-01-17T10:20:07.592Z","source":"\"Redacted\" <admin@redacted>","sourceArn":"arn:aws:ses:ap-south-1:redacted:identity/redacted","sourceIp":"34.redacted","callerIdentity":"redacted-ses","sendingAccountId":"redacted","messageId":"redacted","destination":["redacted@privaterelay.appleid.com"]},"delivery":{"timestamp":"2024-01-17T10:20:12.385Z","processingTimeMillis":4793,"recipients":["redacted@privaterelay.appleid.com"],"smtpResponse":"250 2.0.0 Ok: queued as redacted","remoteMtaIp":"redacted","reportingMTA":"redacted.smtp-out.ap-south-1.amazonses.com"}}

I'm trying to set up Sign In With Apple on my .NET 7 Web App (Not sure how many people here use this). I followed the guide by Scott Brady here: https://www.scottbrady91.com/openid-connect/implementing-sign-in-with-apple-in-aspnet-core It reaches Apple Sign In OK, authenticates, and passes back to my server, but the callback responds with this error. OpenIdConnectProtocolException: Message contains error: 'invalid_client', error_description: 'error_description is null', error_uri: 'error_uri is null'. Googling hasn't helped much, other than I saw a post saying to wait 48 hours, which I have now done (not that that makes sense anyway). Any idea whats been done wrong? Code below, replacing sensitive data. Startup.cs .AddOpenIdConnect("apple", async options => { options.Authority = "https://appleid.apple.com"; // disco doc: https://appleid.apple.com/.well-known/openid-configuration options.ClientId = "com.rackemapp.applelogin"; // Service ID options.CallbackPath = "/signin-apple"; // corresponding to your redirect URI options.ResponseType = "code id_token"; // hybrid flow due to lack of PKCE support options.ResponseMode = "form_post"; // form post due to prevent PII in the URL options.UsePkce = false; // apple does not currently support PKCE (April 2021) options.DisableTelemetry = true; options.Scope.Clear(); // apple does not support the profile scope options.Scope.Add("openid"); options.Scope.Add("email"); options.Scope.Add("name"); options.Events.OnAuthorizationCodeReceived = context => { context.TokenEndpointRequest.ClientSecret = AppleTokenGenerator.CreateNewToken(); return Task.CompletedTask; }; }); Apple Token Generator public static class AppleTokenGenerator { public static string CreateNewToken() { const string iss = "[MyTeamId]"; // your account's team ID found in the dev portal const string aud = "https://appleid.apple.com"; const string sub = "com.rackemapp.applelogin"; // same as client_id var now = DateTime.UtcNow; // contents of your .p8 file const string privateKey = "[MyKey]"; var ecdsa = ECDsa.Create(); ecdsa?.ImportPkcs8PrivateKey(Convert.FromBase64String(privateKey), out _); var handler = new JsonWebTokenHandler(); return handler.CreateToken(new SecurityTokenDescriptor { Issuer = iss, Audience = aud, Claims = new Dictionary<string, object> { { "sub", sub } }, Expires = now.AddMinutes(5), // expiry can be a maximum of 6 months - generate one per request or re-use until expiration IssuedAt = now, NotBefore = now, SigningCredentials = new SigningCredentials(new ECDsaSecurityKey(ecdsa), SecurityAlgorithms.EcdsaSha256) }); } } Also attached, images of my keys and setp in developer portal

Hello community, In our application, we've implemented Apple ID for user authentication. Unfortunately, we forgot to register the associated domains and communication email addresses. This oversight has led to complications in email delivery via the private relay service. We've taken steps to fix the issue by reconfiguring the domains and communication email addresses. Post-adjustment, new user registrations are functioning properly. However, for users who registered before this fix, the problem persists. We followed the instructions provided on https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/communicating_using_the_private_email_relay_service, and we also have SPF configured, which has passed validation in our administration. Has anyone encountered a similar issue, and if so, how did you resolve it? Any insights or guidance would be greatly appreciated.

hello. I am using the app with webview. When I log in to Apple, a typeerror appears. How can I solve this? TypeError: this.attr(...).serialize is not a function at u.get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:691:77511) at t.getValueAndBind (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:145:1485) at e.Compute._on (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:3608) at e.Compute.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:2378) at e.Compute._bindsetup (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:145:3277) at e.bindAndSetup [as bind] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:131:200) at e.Compute.temporarilyBind (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:3888) at e.Compute.get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:2827) at Object.u [as compute] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:117:194) at u.___get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:59:1930) TypeError: Cannot read properties of undefined (reading 'serialize') at u.inserted (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:691:116897) at HTMLElement.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:187:673) at HTMLElement.dispatch (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:39204) at v.handle (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:37199) at Object.trigger (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:67752) at Object.trigger (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:224:258) at e.inserted (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:290:412) at t.each.e.fn.<computed> [as append] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:224:2129) at O.fn.init.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:46985) at W (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:28565)

hello. I am using the app with webview. When I log in to Apple, a typeerror appears. How can I solve this? TypeError: this.attr(...).serialize is not a function at u.get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:691:77511) at t.getValueAndBind (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:145:1485) at e.Compute._on (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:3608) at e.Compute.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:2378) at e.Compute._bindsetup (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:145:3277) at e.bindAndSetup [as bind] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:131:200) at e.Compute.temporarilyBind (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:3888) at e.Compute.get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:2827) at Object.u [as compute] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:117:194) at u.___get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:59:1930) TypeError: Cannot read properties of undefined (reading 'serialize') at u.inserted (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:691:116897) at HTMLElement.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:187:673) at HTMLElement.dispatch (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:39204) at v.handle (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:37199) at Object.trigger (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:67752) at Object.trigger (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:224:258) at e.inserted (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:290:412) at t.each.e.fn.<computed> [as append] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:224:2129) at O.fn.init.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:46985) at W (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:28565)

Hi, I need to make a "Sign with apple" button. I followed all the instructions and I managed to get apple's response with id_token. I have to continue testing the application but I no longer get the "user" object (name, lastname). How can I get the user object back to continue development?

The revoke tokens endpoint (/auth/revoke) is the only way to programmatically invalidate user tokens associated to your developer account without user interaction. This endpoint requires either a valid refresh token or access token for invalidation, as Sign in with Apple expects all apps to securely transmit and store these tokens for validation and user identity verification while managing user sessions. If you don’t have the user’s refresh token, access token, or authorization code, you must still fulfill the user’s account deletion request and meet the account deletion requirement. You'll need to follow this workaround to manually revoke the user credentials: Delete the user’s account data from your systems. Direct the user to manually revoke access for your client. Respond to the credential revoked notification to revert the client to an unauthenticated state Important: If the manual token revocation isn’t completed, the next time the user authenticates with your client using Sign in with Apple, they won’t be presented with the initial authorization flow to enter their full name, email address, or both. This is because the user credential state managed by Sign in with Apple remains unchanged and returns the.authorizedcredential state, which may also result in the system auth UI displaying the “Continue with Apple” button. Respond to the credential revoked notification Once the user’s credentials are revoked by Apple, your client will receive a notification signaling the revocation event:  For apps using the Authentication Services framework to implement Sign in with Apple, register to observe the notification named credentialRevokedNotification. For web services, if an endpoint is registered for server-to-server notifications, Apple broadcasts a notification to the specified endpoint with the consent-revokedevent type. When receiving either notification, ensure you’ve already performed the following operations to meet the requirements of account deletion: Deleted all user-related account data, including: The token used for token revocation; Any user-related data stored in your app servers; and Any user-related data store in the Keychain or securely on disk in the native app or locally on web client. Reverted the client to an unauthenticated state. Securely store user tokens for account creations For all new user account creations, follow the expected authorization flow below: Securely transmit the identity token and authorization code to your app server. Verify the identity token and validate the authorization code using the /auth/token endpoint.  Once the authorization code is validated, securely store the token response — including the identity token, refresh token, and access token. Validate the refresh token up to once per day with Apple servers (to manage the lifetime of your user session and for future token revocation requests), and obtain access tokens (for future token revocation, app transfer, or user migration requests). For information about verifying an identity token and validating tokens, visit Verifying a user and Generate and validate tokens. If you have questions about implementing these flows, including client authorization, token validation, or token revocation, please submit a Technical Support Incident.

My existing chrome extension has "Sign in with Apple" given that we have iOS users. When user clicks "Continue with Apple" button in the extension log in pop up, this is what we do: javascript window.open( 'https://appleid.apple.com/auth/authorize?client_id=' + clientID + '&amp;redirect_uri=' + backEndURL + '&amp;response_type=id_token%20code&amp;response_mode=form_post&amp;scope=email%20name', 'Sign in with Apple', 'height=500,width=400,left=600,top=200,status=no,location=no,toolbar=no,menubar=no' ) In chrome, this opens a popup window with that URL. In Safari Converted Web Extension, it opens custom Apple sign in flow, where it says: "Do you want to sign in to XXX with your Apple ID YYY?" and then with my mac password I'm able to authenticate. Afterwards, nothing happens. Expected: a redirect to the URL specified in the window.open. Now let's do a trick: I'll wrap the above window.open code into javascript setTimeout (() = {window.open (...)}, 3000) Because of security reasons, safari then won't open the popup after 3s and will display a notification in the toolbar "Popup blocked..". If we allow the popup, then it finally opens as a normal window popup and after sign in, it redirects to our backend and it successfully authenticates. Any ides what how to solve this? P.S. We're not able to use embedded Sign in with Apple JS - https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple script because we can't host a remote code in the extension (it will be deprecated soon). So, we arere using this. - https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/incorporating_sign_in_with_apple_into_other_platforms