Post marked as Apple Recommended
In the server-side verification link of Sign in Apple ID, we only obtain the public key from the Apple server and verify the JWT validity of the IdentityToken, which is regarded as a successful login. The AuthorizationCode is not further verified and the Token is obtained and saved.
However, Apple now requires calling the revoke token endpoint when deleting the user. We did not hold the Token before.
Is there no need to call the revoke token interface when the user deletes the account?
Will the APP review fail due to this?
Post not yet marked as solved
I cannot get Apple sign in to post to my redirectURI if I set usePopup: true. When I set it to false, I am able to get it to work with no problems.
I am not doing any of this on localhost and everything is HTTPS, so I don't think that is the issue.
Here is the error message I get in the Safari console (it does not show up in Firefox or Chrome) when I successfully sign in to Apple and press Continue:
Unable to post message to https://my-staging-site.soundstripe.com. Recipient has origin https://ea88-2601-1c2-780-c240-e9ee-17e4-e1c4-7cbd.ngrok.io.
index.js:29
And here is my implementation
    AppleID.auth.init({
        clientId: "com.soundstripe.web",
        scope: "name email",
        redirectURI: "https://my-staging-site.com/auth/apple",
        nonce: String(Date.now()),
        usePopup: true,
    })

    const appleAuth = async () => {
        const response = await window.AppleID.auth.signIn()
        return response
    }
Post not yet marked as solved
Hi Apple Developers,
I'm facing a very bad issue because I read so many guides and tutorials and nothing works. The result is always the same: {"error":"invalid_client"}
I get the code, identityToken and everything I need - except the call to https://appleid.apple.com/auth/token - because of invalid_client.
Here is my url for getting the code.
https://appleid.apple.com/auth/authorize?response_type=code&client_id=org.example.service&redirect_uri=https%3A%2F%2Fexample.org
So then I have the default workflow. And after accepting / logging in I will be redirected to my page.
https://example.org/?code=a277243e2ec324fb09ba1c3333a8e6576.0.abcde.u4xiTDP2qHXoNEaxrcrIGx
(When I'm using the JavaScript API I'll get other information like state, code and id_token. I already tried it with the "code" there, too.)
Back to the main function. This is my request for Apple.
    'client_id' => 'org.example.service',
    'client_secret' => JWT-Data encoded (OPENSSL_ALGO_SHA256) see below
    'grant_type' => 'authorization_code',
    'code' => 'a277243e2ec324fb09ba1c3333a8e6576.0.abcde.u4xiTDP2qHXoNEaxrcrIGx'
JWT Header:
    {
        "alg": "ES256",
        "kid": "1ABC2345DE"
    }
JWT Payload:
    {
        "iss": "1A234BCD56",
        "iat": 1571269964,
        "exp": 1571273564,
        "aud": "https://appleid.apple.com",
        "sub": "org.example.service"
    }
Response:
    {
        "error": "invalid_client"
    }
The most useless error message in the world. I don't know why the client should be invalid.
I have a key in https://developer.apple.com/account/resources/authkeys/list with downloaded file name AuthKey_1ABC2345DE.p8 (meaning 1ABC2345DE is my key id). Then I have a native iOS app with identifier "org.example" and a service with identifier "org.example.service". It's not working with both ids and mixed different things. Nothing. invalid_client.
Can anyone help me please? I'm sitting here for hours and getting only invalid_client 😭
"Sign in with Apple" implemented about a month ago worked well, but suddenly the following error began to occur on the 27th.No changes have been made so far.I tested it like this,1. i got authorization code using Service IDService ID is set correctly :Presumably the Services IDs/App IDs all need to be associated with the same primary App ID. The key is then associated to that group via the primary App ID too.i tried authorization code with Service ID using chrome browser :https://appleid.apple.com/auth/authorize?response_type=code&response_mode=form_post&client_id={corrected service id}&redirect_uri={registered redirect uri}&state=test_0001&scope=emailsuccessfully got the code.and requested api immately(The code is single use only and valid for five minutes)2. and then, i tried validate the authorization grant code to obtain tokenscurl -X "POST" "https://appleid.apple.com/auth/token?client_id={corrected service id}&client_secret={corrected client_secret}&code={corrected code}&grant_type=authorization_code"3. response is fails with an invalid_grant error, 400 status,
invalid_granti tried get authorization code and validate the authorization grant code both using same service idis not invalid_client error, and client secret is not expired too.My decoded token looks like the following :"iss": "XFY******","iat": 1584347794,"exp": 1599899794,"aud": "https://appleid.apple.com","sub": "{service_id}"same test was working well for nearly two months. However, it is currently failing.I am having a hard time to solve this problemHas anyone experienced the same problem at about the same time?
Post not yet marked as solved
Hi, a couple of weeks ago I had a conversation with App Review regarding the fact that the app is required to provide a way for the user to delete their account (and related resources).
In our app we already provide this functionality for users worldwide. Is it sufficient to have our deletion, or must we also use the revocation from Apple in the deletion process?
We use Sign in with Apple functionality in our application.
Once we delete the user on our side, isn't the token invalid/unusable anyway?
Moreover, we don't store the token at all on sign up. Should we just revoke it right away, perhaps?
Post not yet marked as solved
Hi, I'm implementing SIWA in an existing app. The app has a function to delete the user account; the problem comes when I want to delete the account from SIWA too, as there is no API to do that. Anyway, I can handle that: I just delete the data from my server, and when the user logs in again with SIWA I register him again. But the problem is that with SIWA you can only get the name and email the first time you sign in, so if the user deleted the account I cannot get the name or the user's e-mail again for the registration.
Is there any workaround for this?
Thanks in advance.
Post not yet marked as solved
Hi All,
We implemented Sign in with Apple a year ago and we never used an authorization code to get access and refresh tokens, as we never needed that. We stored an identity token and a user identifier for our purpose, and using these two we managed to do signup on our own server. Now the problem is:
How can I get an access token without asking users to sign in again?
If I log out and sign in again, I get a new authorization code, and when using this code I get an invalid grant error with an "invalid token" or "token expired" error message.
One thing I found is that if I manually go to Settings and tap "Stop using App", after this we get an access token and refresh token in the (https://appleid.apple.com/auth/token) API response using the authorization code.
So my main problem is: how can I get an access code for existing users?
I want to use Apple sign in in my app but I keep getting invalid redirect URL.
Is it because of the domain and subdomain, as I don't have any domain? And how do I overcome it?
Does registering a domain for sign in with Apple apply to all subdomains?
Hello,
We're working on adding Apple sign in to our login page, but just today started getting an "invalid_request" with every request. There haven't been any changes to our service ID, etc., and we are using the same info that was working previously. Is there any way to get more information about what specifically is causing an issue? Or a system status to check if there's a more general problem?
Our URL:
https://appleid.apple.com/auth/authorize?response_type=code&redirect_uri=REDIRECT&scope=name%20email&state=STATE&client_id=CLIENT
Thank you
Post not yet marked as solved
https://appleid.apple.com/auth/token
The valid time of access_token is 3600 seconds. How long is the valid time of refresh_token?
Post not yet marked as solved
Hi,
My app is refusing to move past the login screen for some strange reason. Both Apple and Google sign in are not working.
My app has been working properly for almost a year and this issue appeared suddenly over the last week. Is there anything you suggest I should check before I start looking for a developer to help? This seems a little bit past my noob skills and I need your help!
Thank you
Post not yet marked as solved
I am trying to generate an access token according to https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens for Apple sign in and revoke it afterwards. However, I always get "{"error":"invalid_client"}". What am I doing wrong?
    import Foundation
    import CryptoKit
    import Security

    // `keychain` is the poster's keychain wrapper (not shown here); `log` stands in
    // for the poster's logging helper so that the rest of the snippet compiles.
    func log(_ format: String, _ args: CVarArg...) {
        print(String(format: format, arguments: args))
    }

    func validateTokens(completion: (([String: Any]?, Error?) -> Void)? = nil) {
        guard let code = keychain["code"],
              let userId = Bundle.main.bundleIdentifier
        else {
            log("Failed getting token")
            return
        }
        let params: [String: String]
        do {
            let key = try privateKey()
            let token = try jwtSignedToken(sub: userId, ecSECp256rPrivateKey: key)
            params = [
                "client_id": userId, // for a native app the client_id is the bundle ID
                "client_secret": token,
                "code": code, // the authorization code has to be sent as well
                "grant_type": "authorization_code",
            ]
        } catch {
            completion?(nil, error)
            return
        }
        let url = URL(string: "https://appleid.apple.com/auth/token")!
        var request = URLRequest(url: url)
        request.httpMethod = "POST"
        // The token endpoint expects an application/x-www-form-urlencoded body, not JSON.
        var form = URLComponents()
        form.queryItems = params.map { URLQueryItem(name: $0.key, value: $0.value) }
        request.httpBody = form.percentEncodedQuery?.data(using: .utf8)
        request.addValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type")
        let task = URLSession.shared.dataTask(with: request) { data, response, error in
            if let error = error {
                log("%@", error.localizedDescription)
                completion?(nil, error)
                return
            }
            guard let http = response as? HTTPURLResponse, let data = data else {
                completion?(nil, URLError(.badServerResponse))
                return
            }
            // Apple answers with JSON either way: tokens on 2xx, error/error_description otherwise.
            let body = (try? JSONSerialization.jsonObject(with: data)) as? [String: Any]
            guard (200...299) ~= http.statusCode else {
                log("statusCode should be 2xx, but is %@", "\(http.statusCode)")
                log("response = %@", "\(body ?? [:])")
                completion?(body, URLError(.badServerResponse))
                return
            }
            log("token just has generated")
            completion?(body, nil)
        }
        task.resume()
    }

    extension Data {
        // Decodes base64url (RFC 4648 §5): restore "+" and "/" and re-add the padding.
        init?(base64URLEncodedString: String) {
            let unpadded =
                base64URLEncodedString
                .replacingOccurrences(of: "-", with: "+")
                .replacingOccurrences(of: "_", with: "/")
            let padCount: Int
            switch unpadded.count % 4 {
            case 0: padCount = 0
            case 1: return nil
            case 2: padCount = 2
            case 3: padCount = 1
            default: fatalError()
            }
            self.init(base64Encoded: unpadded + String(repeating: "=", count: padCount))
        }

        // Encodes as base64url without padding, which is what JWT segments use.
        var base64URLEncodedString: String {
            let base64 = self.base64EncodedString()
            return String(base64.split(separator: "=").first!)
                .replacingOccurrences(of: "+", with: "-")
                .replacingOccurrences(of: "/", with: "_")
        }
    }

    func jwtHeader(kid: String) -> String {
        struct Header: Codable {
            var alg: String
            var kid: String
        }
        let header = Header(alg: "ES256", kid: kid)
        return (try? JSONEncoder().encode(header).base64URLEncodedString) ?? ""
    }

    func jwtPayload(iss: String, sub: String, exp: Date) -> String {
        // We round the expiry date up because it's not clear how servers are going
        // to cope with fractional values.
        let exp = Date(timeIntervalSinceReferenceDate: exp.timeIntervalSinceReferenceDate.rounded(.up))
        struct Payload: Codable {
            var iss: String
            var exp: Date
            var iat: Int
            var aud: String
            var sub: String
        }
        // iat is the time of issue, so it must be "now", not a fixed value from the past.
        let payload = Payload(iss: iss, exp: exp, iat: Int(Date().timeIntervalSince1970),
                              aud: "https://appleid.apple.com", sub: sub)
        let encoder = JSONEncoder()
        encoder.dateEncodingStrategy = .secondsSince1970
        return (try? encoder.encode(payload).base64URLEncodedString) ?? ""
    }

    // kid and iss default to placeholders; replace them with the key ID of the .p8 and the Team ID.
    func jwtSignedToken(
        kid: String = "keyId", iss: String = "teamId", sub: String = Bundle.main.bundleIdentifier ?? "",
        exp: Date = Date().addingTimeInterval(120),
        ecSECp256rKeyK keyK: Data
    ) throws -> String {
        let header = jwtHeader(kid: kid)
        let payload = jwtPayload(iss: iss, sub: sub, exp: exp)
        let signingInput = "\(header).\(payload)"
        let privateKey = try P256.Signing.PrivateKey(rawRepresentation: keyK)
        // rawRepresentation is the 64-byte R||S form that ES256 requires (not DER).
        let sig = try privateKey.signature(for: Data(signingInput.utf8)).rawRepresentation
        return "\(signingInput).\(sig.base64URLEncodedString)"
    }

    func privateKey() throws -> SecKey {
        // Raw EC private key in the form 04 || X || Y || K; generate it as described in
        // https://developer.apple.com/forums/thread/681267. Left empty here on purpose.
        let privateKeyRawBytes = [UInt8]([
        ])
        var error: Unmanaged<CFError>?
        guard let privateSecKey = SecKeyCreateWithData(
            Data(privateKeyRawBytes) as CFData,
            [
                kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
                kSecAttrKeyClass: kSecAttrKeyClassPrivate,
            ] as NSDictionary, &error)
        else {
            throw (error?.takeRetainedValue() as Error?)
                ?? NSError(domain: NSOSStatusErrorDomain, code: Int(errSecParam))
        }
        return privateSecKey
    }

    func jwtSignedToken(
        kid: String = "keyId", iss: String = "teamId", sub: String = Bundle.main.bundleIdentifier ?? "",
        exp: Date = Date().addingTimeInterval(120),
        ecSECp256rPrivateKey privateKey: SecKey
    ) throws -> String {
        var errorCF: Unmanaged<CFError>?
        guard let keyData = SecKeyCopyExternalRepresentation(privateKey, &errorCF) as Data? else {
            throw errorCF!.takeRetainedValue()
        }
        // The external representation is 04 || X || Y || K; the last 32 bytes are the scalar K.
        let keyK = keyData.suffix(0x20)
        return try jwtSignedToken(kid: kid, iss: iss, sub: sub, exp: exp, ecSECp256rKeyK: keyK)
    }
Post not yet marked as solved
Hi,
We are using "Sign in with Apple" to onboard users to our system. We need to send instructions to the user using the email provided at signup. We use Mandrill in the backend to send emails. I have configured the sender email in "Individual Email Addresses" under "Certificates, Identifiers & Profiles" in the developer account (& it shows a green check mark). The emails sent to private relay addresses (e.g. xxxxxprm23@privaterelay.appleid.com) bounce. I have verified another email using gmail & it works fine.
Am I missing some settings?
-------------Bounce message from Mandrill-----------------------------------
Received: from mail178-28.suw51.mandrillapp.com (unknown [198.2.178.28]) by relay-3.us-west-2.relay-prod (Postfix) with ESMTPS id C5BCA20EF5 for <bounce-md_31096458.5d52843d.v1-61f4bb207bb443e7a3d9e4482eb7beb3@mandrillapp.com>; Tue, 13 Aug 2019 09:34:54 +0000 (UTC)
Date: Tue, 13 Aug 2019 09:34:54 +0000
From: postmaster@mail178-28.suw51.mandrillapp.com
Subject: Delivery report
To: bounce-md_31096458.5d52843d.v1-61f4bb207bb443e7a3d9e4482eb7beb3@mandrillapp.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="report5D52843E@mail178-28.suw51.mandrillapp.com"

--report5D52843E@mail178-28.suw51.mandrillapp.com
Content-Type: text/plain

Hello, this is the mail server on mail178-28.suw51.mandrillapp.com.
I am sending you this message to inform you on the delivery status of a message you previously sent. Immediately below you will find a list of the affected recipients; also attached is a Delivery Status Notification (DSN) report in standard format, as well as the headers of the original message.

<xxxxxprm23@privaterelay.appleid.com> delivery failed; will not continue trying

--report5D52843E@mail178-28.suw51.mandrillapp.com
Content-Type: message/delivery-status

Reporting-MTA: dns;mail178-28.suw51.mandrillapp.com
X-PowerMTA-VirtualMTA: mail178-28.suw51.mandrillapp.com
Received-From-MTA: dns;pmta05.mandrill.prod.suw01.rsglab.com (127.0.0.1)
Arrival-Date: Tue, 13 Aug 2019 09:34:53 +0000

Final-Recipient: rfc822;xxxxxprm23@privaterelay.appleid.com
Action: failed
Status: 5.1.1 (bad destination mailbox address)
Remote-MTA: dns;smtp4.privaterelay.appleid.com (17.57.8.145)
Diagnostic-Code: smtp;550 5.1.1 bad mailbox name
X-PowerMTA-BounceCategory: bad-mailbox

--report5D52843E@mail178-28.suw51.mandrillapp.com
Content-Type: text/rfc822-headers

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=mandrill; d=oya.world; h=From:Subject:List-Unsubscribe:To:Message-Id:Date:MIME-Version:Content-Type; i=welcome@oya.world; bh=Ops6f/AgWvI27tyFlbRhsYYWTqOPpMm/99FtJ/vbAkU=; b=ZyT9AzPQ4TJM+s0zXmp9FZyQOLWH2g8FF424o84vD9z3gaNgBL8UuTt9ZLVqDUvpNT4Zgl1lx2Zt s1l++42QqfiKzNs/k+EEkhukc4wO6aO0N/ETiVx88HPDO5L3sHnaFh7AR/7ibvcepdgi/wLu1Oi2 kwRyG1yYZeoKbgMxFQo=
Received: from pmta05.mandrill.prod.suw01.rsglab.com (127.0.0.1) by mail178-28.suw51.mandrillapp.com id haa23s22s10h for <xxxxxprm23@privaterelay.appleid.com>; Tue, 13 Aug 2019 09:34:53 +0000 (envelope-from <bounce-md_31096458.5d52843d.v1-61f4bb207bb443e7a3d9e4482eb7beb3@mandrillapp.com>)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandrillapp.com; i=@mandrillapp.com; q=dns/txt; s=mandrill; t=1565688893; h=From : Subject : List-Unsubscribe : To : Message-Id : Date : MIME-Version : Content-Type : From : Subject : Date : X-Mandrill-User : List-Unsubscribe; bh=Ops6f/AgWvI27tyFlbRhsYYWTqOPpMm/99FtJ/vbAkU=; b=j7KbsqOEd5ne5OxhO1V1d3jrClWzwhaQ+i6PVGLzgM7MoOYiSBRhK5PCmPIJsxSiigqDhxRlVQBLmcKVo0f/m+/qtxV0cU0oODP4YsZnc8b4uDhxjSKQBG0kUiFg5FTagNWmqKAAfdVEmLFVL780ppE+A+W+FoMVMEW3Bvk7H74=
From: "[TEST] OYA" <welcome@oya.world>
Subject: [TEST] Download OYA Data-only eSIM using this QR code
Return-Path: <bounce-md_31096458.5d52843d.v1-61f4bb207bb443e7a3d9e4482eb7beb3@mandrillapp.com>
List-Unsubscribe: <mailto:unsubscribe-md_31096458.5d52843d.v1-61f4bb207bb443e7a3d9e4482eb7beb3@mailin1.us2.mcsv.net?subject=unsub>
To: <xxxxxprm23@privaterelay.appleid.com>
X-Report-Abuse: Please forward a copy of this message, including all headers, to abuse@mandrill.com
X-Report-Abuse: You can also report abuse here: http://mandrillapp.com/contact/abuse?id=31096458.61f4bb207bb443e7a3d9e4482eb7beb3
X-Mandrill-User: md_31096458
Message-Id: <31096458.20190813093453.5d52843d50edc9.32051422@mail178-28.suw51.mandrillapp.com>
Date: Tue, 13 Aug 2019 09:34:53 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_av-aFtqyPtvVIKqh7D4k70iuw"

--report5D52843E@mail178-28.suw51.mandrillapp.com--
Post not yet marked as solved
The requirement to revoke authorization tokens when a user deletes their account for an iOS app requires two API calls to the appleid.apple.com framework. The first requires passing the authorization code to /auth/token, which returns a token that can be used to revoke app credentials. But this code is returned as part of the sign-in authentication and expires in 5 minutes. So, if a user signs in, has an app session for longer than 5 minutes, and then wants to delete their account, how is this managed? Would they need to sign in again to Apple to get a valid code that can be used to revoke authentication? Is there any other way to get a "fresh" authorization code?
Post not yet marked as solved
We are not able to retrieve name, address and ethnicity after using Sign in with Apple.
We are able to get email only. May I know where we can get resources to retrieve this information? Please advise.
Post not yet marked as solved
Do we have to offer user ways to delete game center?
If we do, then how do we do it?
Is there any documents for reference?
Thanks
Post not yet marked as solved
Hi all.
In order to prepare for the new "Account deletion guidance", I have been trying to retrieve access_token and refresh_token from the authorization_code, but the POST request to https://appleid.apple.com/auth/token always results in an invalid_grant error.
https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens
I've tested with fresh authorization_codes that were not expired and generated by actual devices (not simulators), but I always end up with "The code has expired or has been revoked" message. Can somebody please help?
{"error":"invalid_grant","error_description":"The code has expired or has been revoked."}%
Here's my request via cURL.
    # -X selects the method; without it curl treats "POST" as a second URL.
    curl -v -X POST "https://appleid.apple.com/auth/token" \
      -H 'content-type: application/x-www-form-urlencoded' \
      -d 'client_id={bundle_id}' \
      -d 'client_secret={new JWT string}' \
      -d 'code={authorization_code}' \
      -d 'grant_type=authorization_code'
Here are the headers and claims for generating a new JWT string.
    headers = {
      'kid' => private_key_id (.p8),
    }
    claims = {
      'iss' => team_id,
      'iat' => Time.now.to_i,
      'exp' => Time.now.to_i + 86400*180,
      'aud' => 'https://appleid.apple.com',
      'sub' => bundle_id,
    }
For alg I'm using ES256.
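The posts above that end in invalid_client or invalid_grant, and the first post on this page that verifies the identity token on the server, all revolve around the same two JWT operations: signing the client_secret with the .p8 key (ES256, header with kid, claims iss/iat/exp/aud/sub, exp at most six months out) and checking the ES256 signature plus claims on the identity token Apple returns. The Go program below is an added example written for this page; it is not code from any of the posters, from Apple, or from a library. It uses only the standard library, generates a throwaway P-256 key in place of the real AuthKey_<KEY_ID>.p8 (so the same key stands in for Apple's public key on the verify side; in production that key is one of the JWKs Apple publishes at https://appleid.apple.com/auth/keys, selected by the token's kid), and uses TEAM_ID_PLACEHOLDER, KEY_ID_PLACEHOLDER and CODE_PLACEHOLDER where real account values would go. It also builds the token-request body as a form-encoded string, which is what /auth/token accepts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

const appleIssuer = "https://appleid.apple.com"

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signES256 builds header.payload.signature: SHA-256 over the signing input and
// the signature as a raw 64-byte R||S value (a DER-encoded signature is rejected).
func signES256(header, claims interface{}, key *ecdsa.PrivateKey) (string, error) {
	h, _ := json.Marshal(header)
	p, _ := json.Marshal(claims)
	input := b64url(h) + "." + b64url(p)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64url(sig), nil
}

// ClientSecret is the JWT sent as client_secret: iss = Team ID, kid = ID of the
// downloaded .p8 key, sub = the client_id (Service ID on the web, bundle ID natively).
func ClientSecret(teamID, keyID, clientID string, now time.Time, lifetime time.Duration, key *ecdsa.PrivateKey) (string, error) {
	if lifetime <= 0 || lifetime > 15777000*time.Second { // Apple's cap: six months
		return "", fmt.Errorf("client_secret lifetime %v must be positive and at most six months", lifetime)
	}
	header := map[string]string{"alg": "ES256", "kid": keyID}
	claims := map[string]interface{}{"iss": teamID, "iat": now.Unix(), "exp": now.Add(lifetime).Unix(), "aud": appleIssuer, "sub": clientID}
	return signES256(header, claims, key)
}

// TokenRequestBody is the application/x-www-form-urlencoded body for
// POST https://appleid.apple.com/auth/token; the endpoint does not accept JSON.
func TokenRequestBody(clientID, clientSecret, code string) string {
	return url.Values{"client_id": {clientID}, "client_secret": {clientSecret}, "code": {code}, "grant_type": {"authorization_code"}}.Encode()
}

// VerifyIdentityToken is the server-side check of the identity token: ES256
// signature against Apple's published public key, then iss, aud (your client_id),
// exp and the nonce the app sent. It returns the stable user identifier (sub).
func VerifyIdentityToken(token, clientID, nonce string, now time.Time, pub *ecdsa.PublicKey) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed JWT")
	}
	var header struct{ Alg string }
	if hb, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &header) != nil || header.Alg != "ES256" {
		return "", fmt.Errorf("header missing or alg is not ES256")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", fmt.Errorf("signature is not a 64-byte R||S value")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", fmt.Errorf("signature verification failed")
	}
	var claims map[string]interface{}
	if pb, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &claims) != nil {
		return "", fmt.Errorf("payload is not valid JSON")
	}
	switch exp, _ := claims["exp"].(float64); {
	case claims["iss"] != appleIssuer:
		return "", fmt.Errorf("unexpected issuer %v", claims["iss"])
	case claims["aud"] != clientID:
		return "", fmt.Errorf("audience %v is not this client_id", claims["aud"])
	case int64(exp) <= now.Unix():
		return "", fmt.Errorf("identity token expired")
	case nonce != "" && claims["nonce"] != nonce:
		return "", fmt.Errorf("nonce mismatch")
	}
	sub, _ := claims["sub"].(string)
	return sub, nil
}

func main() {
	// Constructed key: stands in for AuthKey_<KEY_ID>.p8 and for Apple's matching JWK.
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	secret, _ := ClientSecret("TEAM_ID_PLACEHOLDER", "KEY_ID_PLACEHOLDER", "org.example.service", time.Now(), time.Hour, key)
	fmt.Println(TokenRequestBody("org.example.service", secret, "CODE_PLACEHOLDER"))
}
```

Two details in this example matter for the errors in the posts: the signature segment has to be the raw R||S pair (a DER signature such as PHP's openssl_sign produces by default yields invalid_client even when every claim is right), and the token request is a form body, not JSON. The aud check on the identity token is what ties the token to your own client_id, and the nonce check ties it to the sign-in the app actually started; a verifier that only checks the signature accepts tokens issued for other apps.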
Post not yet marked as solved
error: "invalid_grant"
error_description: "Invalid credentials. Please try again."
This is my error. I wasn't able to find anything online about the issue. All of my keys are correct, as I checked so many times. Does anyone know the reason I keep getting this error?
Post not yet marked as solved
When signing-in with Apple, where does it get the app name being shown in the Apple sign-in screen? When testing from builds coming from Testflight, it is still showing the old app name in the Apple sign-in prompt.
What we did so far:
Changed all references of the old app name in the Xcode project
Changed the "Description" of the app ID with the new app name in Apple Developer Console
Changed any references of the old app name both in codes and in configurations
The only remaining reference with the old app name is the App store metadata. Do we need to wait for the app to be deployed in production before we can see the new app name to be reflected in the Apple sign-in screen?