Hi everyone, I'm developing a minimal Safari web extension for macOS and trying to implement "Sign in with Apple" directly from the extension popup, as per Apple's guidelines it's prohibited to open a new tab/window: Guideline 4.0 - Design: The user is taken to a new Safari window or tab to sign in or register for an account, which provides a poor user experience. What I've Done So Far Created an App ID with "Sign in with Apple" enabled and configured. Created a Service ID with the "Sign in" feature enabled. Enabled "Sign in with Apple" for native targets in Xcode Added the following JavaScript code in my popup.html file to initialize the Apple JS API and handle authentication via a popup: <script type="text/javascript" src="https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js"></script> <script> // have tried many different configurations here - nothing works! AppleID.auth.init({ clientId: '<valid client ID>', redirectURI: '<valid URL>', usePopup: true, }); document.getElementById('sign-in-button-apple') .addEventListener('click', () => { AppleID.auth.signIn().then((response) => { console.log('Success', response) }).catch((error) => { console.error('Error', error) }); }); </script> I also added event listeners for AppleID events: document.addEventListener('AppleIDSignInOnSuccess', (event) => { console.log('Success', event); }); document.addEventListener('AppleIDSignInOnFailure', (event) => { console.log('Error', event); }); Issue When I click the "Sign in" button in the popup, a native macOS dialog appears for authorization. However, after confirming sign-in, the modal just closes and no response (success or error) is logged in the console. Expected behavior To receive a success message or an error in the console about the authorization process result. Questions Service ID Configuration: Since the popup's location URL is safari-web-extension://<random-url>, I can't add it to the supported redirect URLs in the Service ID settings. Is there a way to work around this? Safari Web Extension Setup: Are there specific configurations required in Xcode to enable "Sign in with Apple" within a Safari web extension? Sign-In Method: Am I correctly implementing the signIn method in the JavaScript code? Could there be any constraints or special considerations for running it within an extension popup? I would greatly appreciate any guidance, examples, or documentation that can help resolve this issue. Thank you in advance!

I am trying to send email from our internal server. We are using gmail as smtp client. Gmail is bound to a domain hosted on squarespace. I have all the required DNS records - DKIM, DMARC, SPF configured in squarespace. In the Apple Developer Portal, I have also added allowed domains and email addresses in the Sign In with Apple settings. SPF verification passed. The problem is that emails sent to @privaterelay.appleid.com are not reaching the final recipient. On our end, the emails are sent and there are no errors. In the email signature the DKIM domain and the domain in the From: address match completely. Domain on tools like mxtoolbox passes all checks. Also, there is no response from the gmail server that the email was not delivered. To all other emails the emails are being sent with no problems. Please help me figure this out, maybe I am missing something.

Hi there - I maintain the react-native-apple-authentication module which allows react native developers to implement sign in with Apple When testing we noticed that code working perfectly in iOS17 Simulators now fails on iOS18/18.1 Simulators. Specifically, the credential status is always revoked when testing on an iOS18+ Simulator. The same code works perfectly on a real device running iOS18 or 18.1 so this appears to be a Simulator bug. This is problematic because App review is frequently performed on a Simulator, so there are false-negative test results for Sign In With Apple from reviewers when they use iOS18 emulators, resulting in App submission rejections. We're tracking this here, with some results posted and an example app in-repo that demonstrates the issue: https://github.com/invertase/react-native-apple-authentication/issues/356 It would be great to see the Simulator fixed so that it works correctly with Sign In With Apple again. Thanks

Hello community, In our application, we've implemented Apple ID for user authentication. Unfortunately, we forgot to register the associated domains and communication email addresses. This oversight has led to complications in email delivery via the private relay service. We've taken steps to fix the issue by reconfiguring the domains and communication email addresses. Post-adjustment, new user registrations are functioning properly. However, for users who registered before this fix, the problem persists. We followed the instructions provided on https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/communicating_using_the_private_email_relay_service, and we also have SPF configured, which has passed validation in our administration. Has anyone encountered a similar issue, and if so, how did you resolve it? Any insights or guidance would be greatly appreciated.

I'm trying to set up Sign In With Apple on my .NET 7 Web App (Not sure how many people here use this). I followed the guide by Scott Brady here: https://www.scottbrady91.com/openid-connect/implementing-sign-in-with-apple-in-aspnet-core It reaches Apple Sign In OK, authenticates, and passes back to my server, but the callback responds with this error. OpenIdConnectProtocolException: Message contains error: 'invalid_client', error_description: 'error_description is null', error_uri: 'error_uri is null'. Googling hasn't helped much, other than I saw a post saying to wait 48 hours, which I have now done (not that that makes sense anyway). Any idea whats been done wrong? Code below, replacing sensitive data. Startup.cs .AddOpenIdConnect("apple", async options => { options.Authority = "https://appleid.apple.com"; // disco doc: https://appleid.apple.com/.well-known/openid-configuration options.ClientId = "com.rackemapp.applelogin"; // Service ID options.CallbackPath = "/signin-apple"; // corresponding to your redirect URI options.ResponseType = "code id_token"; // hybrid flow due to lack of PKCE support options.ResponseMode = "form_post"; // form post due to prevent PII in the URL options.UsePkce = false; // apple does not currently support PKCE (April 2021) options.DisableTelemetry = true; options.Scope.Clear(); // apple does not support the profile scope options.Scope.Add("openid"); options.Scope.Add("email"); options.Scope.Add("name"); options.Events.OnAuthorizationCodeReceived = context => { context.TokenEndpointRequest.ClientSecret = AppleTokenGenerator.CreateNewToken(); return Task.CompletedTask; }; }); Apple Token Generator public static class AppleTokenGenerator { public static string CreateNewToken() { const string iss = "[MyTeamId]"; // your account's team ID found in the dev portal const string aud = "https://appleid.apple.com"; const string sub = "com.rackemapp.applelogin"; // same as client_id var now = DateTime.UtcNow; // contents of your .p8 file const string privateKey = "[MyKey]"; var ecdsa = ECDsa.Create(); ecdsa?.ImportPkcs8PrivateKey(Convert.FromBase64String(privateKey), out _); var handler = new JsonWebTokenHandler(); return handler.CreateToken(new SecurityTokenDescriptor { Issuer = iss, Audience = aud, Claims = new Dictionary<string, object> { { "sub", sub } }, Expires = now.AddMinutes(5), // expiry can be a maximum of 6 months - generate one per request or re-use until expiration IssuedAt = now, NotBefore = now, SigningCredentials = new SigningCredentials(new ECDsaSecurityKey(ecdsa), SecurityAlgorithms.EcdsaSha256) }); } } Also attached, images of my keys and setp in developer portal

Hello, we implemented Apple Sign-In in our website long ago, and it worked well. Recently we have found a strange behaviour. The first time we make the request to the /auth/token endpoint we get an invalid_client error. Our client id is com.spicysparks.service.id If we make a request another time with exactly the same data it works fine. We noticed we get this error only when we try a newly generated client secret for the first time.

We have a game that provides a mechanism to log into the game with Sign in with Apple in a direct integration between the game and Apple (first mechanism). We also provide a mechanism to log into the game using OpenID connect with authorization from Apple but using a server in the middle that drives the process (second mechanism). It is important to mention that both mechanisms use the same oauth client. We have been able to switch from the first mechanism to the second successfully, but there is a problem with id_token. In the second mechanism we request the scopes "email", "openid" and "name", but in the retrieved id_token there is no information about the email. It happens for all users who previously signed in with Apple using the first mechanism (therefore there is a current link between the game and the user in AppleId). It does not happen with users who had no link between the game and the user and use the second mechanism, in this case we can retrieve the user information in the callback of the first call and the email in the id_token, as stated in the documentation. However, if users who had a link between the game and the AppleId delete the app and then log back in using the second mechanism, then we can get the email information with the exact same request. The request we use to obtain the authorized endpoint information (https://appleid.apple.com/auth/authorize) has these parameters: response_mode: query scope: email openid profile nonce: ... state: ... response_type: code Then we get the authentication code and get an id_token like this: { "iss":"https://appleid.apple.com", "aud":"{aud}", "exp":1705584621, "iat":1705498221, "sub":"{sub}", "nonce":"7f-PqBoXgxeDMOEu5Ysov0FjE9GvSYfq", "at_hash":"3kLcPBlwZP6aj_mscww5zA", "authentication_time":1705498218, "nonce_supported":true } Is there a way to retrieve the email for users who had the link and don't want to delete it or log back into the app? In the official Apple documentation it is stated that the id_token should have the email but this is not the case. https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple#3383773

Problem Situation User membership withdrawal request → revoke API call It always returns status code 200, but once out of 5~10, it remains an app linked to the user's Apple ID. Re-request user Apple login → Email is returned as null Currently, the only solution is for users to manually delete apps linked to their Apple ID. Email sent when re-requesting Apple login When the above problem occurs, even if the Revoke API is called multiple times, the app linked to the user's Apple ID is not deleted, and when requesting Refresh Token validation, it has already expired. Releated Issues https://forums.developer.apple.com/forums/thread/707181

My existing chrome extension has "Sign in with Apple" given that we have iOS users. When user clicks "Continue with Apple" button in the extension log in pop up, this is what we do: javascript window.open( 'https://appleid.apple.com/auth/authorize?client_id=' + clientID + '&amp;redirect_uri=' + backEndURL + '&amp;response_type=id_token%20code&amp;response_mode=form_post&amp;scope=email%20name', 'Sign in with Apple', 'height=500,width=400,left=600,top=200,status=no,location=no,toolbar=no,menubar=no' ) In chrome, this opens a popup window with that URL. In Safari Converted Web Extension, it opens custom Apple sign in flow, where it says: "Do you want to sign in to XXX with your Apple ID YYY?" and then with my mac password I'm able to authenticate. Afterwards, nothing happens. Expected: a redirect to the URL specified in the window.open. Now let's do a trick: I'll wrap the above window.open code into javascript setTimeout (() = {window.open (...)}, 3000) Because of security reasons, safari then won't open the popup after 3s and will display a notification in the toolbar "Popup blocked..". If we allow the popup, then it finally opens as a normal window popup and after sign in, it redirects to our backend and it successfully authenticates. Any ides what how to solve this? P.S. We're not able to use embedded Sign in with Apple JS - https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple script because we can't host a remote code in the extension (it will be deprecated soon). So, we arere using this. - https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/incorporating_sign_in_with_apple_into_other_platforms

Hi everyone, I'm working on a hybrid web application that will serve as a unified login page for two of my existing apps. Both apps currently utilize Apple Sign In with separate app IDs. To provide a seamless user experience, I plan to create a unified login page that displays two distinct Apple Sign In buttons: "Log in with A Service" and "Log in with B Service". Each button will link to the respective Apple Sign In flow for that specific service and app ID. I'm seeking guidance on the following: Apple's Guidelines: Are there any specific Apple guidelines or restrictions that prohibit or discourage the display of multiple Apple Sign In buttons on a single page within a hybrid web app context? I appreciate any insights or suggestions you can provide. Thank you

I once changed my Apple ID. Before changing it, I had set up a passkey for the Apple ID website. After changing my Apple ID, whenever I log in to Apple ID, it still shows my previous Apple ID. Additionally, the passkey for the Apple ID website is not present in my 'Passwords' app, so I am unable to delete it.

I'm trying to set up Apple OAuth on my website. Whenever I go to Certificates, Identifiers &amp; Profiles, It gives me the error 'Unable to find team with the given Team ID'

I am researching to apply Apple Sign In to my app. I see response data from Apple just include user name and email (phone number is not required also), but currently my app has only one login method that is by phone number. So I would like to ask:
 Can I request an phone number (by an customize popup) from the user after Signin Apple successfully? If not then which approach that can I apply? Many thanks!

Hi, I need to make a "Sign with apple" button. I followed all the instructions and I managed to get apple's response with id_token. I have to continue testing the application but I no longer get the "user" object (name, lastname). How can I get the user object back to continue development?

Hello I have a problem with provisionprofile file. I have created Identifier with Sign in with Apple capability turned on, created Profile with Developer ID selected and now I try to export archive with generated Developer ID provision file but it says "Profile doesn't support Sign in with Apple" Also interesting thing that default provisions like macOS App Development Mac App Store Connect don't show such error when I try to export archive Maybe this problem is only related to Developer ID provision and Direct Distribution doesn't support Sign in with Apple, but I havent found proves about this idea

Hello everyone, I’m encountering an issue with Sign in with Apple in my watchOS app and would appreciate any guidance. Background: Initially, I did not have the Sign in with Apple capability enabled on my watchOS app. I have since enabled the capability and grouped it with my iOS app. For new user accounts created after this change, everything works perfectly: The credentialState check returns .authorized on both iOS and watchOS. However, for existing user accounts (created before enabling the capability on watchOS): The credentialState check returns not authorized on watchOS. The check still returns .authorized on iOS for these accounts. Error Details: When calling ASAuthorizationAppleIDProvider.credentialState(forUserID:) on watchOS for existing accounts, I receive the following error: Error Domain=AKAuthenticationError Code=-7074 "(null)" My Suspicions: I believe the issue arises because the existing Sign in with Apple tokens are only associated with the iOS app’s bundle identifier and not with the watchOS app’s bundle identifier. Since the capability wasn’t enabled on the watchOS app when these accounts were created, their tokens aren’t valid for the watchOS app. Questions: Is this the correct explanation for why the credentialState check fails on watchOS for existing accounts, resulting in the AKAuthenticationError Code=-7074 error? Can I update or migrate the existing accounts so that their Sign in with Apple tokens are valid for the watchOS app as well? If so, how can this be achieved? Are there any best practices for handling this situation without requiring users to re-authenticate or removing the credentialState check from the watchOS app? Goal: I want to maintain the credentialState check on the watchOS app because it works correctly for new accounts and is important for security. I’m looking for a solution that allows existing users to continue using the app on their Apple Watch without interruption or additional sign-in steps. Any help or suggestions would be greatly appreciated! Thank you!

When we develop 'Sign in with Apple' function on our app, we visited https://appleid.apple.com to verify the account. However, appleid.apple.com is mapped to an American IP, and it is not suitable for our app which is operated in China. I wonder whether there is a China Mainland IP available for the verification? Thanks very much.

I have implemented Sign in with Apple on website one weeks ago, and it work perfectly. However, recently we start to receive invalid_grant with no error description while token validation, however the same client secret works on IOS app without issue.... in ios app site , we used bundle id for client_id. in web site , we used service id for client_id; I try to create a new privateKey for web site and add redirect_uri params to /auth/token, but still error.... I tested it like this, i got authorization code using Service ID i tried authorization code with Service ID using browser : successfully got the code and requested access_token immately 2 and then, i tried validate the authorization grant code to obtain tokens curl like this curl -X POST https://appleid.apple.com/auth/token \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "client_id=my_service_id" \ -d "client_secret=my_client_secret" \ -d "code=sent_from_frontend" \ -d "grant_type=authorization_code" \ -d "redirect_uri=my_redirect_uri" then get fail and no error_description error_code is 400 invalid_grant is not invalid_client error, and client secret is not expired too My decoded token looks like the following : { "alg": "ES256", "typ": "JWT", "kid": "my_kid" } { "aud": "https://appleid.apple.com", "sub": "my_service_id", "iss": "team_id", "exp": 1744012650, "iat": 1728460650 }

Hi, I have implemented Sign in with Apple on Android four months ago, and it work perfectly. We are using React Native with expo, using expo-auth-session and firebase function to get code back to start the token validation process. However, recently we start to receive invalid_grant with no error description while token validation, however the same client secret works on firestore without issue, which confuses us. According to https://developer.apple.com/documentation/technotes/tn3107-resolving-sign-in-with-apple-response-errors, the common reasons that I receive invalid_grant are: The client_id does not match the client for which the code was issued. The code has expired or has been previously consumed by the validation server. Is there any way I could differentiate whether is client_secret wrong or the code was used or any other reasons?

Hello, Following a company split we are planning to transfer one of our apps, which has Sign in With Apple enabled, to another team. We want to provide a smooth migration experience for the users by minimizing downtime and avoiding the duplication of accounts in our database. In our backend we generate a client secret using the transferring team’s ID. We then use this client secret with the “https://appleid.apple.com/auth/token” endpoint which returns the identity token. With the above in mind, I have the following questions: If we don’t update the team ID immediately after the transfer in our backend, will the identity token returned by the endpoint above contain the transferring team user ID in the sub field or, will it contain the recipient team user ID? Is there any possibility that we will ever receive an identity token containing a transferring team user ID in the sub field after we accept the transfer? Thanks, Bruno