Sign in with Apple

Sign in with Apple enables users to sign into apps and websites using their Apple ID.

Posts under Sign in with Apple tag

200 Posts

Post

Replies

Boosts

Views

Activity

Login with Apple ID gives error "Something went wrong"
We have integrated Login with the Apple ID feature in our iOS App. Whenever a user tries to sign in with Apple ID from within our app, after authorizing the login process we get this error "Something went wrong". This happens with some iPhones whereas some users work fine without such an issue. At the same time the login with Apple ID in the same app works with some iPhone users without any issue. This is quite a strange problem and we cannot trace the root cause. If anyone has faced the same issue, please do let me know.
1
0
731
Sep ’24
How to verify that Apple logged-in user data is not lost after transferring the app?
When we transfer app A to app B, if we transfer the app but don't migrate the user to app B, will the user's previous tokens from app A be invalid? Is this failure real-time or will there be a buffer period to transfer users? If it is a live failure, we want to transfer some users during the transfer process to prevent accidents, and then test them. Is there a way to test it?
8
0
687
Oct ’24
Does anyone know about the configuration that is required to make sign in with apple in Outsystems (ODC)?
Hey, According to my research and the documentation provided by Apple and Outsystems, I have made the right configuration in both places, but after authentication from the Apple side it is not redirecting me to my Outsystems page. I have checked the redirect URL configuration many times and it is correct, but I do not know why this is happening.
1
0
393
Sep ’24
Unable to create access tokens for user migration (invalid_client)
Hello. I recently transferred an app from my dev account to a different one. I'm trying to follow these instructions to generate transfer IDs, and am stuck on Step 1 (creating an access token). I keep getting {'error': 'invalid_client'}. Here's the python script I'm using to generate the access token:

    import time

    import jwt  # PyJWT
    import requests

    TEAM_ID = "..."
    KEY_ID = "..."
    KEY_FILE = "key.p8"
    CLIENT_ID = "com.myapp.bundle"

    def get_access_token() -> str:
        client_secret = get_client_secret()
        print(f"client secret: {client_secret}")
        url = "https://appleid.apple.com/auth/token"
        req_headers = {"Content-Type": "application/x-www-form-urlencoded"}
        data = {
            "grant_type": "client_credentials",
            "scope": "user.migration",
            "client_id": CLIENT_ID,
            "client_secret": client_secret,
        }
        response = requests.post(url, headers=req_headers, data=data)
        json = response.json()
        return json["access_token"]

    def get_client_secret() -> str:
        payload = {
            "iss": TEAM_ID,
            "iat": int(time.time()),
            "exp": int(time.time() + 86400 * 7),  # 7 days
            "aud": "https://appleid.apple.com",
            "sub": CLIENT_ID,
        }
        key = open(KEY_FILE, "r").read()
        print(f"Key: {key}")
        headers = {"alg": "ES256", "kid": KEY_ID}
        return jwt.encode(payload, key, algorithm="ES256", headers=headers)

    print(get_access_token())

The app was transferred about 2 weeks ago, so well within the 60 day period. And the script actually briefly got an access token for about 30 minutes yesterday, but is no longer working. Any ideas? Thanks in advance.
1
0
607
Sep ’24
Troubleshooting "invalid_client" Error During Sign In with Apple User Migration
Hey all, I'm encountering persistent issues while attempting to migrate users for an app transfer using Sign In with Apple. I hope to get some insights or solutions from those who might have faced similar challenges.

Context: We're transferring an app from one developer account to another. The app previously only had Sign In with Apple configured for iOS, not for web. We're now trying to set up the user migration process as part of the transfer.

Current Setup:
- Old App Bundle ID: old.bundle.id24
- Old Team ID: 123456789
- New Team ID: 234567890

Issue: When attempting to generate transfer identifiers for our users, we're encountering an "invalid_client" error. Here's what we've observed:
- Using old_client_id = 'old.bundle.id24': Successfully generates an access token but fails at the user migration info step with an "invalid_client" error.
- Using old_client_id = 'old.bundle.id' (without '24'): Fails to generate an access token with an "invalid_client" error.

Simplified script I am using:

    import time

    import jwt  # PyJWT
    import requests

    # private_key, key_id and user_sub are set elsewhere (omitted from this simplified script)
    old_client_id = 'old.bundle.id24'
    old_team_id = '123456789'
    new_team_id = '234567890'

    # JWT Payload for client secret
    jwt_payload = {
        'iss': old_team_id,
        'iat': int(time.time()),
        'exp': int(time.time()) + 15552000,  # 180 days
        'aud': 'https://appleid.apple.com',
        'sub': f'{old_team_id}.{old_client_id}'
    }

    # Generate client secret
    client_secret = jwt.encode(jwt_payload, private_key, algorithm='ES256',
                               headers={'kid': key_id, 'alg': 'ES256'})

    # Request access token
    token_response = requests.post(
        'https://appleid.apple.com/auth/token',
        data={
            'grant_type': 'client_credentials',
            'scope': 'user.migration',
            'client_id': old_client_id,
            'client_secret': client_secret
        },
        headers={'Content-Type': 'application/x-www-form-urlencoded'}
    )

    # If successful, proceed to user migration info request
    if token_response.status_code == 200:
        access_token = token_response.json()['access_token']
        migration_response = requests.post(
            'https://appleid.apple.com/auth/usermigrationinfo',
            data={
                'sub': user_sub,
                'target': new_team_id,
                'client_id': old_client_id,
                'client_secret': client_secret
            },
            headers={
                'Authorization': f'Bearer {access_token}',
                'Content-Type': 'application/x-www-form-urlencoded'
            }
        )
        # This is where we get the "invalid_client" error
        print(migration_response.status_code, migration_response.text)

What we've tried:
- Verified all IDs (client ID, team ID, key ID) match between our code and the Apple Developer portal.
- Ensured the JWT is correctly signed with the ES256 algorithm.
- Checked that the client secret hasn't expired.
- Verified the content type is set correctly for all requests.
- Waited 72h+ since the key was first generated.

Questions:
- Could the lack of web configuration in the original app be causing this issue? If so, how can we rectify this post-transfer?
- Is there a specific way to handle migrations for apps that were only configured for iOS Sign In with Apple?
- Are there any known issues or additional steps required when the old and new bundle IDs differ slightly (e.g., with/without '24' at the end)?
- How can we further diagnose the root cause of this "invalid_client" error, given that it occurs at different stages depending on the client ID used?

Any insights, suggestions, or solutions would be greatly appreciated - I really don't know what to try at this point... Thank you in advance for your help!
1
0
635
Sep ’24
App transfer - failed to retrieve info after app transfer
Hi! Like a bunch of people on the forums I'm having issues transferring my users from my previous Team to my new Team. When the app was still on the old team, I successfully generated transfer_subs for every one of my apple login users. Now, when trying to migrate them over, it ONLY works on users that have already signed in since the transfer, which is not good, I need to transfer the rest and get the new private relay emails.

Here's a curl of how I get my access token: I'm first generating the secret key using my team key that has apple sign in configured for it.

    curl --location 'https://appleid.apple.com/auth/token' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode 'grant_type=client_credentials' \
      --data-urlencode 'scope=user.migration' \
      --data-urlencode 'client_id=my.app.id' \
      --data-urlencode 'client_secret=***'

This works and I'm getting my access token, then I try to exchange the sub token

    curl --location 'https://appleid.apple.com/auth/usermigrationinfo' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --header 'Authorization: Bearer *** ' \
      --data-urlencode 'transfer_sub=xx.xxxx' \
      --data-urlencode 'client_id=my.app.id' \
      --data-urlencode 'client_secret=***'

This is when I receive: {"error":"invalid_request","email_verified":false}

I've tried a lot of stuff, even got on the phone with an ex apple engineer and tried a bunch of stuff with him, but to no avail. I've submitted a report on feedback assistant on the 23rd August, but no answer yet. ID: 14898085
1
0
610
Sep ’24
Sign in With Apple works, but blocks app afterwards
This is a continuation of https://developer.apple.com/forums/thread/760861 Still a mixed Qt/C++/ObjC app, developed with Qt Creator. The gist is that I can call Sign in With Apple and authorise, but once the Authorisation Window/Panel goes away, the app is blocked.

    PBSigninWithApple::PBSigninWithApple()
    {
        myImpl = [[PBSigninWithApple alloc] initWithOwner:this];
    }

    - (id)initWithOwner:(PBSigninWithApple *)owner
    {
        self = [super init];
        myOwnerSIWA = owner;
        ASAuthorizationAppleIDProvider *appleIDProvider = [ASAuthorizationAppleIDProvider new];
        ASAuthorizationAppleIDRequest *request = appleIDProvider.createRequest;
        request.requestedScopes = @[ASAuthorizationScopeFullName, ASAuthorizationScopeEmail];
        ASAuthorizationController *controller = [[ASAuthorizationController alloc] initWithAuthorizationRequests:@[request]];
        controller.presentationContextProvider = self;
        controller.delegate = self;
        [controller performRequests];
        return self;
    }

The code example above is obviously reduced, but the real thing works. I get the Sign in With Apple window and can authorise by TouchId. The didCompleteWithAuthorization and didCompleteWithError methods also work, emitting the identityToken to the calling superclass works, the authorisation window goes away - but not really. The calling QT app is semi-blocked. I can close windows by using the Escape key, but any clicking just gives the dreaded beep and nothing happens. So I assume that we didn't tear down everything and that the anchor or whatever still has to focus.

    - (void)authorizationController:(ASAuthorizationController *)controller
       didCompleteWithAuthorization:(ASAuthorization *)authorization API_AVAILABLE(macos(10.15))
    {
        if ([authorization.credential isKindOfClass:[ASAuthorizationAppleIDCredential class]]) {
            ASAuthorizationAppleIDCredential *appleIDCredential = authorization.credential;
            NSString *user = appleIDCredential.user;
            NSData *identityToken = appleIDCredential.identityToken;
            NSData *authorizationCode = appleIDCredential.authorizationCode;
            emit myOwnerSIWA->accessCodeReceived(identityToken);
        }
        [[NSNotificationCenter defaultCenter] removeObserver:self name:ASAuthorizationAppleIDProviderCredentialRevokedNotification object:nil];
        [myAnker close];
        [self release];
    }

    // The delegate callback for failures receives an NSError
    - (void)authorizationController:(ASAuthorizationController *)controller
               didCompleteWithError:(NSError *)error API_AVAILABLE(macos(10.15))
    {
        emit myOwnerSIWA->accessCodeReceived(QString(""));
        [[NSNotificationCenter defaultCenter] removeObserver:self name:ASAuthorizationAppleIDProviderCredentialRevokedNotification object:nil];
    }

    - (ASPresentationAnchor)presentationAnchorForAuthorizationController:(ASAuthorizationController *)controller API_AVAILABLE(macos(10.15))
    {
        NSRect frame = NSMakeRect(30, 30, 230, 230);
        NSUInteger windowStyle = NSWindowStyleMaskTitled | NSWindowStyleMaskClosable | NSWindowStyleMaskResizable | NSWindowStyleMaskFullSizeContentView;
        NSWindow* window = [[[NSWindow alloc] initWithContentRect:frame styleMask:windowStyle backing:NSBackingStoreBuffered defer:NO] autorelease];
        window.minSize = CGSizeMake(200, 100);
        window.releasedWhenClosed = TRUE;
        myAnker = window;
        return window;
    }
1
0
650
Sep ’24
App transfer - exchange identifiers 'invalid_request' error for some users for
We did an app transfer in mid-August as part of our process to incorporate the business. We have approximately 100,000 users who have logged in with their Apple IDs, and as part of the transfer process, we followed the documentation below to transfer the account information. https://developer.apple.com/documentation/sign_in_with_apple/bringing_new_apps_and_users_into_your_team During the identifier exchange process, an invalid_request error occurred for approximately 10,000 users. https://developer.apple.com/documentation/sign_in_with_apple/bringing_new_apps_and_users_into_your_team#3559300 We successfully transferred the remaining users using the same script and procedure. Even when repeated multiple times, the error consistently occurs with the same users. Based on this situation, we believe that the error may be caused by a user-related factor. Specifically, we would like to understand the potential causes of request errors other than the reasons listed below. The only user-related cause, 'The user has revoked authorization for the client,' is not relevant to this case, as it pertains to an error when issuing the transfer identifier (not exchanging). https://developer.apple.com/documentation/technotes/tn3107-resolving-sign-in-with-apple-response-errors#Possible-reasons-for-invalid-request-errors Details of the request content are documented in FB14898615. Although we submitted feedback from the account after the transfer, we have not received a response for over a week, so we are reaching out here as well. [Similar problem] https://developer.apple.com/forums/thread/761968
1
0
512
Sep ’24
App transfer - exchange identifiers 'invalid_request' error for most users
We recently did an app transfer of our app from one account to a parent company's account. Because we have Sign In With Apple, we need to transfer the users. We're following this doc: https://developer.apple.com/documentation/sign_in_with_apple/bringing_new_apps_and_users_into_your_team We have about 118,000 users, and were successful in generating the transfer identifier for the majority. We assume some users have revoked access. When we try to call to exchange identifiers, we are successful for about 50k users, but for the remaining 68k users we are receiving 'invalid_request' with no other information. I don't understand why we would have a transfer identifier, and then receive 'invalid_request.' If it was a configuration problem I would expect that error for all users, or invalid_client. I've already gone through this doc: https://developer.apple.com/documentation/technotes/tn3107-resolving-sign-in-with-apple-response-errors We've tried using a Node.js script, bash, Postman, with the same result. If an API call to exchange identifiers has an error, that user has an error every time. If a call is successful, it's successful every time. Other forum posts are dead ends with no resolution. Has anybody seen this behavior and found a fix for it?
7
2
1.1k
Sep ’24
[Questions regarding App Store Review Guidelines 4.8 Login Services]
The app comes with its own login/signup service and several other social login services. Even though our app has its own login/sign-up service, if we provide at least one social login service, should we provide Apple Login or another login service with a privacy policy as an equivalent option? Can you please answer whether I should include the sign in with apple service or the login service with privacy protection in my app?
0
0
389
Dec ’24
Encountering invalid_client error when calling Apple authentication/revocation API
Hello, I have implemented Sign in with Apple in my iOS app and am currently trying to implement the revocation feature. However, I keep encountering an invalid_client error when calling the Apple authentication/revocation API. Here are the details of my configuration:

Team ID: HUGD2H952H
Client ID: com.puppylink.puppylinkapp
Key ID: KXSYK98424

I am using these details to generate a client secret with the JWT ES256 algorithm. Below is the code I am using on the backend server to generate the client secret:

        private fun makeClientSecret(): String {
            val now: ZonedDateTime = ZonedDateTime.now(ZoneOffset.UTC)
            val expirationTime: ZonedDateTime = now.plusMinutes(5) // Setting expiration time to 5 minutes
            return Jwts.builder()
                .setHeaderParam(JwsHeader.KEY_ID, appleProperties.keyId)
                .setHeaderParam("alg", "ES256")
                .setIssuer(appleProperties.teamId)
                .setIssuedAt(Date.from(now.toInstant()))
                .setExpiration(Date.from(expirationTime.toInstant()))
                .setAudience("https://appleid.apple.com")
                .setSubject(appleProperties.clientId)
                .signWith(getPrivateKey(), SignatureAlgorithm.ES256)
                .compact()
        }

        private fun getPrivateKey(): PrivateKey {
            val resource = ClassPathResource(appleProperties.privateKeyFile)
            val privateKey = String(Files.readAllBytes(Paths.get(resource.uri)))
            val pemReader: Reader = StringReader(privateKey)
            val pemParser = PEMParser(pemReader)
            val converter = JcaPEMKeyConverter()
            val keyInfo = pemParser.readObject() as PrivateKeyInfo
            return converter.getPrivateKey(keyInfo)
        }
    }

Additionally, here is the code used to call the Apple authentication API from the backend server:

    @Service
    class AppleAuthService(
        private val appleProperties: AppleProperties,
    ) {
        private val logger = LoggerFactory.getLogger(javaClass)
        private val restTemplate = RestTemplate()

        fun getTokens(authorizationCode: String): TokenResponse {
            try {
                val clientSecret = makeClientSecret()
                val formData: MultiValueMap<String, String> = LinkedMultiValueMap()
                formData.add("client_id", appleProperties.clientId)
                formData.add("client_secret", clientSecret)
                formData.add("code", authorizationCode)
                formData.add("grant_type", "authorization_code")
                val headers = HttpHeaders()
                headers.contentType = MediaType.APPLICATION_FORM_URLENCODED
                val requestEntity = HttpEntity(formData, headers)
                val response = restTemplate.postForObject(
                    "https://appleid.apple.com/auth/token",
                    requestEntity,
                    TokenResponse::class.java,
                )
                return response ?: throw RuntimeException("Failed to retrieve tokens from Apple")
            } catch (ex: Exception) {
                logger.error("Error retrieving tokens: ", ex)
                throw ex
            }
        }

        data class TokenResponse(
            val access_token: String,
            val expires_in: Long,
            val id_token: String,
            val refresh_token: String,
            val token_type: String,
        )

Despite generating the client secret correctly, I am still receiving the invalid_client error when calling the API. Could you please help me identify the cause of this error and provide guidance on how to resolve it? Thank you.
1
0
645
Sep ’24
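A pre-flight check for the client secrets built in the posts above (the two Python migration scripts and the Kotlin backend), as an added example that is not part of any post or of Apple's code: it decodes the JWT without verifying the signature and compares header and claims with the requirements in Apple's client-secret documentation (ES256, kid, iss as the Team ID, sub equal to client_id, aud, exp at most 15777000 seconds ahead). The IDs and tokens are constructed placeholders, and `lint_client_secret` is a hypothetical helper name.

```python
import base64
import json
import time

APPLE_AUD = "https://appleid.apple.com"
MAX_LIFETIME = 15777000  # Apple's documented ceiling for exp: six months, in seconds


def _decode(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    obj = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj


def lint_client_secret(token, team_id, client_id, key_id, now=None):
    """Return a list of problems in the JWT header and claims.

    The signature is not verified; only the signed content is inspected.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS (expected three dot-separated segments)"]
    try:
        header, claims = _decode(parts[0]), _decode(parts[1])
    except ValueError:  # covers bad base64, bad JSON and bad UTF-8
        return ["header or payload is not base64url-encoded JSON"]

    problems = []
    expected = [
        ("header alg", header.get("alg"), "ES256"),
        ("header kid", header.get("kid"), key_id),
        ("iss", claims.get("iss"), team_id),
        ("sub", claims.get("sub"), client_id),
        ("aud", claims.get("aud"), APPLE_AUD),
    ]
    for name, got, want in expected:
        if got != want:
            problems.append(f"{name} is {got!r}, expected {want!r}")

    exp = claims.get("exp")
    if not isinstance(exp, int):
        problems.append("exp is missing or not an integer timestamp")
    elif exp <= now:
        problems.append("exp is in the past")
    elif exp - now > MAX_LIFETIME:
        problems.append(f"exp is {exp - now}s ahead, over the {MAX_LIFETIME}s limit")
    return problems


def _unsigned(header, claims):
    """Build a constructed, unsigned token for the demo (placeholder signature)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2ln"


# Constructed sample values, not taken from any post.
NOW = 1_700_000_000
IDS = ("ABCDE12345", "com.example.app", "KEY1234567")  # team, client, key
HDR = {"alg": "ES256", "kid": IDS[2]}
BASE = {"iss": IDS[0], "iat": NOW, "aud": APPLE_AUD}
GOOD = _unsigned(HDR, {**BASE, "exp": NOW + 3600, "sub": IDS[1]})
BAD = _unsigned(HDR, {**BASE, "exp": NOW + 200 * 86400, "sub": f"{IDS[0]}.{IDS[1]}"})

if __name__ == "__main__":
    for label, tok in (("good", GOOD), ("bad", BAD)):
        print(label, lint_client_secret(tok, *IDS, now=NOW))
```

A clean result only means the claims are well-formed; the key behind `kid` must still belong to the team in `iss` and have Sign in with Apple enabled for that client.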
Can user's Sign In With Apple email change without creating a new account?
I have an app at work that supports Sign In With Apple so that users can create accounts and have their data synced to servers. A couple of years ago one of the users created an account using Sign In With Apple, choosing to use Hide My Email as well (so that their email that the app received looks like *****@privaterelay.appleid.com). The legacy in-house backend of the app unfortunately uses email addresses as user identifiers with the unlucky assumption that emails remain the same. The app doesn't offer users the ability to change email addresses. The user in question recently reported that since very recently they are no longer able to use the app. It turns out that their Sign In With Apple email address for my app had changed at some point. They shared an iPhone screenshot of their Sign In With Apple settings for the app. The screenshot says that they created an account for this app two years ago, but the email address in the "This app received" field is different to the one that they initially signed up with, and it's also a Hide My Email address. It's important to note that this app was also transferred between developer accounts about a year ago, and since then this user, including thousands of other users, didn't have issues using Sign In With Apple. So my main question is: in what scenario is it possible for the email associated with a Sign In With Apple account for an app to change without creating a new account?
1
0
600
Sep ’24
Sign Up & Sign In With apple
For Sign in With Apple I receive an expected flow including an ask to share or hide my email along with a message like this 'Create an account for Apple {some_company} using your Apple ID “{email}”.' However when I sign into an existing account I get the same flow, where on other apps I see a message like this ~ "Do you want to continue using {some_company} with your Apple ID “{email}”?" How can I configure this for my own app? Note: it always logs me into the correct existing account, I'm just trying to make sure users go through the correct flow in the apple popup when their account already exists.
2
1
957
Sep ’24
Display links to website's privacy policy and terms of service in AppleSignIn modal
I'm using Apple Sign In in the JS app and I got a requirement to display some notes with links to privacy policy and terms of service inside the Apple modal, so users don't have to accept them after finishing authentication in the modal. Is there a way to add something like that? I have implemented Apple Sign In using this doc: https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple
1
0
655
Sep ’24
Migration of users after an app has been transferred to a new organization
Our company was re-formed under a new name. Rather than rename the organization on the App Store, we were advised by support to create a new organization and then transfer the app to that organization, which we have done. Our app implements Apple Authentication. We did not migrate the users of the app (as instructed here: https://developer.apple.com/documentation/sign_in_with_apple/transferring_your_apps_and_users_to_another_team). Is it possible to now migrate the users, after the app has been transferred? Our attempt to get an authorization token with scope "user.migration" results in HTTP error 400 with body: "invalid_client".
2
1
702
Oct ’24