Hi @everyone, I have set up the proper App ID, Services ID along with the return URL, domains and subdomains (example domain/subdomain: asdfjkl.firebaseapp.com and return URL: https://asdfjkl.firebaseapp.com/__/auth/handler) in developer.apple.com.
I have created the key as well and added the key ID, private key and Services ID in the Firebase Apple sign-in console. But I'm getting the error "Invalid web redirect url".
I haven't provided the App ID, Services ID, Firebase project ID or key secret here as they're confidential. Please let me know if any further details are needed.
Sign in with Apple
Sign in with Apple enables users to sign into apps and websites using their Apple ID.
```ts
import AppleProvider from 'next-auth/providers/apple';

export const appleProvider = AppleProvider({
  name: 'Apple',
  // NEXT_PUBLIC_* variables are inlined into the browser bundle by Next.js;
  // the client secret belongs in a server-only variable.
  clientId: process.env.NEXT_PUBLIC_APPLE_CLIENT_ID as string,
  clientSecret: process.env.NEXT_PUBLIC_APPLE_CLIENT_SECRET as string,
  idToken: true,
  authorization: {
    url: 'https://appleid.apple.com/auth/authorize',
    params: {
      clientId: process.env.NEXT_PUBLIC_APPLE_CLIENT_ID as string,
      scope: 'openid email name',
      response_type: 'code',
      response_mode: 'form_post',
    },
  },
  token: {
    url: 'https://appleid.apple.com/auth/token',
    async request(context) {
      // Apple's token endpoint reads the parameters from an
      // application/x-www-form-urlencoded POST body, not from the query string.
      const body = new URLSearchParams({
        code: context.params.code as string,
        client_id: context.provider.clientId as string,
        client_secret: context.provider.clientSecret as string,
        redirect_uri: context.provider.callbackUrl,
        grant_type: 'authorization_code',
      });
      const response = await fetch('https://appleid.apple.com/auth/token', {
        method: 'POST',
        headers: {
          'Content-Type': 'application/x-www-form-urlencoded',
        },
        body,
      });
      const tokens = await response.json();
      return { tokens };
    },
  },
});
```
Hello, I need to verify my domain and email with SPF.
I need to use Sign in with Apple with the private relay service.
Here are my DNS records (AWS Route 53).
My domain is metapocket.io
DKIM
record: sig1._domainkey.metapocket.io
value: sig1.dkim.metapocket.io.at.icloudmailadmin.com.
SPF
"v=spf1 include:zoho.com ~all"
"v=spf1 include:icloud.com ~all"
"v=spf1 include:metapocket.io ~all"
"v=spf1 include:amazonses.com ~all"
TXT
"zoho-verification=zb03635298.zmverify.zoho.com"
"apple-domain-verification=RaNdOmLeTtErSaNdNuMbErS"
"apple-domain=4oc6zwBOLpmdRGr9"
Is something wrong here?
Why did I get a failed SPF verification? Please help me.
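Reading the records above the way a receiving mail server does, as an added example that is not part of the post: it applies RFC 7208's one-record rule to the listed TXT strings, counts the lookup-costing terms, and builds the single merged record a domain would publish instead. The domain name and the TXT values are copied from the post; everything else is constructed.

```python
"""Receiver-side view of the SPF TXT records posted above.

Added example, not from the post. The records are typed in from the post
(constructed sample data, not fetched from Route 53). RFC 7208 section 3.2
allows one SPF record per name and section 4.5 makes a receiver answer
"permerror" when it finds several, so no include is ever consulted.
"""

DOMAIN = "metapocket.io"
METAPOCKET_TXT = [  # apex TXT records as listed in the post
    '"v=spf1 include:zoho.com ~all"',
    '"v=spf1 include:icloud.com ~all"',
    '"v=spf1 include:metapocket.io ~all"',
    '"v=spf1 include:amazonses.com ~all"',
    '"zoho-verification=zb03635298.zmverify.zoho.com"',
    '"apple-domain-verification=RaNdOmLeTtErSaNdNuMbErS"',
    '"apple-domain=4oc6zwBOLpmdRGr9"',
]


def spf_records(txt_records):
    """Return the unquoted TXT strings whose version tag is v=spf1."""
    clean = [r.strip('"') for r in txt_records]
    return [r for r in clean if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]


def select_record(txt_records):
    """RFC 7208 section 4.5 record selection: ('ok', record), ('none', None)
    or ('permerror', None) when more than one v=spf1 record is published."""
    records = spf_records(txt_records)
    if not records:
        return "none", None
    if len(records) > 1:
        return "permerror", None
    return "ok", records[0]


def lookup_count(record):
    """Count terms in this record that cost a DNS lookup (RFC 7208 section
    4.6.4 caps the total, including lookups inside included records, at 10)."""
    def costs_lookup(term):
        t = term.lower().lstrip("+-~?")
        return t in ("a", "mx", "ptr") or t.startswith(
            ("include:", "a:", "mx:", "ptr:", "exists:", "redirect="))
    return sum(costs_lookup(t) for t in record.split()[1:])


def merge_records(txt_records, domain):
    """Fold several v=spf1 records into the single record the domain should
    publish: dedupe terms, drop 'include:<domain>' (a record that includes
    itself only re-enters itself and spends lookups), keep one terminal 'all'
    using the qualifier from the first record."""
    mechanisms, seen, terminal = [], set(), "~all"
    for index, record in enumerate(spf_records(txt_records)):
        for term in record.split()[1:]:
            low = term.lower()
            if low.lstrip("+-~?") == "all":
                if index == 0:
                    terminal = term
                continue
            if low == f"include:{domain.lower()}" or low in seen:
                continue
            seen.add(low)
            mechanisms.append(term)
    return " ".join(["v=spf1", *mechanisms, terminal])
```

The merged record still needs its included domains' own lookups counted against the limit of 10; this block only counts the terms it can see in one record.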
We are using aws amplify for our social logins with signInWithRedirect.
When a user selects apple login on iphone and cancels the appleId popup, the user can't click any social login buttons anymore, including the apple one.
Refreshing the page resolves this.
We are currently using "Sign in with Apple for the web": https://developer.apple.com/help/account/configure-app-capabilities/configure-sign-in-with-apple-for-the-web/ but we do not publish apps on the App Store.
Because of corporate re-structuring, we need to migrate to a new Apple Developer / App Store Connect account. So we are looking to migrate "Sign in with Apple" users to the new account.
Apple does provide guides on how to do it: https://developer.apple.com/documentation/technotes/tn3159-migrating-sign-in-with-apple-users-for-an-app-transfer but unfortunately, it only works if "Sign in with Apple" is used with an app published on the App Store (it requires app transfer).
How should we handle this case? Please help.
Topic: Privacy & Security
SubTopic: General
Tags: Sign in with Apple REST API, Sign in with Apple, Sign in with Apple JS
Hello there,
I have been facing an issue with Apple sign-in on a React Native app.
I have been able to get the authorization and all codes in the frontend part.
The issue is on the backend, which is in PHP.
We first validate the identity token generated on the phone, then create a client secret, and then try to fetch the user info. The issue lies in the API call getAppleUser($authorizationCode, $clientId, $clientSecret); (function below), where we receive an error like:
{"error":"invalid_grant","error_description":"client_id mismatch. The code was not issued to com.marchup.prod.AppSSO."}
```php
// Imports needed at the top of the class file:
use Firebase\JWT\JWK;
use Firebase\JWT\JWT;
use GuzzleHttp\Client;
use Yii;

public function appleAuth($identityToken, $authorizationCode)
{
    if (!$identityToken || !$authorizationCode) {
        return $this->returnError(400, 'Missing identity token or authorization code');
    }
    try {
        // Validate identity token
        $decodedToken = $this->validateAppleToken($identityToken);

        // Generate client secret
        $config = Yii::$app->params['apple-auth'] ?? [];
        $teamId = $config['teamId'] ?? '';
        $clientId = $config['clientId'] ?? '';
        $keyId = $config['keyId'] ?? '';
        $privateKey = $config['privateKey'] ?? '';
        $clientSecret = $this->generateClientSecret($teamId, $clientId, $keyId, $privateKey);

        // Exchange the authorization code at Apple's token endpoint
        $appleUser = $this->getAppleUser($authorizationCode, $clientId, $clientSecret);

        // Verify the authorization code is valid
        if (!isset($appleUser['id_token'])) {
            throw new \Exception('Invalid authorization code');
        }

        // Extract user info from the identity token
        $userId = $decodedToken->sub;
        $email = $decodedToken->email ?? '';

        // login or signup code goes here (needs the user object definition)
        return $this->returnSuccess('Request successful', 200, [
            'userId' => $userId, 'email' => $email,
        ]);
    } catch (\Exception $e) {
        // Handle errors
        Yii::error('Error on apple login ' . $e->getMessage());
        return $this->returnError(500, 'Server Error');
    }
}
```
**This function is where I am creating a clientSecret as per Apple's guidelines:**
```php
// appleAuth() calls $this->generateClientSecret(), so the method name must match.
public function generateClientSecret($teamId, $clientId, $keyId, $privateKey)
{
    // $key = file_get_contents($privateKeyPath);  // alternative: read the .p8 file
    $key = $privateKey;
    $headers = [
        'kid' => $keyId,
        'alg' => 'ES256',
    ];
    $claims = [
        'iss' => $teamId,                 // Apple Team ID
        'iat' => time(),
        'exp' => time() + 86400 * 180,    // Apple allows at most 6 months after iat
        'aud' => 'https://appleid.apple.com',
        'sub' => $clientId,               // must equal the client_id sent to /auth/token
    ];
    return JWT::encode($claims, $key, 'ES256', $headers['kid']);
}
```
**This is the validateAppleToken function, which is not giving me an error:**
```php
public function validateAppleToken($identityToken)
{
    $client = new Client();
    $response = $client->get('https://appleid.apple.com/auth/keys');
    $keys = json_decode($response->getBody(), true)['keys'];

    // Pick the Apple JWK whose kid matches the token header
    $header = JWT::urlsafeB64Decode(explode('.', $identityToken)[0]);
    $headerData = json_decode($header, true);
    $kid = $headerData['kid'];
    $publicKey = null;
    foreach ($keys as $key) {
        if ($key['kid'] === $kid) {
            $publicKey = JWK::parseKey($key);
            break;
        }
    }
    if (!$publicKey) {
        throw new \Exception('Public key not found');
    }
    try {
        $decoded = JWT::decode($identityToken, $publicKey, ['RS256']);
        // The signature check alone does not bind the token to this app: callers
        // should also confirm $decoded->iss === 'https://appleid.apple.com' and that
        // $decoded->aud is the client_id this backend expects (bundle ID or Services ID).
        return $decoded;
    } catch (\Exception $e) {
        throw new \Exception('Token validation failed: ' . $e->getMessage());
    }
}
```
The response I got was:
```json
{
  "aud": "com.abc",
  "auth_time": 1718017883,
  "c_hash": "HSNFJSBdut5vk84QyK0xHA",
  "exp": 1718104283,
  "iat": 1718017883,
  "iss": "https://appleid.apple.com",
  "nonce": "2878cd1ac1fa121f75250f453edaac47365f5144f2e605e8b526a29cb62c83da",
  "nonce_supported": true,
  "sub": "001703.2a52ec72cb874a93986522fa35742bd4.1219"
}
```
After that we are mainly getting the error
{"error":"invalid_grant","error_description":"client_id mismatch. The code was not issued to com.marchup.prod.AppSSO."}
in this function:
```php
public function getAppleUser($authorizationCode, $clientId, $clientSecret)
{
    try {
        $client = new Client();
        // Apple expects the token request as application/x-www-form-urlencoded;
        // Guzzle's form_params does that. Guzzle also throws on 4xx/5xx by default,
        // so the status check below only runs for 2xx responses other than 200.
        $response = $client->post('https://appleid.apple.com/auth/token', [
            'form_params' => [
                'client_id' => $clientId,
                'client_secret' => $clientSecret,
                'code' => $authorizationCode,
                'grant_type' => 'authorization_code',
            ],
        ]);
        if ($response->getStatusCode() !== 200) {
            throw new \Exception('Failed to get user information from Apple. Status code: ' . $response->getStatusCode());
        }
        $data = json_decode($response->getBody(), true);
        // Check if the response contains the expected data
        if (!isset($data['access_token']) || !isset($data['id_token'])) {
            throw new \Exception('Invalid response from Apple. Missing access token or ID token.');
        }
        // Return the decoded data
        return $data;
    } catch (\Exception $e) {
        // Log any other unexpected errors
        Yii::error('Unexpected error: ' . $e->getMessage());
        // Re-throw the exception to propagate it further
        throw $e;
    }
}
```
Assumptions:
bundleId = com.marchup
serviceId I created as client_id = com.marchup.prod.AppSSO
team ID = as usual
keyId = the ID I created in the Apple Developer console.
And the private key is the key inside the private key file.
Can anyone please answer? What is mismatched here?
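A pre-flight check for the "client_id mismatch" response described above, as an added example that is not the poster's PHP. Apple binds an authorization code to the client_id it was issued for (the app's bundle ID in the native iOS flow, the Services ID in the web/JS flow), and the id_token that arrives with the code carries that client_id in its aud claim; comparing aud with the client_id the backend sends to /auth/token, and checking the client-secret claims against Apple's rules, shows which side is wrong before Apple is called. The bundle ID and Services ID used in the test are the poster's; the token itself is constructed with a dummy signature.

```python
"""Pre-flight check for Apple's "client_id mismatch" token-endpoint error.

Added example, not the poster's PHP. The id_token issued with an authorization
code names the client_id the code belongs to in 'aud'; the /auth/token request
and the client-secret JWT must use that same client_id. Tokens built by
make_unsigned_test_token() are constructed test data with a dummy signature.
"""
import base64
import json
import time

APPLE_ISSUER = "https://appleid.apple.com"
MAX_SECRET_LIFETIME = 15777000  # Apple's documented 6-month cap on a client secret


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def id_token_claims(id_token):
    """Read a JWT payload WITHOUT verifying it; diagnostics only, the signature
    is still checked against Apple's JWKS by the real validation path."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def check_exchange_client_id(id_token, exchange_client_id):
    """Return (ok, message). The client_id sent to /auth/token must equal aud."""
    claims = id_token_claims(id_token)
    if claims.get("iss") != APPLE_ISSUER:
        return False, f"unexpected issuer {claims.get('iss')!r}"
    aud = claims.get("aud")
    if aud != exchange_client_id:
        return False, (f"code was issued to {aud!r} but the token request uses "
                       f"{exchange_client_id!r}; exchange it with {aud!r}")
    return True, f"client_id {exchange_client_id!r} matches the id_token aud"


def check_client_secret_claims(claims, exchange_client_id, now=None):
    """Check the claims of a client-secret JWT against Apple's rules before signing."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != APPLE_ISSUER:
        problems.append("aud must be https://appleid.apple.com")
    if claims.get("sub") != exchange_client_id:
        problems.append("sub must equal the client_id sent to /auth/token")
    if claims.get("exp", 0) - claims.get("iat", now) > MAX_SECRET_LIFETIME:
        problems.append("exp may be at most 6 months after iat")
    if claims.get("exp", 0) <= now:
        problems.append("secret already expired")
    return problems


def make_unsigned_test_token(claims):
    """Constructed sample only: JWT-shaped string with a dummy signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "TEST"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.c2ln"
```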
When a user tries to remove the login using "Stop Using Apple ID", it should remove the app and login, but in my case nothing is happening. It's not removing either the login or the app from the logged-in list. The app is in TestFlight for testing.
Ideally, it should remove the login and app from the list as per the following article.
https://support.apple.com/en-in/102571
I read a few articles which say TestFlight could be buggy. Does anyone know how it could be fixed?
Hello, we use Apple ID as a sign-up/log-in method. When we released our App Store version, we switched from the beta to the market app. Our bundle IDs have changed, and now we are wondering whether there is any way to help users reach their old accounts using the market app with a different bundle ID, or any smart idea for approaching this problem.
Hello,
Could anyone please tell me if it is allowed to have email-password and passkeys as the only login methods? I remember reading something about having to include Sign in with Apple when I want to allow third-party login, and I'm wondering whether this rule only applies to OAuth providers like Google, or if it applies to passkeys as well, so that allowing users to sign in using passkeys while not providing Sign in with Apple would make my app fail App Review.
Thanks for your answers.
I'm currently facing an issue while implementing Sign in with Apple functionality in my Laravel application. Despite following the documentation and ensuring that my redirect URL is correctly configured, I'm encountering an "invalid_request" error with the message "Invalid web redirect URL."
Redirect URI: https://8aee-123-201-192-193.ngrok-free.app/apple/callback
Domain and Subdomain: https://8aee-123-201-192-193.ngrok-free.app
Despite ensuring that the redirect URI matches the one specified in my Apple Developer account, I'm still encountering this error. Could you please provide guidance on how to resolve this issue?
Additionally, I noticed that when creating the App ID, there's no explicit mention that the domain should not include the "http://" or "https://" prefix, yet when setting up the redirect URI, it seems that the prefix is required. Could you clarify this discrepancy and provide instructions on the correct setup procedure to avoid such issues in the future?
Good day folks,
We have a workflow setup where a new Sign in with Apple user registers (first SIWA login where user can pick name and show/hide email), and the server-side code obtains a refresh token from SIWA REST API. That refresh token is stored internally against the user's profile in the DB for future use.
Whenever a user account is deleted from the server side, we use that refresh token to revoke Sign in with Apple (so that the user would need to go through the registration flow rather than sign-in, where they have an option to specify name and show/hide email).
That has been working beautifully until we added an App Clip to the app. The code which obtains the refresh token "respects" the correct bundle ID for the main app / App Clip, and everything seems to work. Both of Apple's APIs return OK codes. In fact, we even get the email from Apple when the token is revoked, which reads "APP_NAME has revoked your Sign in with Apple account. Next time you use Sign in with Apple to sign in to your onUgo Access account, you will have to share your name and email again".
Problem is, it doesn't. SIWA still offers to "sign in" as if the account is still linked, and the app still shows up as "App using Sign in with Apple" in iPhone settings. What's even more mysterious is that you can't delete/revoke/"Stop using Apple ID" on that SIWA link with the app from iPhone settings either! It seems to work, but the app never goes away from the list, as if it fails silently.
Could anyone please help shed some light on this?
Topic: Privacy & Security
SubTopic: General
Tags: App Clips, Sign in with Apple REST API, Sign in with Apple
Trying to implement sign in with apple for a web app project that does not have an associated mobile app.
Do I really need an app ID in this situation as there's no option to proceed without selecting one?
Hi,
We did all the configuration as requested in the documentation for Apple Sign In. Sign-in from the app is happening properly, but when we try to verify the token with the backend we get the error below from the service:
{ "error": "invalid_grant", "error_description": "The code has expired or has been revoked." }
Are we missing anything?
I'm working on implementing Apple Sign In in an Angular application. I've successfully obtained the 'id_token', but I've noticed that the user's name is missing. I'm uncertain whether Apple provides the user's name in the 'id_token'. If it does, I'd like to know the steps to retrieve it correctly.
Topic: Privacy & Security
SubTopic: General
Tags: Developer Tools, Sign in with Apple, Developer Program
I'm setting up 'Sign in with Apple ID,' and the signup process is running smoothly. Users are redirected to the Apple login page, where they grant permission to share their email and name, followed by a callback. However, a problem occurs with users who are already registered. Ideally, for these users, the process should simply verify their credentials without asking for additional permissions, since the app is already authorized to access their email and name. But, they are being asked again for these permissions after logging in, suggesting they are creating the account in the app again. How can I indicate in the authorization request that a user has already been authorized so that the permissions screen doesn't reappear? Other providers handle this by adding the parameter 'prompt=none' to the request.
Hi
We are getting the error "Sign-Up not completed" in Apple Sign In. Apple Sign In works fine for old apps and old bundle IDs, but it's not working in new apps with new bundle IDs.
We checked with other Apple Developer team accounts and Apple Sign In is working on the same source code, but my team account is getting the error.
We enabled signing capabilities, added Sign in with Apple, and added the provisioning profile certificate as well, but I am still getting the same error.
I am trying to add Sign in with Apple, but when I attempt to add the capability in my app nothing happens in the list.
Is Apple not able to provide this feature yet in visionOS, or is there a bug, or am I missing something that isn't obvious?
Hello,
The issues we previously identified still need your attention.
If you have any questions, we are here to help. Reply to this message in App Store Connect and let us know.
Review Environment
Submission ID: 00fc9b08-3da8-4b89-8810-740174730062
Review date: April 21, 2024
Version reviewed: 1.0
Guideline 3.2.1 - Business - Other Business Model Issues - Acceptable
Your app provides financial services but does not meet all the requirements for apps providing these services. Specifically:
The app must be published under a seller and company name that is associated with the organization or company providing the services. In this case, your app must be published under a seller name and company name that reflects the Askmefund name.
The account that submits the app must be enrolled in the Apple Developer Program as an organization, and not as an individual.
These requirements give App Store users confidence that apps offering financial services are qualified to provide these services and will responsibly manage their data.
Please provide ownership documentation or modify the vendor seller name.
Please help me.
Topic: Privacy & Security
SubTopic: General
Tags: Sign in with Apple, App Store Connect API, Apple Business Manager, Developer Program
Summary:
Need help with Certificates, Identifiers and Profiles settings to allow two apps to use Sign in with Apple.
Background:
We have a web application (React, static JavaScript) that allows users to sign in with Apple, Google or Microsoft via OAuth/OIDC.
We are developing a mobile application using React Native and Expo.
Both the web application and the mobile application use the same backend (Django).
For the mobile application, we added Google and Microsoft sign in via the same web-based OAuth/OIDC flow. For Sign in with Apple, we are using the expo-apple-authentication package to get the required native sign in experience.
We have two active app identifiers:
org.terraso.terraso; web app; primary Apple ID
org.terraso.test.Terraso-LandPKS; mobile app; Group with an existing primary App ID (selected (1), the web app)
We have one services identifier:
org.terraso.app; primary ID is web app (app identifier 1) above; URLs have been configured
We have one app group:
group.org.terraso (seems unused)
On our backend app, we have code:
https://github.com/techmatters/terraso-backend/blob/abc655e83eaca849e2bc24389946cc4f0bcd9d48/terraso_backend/apps/auth/providers.py#L84
and APPLE_CLIENT_ID is set to org.terraso.app (which matches the services identifier above).
In my local development environment, I have tried a few different combinations of IDs attempting to get this to work using the iOS simulator:
(i) backend client id: org.terraso.app
mobile app bundle Id: org.terraso.test.Terraso-LandPKS
result: error: jwt.exceptions.InvalidAudienceError: Audience doesn't match
(ii) backend: org.terraso.app
mobile app: org.terraso.app
result: clicking "Sign In" in Apple ID dialog is a no-op (no errors from client or server)
(iii) backend: org.terraso.test.Terraso-LandPKS
mobile app: org.terraso.test.Terraso-LandPKS
result: works (but I can't use that in production, because the client ID is wrong)
How can I configure Sign in with Apple to allow both the web app, the mobile app (and possible additional mobile apps) to work with the same backend?
Do I need to use app groups? When do you use app groups vs "group with an existing primary Apple ID"?
Topic: Privacy & Security
SubTopic: General
Tags: iOS, Sign in with Apple REST API, Sign in with Apple, Sign in with Apple JS
We’re experiencing an issue with Apple SSO/OAuth that has started happening recently (first encountered about a week ago, but we’re not sure if that’s actually the first instance). When a NEW registration is received (including when a user unlinks their “login with apple” from their settings), we’re not getting the email or fullName despite our scopes including them. When we try with a brand new iCloud account that we know hasn’t been used on our service, we get the email but still no name.
Has something changed recently in how we should be retrieving this data? We’re working with firebase and react-native, and it’s happening on both web and native.
There’s nothing that’s changed auth-wise on our end. We did migrate subdomains but we updated them in the services section for private relay.