invalid_client on hitting REST API with iOS App authorizationCode & identityToken

App & System Services General
gcledingham OP
Created Jul ’19
Replies 7
Boosts 0
Views 19k
Participants 8

Hey there, I'm trying to get Sign In with Apple integrated into a native iOS app, and am running into troubles trying to validate the data coming back in ASAuthorizationAppleIDCredential over the REST API on my app's server-side.


I am using the endpoint https://appleid.apple.com/auth/token with the body data containing client_id, code, grant_type and client_secret.


The values for these are as follows:


client_id: <the iOS app's ID com.blah.blah.blah..>

code: <authorizationCode from ASAuthorizationAppleIDCredential>
grant_type: <authorization_code - as I am trying to verify the authorization code>
client_secret: <identityToken from ASAuthorizationAppleIDCredential>


When I submit the post request, I constantly get invalid_client on grant_type of authorization_code. No further error response is present at all, so I'm grasping at straws a bit.


If anyone has experience fetching the code/secret from native, and then verifying these over the REST API from a server, I'd be very appreciative to hear any insights.


Thanks!

Answered by gcledingham in 374764022

After digging further online, I managed to find a blog post by Curtis Herbert here: https://blog.curtisherbert.com/so-theyve-signed-in-with-apple-now-what/


This article is the missing documentation that Apple is lacking currently, would definitely reccomend giving it a read over if you are similarily trying to validate client tokens on your own server.


I had misunderstood the provided Sign In with Apple API's and was trying to use the web token API to do this job for me, when you really need to use the auth/token endpoint to grab Apple's public key, and decode the identityToken signed JWT using that.


I built a very simple PHP plugin to do this job after my continued research, if it could be of any help to anyone:
https://github.com/GriffinLedingham/php-apple-signin

Replies  7
Boosts  0
Views  19k
Participants  8
OP
Apple
Jul ’19

Hi


You said:

"client_secret: <identityToken from ASAuthorizationAppleIDCredential>"


The ID token is not the client secret to use when invoking the token endpoint. See the section "Creating the Client Secret" at https://developer.apple.com/documentation/signinwithapplerestapi/generate_and_validate_tokens

0
gcledingham OP
Aug ’19
Accepted Answer

After digging further online, I managed to find a blog post by Curtis Herbert here: https://blog.curtisherbert.com/so-theyve-signed-in-with-apple-now-what/


This article is the missing documentation that Apple is lacking currently, would definitely reccomend giving it a read over if you are similarily trying to validate client tokens on your own server.


I had misunderstood the provided Sign In with Apple API's and was trying to use the web token API to do this job for me, when you really need to use the auth/token endpoint to grab Apple's public key, and decode the identityToken signed JWT using that.


I built a very simple PHP plugin to do this job after my continued research, if it could be of any help to anyone:
https://github.com/GriffinLedingham/php-apple-signin

2
carere OP
Sep ’19

Hello here,


I always get the error `invalid_client`.


I don't understand how can i pass this error. Can you xplain what you did ?


I don't unserstand your solution... or how i should use your php plugin


Best regards

1
AJ OP
Feb ’20

How does this reply help. The reply does not go into the issue with auth/token endpoint. That endpoint requires a client_secret and a client_id, and it looks like Apple does not like one of the two. Why?

1
Yernur OP
Jul ’21

Same error happen with me. I try to many methods and anything helped me. I read description about error "invalid_client" from Apple documentation .

"The client authentication failed, typically due to a mismatched or invalid client identifier, invalid client secret (expired token, malformed claims, or invalid signature), or mismatched or invalid redirect URI."

Not helpful description.

1
faranshery OP
Jun ’22

go to Certificates, Identifiers & Profiles -> identifiers -> select the service id you are using and click "configure" against the sign in with apple option and add your domain names that you are trying to access the apple services from in "Website URLs" section.

0
Sithara OP
Sep ’22

Hi,

I have the same issue. Tried the following curl with the postman also. but continuously receiving 400 bad request responses with invalid_client.

curl --location --request POST 'https://appleid.apple.com/auth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'code=<code>' \
--data-urlencode 'redirect_uri=<base_url>/oauth2/callback/apple' \
--data-urlencode 'client_id=<service_id_from_developer_console>' \
--data-urlencode 'client_secret=<private_key_downloaded_from_keys_in_developer_console>'

please let me know if there's a way to overcome this issue.

Note: Do I need to verify the web applications domain prior to this

Thank you

0
invalid_client on hitting REST API with iOS App authorizationCode & identityToken
First post date Last post date
 
 
Q