I'm working on integrating Sign In with Apple into my app. The app is written in React Native using expo and I'm using this component nearly exactly for now. https://docs.expo.io/versions/latest/sdk/apple-authentication/#usage
I've been able to successfully generate the Authorization Grant code with this component, however, I've been unable to validate it server side. Here is the error I'm currently getting:
{
"error": "invalid_grant",
"error_description": "The code has expired or has been revoked."
}
Details
I've added a Sign In with Apple key to my app and downloaded the private key. I've published the app to TestFlight so I get my own bundle identifier and not Expo's in the simulator.
This is the format of the authorization grant code from a first request (not JSON-formatted, as it's output from Go):
{
realUserStatus:1 ,
authorizationCode:xxxx ,
fullName:{
middleName:null
nameSuffix:null
namePrefix:null
givenName:null
familyName:null
nickname:null}
state:null
identityToken:xxxxxxx
email:null
user:xxxxx
}
I'm using this library to generate the verification request: https://github.com/pagnihotry/siwago I'm running a Go script from my laptop (not a domain associated with the app), as well as copying/pasting information into Postman.
Both methods are using x-www-form-urlencoded. The Go app is signing the client_secret, and I assume it's doing so correctly because I'm no longer getting a 400 invalid_client. I've decoded the client_secret and confirmed that the validation request is formatted as follows:
{
"alg": "ES256",
"kid": "SECRET_KEY_ID"
}
{
"iss": "TEAM_ID",
"iat": 1626740200,
"exp": 1629332200,
"aud": "https://appleid.apple.com",
"sub": "BUNDLE_ID"
}
I've confirmed that the client secret is signed with my private key by validating it against my private key's public complement.
The form data for the authorization request to https://appleid.apple.com/auth/token is (no punctuation on values):
client_id: [BUNDLE_ID]
client_secret: [signed secret]
code: [authorizationCode] (from the Authorization grant code)
grant_type: authorization_code
redirect_uri: [left empty in go, not a key in Postman]
I've requested my authorization code repeatedly and thought that I might be throttled, but then I tried a brand new one on the first attempt and still got the invalid_grant response.
Looking for any help, I've spent the past two solid days on this and am exhausted.
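As an added, stand-alone example (not the poster's code and not the siwago library), the Go program below reproduces the two pieces of the server-side exchange described in the post so each can be checked in isolation: it builds the client_secret as an ES256 JWS with exactly the header and claim set shown above, verifies that JWS against the public half of the key (as the poster did) plus the claim rules Apple applies (aud must be https://appleid.apple.com, sub must be the client_id, exp at most 15777000 seconds, i.e. six months, after iat per Apple's documentation), and encodes the x-www-form-urlencoded body for the /auth/token request with redirect_uri omitted. TEAM_ID, SECRET_KEY_ID and BUNDLE_ID are the post's placeholders; the P-256 key is generated at runtime as a constructed stand-in for the downloaded .p8 file, and the authorization code is a constructed string. Everything uses the Go standard library only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
)

// Placeholder identifiers copied from the post; the real values come from the Apple developer portal.
const (
	teamID   = "TEAM_ID"
	keyID    = "SECRET_KEY_ID"
	bundleID = "BUNDLE_ID"
	appleAud = "https://appleid.apple.com"
)

// MaxSecretLifetime is Apple's ceiling on exp - iat for a client_secret (six months, in seconds).
const MaxSecretLifetime int64 = 15777000

// Header and Claims mirror the decoded client_secret shown in the post.
type Header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}
type Claims struct {
	Iss string `json:"iss"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildClientSecret produces header.claims.signature using ES256 (ECDSA P-256 over SHA-256).
// The JWS signature is the raw r||s pair padded to 32 bytes each, not an ASN.1 DER blob.
func BuildClientSecret(key *ecdsa.PrivateKey, iat, exp int64) (string, error) {
	h, err := json.Marshal(Header{Alg: "ES256", Kid: keyID})
	if err != nil {
		return "", err
	}
	c, err := json.Marshal(Claims{Iss: teamID, Iat: iat, Exp: exp, Aud: appleAud, Sub: bundleID})
	if err != nil {
		return "", err
	}
	signingInput := b64(h) + "." + b64(c)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// VerifyClientSecret checks the ES256 signature with the public key and then the claim rules
// that Apple enforces on the client_secret. It returns the parsed claims on success.
func VerifyClientSecret(token string, pub *ecdsa.PublicKey) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS: expected three dot-separated parts")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("signature is not 64 raw r||s bytes")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature does not verify against the public key")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	if c.Aud != appleAud {
		return nil, fmt.Errorf("aud %q must be %q", c.Aud, appleAud)
	}
	if c.Sub != bundleID {
		return nil, fmt.Errorf("sub %q must equal the client_id %q", c.Sub, bundleID)
	}
	if c.Exp <= c.Iat || c.Exp-c.Iat > MaxSecretLifetime {
		return nil, fmt.Errorf("exp must lie within %d seconds after iat", MaxSecretLifetime)
	}
	return &c, nil
}

// TokenRequestBody encodes the form fields from the post for POST /auth/token.
// redirect_uri is left out entirely, matching the Postman request rather than sending it empty.
func TokenRequestBody(clientSecret, authorizationCode string) string {
	v := url.Values{}
	v.Set("client_id", bundleID)
	v.Set("client_secret", clientSecret)
	v.Set("code", authorizationCode)
	v.Set("grant_type", "authorization_code")
	return v.Encode()
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed stand-in for the .p8 key
	if err != nil {
		panic(err)
	}
	secret, err := BuildClientSecret(key, 1626740200, 1629332200) // iat/exp from the post
	if err != nil {
		panic(err)
	}
	if _, err := VerifyClientSecret(secret, &key.PublicKey); err != nil {
		panic(err)
	}
	fmt.Println(TokenRequestBody(secret, "constructed-authorization-code"))
}
```

If VerifyClientSecret passes on the real secret, the JWS itself is not the cause of invalid_grant and attention can move to the code parameter: the body printed by TokenRequestBody is the exact byte string to compare against what the Go script and Postman send.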