Hello everyone,
I am aware this has been asked quite a few times, but here we go:
I am trying to get a user JWT from https://appleid.apple.com/auth/token by sending a POST request via cURL in the following format (as specified at https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens ):
curl -v -X POST "https://appleid.apple.com/auth/token" \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d 'client_id=CLIENT_ID' \
  -d 'client_secret=CLIENT_SECRET' \
  -d 'code=CODE' \
  -d 'grant_type=authorization_code'
where client_id is my bundle ID, code is random, and client_secret is generated via the Ruby script that is circulating the web:
require 'openssl'
require 'jwt'

key_file  = 'testkey.p8'   # the .p8 downloaded from the developer portal
team_id   = '...'
client_id = '...'          # bundle ID of the App ID
key_id    = '...'          # Key ID shown for the .p8 in the portal
ecdsa_key = OpenSSL::PKey::EC.new(IO.read(key_file))
headers = {
  'kid' => key_id
}
claims = {
  'iss' => team_id,
  'iat' => Time.now.to_i - 86400,
  'exp' => Time.now.to_i + 2*86400,   # Apple accepts exp at most 6 months (15777000 s) after iat
  # 'exp' => Time.now.to_i + 86400*180,
  'aud' => 'https://appleid.apple.com',
  'sub' => client_id,
}
token = JWT.encode(claims, ecdsa_key, 'ES256', headers)
puts token
Ignore the timestamps; I've been trying to play around with them quite a bit.
I would have expected the error "invalid_grant", alas I'm getting "invalid_client".
My flow to create the app: I registered an App ID under Identifiers, then I registered a private key under Keys for the created app, and I also checked Sign In with Apple for both.
I tried this for the original app, where the generated key was older than 48 hours (some said it might take a while for Apple to consider the key valid).
I also created a new app, where the key was just created, so I'm going to try it in a few hours. Although at the moment, it's still the invalid_client error.
What I tried so far (I might be forgetting a few):
- Playing around with iat and exp fields for client_secret generation
- Sending a User-Agent header as well
- Generating client_secret via PHP (firebase/jwt) and Ruby
Also, regarding the architecture: I have an iOS app that hits a Laravel (PHP) backend and gets the user token in the end, but it fails on the very first step. I've moved to using cURL to avoid any unexpected problems and would be extremely happy if I managed to get the error "invalid_grant" via cURL.
Any help or insights would be highly appreciated!
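As an added example, not part of the original post and not the poster's code, the script below builds the client_secret JWT with only Ruby's standard library (no jwt gem) and then checks the finished token against the requirements Apple documents for it (ES256, kid header, iss = Team ID, sub = client_id, aud = https://appleid.apple.com, exp no more than 6 months after iat, and a signature that verifies under the key) before anything is sent to /auth/token. It generates a throwaway P-256 key in place of the .p8 from the portal, and TEAM_ID, com.example.app and KEY_ID are placeholder values. It also shows the detail the jwt gem hides: OpenSSL returns ECDSA signatures as a DER SEQUENCE, while JWS ES256 needs the raw 64-byte r||s form.

```ruby
require 'openssl'
require 'json'

# Constraints Apple documents for the client_secret JWT.
APPLE_AUD = 'https://appleid.apple.com'
APPLE_MAX_LIFETIME = 15_777_000 # exp may be at most 6 months after iat

def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0')
end

# OpenSSL emits ECDSA signatures as DER SEQUENCE { r INTEGER, s INTEGER };
# JWS ES256 requires the raw 64-byte r||s encoding, so convert both ways.
def der_to_raw(der)
  r, s = OpenSSL::ASN1.decode(der).value.map { |int| int.value.to_s(2) }
  r.rjust(32, "\x00".b) + s.rjust(32, "\x00".b)
end

def raw_to_der(raw)
  r = OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(raw[0, 32], 2))
  s = OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(raw[32, 32], 2))
  OpenSSL::ASN1::Sequence.new([r, s]).to_der
end

# Builds the client_secret the same way the jwt gem does: ES256 over
# base64url(header).base64url(claims), with the Key ID in the header.
def build_client_secret(key, team_id:, client_id:, key_id:, now: Time.now.to_i, lifetime: 86_400)
  header = { 'alg' => 'ES256', 'kid' => key_id }
  claims = { 'iss' => team_id, 'iat' => now, 'exp' => now + lifetime,
             'aud' => APPLE_AUD, 'sub' => client_id }
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(claims))}"
  der_sig = key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url_encode(der_to_raw(der_sig))}"
end

# Checks a client_secret against Apple's documented requirements before it
# is sent. Returns a list of problems; an empty list means the token is
# well-formed for the given Team ID, bundle ID and Key ID.
def check_client_secret(jwt, key, team_id:, client_id:, key_id:, now: Time.now.to_i)
  parts = jwt.split('.')
  return ['token must have exactly three dot-separated parts'] unless parts.length == 3
  h, p, s = parts
  header  = JSON.parse(b64url_decode(h))
  claims  = JSON.parse(b64url_decode(p))
  raw_sig = b64url_decode(s)

  problems = []
  problems << 'alg must be ES256' unless header['alg'] == 'ES256'
  problems << 'kid must be the Key ID of the .p8 from the developer portal' unless header['kid'] == key_id
  problems << 'iss must be the Team ID' unless claims['iss'] == team_id
  problems << 'sub must equal the client_id (bundle ID) sent in the form' unless claims['sub'] == client_id
  problems << "aud must be #{APPLE_AUD}" unless claims['aud'] == APPLE_AUD
  problems << 'iat is in the future' if claims['iat'].to_i > now
  problems << 'exp is already in the past' if claims['exp'].to_i <= now
  problems << 'exp - iat exceeds 6 months' if claims['exp'].to_i - claims['iat'].to_i > APPLE_MAX_LIFETIME
  if raw_sig.bytesize != 64
    problems << 'signature is not the raw 64-byte r||s encoding'
  elsif !key.verify(OpenSSL::Digest.new('SHA256'), raw_to_der(raw_sig), "#{h}.#{p}")
    problems << 'signature does not verify with this key'
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  # Throwaway P-256 key standing in for the .p8 downloaded from the portal;
  # TEAM_ID, com.example.app and KEY_ID are placeholder values.
  key = OpenSSL::PKey::EC.generate('prime256v1')
  ids = { team_id: 'TEAM_ID', client_id: 'com.example.app', key_id: 'KEY_ID' }
  secret = build_client_secret(key, **ids)
  puts secret
  puts check_client_secret(secret, key, **ids).inspect           # well-formed: []
  long_lived = build_client_secret(key, **ids, lifetime: 365 * 86_400)
  puts check_client_secret(long_lived, key, **ids).inspect       # flags the 6-month limit
end
```

Run it with the real .p8 loaded via OpenSSL::PKey::EC.new(File.read('AuthKey_KEYID.p8')) and the real Team ID, bundle ID and Key ID to rule out a malformed token. The check can only catch problems in the token itself; a key that the portal does not associate with the App ID, or a Team ID or Key ID copied from the wrong place, still produces a token that passes every check here and is rejected by Apple.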