Summary: Need help with Certificates, Identifiers and Profiles settings to allow two apps to use Sign in with Apple.
Background: We have a web application (React, static JavaScript) that allows users to sign in with Apple, Google or Microsoft via OAuth/OIDC.
We are developing a mobile application using React Native and Expo.
Both the web application and the mobile application use the same backend (Django).
For the mobile application, we added Google and Microsoft sign in via the same web-based OAuth/OIDC flow. For Sign in with Apple, we are using the expo-apple-authentication package to get the required native sign in experience.
We have two active app identifiers:
- org.terraso.terraso; web app; primary Apple ID
- org.terraso.test.Terraso-LandPKS; mobile apple; Group with an existing primary App ID (selected (1), the web app)
We have one services identifier:
- org.terraso.app; primary ID is web app (app identifier 1) above; URLs have been configured
We have one app group:
- group.org.terraso (seems unused)
On our backend app, we have code: https://github.com/techmatters/terraso-backend/blob/abc655e83eaca849e2bc24389946cc4f0bcd9d48/terraso_backend/apps/auth/providers.py#L84
and APPLE_CLIENT_ID
is set to org.terraso.app (which matches the services identifier above
In my local development environment, I have tried a few different combinations of IDs attempting to get this to work using the iOS simulator:
(i) backend client id: org.terraso.app
mobile app bundle Id: org.terraso.test.Terraso-LandPKS
result: error: jwt.exceptions.InvalidAudienceError: Audience doesn't match
(ii) backend: org.terraso.app
mobile app: org.terraso.app
result: clicking "Sign In" in Apple ID dialog is a no-op (no errors from client or server)
(iii) backend: org.terraso.test.Terraso-LandPKS
mobile app: org.terraso.test.Terraso-LandPKS
result: works (but I can't use that in production, because the client ID is wrong)
How can I configure Sign in with Apple to allow both the web app, the mobile app (and possible additional mobile apps) to work with the same backend?
Do I need to us app groups? When do you use app groups vs "group with an existing primary apple id"?