`invalid_request` when validating Apple sign-in token generated from app

We've had Sign in with Apple integrated and working since 2020. Recently we've started seeing `invalid_request` errors from the token validation API when we submitted our app for review. However, we are unable to reproduce this issue when testing the TestFlight build (it occurs only on the App Review team's device). We've also tested on a device with similar specs and failed to reproduce the issue.

App Review device details:

  • Device type: iPad Air (5th generation)
  • OS version: iOS 17.4.1

Here's a sample of the validation request.

import requests

url = "https://appleid.apple.com/auth/token"
headers = {"content-type": "application/x-www-form-urlencoded"}
body = {
    "client_secret": client_secret,  # the ES256 JWT generated below
    "code": authorization_code,      # code generated in the app
    "client_id": bundle_id,          # bundle id of the app
    "grant_type": "authorization_code",
}
response = requests.post(url, headers=headers, data=body)

We are not adding redirect_uri to the body since we don't use Apple sign-in on the web.

We generate the client_secret with the private key from Keys in the Apple Developer dashboard and use the following header and payload.

import time
import jwt  # PyJWT

header = {
    "alg": "ES256",
    "typ": "JWT",
    "kid": key_id,  # Key ID from the developer dashboard
}
now = int(time.time())
payload = {
    "iss": team_id,                    # Team ID
    "iat": now,                        # current timestamp in seconds
    "exp": now + 180 * 24 * 60 * 60,   # current timestamp + 180 days
    "aud": "https://appleid.apple.com",
    "sub": bundle_id,                  # bundle id of the app (same as client_id above)
}
client_secret = jwt.encode(payload, private_key_pem, algorithm="ES256", headers=header)

The only error description we get is `invalid_request`, which does not help find the root cause of the issue.

We haven't made any changes with respect to Apple sign-in in this build; the only changes we have made are updating all third-party SDKs and adding the privacy manifest file, which I'm sure should not affect Sign in with Apple.
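As an added example, not code from the original post: a Go program, standard library only, that builds the client_secret the way the post describes (ES256 with the kid in the header; iss, iat, exp, aud and sub in the payload) and then re-verifies it offline against the rules Apple publishes for this JWT, so a malformed secret is caught before the token request ever reaches appleid.apple.com. The Key ID, Team ID and bundle ID are made-up placeholders, and the P-256 key is generated on the fly in place of the .p8 file downloaded from the developer portal. Go is used here so the check runs without a third-party JWT library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const MaxClientSecretLifetime = 15777000 * time.Second // Apple's documented ceiling: exp at most six months after iat
const AppleAudience = "https://appleid.apple.com"

type header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"` // Key ID of the .p8 signing key
}

type claims struct {
	Iss string `json:"iss"` // Team ID
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Aud string `json:"aud"`
	Sub string `json:"sub"` // client_id: bundle ID (native app) or Services ID (web)
}

// BuildClientSecret produces the JWT that goes in the client_secret form field.
func BuildClientSecret(key *ecdsa.PrivateKey, kid, teamID, clientID string, now time.Time, ttl time.Duration) (string, error) {
	if ttl <= 0 || ttl > MaxClientSecretLifetime {
		return "", fmt.Errorf("ttl %v is outside (0, six months]", ttl)
	}
	hdr, _ := json.Marshal(header{Alg: "ES256", Kid: kid})
	pl, _ := json.Marshal(claims{Iss: teamID, Iat: now.Unix(), Exp: now.Add(ttl).Unix(), Aud: AppleAudience, Sub: clientID})
	signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(pl)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 (RFC 7518) is raw R||S (64 bytes), not the ASN.1 DER sequence most ECDSA APIs emit.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// CheckClientSecret re-verifies a secret offline: JWS shape, alg and kid, Apple's claim rules, signature.
func CheckClientSecret(token string, pub *ecdsa.PublicKey, teamID, clientID string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("not a three-part JWS")
	}
	hb, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	pb, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	h, c := header{}, claims{}
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hb, &h) != nil || json.Unmarshal(pb, &c) != nil {
		return fmt.Errorf("segments are not unpadded base64url JSON")
	}
	switch {
	case h.Alg != "ES256":
		return fmt.Errorf("alg %q, want ES256", h.Alg)
	case h.Kid == "":
		return fmt.Errorf("missing kid")
	case c.Aud != AppleAudience:
		return fmt.Errorf("aud %q, want %s", c.Aud, AppleAudience)
	case c.Iss != teamID:
		return fmt.Errorf("iss %q does not match the Team ID", c.Iss)
	case c.Sub != clientID:
		return fmt.Errorf("sub %q does not match client_id %q", c.Sub, clientID)
	case c.Exp <= now.Unix():
		return fmt.Errorf("client secret expired at %d", c.Exp)
	case c.Exp-c.Iat > int64(MaxClientSecretLifetime/time.Second):
		return fmt.Errorf("exp is more than six months after iat")
	case len(sig) != 64:
		return fmt.Errorf("signature is %d bytes, want 64 (raw R||S, not DER)", len(sig))
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return fmt.Errorf("signature does not verify against the key")
	}
	return nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ephemeral stand-in for the .p8 key; IDs below are placeholders
	secret, err := BuildClientSecret(key, "ABC123DEFG", "TEAMID1234", "com.example.app", time.Now(), 180*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("check:", CheckClientSecret(secret, &key.PublicKey, "TEAMID1234", "com.example.app", time.Now()))
}
```

To run the check against a production secret, load the downloaded .p8 with x509.ParsePKCS8PrivateKey and pass its public half to CheckClientSecret together with the Team ID and the client_id you send in the form body. A secret that passes this check and is still rejected points away from the JWT itself and toward the other values in the request or the account configuration, which is the distinction the support reply below is trying to draw. A signature of roughly 70 bytes instead of 64 is the usual sign that a library emitted DER rather than the raw R||S that JWS requires.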

@billsby did you find a solution to this?

Hi @billsby,

Before I begin my investigation, I want to explain our code-level support process for issues related to Sign in with Apple—as the issue you’re reporting may be the result of any of the following:

  • An error in your app or web service request.
  • A configuration issue in your Developer Account.
  • An internal issue in the operating system or Apple ID servers.

To ensure the issue is not caused by an error within your app or web service request, please review TN3107: Resolving Sign in with Apple response errors to learn more about common error causes and potential solutions when performing requests.

If the technote does not help identify the cause of the error, I need more information about your app or web services to get started. To prevent sending sensitive JSON Web Tokens (JWTs) in plain text, you should create a report in Feedback Assistant to share the details requested below. Additionally, if I determine the error is caused by an internal issue in the operating system or Apple ID servers, the appropriate engineering teams have access to the same information and can communicate with you directly for more information, if needed. Please follow the instructions below to submit your feedback.

For issues occurring with your native app, perform the following steps:

  1. Install the Accounts/AuthKit profile on your iOS, macOS, tvOS, watchOS, or visionOS device.
  2. Reproduce the issue and make a note of the timestamp when the issue occurred, while optionally capturing screenshots or video.
  3. Gather a sysdiagnose on the same iOS, macOS, tvOS, watchOS, or visionOS device.
  4. Ensure your feedback contains the following information:
    1. the primary App ID or Bundle ID
    2. the user’s Apple ID, email address, and/or identity token
    3. the sysdiagnose gathered after reproducing the issue
    4. the timestamp of when the issue was reproduced
    5. screenshots or videos of errors and unexpected behaviors (optional)

For issues occurring with your web service, ensure your feedback contains the following information:

  • the primary App ID and Services ID
  • the user’s Apple ID, email address, and/or identity token
  • the failing request, including all parameter values, and error responses (if applicable)
  • the timestamp of when the issue was reproduced (optional)
  • screenshots or videos of errors and unexpected behaviors (optional)

Important: If providing a web service request, please ensure the client secret (JWT) has an extended expiration time (exp) of at least three (3) days, so I have enough time to diagnose the issue. Additionally, if your request requires access token or refresh tokens, please provide refresh tokens as they do not have a time-based expiration time; most access tokens have a maximum lifetime of one (1) hour, and will expire before I have a chance to look at the issue.

Submitting your feedback

Before you submit to Feedback Assistant, please confirm the requested information above (for your native app or web service) is included in your feedback. Failure to provide the requested information will only delay my investigation into the reported issue within your Sign in with Apple client.

After your submission to Feedback Assistant is complete, please respond to this post with the Feedback ID. Once received, I can begin my investigation and determine if this issue is caused by an error within your client, a configuration issue within your developer account, or an underlying system bug.

Cheers,

Paris
