Hello,
Could anyone please tell me, if it is allowed to have email-password and passkeys as only login methods? I remember reading somthing about having to include sign-by-apple first when I want to allow third party login, and I'm wandering whether this rule only applies to OAuth like google, or if it applies to passkeys as well and allowing users to sign-in using passkeys while not providing sign by apple would make my app not pass app review.
Thanks for your answers.
Prioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.
Post
Replies
Boosts
Views
Activity
I'm currently facing an issue while implementing Sign in with Apple functionality in my Laravel application. Despite following the documentation and ensuring that my redirect URL is correctly configured, I'm encountering an "invalid_request" error with the message "Invalid web redirect URL."
Redirect URI: https://8aee-123-201-192-193.ngrok-free.app/apple/callback
Domain and Subdomain: https://8aee-123-201-192-193.ngrok-free.app
Despite ensuring that the redirect URI matches the one specified in my Apple Developer account, I'm still encountering this error. Could you please provide guidance on how to resolve this issue?
Additionally, I noticed that when creating the App ID, there's no explicit mention that the domain should not include the "http://" or "https://" prefix, yet when setting up the redirect URI, it seems that the prefix is required. Could you clarify this discrepancy and provide instructions on the correct setup procedure to avoid such issues in the future?
Hello,
I have implemented Sign in with Apple in my iOS app and am currently trying to implement the revocation feature. However, I keep encountering an invalid_client error when calling the Apple authentication/revocation API.
Here are the details of my configuration:
Team ID: HUGD2H952H
Client ID: com.puppylink.puppylinkapp
Key ID: KXSYK98424
I am using these details to generate a client secret with the JWT ES256 algorithm. Below is the code I am using on the backend server to generate the client secret:
private fun makeClientSecret(): String {
val now: ZonedDateTime = ZonedDateTime.now(ZoneOffset.UTC)
val expirationTime: ZonedDateTime = now.plusMinutes(5) // Setting expiration time to 5 minutes
return Jwts.builder()
.setHeaderParam(JwsHeader.KEY_ID, appleProperties.keyId)
.setHeaderParam("alg", "ES256")
.setIssuer(appleProperties.teamId)
.setIssuedAt(Date.from(now.toInstant()))
.setExpiration(Date.from(expirationTime.toInstant()))
.setAudience("https://appleid.apple.com")
.setSubject(appleProperties.clientId)
.signWith(getPrivateKey(), SignatureAlgorithm.ES256)
.compact()
}
private fun getPrivateKey(): PrivateKey {
val resource = ClassPathResource(appleProperties.privateKeyFile)
val privateKey = String(Files.readAllBytes(Paths.get(resource.uri)))
val pemReader: Reader = StringReader(privateKey)
val pemParser = PEMParser(pemReader)
val converter = JcaPEMKeyConverter()
val keyInfo = pemParser.readObject() as PrivateKeyInfo
return converter.getPrivateKey(keyInfo)
}
}
Additionally, here is the code used to call the Apple authentication API from the backend server:
@Service
class AppleAuthService(
private val appleProperties: AppleProperties,
) {
private val logger = LoggerFactory.getLogger(javaClass)
private val restTemplate = RestTemplate()
fun getTokens(authorizationCode: String): TokenResponse {
try {
val clientSecret = makeClientSecret()
val formData: MultiValueMap<String, String> = LinkedMultiValueMap()
formData.add("client_id", appleProperties.clientId)
formData.add("client_secret", clientSecret)
formData.add("code", authorizationCode)
formData.add("grant_type", "authorization_code")
val headers = HttpHeaders()
headers.contentType = MediaType.APPLICATION_FORM_URLENCODED
val requestEntity = HttpEntity(formData, headers)
val response =
restTemplate.postForObject(
"https://appleid.apple.com/auth/token",
requestEntity,
TokenResponse::class.java,
)
return response ?: throw RuntimeException("Failed to retrieve tokens from Apple")
} catch (ex: Exception) {
logger.error("Error retrieving tokens: ", ex)
throw ex
}
}
data class TokenResponse(
val access_token: String,
val expires_in: Long,
val id_token: String,
val refresh_token: String,
val token_type: String,
)
Despite generating the client secret correctly, I am still receiving the invalid_client error when calling the API. Could you please help me identify the cause of this error and provide guidance on how to resolve it?
Thank you.
When user is trying to remove login using "Stop Using Apple Id", it should remove the app and login but in my case, nothing is happening. Its not removing either login or app from the logged in list. App is in Testflight for testing.
Ideally, it should remove the login and app from the list as per the following article.
https://support.apple.com/en-in/102571
Read few article, which says testflight could be buggy. Anyone knows how it could be fixed?
I have an app at work that supports Sign In With Apple so that users can create accounts and have their data synced to servers.
A couple of years ago one of the users created an account using Sign In With Apple, choosing to use Hide My Email as well (so that their email that the app received looks like *****@privaterelay.appleid.com).
The legacy in-house backend of the app unfortunately uses email addresses as user identifiers with the unlucky assumption that emails remain the same. The app doesn't offer users the ability to change email addresses.
The user in question recently reported that since very recently they are no longer able to use the app. It turns out that their Sign In With Apple email address for my app had changed at some point. They shared an iPhone screenshot of their Sign In With Apple settings for the app. The screenshot says that they created an account for this app two years ago, but the email address in the "This app received" field is different to one that they initially signed up with, and it's also a Hide My Email address.
It's important to note that this app was also transferred between developer accounts about a year ago, and since then this user, including thousands of other users didn't have issues using Sign In With Apple.
So my main question is: in what scenario it's possible for the email associated with a Sign In With Apple account for an app to change without creating a new account?
Since my question exceeds 700 words, please check it in the attachment. Thank you!
Question
import AppleProvider from 'next-auth/providers/apple';
export const appleProvider = AppleProvider({
name: 'Apple',
clientId: process.env.NEXT_PUBLIC_APPLE_CLIENT_ID as string,
clientSecret: process.env.NEXT_PUBLIC_APPLE_CLIENT_SECRET as string,
idToken: true,
authorization: {
url: 'https://appleid.apple.com/auth/authorize',
params: {
clientId: process.env.NEXT_PUBLIC_APPLE_CLIENT_ID as string,
scope: 'openid email name',
response_type: 'code',
response_mode: 'form_post',
},
},
token: {
url: 'https://appleid.apple.com/auth/token',
async request(context) {
console.log('----context', { context });
const url =
https://appleid.apple.com/auth/token +
?code=${context.params.code} +
&client_id=${context.provider.clientId} +
&client_secret=${context.provider.clientSecret} +
&redirect_uri=${context.provider.callbackUrl} +
&grant_type=authorization_code;
const response = await fetch(url, {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
},
});
console.log('----response', { response });
const tokens = await response.json();
console.log('----tokens', { tokens });
return { tokens };
},
},
});
Hello, I need to verify my domain and email with spf
I need to use Signin with apple with private relay service
Here is my records of DNS Service(AWS Route53)
My domain is metapocket.io
DKIM
record : sig1._domainkey.metapocket.io
value : sig1.dkim.metapocket.io.at.icloudmailadmin.com.
SPF
"v=spf1 include:zoho.com ~all"
"v=spf1 include:icloud.com ~all"
"v=spf1 include:metapocket.io ~all"
"v=spf1 include:amazonses.com ~all"
TXT
"zoho-verification=zb03635298.zmverify.zoho.com"
"apple-domain-verification=RaNdOmLeTtErSaNdNuMbErS"
"apple-domain=4oc6zwBOLpmdRGr9"
Something wrong here??
Why i got failed spf verification.. Please help me
We are currently using "Sign in with Apple for the web": https://developer.apple.com/help/account/configure-app-capabilities/configure-sign-in-with-apple-for-the-web/ but we do not publish apps on the App Store.
Because of corporate re-structuring, we need to migrate to a new Apple Developer / App Store Connect account. So we are looking to migrate "Sign in with Apple" users to the new account.
Apple does provide guides on how to do it: https://developer.apple.com/documentation/technotes/tn3159-migrating-sign-in-with-apple-users-for-an-app-transfer but unfortunately, it only works if "Sign in with Apple" is used with an app published on the App Store (it requires app transfer).
Who should we handle this case? Please help.
Good afternoon, I am developing an app integrating "sign in with apple". But I can't find how to get the user's profile photo. Apart from the first name, last name and Email, can I obtain the image or its URL?
Is it possible for two Apple devices to have serial numbers that are consecutive or differ by only one character?
when I performAutoFillAssistedRequests ,my keyboard cannot show passkeys that could choose,and nothing callback.i don't know the error reason.but I could request successfully by authController.performRequests.
When tapping on "password" in the accessory view above the keyboard, no password manger is opened. The keyboard just closes and re-opens.
I have made sure a password exists and is available to be used.
I have replicated this within my own app, but also from within the Settings app on the simulator (see attached gif) so I am confident it is not a coding issue on my side.
I have replicated it on both iOS 17 and iOS 18
I am using Xcode Version 16.0 (16A242d)
I am running macOS Sonoma Version 14.7 (23H124)
I am fairly confident I have not experienced this when working on another clients app. I was using Xcode 15 for that so not sure if this is something introduced with Xcode 16.
I see that all of my passwords moved from both login and iCloud keychains to Passwords app.
The API that worked SecItemCopyMatching now returns -25300 aka not found.
What's the API to access passwords in Sequoia ?
Hello,
I have integrated Sign In with Apple into my Swift App. Now I'd like to add Sign In with Apple into my website. I followed the instructions at https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple and resulted in an html page:
<html>
<head>
<meta name="appleid-signin-client-id" content="colourworker.SPAD">
<meta name="appleid-signin-scope" content="name email">
<meta name="appleid-signin-redirect-uri" content="https://colourworker.com/apps/photofolia/applesignedin.html">
<meta name="appleid-signin-state" content="init">
<meta name="appleid-signin-nonce" content="NONCE">
<meta name="appleid-signin-use-popup" content="true">
</head>
<body>
<h1>Sign in with Apple</h1>
<div id="appleid-signin" data-color="black" data-border="true" data-type="sign in"></div>
<script type="text/javascript" src="https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js"></script>
</head>
</html>
I have added https://colourworker.com/apps/photofolia/applesignedin.html to the list of Return URLs at https://developer.apple.com/account/resources/identifiers/serviceId/edit/ZSM7Q3SMVH.
But when clicking on the Sign In With Apple button I get the following error: "invalid_request Invalid client id or web redirect url."
Any ideas of what I'm doing wrong?
I'm using Apple Sign In in the JS app and I got a requirement to display some notes with links to privacy policy and terms of service inside the Apple modal, so users don't have to accept them after finishing authentication in the modal.
Is there a way to add something like that?
I have implemented Apple Sign In using this doc: https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple
The sign in with Apple prereqs state that:
you must have an existing app in the App Store that uses Sign in with Apple
If you want to support sign in with apple on a website but do not need an iOS app specifically for that website is possible to have a "dummy" app that isn't released to the app store but will serve to support sign in with Apple?
We are trying to integrate "Sign in with Apple" and are facing an issue where all users who chose to use Apple's private relay with the hide my email feature are unable to receive any mail sent by us.
We have added our domain, mail from domain & email address to https://developer.apple.com/account/resources/services/configure and also verified the SPF. We also have DKIM setup.
We use SES as our email provider and have added its SPF as recommended aswell.
I have attached a sample delivery log from SES below.
{"notificationType":"Delivery","mail":{"timestamp":"2024-01-17T10:20:07.592Z","source":"\"Redacted\" <admin@redacted>","sourceArn":"arn:aws:ses:ap-south-1:redacted:identity/redacted","sourceIp":"34.redacted","callerIdentity":"redacted-ses","sendingAccountId":"redacted","messageId":"redacted","destination":["redacted@privaterelay.appleid.com"]},"delivery":{"timestamp":"2024-01-17T10:20:12.385Z","processingTimeMillis":4793,"recipients":["redacted@privaterelay.appleid.com"],"smtpResponse":"250 2.0.0 Ok: queued as redacted","remoteMtaIp":"redacted","reportingMTA":"redacted.smtp-out.ap-south-1.amazonses.com"}}
Hello,
I have created a Swift app which has Apple Sign In integrated with it. We now want to add Apple Sign In to a web app but can't seem to find enough documentation on how to do this. We have followed the instructions at https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple and have ended up with a script like so:
<head>
<meta name="appleid-signin-client-id" content="colourworker.SPAD">
<meta name="appleid-signin-scope" content="name email">
<meta name="appleid-signin-redirect-uri" content="https://colourworker.com/apps/photofolia/applesignedin.html">
<meta name="appleid-signin-state" content="init">
<meta name="appleid-signin-nonce" content="NONCE">
<meta name="appleid-signin-use-popup" content="true">
</head>
<body>
<h1>Sign in with Apple</h1>
<div id="appleid-signin" data-color="black" data-border="true" data-type="sign in"></div>
<script type="text/javascript" src="https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js"></script>
</head>
</html>
But have we populated the client-id, state, and NONCE correctly? When clicking on the Sign In with Apple button we get the error in this screenshot:
I look forward to hearing from someone.
Kind regards,
Miguel
I just raised the iOS version to 17, but the login with face id doesn't appear in the react native webview. The login with face id doesn't appear, and the website loads.
If the user is on iOS 16 in the same app, the login with face id appears. Is there something I'm missing?