When user is trying to remove login using "Stop Using Apple Id", it should remove the app and login but in my case, nothing is happening. Its not removing either login or app from the logged in list. App is in Testflight for testing. Ideally, it should remove the login and app from the list as per the following article. https://support.apple.com/en-in/102571 Read few article, which says testflight could be buggy. Anyone knows how it could be fixed?

Hello there, I have been facing an issue with apple sign in on react native app. I have been able to get the authorization and all codes in frontend part. The issue is on backend that is in php. We are firstly validating our identity token phone generated, and then we are creating a client secret and then trying to fetch the user info the issue relies in the api call of getAppleUser($authorizationCode, $clientId, $clientSecret);: function below where we are recieving error like: {"error":"invalid_grant","error_description":"client_id mismatch. The code was not issued to com.marchup.prod.AppSSO."} public function appleAuth($identityToken,$authorizationCode) { if (!$identityToken || !$authorizationCode) { return $this->returnError(400,'Missing identity token or authorization code'); } try { // Validate identity token $decodedToken = $this->validateAppleToken($identityToken); // Generate client secret $teamId = isset(Yii::$app->params['apple-auth']['teamId'])?Yii::$app->params['apple-auth']['teamId']:''; $clientId = isset(Yii::$app->params['apple-auth']['clientId'])?Yii::$app->params['apple-auth']['clientId']:''; $keyId = isset(Yii::$app->params['apple-auth']['keyId'])?Yii::$app->params['apple-auth']['keyId']:''; $privateKey = isset(Yii::$app->params['apple-auth']['privateKey'])?Yii::$app->params['apple-auth']['privateKey']:''; $clientSecret = $this->generateClientSecret($teamId, $clientId, $keyId, $privateKey); // Get user info from Apple $appleUser = $this->getAppleUser($authorizationCode, $clientId, $clientSecret); // Verify the authorization code is valid if (!isset($appleUser['id_token'])) { throw new \Exception('Invalid authorization code'); } // Extract user info from the identity token $userId = $decodedToken->sub; $email = $decodedToken->email ?? ''; // login or signup code need to know about object definition to add login and signup logic return $this->returnSuccess('Request successful',200,[ 'userId' => $userId, 'email' => $email ]); } catch (\Exception $e) { // Handle errors Yii::error('Error on apple login '.$e->getMessage()); return $this->returnError(500,'Server Error'); } } **This function is where i am creating a clientSecret as per apples guidelines: ** function createClientSecret($teamId, $clientId, $keyId, $privateKey) { // $key = file_get_contents($privateKeyPath); $key=$privateKey; $headers = [ 'kid' => $keyId, 'alg' => 'ES256' ]; $claims = [ 'iss' => $teamId, 'iat' => time(), 'exp' => time() + 86400 * 180, 'aud' => 'https://appleid.apple.com', 'sub' => $clientId ]; return JWT::encode($claims, $key, 'ES256', $headers['kid']); } **This is the validate Apple Token that is not giving me error: ** function validateAppleToken($identityToken) { $client = new Client(); $response = $client->get('https://appleid.apple.com/auth/keys'); $keys = json_decode($response->getBody(), true)['keys']; $header = JWT::urlsafeB64Decode(explode('.', $identityToken)[0]); $headerData = json_decode($header, true); $kid = $headerData['kid']; $publicKey = null; foreach ($keys as $key) { if ($key['kid'] === $kid) { $publicKey = JWK::parseKey($key); break; } } if (!$publicKey) { throw new \Exception('Public key not found'); } try { $decoded = JWT::decode($identityToken, $publicKey, ['RS256']); return $decoded; } catch (\Exception $e) { throw new \Exception('Token validation failed: ' . $e->getMessage()); } } The response i got was : { aud: "com.abc" auth_time: 1718017883 c_hash: "HSNFJSBdut5vk84QyK0xHA" exp: 1718104283 iat: 1718017883 iss: "https://appleid.apple.com" nonce:"2878cd1ac1fa121f75250f453edaac47365f5144f2e605e8b526a29cb62c83da" nonce_supported: true sub: "001703.2a52ec72cb874a93986522fa35742bd4.1219" } After that we are mainly getting error as {"error":"invalid_grant","error_description":"client_id mismatch. The code was not issued to com.marchup.prod.AppSSO."} in this function: function getAppleUser($authorizationCode, $clientId, $clientSecret) { try { $client = new Client(); $response = $client->post('https://appleid.apple.com/auth/token', [ 'form_params' => [ 'client_id' => $clientId, 'client_secret' => $clientSecret, 'code' => $authorizationCode, 'grant_type' => 'authorization_code' ] ]); if ($response->getStatusCode() !== 200) { throw new \Exception('Failed to get user information from Apple. Status code: ' . $response->getStatusCode()); } $data = json_decode($response->getBody(), true); // Check if the response contains the expected data if (!isset($data['access_token']) || !isset($data['id_token'])) { throw new \Exception('Invalid response from Apple. Missing access token or ID token.'); } // Return the decoded data return $data; } catch (\Exception $e) { // Log any other unexpected errors Yii::error('Unexpected error: ' . $e->getMessage()); // Re-throw the exception to propagate it further throw $e; } } Assumptions: bundleId = com.marchup serviceId i created as client_id= com.marchup.prod.AppSSO team ID= as usual keyId= is the id i created in apple developer consonsole. And the private key is the key inside the private key file. Can anyone please answer. What is mismatched here

We are currently using "Sign in with Apple for the web": https://developer.apple.com/help/account/configure-app-capabilities/configure-sign-in-with-apple-for-the-web/ but we do not publish apps on the App Store. Because of corporate re-structuring, we need to migrate to a new Apple Developer / App Store Connect account. So we are looking to migrate "Sign in with Apple" users to the new account. Apple does provide guides on how to do it: https://developer.apple.com/documentation/technotes/tn3159-migrating-sign-in-with-apple-users-for-an-app-transfer but unfortunately, it only works if "Sign in with Apple" is used with an app published on the App Store (it requires app transfer). Who should we handle this case? Please help.

It seems there was a new security feature added to macOS 15 - and now it asks every time after reboot if user wishes to continue and allow access the app to record screen and audio, while capture is blocked. Which renders remote access apps useless, a specially for headless computers like my Mac mini.

Hello, I have a fully functional webauthn relying party that uses passkeys and I am trying to implement an iOS sdk for it. On the server, the AASA file is valid and well served at /.well-known/assetlinks.json. I verified its validity with branch.io and that it is indeed cached by Apple's CDN (https://app-site-association.cdn-apple.com/a/v1/service.domain.com), but even will all these I still get the following error when installing the app on a device and starting the passkey ceremony: Passkey authorization failed. Error: The operation couldn’t be completed. Application with identifier TEAM.com.APP is not associated with domain service.domain.com So I then checked the system log when installing the app on my iPhone, and under the swcd process (which is apparently responsible of fetching the AASA file) I found the following error: swcd: Domain is invalid. Will not attempt a download. The issue that I have is that my domain is actually an IDN, it has a special character in it. But everywhere I have used it, I converted it to ASCII (punycode). With this conversion, Apple's CDN is able to fetch the AASA file, and the passkey ceremony works fine on a browser. So I don't understand how the device (both iPhone or Mac) finds this domain to be invalid? In the app's entitlements, I added the capability for an associated domain, with webcredentials:service.domain.com with the domain name converted to ASCII (punycode) and developer mode doesn't address this issue as it appears when the app is installed (and is not related to Apple's CDN). The last thing I tried was to add the domain with special characters in the app's entitlements (for webcredentials:) but then Xcode was unable to install the app on the device, and gave the following error: Failed to verify code signature (A valid provisioning profile for this executable was not found.) which happened only with a special character in the domain in the app's entitlements. All this leaves me kind of in a dead end, I understand Xcode or iOS/macOS has a hard time with IDNs and special characters (so do I), but I have no idea on how to solve this (without changing the domain name), so I would really appreciate any help. Thanks in advance. PS: I tested all this previously with another domain without special characters and it was working. It also had dashes ('-') in it and the new domain converted to ASCII is basically a regular domain with '-' in it so I suppose there is some kind of conversion made from ASCII back to special characters and that then, the domain is considered as invalid, but this doesn't really help me a lot... PS2: My devices are running on iOS 17.4.1 and macOS 14.4.1 with Xcode 15.2

Hi, It may be a stupid question, but we really wonder if there is a way for MDM to push a unique mTLS cert to our iOS application or if it can populate a client certificate in the iOS where our application can access it. Like browser app, how do browser mTLS certs get pushed? Thanks, Ying

Hello, I need to verify my domain and email with spf I need to use Signin with apple with private relay service Here is my records of DNS Service(AWS Route53) My domain is metapocket.io DKIM record : sig1._domainkey.metapocket.io value : sig1.dkim.metapocket.io.at.icloudmailadmin.com. SPF "v=spf1 include:zoho.com ~all" "v=spf1 include:icloud.com ~all" "v=spf1 include:metapocket.io ~all" "v=spf1 include:amazonses.com ~all" TXT "zoho-verification=zb03635298.zmverify.zoho.com" "apple-domain-verification=RaNdOmLeTtErSaNdNuMbErS" "apple-domain=4oc6zwBOLpmdRGr9" Something wrong here?? Why i got failed spf verification.. Please help me

import AppleProvider from 'next-auth/providers/apple'; export const appleProvider = AppleProvider({ name: 'Apple', clientId: process.env.NEXT_PUBLIC_APPLE_CLIENT_ID as string, clientSecret: process.env.NEXT_PUBLIC_APPLE_CLIENT_SECRET as string, idToken: true, authorization: { url: 'https://appleid.apple.com/auth/authorize', params: { clientId: process.env.NEXT_PUBLIC_APPLE_CLIENT_ID as string, scope: 'openid email name', response_type: 'code', response_mode: 'form_post', }, }, token: { url: 'https://appleid.apple.com/auth/token', async request(context) { console.log('----context', { context }); const url = https://appleid.apple.com/auth/token + ?code=${context.params.code} + &client_id=${context.provider.clientId} + &client_secret=${context.provider.clientSecret} + &redirect_uri=${context.provider.callbackUrl} + &grant_type=authorization_code; const response = await fetch(url, { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', }, }); console.log('----response', { response }); const tokens = await response.json(); console.log('----tokens', { tokens }); return { tokens }; }, }, });

Hi @everyone, I have set up the proper app id, serviced ID along with return URL, domains and subdomains(Example domains and subdomains: asdfjkl.firebaseapp.com and return URL: https://asdfjkl.firebaseapp.com/__/auth/handler) in developer.apple.com. And I have created the key as well and added key ID and private key, services ID in firebase apple sign in console as well. But I'm getting Error as "Invalid web redirect url". I haven't provided the App ID, services ID, firebase project ID, Key secret here as they're confidential. Please let me know if any further details are needed.

Our company was re-formed under a new name. Rather than rename the organization on the App Store, we were advised by support to create a new organization and then transfer the app to that organization, which we have done. Our app implements Apple Authentication. We did not not migrate the users of the app (as instructed here: https://developer.apple.com/documentation/sign_in_with_apple/transferring_your_apps_and_users_to_another_team) Is it possible to now migrate the users, after the app has been transferred? Our attempt to get an authorization token with scope "user.migration" results in HTTP error 400 with body: "invalid_client".

I'm using Apple Sign In in the JS app and I got a requirement to display some notes with links to privacy policy and terms of service inside the Apple modal, so users don't have to accept them after finishing authentication in the modal. Is there a way to add something like that? I have implemented Apple Sign In using this doc: https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple

I have an app (currently not released on App Store) which runs on both iOS and macOS. The app has widgets for both iOS and macOS which uses user preference (set in app) into account while showing data. Before upgrading to macOS 15 (until Sonoma) widgets were working fine and app was launching correctly, but after upgrading to macOS 15 Sequoia, every time I launch the app it give popup saying '“Kontest” would like to access data from other apps. Keeping app data separate makes it easier to manage your privacy and security.' and also widgets do not get user preferences and throw the same type of error on Console application when using logging. My App group for both iOS and macOS is 'group.com.xxxxxx.yyyyy'. I am calling it as 'UserDefaults(suiteName: Constants.userDefaultsGroupID)!.bool(forKey: "shouldFetchAllEventsFromCalendar")'. Can anyone tell, what am I doing wrong here?

Since my question exceeds 700 words, please check it in the attachment. Thank you! Question

For Sign in With Apple I recieve an expected flow including an ask to share or hide my email along with a message like this 'Create an account for Apple {some_company} using your Apple ID “{email}”.' However when i sign into an existing account i get the same flow, where on other apps i see a message like this ~ "Do you want to continue using {some_company} with your Apple ID “{email}”? How can i configure this for my own app? Note: it always logs me into the correct existing account, i'm just trying to make sure users go through the correct flow in the apple popup when their account already exists.

Hello all - we have enabled our app users to create and sign in using their passkey. However - for some users, we get a NSLocalizedFailure reason exception that the app is not associated with the domain. We have ensured that the endpoint /.well-known/apple-app-site-association isnt blocking any requests. Like I said before, 90% of our users are able to successfully create and sign in with their passkey but we receive the above error for the remaining 10%. Any suggestions/guidance on how we can resolve this would be helpful and greatly appreciated. Thank you.

Hi Team, There is situation in which I want to implement session Resumption in IOS. I am using Network Framework but I am unable to find a way, how to enable the resumption . It will more beneficial for me if you guys can help me in that. Regards,

Good afternoon, I am developing an app integrating "sign in with apple". But I can't find how to get the user's profile photo. Apart from the first name, last name and Email, can I obtain the image or its URL?

I'm trying to set up Apple OAuth on my website. Whenever I go to Certificates, Identifiers & Profiles, It gives me the error 'Unable to find team with the given Team ID'

I have an app at work that supports Sign In With Apple so that users can create accounts and have their data synced to servers. A couple of years ago one of the users created an account using Sign In With Apple, choosing to use Hide My Email as well (so that their email that the app received looks like *****@privaterelay.appleid.com). The legacy in-house backend of the app unfortunately uses email addresses as user identifiers with the unlucky assumption that emails remain the same. The app doesn't offer users the ability to change email addresses. The user in question recently reported that since very recently they are no longer able to use the app. It turns out that their Sign In With Apple email address for my app had changed at some point. They shared an iPhone screenshot of their Sign In With Apple settings for the app. The screenshot says that they created an account for this app two years ago, but the email address in the "This app received" field is different to one that they initially signed up with, and it's also a Hide My Email address. It's important to note that this app was also transferred between developer accounts about a year ago, and since then this user, including thousands of other users didn't have issues using Sign In With Apple. So my main question is: in what scenario it's possible for the email associated with a Sign In With Apple account for an app to change without creating a new account?

Hello, I have implemented Sign in with Apple in my iOS app and am currently trying to implement the revocation feature. However, I keep encountering an invalid_client error when calling the Apple authentication/revocation API. Here are the details of my configuration: Team ID: HUGD2H952H Client ID: com.puppylink.puppylinkapp Key ID: KXSYK98424 I am using these details to generate a client secret with the JWT ES256 algorithm. Below is the code I am using on the backend server to generate the client secret: private fun makeClientSecret(): String { val now: ZonedDateTime = ZonedDateTime.now(ZoneOffset.UTC) val expirationTime: ZonedDateTime = now.plusMinutes(5) // Setting expiration time to 5 minutes return Jwts.builder() .setHeaderParam(JwsHeader.KEY_ID, appleProperties.keyId) .setHeaderParam("alg", "ES256") .setIssuer(appleProperties.teamId) .setIssuedAt(Date.from(now.toInstant())) .setExpiration(Date.from(expirationTime.toInstant())) .setAudience("https://appleid.apple.com") .setSubject(appleProperties.clientId) .signWith(getPrivateKey(), SignatureAlgorithm.ES256) .compact() } private fun getPrivateKey(): PrivateKey { val resource = ClassPathResource(appleProperties.privateKeyFile) val privateKey = String(Files.readAllBytes(Paths.get(resource.uri))) val pemReader: Reader = StringReader(privateKey) val pemParser = PEMParser(pemReader) val converter = JcaPEMKeyConverter() val keyInfo = pemParser.readObject() as PrivateKeyInfo return converter.getPrivateKey(keyInfo) } } Additionally, here is the code used to call the Apple authentication API from the backend server: @Service class AppleAuthService( private val appleProperties: AppleProperties, ) { private val logger = LoggerFactory.getLogger(javaClass) private val restTemplate = RestTemplate() fun getTokens(authorizationCode: String): TokenResponse { try { val clientSecret = makeClientSecret() val formData: MultiValueMap<String, String> = LinkedMultiValueMap() formData.add("client_id", appleProperties.clientId) formData.add("client_secret", clientSecret) formData.add("code", authorizationCode) formData.add("grant_type", "authorization_code") val headers = HttpHeaders() headers.contentType = MediaType.APPLICATION_FORM_URLENCODED val requestEntity = HttpEntity(formData, headers) val response = restTemplate.postForObject( "https://appleid.apple.com/auth/token", requestEntity, TokenResponse::class.java, ) return response ?: throw RuntimeException("Failed to retrieve tokens from Apple") } catch (ex: Exception) { logger.error("Error retrieving tokens: ", ex) throw ex } } data class TokenResponse( val access_token: String, val expires_in: Long, val id_token: String, val refresh_token: String, val token_type: String, ) Despite generating the client secret correctly, I am still receiving the invalid_client error when calling the API. Could you please help me identify the cause of this error and provide guidance on how to resolve it? Thank you.