I'm trying to verify the code I got from the "Sign In with Apple" service on my Redirect Uri. I used the information from the documentation to create the post data and generate the "client_secret".
The response I'm getting is: {"error":"invalid_client"}.
My functions to generate the "client_secret" can be found below:
function encode($data) {
    $encoded = strtr(base64_encode($data), '+/', '-_');
    return rtrim($encoded, '=');
}

// openssl_sign() returns a DER-encoded ECDSA signature (SEQUENCE of two INTEGERs),
// but JWS ES256 (RFC 7518) requires the raw 64-byte R||S form, so unpack it.
function derToRaw($der, $partLen = 32) {
    $offset = 2; // skip the SEQUENCE tag and its (short-form) length byte
    $raw = '';
    for ($i = 0; $i < 2; $i++) {
        $offset++; // INTEGER tag
        $len = ord($der[$offset++]);
        $int = ltrim(substr($der, $offset, $len), "\x00"); // drop the sign-padding zero
        $offset += $len;
        $raw .= str_pad($int, $partLen, "\x00", STR_PAD_LEFT);
    }
    return $raw;
}

function generateJWT($kid, $iss, $sub, $key) {
    $header = [
        'alg' => 'ES256',
        'kid' => $kid
    ];
    $body = [
        'iss' => $iss,
        'iat' => time(),
        'exp' => time() + 3600,
        'aud' => 'https://appleid.apple.com',
        'sub' => $sub
    ];
    $privKey = openssl_pkey_get_private($key);
    if (!$privKey) return false;
    $payload = encode(json_encode($header)).'.'.encode(json_encode($body));
    $signature = '';
    // was $payloads (an undefined variable), so the signature covered an empty string
    $success = openssl_sign($payload, $signature, $privKey, OPENSSL_ALGO_SHA256);
    if (!$success) return false;
    return $payload.'.'.encode(derToRaw($signature));
}
My variables in this example:
$kid is my identifier for my private key. In this example it is JYJ5GS7N9K. I got the identifier from here https://developer.apple.com/account/resources/authkeys/list
$iss is my team identifier from my developer account. In this example it is WGL33ABCD6.
$sub is the same value as "client_id". My "client_id" in this example is "dev.hanashi.sign-in-with-apple". I got the client id from the app identifiers here: https://developer.apple.com/account/resources/identifiers/list
$key is the private key generated in my developer account. It has this format:
-----BEGIN PRIVATE KEY-----
myrandomgeneratedkeybyappledeveloperaccount
-----END PRIVATE KEY-----
This is the PHP code to make the request:
$key = <<<EOD
-----BEGIN PRIVATE KEY-----
myrandomgeneratedkeybyappledeveloperaccount
-----END PRIVATE KEY-----
EOD; // replaced with correct key
$kid = 'JYJ5GS7N9K'; // identifier for private key
$iss = 'WGL33ABCD6'; // team identifier
$sub = 'dev.hanashi.sign-in-with-apple'; // my app id
$jwt = generateJWT($kid, $iss, $sub, $key);
$data = [
    'client_id' => $sub,
    'client_secret' => $jwt,
    'code' => $_POST['code'],
    'grant_type' => 'authorization_code',
    // the token endpoint expects "redirect_uri" (this was misspelled "request_uri")
    'redirect_uri' => 'https://myurl.tld/redirect.php'
];
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://appleid.apple.com/auth/token');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1090.0 Safari/536.6');
$serverOutput = curl_exec($ch);
curl_close($ch);
echo $serverOutput;
I now get the response {"error":"invalid_client"} from the Apple server. What am I doing wrong? Could it be that I'm generating the JWT token wrong?
I had this error several times. Here are the causes I could find for the invalid_client errors. When I solved these problems, I started to get the invalid_grant error. Here were the steps I had been doing:
I opened https://appleid.apple.com/auth/authorize?response_type=code&state=abcdefg&client_id=com.company.apple-sign-in-abcd&scope=openid&redirect_uri=https://app.com/redirect_uri manually in a web browser, took the returned code, and POSTed to the https://appleid.apple.com/auth/token endpoint with x-www-form-urlencoded arguments.
If you lose a few seconds, the code gets invalidated and you'll get the invalid_grant error. If you copy and paste immediately, within a second, you'll get your response:
{
"access_token": "abcdefg",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "abcdefg",
"id_token": "abcdefghijklmnopqrstu"
}
The next step would be decoding id_token with Apple's public key.
The problem for me was that I forgot to verify my domain under the Service Id section of the Apple dev portal.
You need to download the key they give you, and upload it to: https://example.com/.well-known/apple-developer-domain-association.txt
The website doesn't verify automatically; you have to click the verify button and get a green tick next to the domain to be sure. After this, I had no more invalid_client issues.
Since the flow has changed, you just have to add the Domain and the Communication Email under:
Certificates, Identifiers & Profiles > More > Configure
I made a little package to generate the Apple client secret in PHP, based on jwt-framework: https://github.com/kissdigital-com/apple-sign-in-client-secret-generator