So far I followed this post and it helped me a lot; however, I now get an "invalid_grant". Following https://developer.apple.com/documentation/signinwithapplerestapi/errorresponse, I understand that I have an issue because either the authorization grant or the refresh token is invalid.
Despite my searches and tries (and retries), I am still stuck and I don't know where it comes from. I used the app given at https://developer.apple.com/documentation/authenticationservices/adding_the_sign_in_with_apple_flow_to_your_app
Now that I get my token from the app above, I try to validate it from my C# backend, but I get a 400 response code, invalid_grant.
The only difference I could notice from the post is that I don't have any [Verify] button (option) or [Download] button in the portal, compared to the image below. I don't know if this is related, but I am trying to provide as many details as I can:
Hopefully someone can help; thanks for any help :) Feel free to ask for more details if required.
Max
If you are authorizing on iOS, the authorization grant code validation must use the iOS bundle ID as well; otherwise, if you received the grant code via the web, your client_id should be the Services ID created for the web application. Whenever these client_id values mismatch, the grant code validation will fail, as the code was issued for another client.
The first thing you should do is to re-login your Apple ID on any of the Apple services that you often utilize. The services you can try include Apple Online Store, Apple Retail store services, iTunes, Apple TV, FaceTime, iCloud, Apple Support Communities, etc. When trying to login again, you will be prompted to enter your Apple ID and password.
When the Activation lock screen shows, click “Unlock with Password”. Then, choose “Use Device Passcode”. Lastly, input your screen passcode to complete the process. With this, the Apple ID has been removed from your device, and the “verification failed error connecting to Apple ID server” issue will be off.
According to the errorResponse documentation: The authorization grant or refresh token is invalid, typically due to a mismatched or invalid client identifier, invalid code (expired or previously used authorization code), or invalid refresh token. Any recommended test solutions to diagnose this issue?
I also had the same issue; I found the solution here:
https://forums.developer.apple.com/thread/118135
As explained in the link, when you are using the code you got from the app, you should use the App ID instead of the Services ID.
Could you share how you try to create the JWT? I've tried a couple of things; I'm at this right now (which doesn't work either, I'll update if I find a real solution):
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

static string CreateAppleClientSecret()
{
    const string iss = "7#######G"; // team ID
    const string aud = "https://appleid.apple.com";
    const string sub = "com.######.weblogin"; // client_id: the Services ID for the web flow; for a code obtained in the iOS app this must be the App ID (bundle ID) instead
    const string privateKey = "MIGTA#######"; // base64 contents of the .p8 file, without the BEGIN/END lines
    var d = DateTime.UtcNow.AddDays(-5);
    var cngKey = CngKey.Import(Convert.FromBase64String(privateKey), CngKeyBlobFormat.Pkcs8PrivateBlob);
    var handler = new JwtSecurityTokenHandler();
    // ES256 is ECDSA over P-256 with SHA-256; the hash property is SHA-256, not the curve name
    var securityKey = new ECDsaSecurityKey(new ECDsaCng(cngKey) { KeySize = 256, HashAlgorithm = CngAlgorithm.Sha256 });
    securityKey.KeyId = "G#######W"; // key ID from the developer portal, emitted as the "kid" header
    var signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.EcdsaSha256);
    return handler.CreateEncodedJwt(iss, aud, new ClaimsIdentity(new List<Claim> { new Claim("sub", sub) }),
        notBefore: d, expires: d.AddMonths(3), issuedAt: d, signingCredentials: signingCredentials);
}
The headers look like this in the JWT. From what I've gathered, there might be the "typ" header, which is not present in many implementations; perhaps I should get rid of it:
{
"alg": "ES256",
"kid": "G#######W",
"typ": "JWT"
}
body:
{
"sub": "com.#####.weblogin",
"nbf": 1583088895,
"exp": 1591037695,
"iat": 1583088895,
"iss": "7######G",//teamid
"aud": "https://appleid.apple.com"
}
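A static check for the client_id mismatch this thread settles on, written here as an added Python example (not code from the thread, from Apple, or from the poster's C# backend): it decodes the client_secret JWT without verifying the signature and compares header and claims against what Apple's token endpoint expects, including that sub equals the client_id the code was issued for (App ID for the native app, Services ID for the web flow). The six-month cap is Apple's documented client_secret lifetime; Team ID, key ID and client_id values in the test token are constructed placeholders.

```python
import base64
import json
import time
from typing import List, Optional

APPLE_AUD = "https://appleid.apple.com"
SIX_MONTHS = 15777000  # Apple's documented maximum client_secret lifetime, in seconds

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_test_jwt(header: dict, claims: dict) -> str:
    """Constructed sample: a JWT with a placeholder signature, for static checks only."""
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    return ".".join(parts + [_b64url(b"\x00" * 64)])

def check_client_secret(token: str, team_id: str, client_id: str,
                        now: Optional[int] = None) -> List[str]:
    """Problems found in a client_secret JWT (empty list = all static checks pass).
    The signature is not verified here; Apple checks it against the key behind kid.
    client_id is the ID the grant code was issued for: App ID (bundle ID) for an
    iOS sign-in, Services ID for the web flow."""
    now = int(time.time()) if now is None else now
    try:
        head_b64, body_b64, _sig = token.split(".")
        header = json.loads(_unb64url(head_b64))
        claims = json.loads(_unb64url(body_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return ["token is not a three-segment base64url JWT"]
    problems = []
    if header.get("alg") != "ES256":
        problems.append("alg must be ES256, got %r" % header.get("alg"))
    if not header.get("kid"):
        problems.append("kid header (Sign in with Apple key ID) is missing")
    if claims.get("iss") != team_id:
        problems.append("iss %r is not the Team ID %r" % (claims.get("iss"), team_id))
    if claims.get("aud") != APPLE_AUD:
        problems.append("aud must be %s" % APPLE_AUD)
    if claims.get("sub") != client_id:
        problems.append("sub %r is not the client_id %r the code was issued for" % (claims.get("sub"), client_id))
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("exp is missing or already in the past")
    elif exp - now > SIX_MONTHS:
        problems.append("exp is more than six months from now")
    return problems
```

Run it against the secret your backend actually sends with the Services ID and with the App ID as client_id; a non-empty list for the ID you used with the token endpoint explains the invalid_grant before any network call.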