Sign in with Apple = invalid_client

I'm facing a very bad issue because I read so many guides and tutorials and nothing works.

The result is always the same: {"error":"invalid_client"}

I get the code, identityToken and everything I need - except that the call to https://appleid.apple.com/auth/token fails because of invalid_client.

Here is my url for getting the code.

https://appleid.apple.com/auth/authorize?response_type=code&client_id=org.example.service&redirect_uri=https%3A%2F%2Fexample.org

So then I have the default workflow. And after accepting / logging in I am redirected to my page.

https://example.org/?code=a277243e2ec324fb09ba1c3333a8e6576.0.abcde.u4xiTDP2qHXoNEaxrcrIGx

(When I'm using the JavaScript API I get other information like state, code and id_token. I already tried it with the "code" from there, too.)

Back to the main function.

This is my request for Apple.

'client_id' => 'org.example.service',  
'client_secret' => JWT-Data encoded (OPENSSL_ALGO_SHA256) see below  
'grant_type' => 'authorization_code',  
'code' => 'a277243e2ec324fb09ba1c3333a8e6576.0.abcde.u4xiTDP2qHXoNEaxrcrIGx'  

JWT Header:

{
  "alg": "ES256",
  "kid": "1ABC2345DE"
}  

JWT Payload:

{
  "iss": "1A234BCD56",
  "iat": 1571269964,
  "exp": 1571273564,
  "aud": "https://appleid.apple.com",
  "sub": "org.example.service"
}

Response:

{  
  "error": "invalid_client"  
}  

The most useless error message in the world.

I don't know why the client should be invalid.

I have a key in https://developer.apple.com/account/resources/authkeys/list with the downloaded file name AuthKey_1ABC2345DE.p8 (meaning 1ABC2345DE is my key ID).

Then I have a native iOS app with identifier "org.example" and a service with identifier "org.example.service".

It's not working with either of the IDs, nor with mixing different things.

Nothing. invalid_client.

Can anyone help me please? I've been sitting here for hours and getting only invalid_client.

My testing page:

<html>
<head>
</head>
<body>
<script type="text/javascript" src="https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js"></script>
<div id="appleid-signin" data-color="black" data-border="true" data-type="sign in" data-width="330px" data-height="100px"></div>
<script type="text/javascript">
    AppleID.auth.init({
        clientId : 'org.example.service',
        scope : 'email',
        redirectURI: 'https://example.org',
        state : 'EN'
    });
</script>
</body>
</html>

And PHP:

<?php
// index.php

// function by https://stackoverflow.com/q/56459075/1362858
function encode($data) {
    $encoded = strtr(base64_encode($data), '+/', '-_');
    return rtrim($encoded, '=');
}

// function by https://stackoverflow.com/q/56459075/1362858
function generateJWT($kid, $iss, $sub, $key) {
    $header = [
        'alg' => 'ES256',
        'kid' => $kid
    ];
    $body = [
        'iss' => $iss,
        'iat' => time(),
        'exp' => time() + 3600,
        'aud' => 'https://appleid.apple.com',
        'sub' => $sub
    ];

    $privKey = openssl_pkey_get_private($key);
    if (!$privKey) return false;

    $payload = encode(json_encode($header)).'.'.encode(json_encode($body));
    $signature = '';
    $success = openssl_sign($payload, $signature, $privKey, OPENSSL_ALGO_SHA256);
    if (!$success) return false;

    return $payload.'.'.encode($signature);
}

$client_id = 'org.example.service';
$data = [
    'client_id' => $client_id,
    'client_secret' => generateJWT('1ABC2345DE', '1A234BCD56', $client_id, file_get_contents('AuthKey_1ABC2345DE.p8')),
    'code' => 'a277243e2ec324fb09ba1c3333a8e6576.0.abcde.u4xiTDP2qHXoNEaxrcrIGx',
    'grant_type' => 'authorization_code'
];
$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, 'https://appleid.apple.com/auth/token');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$serverOutput = curl_exec($ch);

curl_close ($ch);

/**
 * {"error":"invalid_client"}
 */
var_dump($serverOutput);

Patrick asked Oct 17 '19 00:10



2 Answers

Well, I faced this error "invalid_client" and just discovered that all credentials had been changed in https://developer.apple.com/account/resources/identifiers/serviceId . I think because of the change of our legal entity (as account holder). So just check your web app ID and .p8 key, whether they still exist.

P.S. Interesting, I was here, in this question, about a year ago, and it helped me as described above (JWT ES256 algo). And now, I hope, I'll help someone with another solution :-)

djdance answered Oct 26 '22 03:10


The problem was this special encryption. In this blog post they use PHP for everything except the client_secret generation: https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple

And in the text the author explains it with this sentence:

Some JWT libraries don’t support elliptic curve methods, so make sure yours does before you start trying this out.

Now it's working fine with exactly the code at the top - only the client_secret generation was replaced.

Patrick answered Oct 26 '22 04:10
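The accepted answer replaces the client_secret generation without saying what was wrong with it. The PHP in the question signs with openssl_sign(), which returns an ASN.1 DER-encoded ECDSA signature (SEQUENCE of two INTEGERs); a JWS with alg ES256 (RFC 7518 section 3.4) instead requires the raw 64-byte R||S concatenation, so Apple cannot verify the token and answers invalid_client. The following Python is an added example, not code from the question or the Okta post: it converts a DER signature into the JOSE form, assembles the compact JWT from the header and payload shown above, and includes a check that spots a DER-encoded signature in an existing token. The DER signature is constructed, not produced by a real key.

```python
import base64
import json

# Constructed DER ECDSA signature (not a real one), SEQUENCE { INTEGER r, INTEGER s }:
# r has its high bit set, so DER prepends a 0x00 byte (33-byte INTEGER); s is one byte.
SAMPLE_DER_SIG = (b"\x30\x26"
                  + b"\x02\x21\x00" + b"\x80" + b"\x11" * 31
                  + b"\x02\x01\x7f")
SAMPLE_HEADER = {"alg": "ES256", "kid": "1ABC2345DE"}
SAMPLE_PAYLOAD = {"iss": "1A234BCD56", "iat": 1571269964, "exp": 1571273564,
                  "aud": "https://appleid.apple.com", "sub": "org.example.service"}

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE requires (same as the page's encode())."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def der_to_jose(der: bytes, part_len: int = 32) -> bytes:
    """Convert a DER ECDSA signature to the fixed-width r||s form JWS ES256 expects
    (2 x 32 bytes for P-256). PHP's openssl_sign() returns DER, not this form."""
    if len(der) < 8 or der[0] != 0x30 or der[1] >= 0x80 or der[1] + 2 != len(der):
        raise ValueError("not a short-form DER SEQUENCE")
    pos, parts = 2, []
    for _ in range(2):
        if pos + 2 > len(der) or der[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        n = der[pos + 1]
        val = der[pos + 2:pos + 2 + n].lstrip(b"\x00")  # drop DER's sign-padding zero
        if len(val) > part_len:
            raise ValueError("integer wider than the curve order")
        parts.append(val.rjust(part_len, b"\x00"))  # left-pad to the fixed width
        pos += 2 + n
    if pos != len(der):
        raise ValueError("trailing bytes after the two INTEGERs")
    return b"".join(parts)

def assemble_es256_jwt(header: dict, payload: dict, der_sig: bytes) -> str:
    """Build the compact JWT from a DER signature made over header.payload."""
    segments = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    return ".".join(segments + [b64url(der_to_jose(der_sig))])

def signature_is_der(jwt: str) -> bool:
    """Diagnostic: True if the token's third segment is a DER blob, not 64 raw bytes."""
    sig = b64url_decode(jwt.split(".")[2])
    return sig[:1] == b"\x30" and len(sig) != 64
```

In PHP the same conversion has to be applied to the `$signature` that openssl_sign() fills in before it is base64url-encoded into the token; a correct ES256 signature segment is always 86 base64url characters long.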