Source: StackOverflow thread

Pain

  • The response I’m getting is: {"error":"invalid_client"}.

  • I get now the response {“error”:”invalid_client”} from the apple server. What am I doing wrong? Could it be that I’m generating the JWT token wrong?

 

Keywords

  • Sign in with Apple
  • URI
  • function
  • JWT (JSON Web Token)
  • ES256
  • Elliptic Curve
  • OpenSSL

 

Recommendation

  • From Apple docs: “Some JWT libraries don’t support elliptic curve methods, so make sure yours does before you start trying this out.”. I think this is a reason.

 

(OP marked as accepted answer)

  • The problem for me was that I forgot to verify my domain under the Service Id section of the Apple dev portal.

  • You need to download the key they give you, and upload it to: https://example.com/.well-known/apple-developer-domain-association.txt

  • The website doesn’t verify automatically, you have to click the verify button and get a green tick next to the domain to be sure. After this, I had no more invalid_client issues.

 

 

The {“error”:”invalid_client”} message could be related to an invalid signature generated by the openssl_sign function. The ES256 algorithm must be used in order to sign the JWT and the generated signature should be the concatenation of two unsigned integers, denoted as R and S. It turns out that openssl_sign function generates a DER-encoded ASN.1 signature which is not correct for Apple (see here).

So the solution is to convert the DER-encoded ASN.1 signature generated by openSSL into a simple concatenation of the R and S values.

 

 

I had this error several times. Here are the causes I could find:

  1. Improper Domain Verification and invalid redirect_uri
  2. Client ID is not correct: your client ID could be incorrect.
  3. JWT encoder is not working properly: maybe it doesn’t support the ES256 algorithm?
  4. Request type: for /auth/authorize, you need to use x-www-form-urlencode, oherwise you get invalid_client errors.

When I solved these problems, I started to get invalid_grant error. Here were the steps I had been doing:

  1. I created client_secret via JWT
  2. I navigated to https://appleid.apple.com/auth/authorize?response_type=code&state=abcdefg&client_id=com.company.apple-sign-in-abcd&scope=openid&redirect_uri=https://app.com/redirect_uri manually on web browser,
  3. authorized
  4. it redirected back to backend url (which gave 404 because it was not deployed yet).
  5. I copied the code argument in the url bar when
  6. With the copied code, I POSTeed the https://appleid.apple.com/auth/token endpoint with x-www-form-urlencoded arguments:
    • code
    • client_id
    • client_secret
    • redirect_uri
    • grant_type=”authorization_code”

If you lose a few seconds, code gets invalidated and you’ll get invalid_grant error. If you copy and paste immediately within second, you’ll get your response:

{
    "access_token": "abcdefg",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "abcdefg",
    "id_token": "abcdefghijklmnopqrstu"
}

The next step would be decoding id_token with Apple’s public key.

 

 

I made a little package to generate apple client secret in php, based on jwt-framework: https://github.com/kissdigital-com/apple-sign-in-client-secret-generator

 

Worldview