Sign in with Apple = invalid_client
Source: StackOverflow thread
Pain
- I’m facing a very bad issue because I read so many guides and tutorials and nothing works.
- The result is always the same: {"error":"invalid_client"}
- I get the code, identityToken and everything I need - except the call to https://appleid.apple.com/auth/token - because of invalid_client.
- The useless error message of the world. (Apple’s error message doesn’t indicate what is wrong nor how to fix it)
- I don’t know why the client should be invalid.
- It’s not working with both ids and mixed different things.
- Nothing. invalid_client.
- Can anyone help me please? I’m sitting here for hours and getting only invalid_client
Keywords
- Sign in with Apple
- API
- Javascript
- JWT (JSON Web Token)
- Header
- Payload
- native
- service
Recommendation
- I don’t think client_id is the same as your iOS app’s bundle ID, as “Sign in with Apple” is intended to also be available to non-app websites.
- The problem was this special encryption. In this blog they use PHP for everything except the client_secret generation. https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple
  And in the text the author explains this sentence:
  "Some JWT libraries don’t support elliptic curve methods, so make sure yours does before you start trying this out."
  Now it’s working fine with exactly the code at the top - only replaced the client_secret generation.
- Adding some details for those who are interested: the {"error":"invalid_client"} message could be related to an invalid signature generated by the openssl_sign function. The ES256 algorithm must be used in order to sign the JWT and the generated signature should be the concatenation of two unsigned integers, denoted as R and S. It turns out that the openssl_sign function generates a DER-encoded ASN.1 signature, which is not correct for Apple. See stackoverflow.com/questions/59737488/… for details
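
The DER versus R||S mismatch described in the last comment, as an added example that is not part of the original thread: a Node.js converter from a DER-encoded ECDSA signature to the fixed-width R||S form a JWT signed with ES256 carries, checked against Node's own raw-format verifier. The function names are this example's own, the P-256 key is generated on the fly, and the signing input is a constructed placeholder, not a real client_secret.

```javascript
const crypto = require("node:crypto");

// Read one DER INTEGER at `offset`; return its value bytes and the next offset.
function readDerInteger(der, offset) {
  if (der[offset] !== 0x02) throw new Error("expected INTEGER tag 0x02");
  const len = der[offset + 1];
  if (len === 0 || len & 0x80) throw new Error("unsupported INTEGER length");
  const end = offset + 2 + len;
  if (end > der.length) throw new Error("truncated INTEGER");
  return { value: der.subarray(offset + 2, end), next: end };
}

// Drop DER's leading 0x00 sign byte(s), then left-pad to the coordinate size.
function toFixedWidth(value, size) {
  let i = 0;
  while (i < value.length - 1 && value[i] === 0x00) i++;
  const trimmed = value.subarray(i);
  if (trimmed.length > size) throw new Error("integer too large for curve");
  return Buffer.concat([Buffer.alloc(size - trimmed.length), trimmed]);
}

// DER SEQUENCE { INTEGER r, INTEGER s } -> r || s (64 bytes for P-256 / ES256).
function derToJose(der, size = 32) {
  if (der[0] !== 0x30) throw new Error("expected SEQUENCE tag 0x30");
  let offset = 2;
  if (der[1] & 0x80) offset += der[1] & 0x7f; // long-form length (larger curves)
  const r = readDerInteger(der, offset);
  const s = readDerInteger(der, r.next);
  if (s.next !== der.length) throw new Error("trailing bytes after signature");
  return Buffer.concat([toFixedWidth(r.value, size), toFixedWidth(s.value, size)]);
}

// Constructed demo: sign with DER output (the default, like openssl_sign),
// convert, and verify the result as a raw R||S (IEEE P1363) signature.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const signingInput = Buffer.from("header.payload"); // placeholder input
  const der = crypto.sign("sha256", signingInput, privateKey);
  const raw = derToJose(der);
  const ok = crypto.verify("sha256", signingInput,
    { key: publicKey, dsaEncoding: "ieee-p1363" }, raw);
  return { derLength: der.length, rawLength: raw.length, ok };
}

console.log(demo());
```

The DER length varies between runs (typically 70 to 72 bytes for P-256) while the converted signature is always 64 bytes, which is why a DER signature placed directly into the JWT fails verification.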
Worldview
- Error messages should be useful and guide the developer on how to fix what is wrong