Sign in with Apple REST API

RSS for tag

The Sign in with Apple REST API allows your app's servers to communicate with Apple’s authentication servers.

Sign in with Apple REST API Documentation

Pinned Posts

Posts under Sign in with Apple REST API tag

48 Posts
Sort by:
Post not yet marked as solved
0 Replies
52 Views
Hi all, I create web app laravel with function login with apple. This is any my information app and packet what i'm use : Laravel: 10.x PHP: 8.1 Packages for login: https://socialiteproviders.com/ I'm done with API appleid.apple.com/auth/authorize for auth user with apple ID. Response below : So next step i call to this API : https://appleid.apple.com/auth/token for verify token but response is below : I'm try with postman but response is same that ( invalid_client ). Everything is correct( client_id, team_id, private_key ). I use https://jwt.io/#debugger for test verify token. Signature Verified is result. Can help me for declare what is issue ? what client is invalid ? Thank you so much. P/s : Sorry for my poor English
Posted
by binhchay.
Last updated
.
Post not yet marked as solved
1 Replies
123 Views
I had implemented the Apple login feature and users were fully utilizing it. Then, all of a sudden, it started to fail with an "Invalid client scope " error. And My code is exactly scope="name email". I haven't changed any code for Apple Login, so why is this suddenly happening?
Posted
by HaehunLee.
Last updated
.
Post not yet marked as solved
0 Replies
191 Views
Hello. On my game I have Apple Sing In option that is required to keep user high score, show name in game, and for other app functionality. Game is made on Unity. Now when I'm trying to port the game to Vision Pro, Im getting error that Authentication is not supported on this platform. It may be the plugin issue that I'm using(not sure yet). But I also didn't find any documentation for native code ( so I could make plugin that unity game could use). Question: does VisionOS support Apple Sing In in the applications? if yes please give me some resources. if no - is there any plans to add that functionality? Thanks.
Posted
by Tyombo.
Last updated
.
Post not yet marked as solved
0 Replies
322 Views
Problem Situation User membership withdrawal request → revoke API call It always returns status code 200, but once out of 5~10, it remains an app linked to the user's Apple ID. Re-request user Apple login → Email is returned as null Currently, the only solution is for users to manually delete apps linked to their Apple ID. Email sent when re-requesting Apple login When the above problem occurs, even if the Revoke API is called multiple times, the app linked to the user's Apple ID is not deleted, and when requesting Refresh Token validation, it has already expired. Releated Issues https://forums.developer.apple.com/forums/thread/707181
Posted Last updated
.
Post not yet marked as solved
1 Replies
477 Views
Apple documentation is specific about the possible types of email_verified property A string or Boolean value that indicates whether the service verifies the email. The value can either be a string ("true" or "false") or a Boolean (true or false). The system may not verify email addresses for Sign in with Apple at Work & School users, and this claim is "false" or false for those users. Actually we made a mistake by supporting only String type and today had the very bad surprise to notice that we started receiving Bool types for the first time. Do you have any info about changes on the API ? Thanks Julien
Posted
by oizhef.
Last updated
.
Post not yet marked as solved
0 Replies
313 Views
We have a game that provides a mechanism to log into the game with Sign in with Apple in a direct integration between the game and Apple (first mechanism). We also provide a mechanism to log into the game using OpenID connect with authorization from Apple but using a server in the middle that drives the process (second mechanism). It is important to mention that both mechanisms use the same oauth client. We have been able to switch from the first mechanism to the second successfully, but there is a problem with id_token. In the second mechanism we request the scopes "email", "openid" and "name", but in the retrieved id_token there is no information about the email. It happens for all users who previously signed in with Apple using the first mechanism (therefore there is a current link between the game and the user in AppleId). It does not happen with users who had no link between the game and the user and use the second mechanism, in this case we can retrieve the user information in the callback of the first call and the email in the id_token, as stated in the documentation. However, if users who had a link between the game and the AppleId delete the app and then log back in using the second mechanism, then we can get the email information with the exact same request. The request we use to obtain the authorized endpoint information (https://appleid.apple.com/auth/authorize) has these parameters: response_mode: query scope: email openid profile nonce: ... state: ... response_type: code Then we get the authentication code and get an id_token like this: { "iss":"https://appleid.apple.com", "aud":"{aud}", "exp":1705584621, "iat":1705498221, "sub":"{sub}", "nonce":"7f-PqBoXgxeDMOEu5Ysov0FjE9GvSYfq", "at_hash":"3kLcPBlwZP6aj_mscww5zA", "authentication_time":1705498218, "nonce_supported":true } Is there a way to retrieve the email for users who had the link and don't want to delete it or log back into the app? In the official Apple documentation it is stated that the id_token should have the email but this is not the case. https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple#3383773
Posted Last updated
.
Post not yet marked as solved
0 Replies
276 Views
Hello, we implemented Apple Sign-In in our website long ago, and it worked well. Recently we have found a strange behaviour. The first time we make the request to the /auth/token endpoint we get an invalid_client error. Our client id is com.spicysparks.service.id If we make a request another time with exactly the same data it works fine. We noticed we get this error only when we try a newly generated client secret for the first time.
Posted
by s_sparks.
Last updated
.
Post not yet marked as solved
0 Replies
264 Views
We are trying to integrate "Sign in with Apple" and are facing an issue where all users who chose to use Apple's private relay with the hide my email feature are unable to receive any mail sent by us. We have added our domain, mail from domain & email address to https://developer.apple.com/account/resources/services/configure and also verified the SPF. We also have DKIM setup. We use SES as our email provider and have added its SPF as recommended aswell. I have attached a sample delivery log from SES below. {"notificationType":"Delivery","mail":{"timestamp":"2024-01-17T10:20:07.592Z","source":"\"Redacted\" <admin@redacted>","sourceArn":"arn:aws:ses:ap-south-1:redacted:identity/redacted","sourceIp":"34.redacted","callerIdentity":"redacted-ses","sendingAccountId":"redacted","messageId":"redacted","destination":["redacted@privaterelay.appleid.com"]},"delivery":{"timestamp":"2024-01-17T10:20:12.385Z","processingTimeMillis":4793,"recipients":["redacted@privaterelay.appleid.com"],"smtpResponse":"250 2.0.0 Ok: queued as redacted","remoteMtaIp":"redacted","reportingMTA":"redacted.smtp-out.ap-south-1.amazonses.com"}}
Posted Last updated
.
Post not yet marked as solved
0 Replies
258 Views
I'm trying to set up Sign In With Apple on my .NET 7 Web App (Not sure how many people here use this). I followed the guide by Scott Brady here: https://www.scottbrady91.com/openid-connect/implementing-sign-in-with-apple-in-aspnet-core It reaches Apple Sign In OK, authenticates, and passes back to my server, but the callback responds with this error. OpenIdConnectProtocolException: Message contains error: 'invalid_client', error_description: 'error_description is null', error_uri: 'error_uri is null'. Googling hasn't helped much, other than I saw a post saying to wait 48 hours, which I have now done (not that that makes sense anyway). Any idea whats been done wrong? Code below, replacing sensitive data. Startup.cs .AddOpenIdConnect("apple", async options => { options.Authority = "https://appleid.apple.com"; // disco doc: https://appleid.apple.com/.well-known/openid-configuration options.ClientId = "com.rackemapp.applelogin"; // Service ID options.CallbackPath = "/signin-apple"; // corresponding to your redirect URI options.ResponseType = "code id_token"; // hybrid flow due to lack of PKCE support options.ResponseMode = "form_post"; // form post due to prevent PII in the URL options.UsePkce = false; // apple does not currently support PKCE (April 2021) options.DisableTelemetry = true; options.Scope.Clear(); // apple does not support the profile scope options.Scope.Add("openid"); options.Scope.Add("email"); options.Scope.Add("name"); options.Events.OnAuthorizationCodeReceived = context => { context.TokenEndpointRequest.ClientSecret = AppleTokenGenerator.CreateNewToken(); return Task.CompletedTask; }; }); Apple Token Generator public static class AppleTokenGenerator { public static string CreateNewToken() { const string iss = "[MyTeamId]"; // your account's team ID found in the dev portal const string aud = "https://appleid.apple.com"; const string sub = "com.rackemapp.applelogin"; // same as client_id var now = DateTime.UtcNow; // contents of your .p8 file const string privateKey = "[MyKey]"; var ecdsa = ECDsa.Create(); ecdsa?.ImportPkcs8PrivateKey(Convert.FromBase64String(privateKey), out _); var handler = new JsonWebTokenHandler(); return handler.CreateToken(new SecurityTokenDescriptor { Issuer = iss, Audience = aud, Claims = new Dictionary<string, object> { { "sub", sub } }, Expires = now.AddMinutes(5), // expiry can be a maximum of 6 months - generate one per request or re-use until expiration IssuedAt = now, NotBefore = now, SigningCredentials = new SigningCredentials(new ECDsaSecurityKey(ecdsa), SecurityAlgorithms.EcdsaSha256) }); } } Also attached, images of my keys and setp in developer portal
Posted
by mattywarr.
Last updated
.
Post not yet marked as solved
0 Replies
351 Views
Hello community, In our application, we've implemented Apple ID for user authentication. Unfortunately, we forgot to register the associated domains and communication email addresses. This oversight has led to complications in email delivery via the private relay service. We've taken steps to fix the issue by reconfiguring the domains and communication email addresses. Post-adjustment, new user registrations are functioning properly. However, for users who registered before this fix, the problem persists. We followed the instructions provided on https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/communicating_using_the_private_email_relay_service, and we also have SPF configured, which has passed validation in our administration. Has anyone encountered a similar issue, and if so, how did you resolve it? Any insights or guidance would be greatly appreciated.
Posted
by novak-ji.
Last updated
.
Post not yet marked as solved
0 Replies
333 Views
hello. I am using the app with webview. When I log in to Apple, a typeerror appears. How can I solve this? TypeError: this.attr(...).serialize is not a function at u.get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:691:77511) at t.getValueAndBind (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:145:1485) at e.Compute._on (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:3608) at e.Compute.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:2378) at e.Compute._bindsetup (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:145:3277) at e.bindAndSetup [as bind] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:131:200) at e.Compute.temporarilyBind (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:3888) at e.Compute.get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:2827) at Object.u [as compute] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:117:194) at u.___get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:59:1930) TypeError: Cannot read properties of undefined (reading 'serialize') at u.inserted (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:691:116897) at HTMLElement.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:187:673) at HTMLElement.dispatch (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:39204) at v.handle (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:37199) at Object.trigger (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:67752) at Object.trigger (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:224:258) at e.inserted (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:290:412) at t.each.e.fn.<computed> [as append] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:224:2129) at O.fn.init.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:46985) at W (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:28565)
Posted
by ejung2.
Last updated
.
Post not yet marked as solved
0 Replies
447 Views
hello. I am using the app with webview. When I log in to Apple, a typeerror appears. How can I solve this? TypeError: this.attr(...).serialize is not a function at u.get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:691:77511) at t.getValueAndBind (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:145:1485) at e.Compute._on (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:3608) at e.Compute.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:2378) at e.Compute._bindsetup (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:145:3277) at e.bindAndSetup [as bind] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:131:200) at e.Compute.temporarilyBind (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:3888) at e.Compute.get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:2827) at Object.u [as compute] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:117:194) at u.___get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:59:1930) TypeError: Cannot read properties of undefined (reading 'serialize') at u.inserted (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:691:116897) at HTMLElement.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:187:673) at HTMLElement.dispatch (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:39204) at v.handle (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:37199) at Object.trigger (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:67752) at Object.trigger (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:224:258) at e.inserted (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:290:412) at t.each.e.fn.<computed> [as append] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:224:2129) at O.fn.init.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:46985) at W (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:28565)
Posted
by ejung2.
Last updated
.
Post not yet marked as solved
1 Replies
576 Views
I have implemented Sign in with Apple in my app. The flow goes like this: User taps sign in button In the delegate method I take the auth code and post it to my server. My server sends an activation request to apple and gets an id, refresh, and access tokens. This is where I have a problem: A user requests account deletion. The server sends a request to revoke the access and refresh tokens User may or may not go to settings and revoke "Sign in with Apple" access to the app (the following happens either way) The user then load the app again and taps the Sign in with Apple button. The delegate method provides a valid id token, but the same original auth code instead of generating a new one. The server now gets an invalid response from apple as the auth code is had already expired, and so can't get a new refresh token. The server also can't use the old refresh token as it's been revoked during deletion. Can someone tell me where I'm going wrong? I can't find any documentation for regenerating a refresh token after revoking it. Thank you
Posted
by guyguy.
Last updated
.
Post not yet marked as solved
1 Replies
936 Views
Some background: A user must sign up for an account on our platform via a browser before they can sign in to our iOS app using an Apple ID otherwise we present the following error message as shown in the attached image. Authentication and session management is handled using AWS Cognito on our platform and we believe AWS Cognito is using the relevant API for Apple ID Sign Ins. For account deletion we are providing an account deletion option within the app to the user (who has to be signed in) under Account Settings. For a valid deletion request, we are deleting a user’s records from our database. For revoking, generating, and validating tokens we are using AWS cognito to handle token revocation, generation, and validation. Ask: Apple reviewers provided additional information (shown below) to help us resolve this issue. But i am not clear how this addresses their concern and would appreciate some guidance on how i could resolve it. Apple reviewer recommendation Apps that offer Sign in with Apple should use the REST API to revoke user tokens. If you have not retained the user’s refresh token, access token, or authorization code, you must still fulfill the user’s account deletion request. To learn more, we recommend reviewing the following resources: Handling account deletions and revoking tokens for Sign in with Apple Revoke tokens Generate and validate tokens
Posted Last updated
.
Post not yet marked as solved
0 Replies
510 Views
I cannot receive full name from Apple sign in and the app review fails. What I receive from the call is the following: { "familyName": null, "identityToken": "XXXXX", "givenName": null, "authorizationCode": "XXXXX", "user": "XXXXX", "email": null } while decoding the identityToken, I get: { iss: 'https://appleid.apple.com', aud: 'popularise.app', exp: 1697700330, iat: 1697613930, sub: 'XXXXX', nonce: 'nonce', c_hash: 'XXXX', email: 'XXXXXX', email_verified: 'true', auth_time: 1697613930, nonce_supported: true } As you can see, I have no information about given or family name. Body I am sending via api rest: { clientId: 'popularise.app', scopes: 'email name', redirectURI: '', state: '12345', nonce: 'nonce', } My tools: I am using nestJS and node (v16).
Posted Last updated
.
Post not yet marked as solved
0 Replies
438 Views
Hi! I have the following problem. We are providing the Apple Sign In option for users to register in our system. When you first login using Apple Sign In it will successfully return "Email" and we are using it for our own registration routine. The problem is with the following thing: our user can remove the account from our system. And after that, he will not be able to register using Apple Sign In. Is there any way to revoke this token? I have seen the https://developer.apple.com/documentation/sign_in_with_apple/revoke_tokens but I cannot call this method from the app: this API route returns 400 from the payload I'm sending. Is there any solution to this problem rather than asking the user to remove the app manually? Can I route the user to the page with these settings? https://developer.apple.com/forums/thread/708415 - and yeah, I have seen this thing. Thank you!
Posted
by JEuler.
Last updated
.
Post not yet marked as solved
0 Replies
394 Views
Hi, I have an website with sign in with Apple enabled (using REST API). It seems the majority of my users not aware they are sharing their private email because it is the default selected option. Is there a way to require that the real email be always shared? Alternatively, is there a way to have the "Share My Email" option be the default choice?
Posted
by antsmc2T.
Last updated
.
Post not yet marked as solved
1 Replies
583 Views
I am working on a financial application that falls under Indian jurisdiction, which has specific regulations prohibiting the use of relay or proxy emails for sign-up processes. Given that the "Hide My Email" feature in "Sign in with Apple" provides a relay email, I'm trying to understand how I can remain compliant with these regulations while offering "Sign in with Apple" as a sign-up option. My proposed flow: Allow users to use "Sign in with Apple" for authentication. Check if the user has opted for the "Hide My Email" feature. If they have, show an error message explaining the regulatory restriction and prompt them to either: a) Use "Sign in with Apple" without the "Hide My Email" option OR b) Use our standard "Sign up with Email and Password" flow. I would like to understand if such an approach is acceptable according to Apple's guidelines. Would there be any issues or recommendations from Apple's side on implementing this flow? Thank you for your assistance and guidance!
Posted Last updated
.
Post not yet marked as solved
0 Replies
602 Views
Hi everyone, we are developing Ionic mobile app with .NET server part, now we are trying to implement apple authorization, it works properly with web(user can authorize and server receives callback), but it is not working with mobile, we can authorize and get response on client side with token and code, but it not initiate callback to server, we found a difference in apple endpoint that we call for web and for mobile(in query parameters for mobile- response_mode = web_message and for web- response_mode = form_post), we can't change url for mobile app, because we are using SignInWithApple from @capacitor-community/apple-sign-in, does anyone have experience with this problem? Thanks in advance.
Posted Last updated
.