coolishbee / universal-sdk-unity

The Universal SDK for Unity provides a modern way of implementing Social Login APIs.

[IOS] Error: ID token from apple login is expired or Revoked #15

Closed 2ez4tt closed 1 year ago

2ez4tt commented 1 year ago

What did you do?

After logging in using Apple login I passed the Id token received to my backend API to register user but it gives error that token is expired or revoked. I also get null in display name variable.

What did you expect?

The API should redirect to next screen. I am unable to identify if the problem is with the id token received or with the backend API.

What happened actually?

I get the error token is expired or revoked. Is this auth token that we receive? is it already used and can't be used again for another api? Or is this an issue from my backend team?

Your environment?

Unity 2021.3.16


Screenshots or Log

Please find attached: logapplelogin.txt

coolishbee commented 1 year ago
  1. displayName contains information only when the user logs in for the first time. From the second time on, displayName is not provided (this is the Apple Login policy).
  2. What were you trying to do with the idToken in the backend?
  3. Is it to validate the idToken?
2ez4tt commented 1 year ago
  1. I am not getting any display name even on the first call, as shown in the logs (the response from result.displayname).
  2. I am trying to pass the idToken to get information from Apple, such as the email ID, and pass it on to my backend database.


2ez4tt commented 1 year ago
  1. Yes, I asked the backend team; they are also validating the ID token. I think it's revoked after we extract that information, right? Is there a way that I don't extract any other info but just the ID token, so that it is not revoked?
coolishbee commented 1 year ago

Go to Sign in with Apple, click Disable on the app you are testing, and log in again; your name will be displayed. Save it in PlayerPrefs if you want your name to be displayed even when you log in again.

The idToken is a JWT. Since a JWT contains personal information, there is no need to store it in the DB. JWT is a token scheme designed for the scenario where a client carries a token. The backend server verifies the validity of the identityToken, recognizes the sub (user ID) contained in the identityToken as the user's unique ID, and saves the information. For any login (Google, FB), the JWT token is one-time. So there is an expiration time and there is no way to renew it. The purpose of a JWT is to validate the ID token without any server-to-server communication.

That's why Apple guides you to verify the identity token.

2ez4tt commented 1 year ago
  1. Once the app is live, should we enable it again? And at what point exactly do I need to save in PlayerPrefs? In the loginController script -> OnClickAppleLogin() -> after result.Match, value -> UserInfoManager.Instance.loginResult.UserProfile.DisplayName; should I save this?
  2. I have asked the backend team; they are saying we are following the mentioned steps.
  3. I am attaching sample code for both functions, OnClickAppleLogin and checkLoginAppleAPICall. The latter is where I hit our server (API provided by backend) and the expected result was refresh token, access token and email: samplecode.txt
2ez4tt commented 1 year ago

I just need to be 100% sure that there is nothing wrong on the front end, and that we are not causing the Apple ID to be revoked from our end. I was in doubt because we are getting the display name and other data from Apple after calling this in the OnClickAppleLogin() function:

    UniversalSDK.Ins.Login(LoginType.APPLE, result => { result.Match( value => { UserInfoManager.Instance.loginResult = value;

If this is not the case, I can tell the backend team to recheck the methods and sort it out on their end.

coolishbee commented 1 year ago
  1. Example:

    public void OnClickAppleLogin()
    {
        UniversalSDK.Ins.Login(LoginType.APPLE,
            result =>
            {
                result.Match(
                    value =>
                    {
                        // Apple only returns the name on the first sign-in; afterwards it is
                        // missing, so fall back to the copy saved in PlayerPrefs.
                        if (string.IsNullOrEmpty(value.Name) || value.Name.Contains("null"))
                        {
                            Debug.Log("PlayerPrefs Load");
                        }
                        else
                        {
                            // First sign-in: persist the name so later logins can show it.
                            Debug.Log("PlayerPrefs Save");
                        }
                    },
                    error =>
                    {
                        // Handle the login error here.
                    });
            });
    }
  2. I don't know why the client needs access_token and refresh_token

2ez4tt commented 1 year ago

Our app is Martvers (3D Grocery Store), already deployed in the Android Play Store, but we can't deploy in the Apple App Store without including Log in with Apple (new policy). Let me explain how the current app works and what I understood from the backend team regarding this problem.

We initially had 3 modules to sign in (register, Google, Facebook). The process is: when a user signs in after registering, I get an access token and refresh token which are used for other API calls (add to cart, place order against that access token, etc.). For Google I gave them the token ID and client ID from Firebase, and for Facebook the ID and Facebook app ID from the developer account. Now when a user signs in using Google/Facebook I get the access token and refresh token from the Martvers server, which are used in other APIs. But when I sign in with Apple, we get "invalid grant: token expired or has been revoked" against the ID received after login.

Now a possible reason could be that it gets revoked because we are fetching information like the user display name and email ID etc.; like you said, I have to store it in PlayerPrefs and it will be loaded. So can we not fetch data and just stop after getting the ID token and pass it on to the Martvers server's API, so that I can get the refresh and access token against our server? (IFF we are causing the token ID to be revoked.)

OR

The token doesn't get revoked because we are fetching information, but the backend team is making a mistake while passing the token. However, they claim that we are doing everything as mentioned in the Apple docs.

2ez4tt commented 1 year ago

Are we identifying/validating the token in this plugin right after getting the ID token after logging in?

coolishbee commented 1 year ago

idToken validation must be done on your own server side, because it is there to identify a legitimate user before entering the user database.

2ez4tt commented 1 year ago

Hey, I figured out the problem. I created an empty project and did Apple Login using this GitHub code. After logging in I received IDtoken, email, name and AuthorizationCode. I used this authorization code in my backend body and it worked. Do we get this auth code in the response from Apple? I can add this as a string in the profile, but I am not sure if it will return an empty field or not. For now I will use this new plugin for Apple login as I am short on time. But thanks for your help and for your amazing all-in-one plugin!

coolishbee commented 1 year ago

Okay, I'll research it so that it can proceed like this repository in the next update.