klausbetz / apple-identity-provider-keycloak

An extension for Keycloak that enables web-based sign in with Apple and token exchange
Apache License 2.0
193 stars, 27 forks

token-exchange 400 The code has expired or has been revoked #50

Closed khaounen closed 1 year ago

khaounen commented 1 year ago

Hi and thanks for this amazing project,

I was able to set up the extension correctly for my web application and I can authenticate with my Apple ID credentials,

But when I try to exchange the token it fails with the following error

2023-08-26 19:41:00,868 WARN  [at.klausbetz.provider.AppleIdentityProvider] (executor-thread-74) Error response from apple: status=400, body={"error":"invalid_grant","error_description":"The code has expired or has been revoked."}
2023-08-26 19:41:00,876 WARN  [org.keycloak.events] (executor-thread-74) type=TOKEN_EXCHANGE_ERROR, realmId=a560bdf6-af41-4292-8780-5f105b4f202a, clientId=client-service, userId=null, ipAddress=51.158.56.143, error=invalid_issuer, auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, subject_issuer=apple, client_auth_method=client-secret

But when I check the token on jwt.io the token is valid still,

I've activated the preview feature on my keycloak and did all the needed config (exchange works for google)

Here is the command I run

curl --location 'https://keycloak-dev.tanker.ae/realms/tanker/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:access_token' \
--data-urlencode 'client_id=client-service' \
--data-urlencode 'client_secret=client-secret...' \
--data-urlencode 'subject_token=<ID-TOKEN-GENERATED-FROM-MY-RN-APP>' -d 'subject_issuer=apple'

Any idea what could be wrong with what I did? Token exchange only needs to validate the signature and the aud field (Apple identifier), right?

klausbetz commented 1 year ago

Hi @khaounen,

I see. Thank you for the logs and command 👍

I assume you use the access_token for the Google Token exchange?

For the Apple Token exchange the ID Token should be used (as you hinted with <ID-TOKEN-GENERATED-FROM-MY-RN-APP>). For the ID Token to work, make sure to use grant_type=urn:ietf:params:oauth:token-type:id_token.
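As an added illustration of the exchange discussed in this thread (example code, not part of the issue or of the extension itself): in RFC 8693 the `grant_type` stays fixed at `urn:ietf:params:oauth:grant-type:token-exchange` and the kind of token being presented goes in `subject_token_type`, which is the parameter Keycloak reads to decide whether it is handling an access token or an ID token. The script below builds that form body for an Apple ID token, and before sending anything it peeks at the token's `iss`, `aud` and `exp` claims so that an expired or wrong-audience token is caught locally rather than only as a 400 from Apple. The sample token, the client id `client-service`, the audience `com.example.app` and the `post_exchange` helper's endpoint URL are constructed or assumed for the demo; signature verification is deliberately not done here, since Keycloak does that against Apple's JWKS on the server side.

```python
import base64
import json
import time
import urllib.request
from typing import Dict, List, Optional
from urllib.parse import urlencode

# RFC 8693 constants: the grant type is fixed, the token kind goes in subject_token_type.
GRANT_TYPE_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TOKEN_TYPE_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
TOKEN_TYPE_ID_TOKEN = "urn:ietf:params:oauth:token-type:id_token"

# Issuer that appears in the iss claim of Apple ID tokens.
APPLE_ISSUER = "https://appleid.apple.com"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def peek_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.

    Pre-flight inspection only: the signature is checked by Keycloak's identity
    provider against Apple's published keys, never trusted from this function.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_apple_id_token(token: str, expected_aud: str,
                         now: Optional[float] = None) -> List[str]:
    """Return the problems found in the token's claims (empty list = looks usable)."""
    now = time.time() if now is None else now
    claims = peek_jwt_claims(token)
    problems: List[str] = []
    if claims.get("iss") != APPLE_ISSUER:
        problems.append(f"iss is {claims.get('iss')!r}, expected {APPLE_ISSUER!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:  # must contain the Apple client/app identifier
        problems.append(f"aud {aud!r} does not contain {expected_aud!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append(f"token is expired or has no usable exp (exp={exp!r})")
    return problems


def build_exchange_form(client_id: str, client_secret: str, subject_token: str,
                        subject_issuer: str, subject_token_type: str) -> Dict[str, str]:
    """Build the x-www-form-urlencoded body for a Keycloak external-to-internal exchange."""
    return {
        "grant_type": GRANT_TYPE_TOKEN_EXCHANGE,
        "subject_token_type": subject_token_type,
        "subject_token": subject_token,
        "subject_issuer": subject_issuer,
        "client_id": client_id,
        "client_secret": client_secret,
    }


def post_exchange(token_endpoint: str, form: Dict[str, str]) -> dict:
    """POST the exchange request to Keycloak's token endpoint and return the JSON body."""
    req = urllib.request.Request(
        token_endpoint,
        data=urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def make_unsigned_sample_jwt(claims: dict) -> str:
    """Construct a JWT-shaped string with an empty signature, for offline demos only."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed sample: an Apple-style ID token for the assumed audience com.example.app.
    sample = make_unsigned_sample_jwt({"iss": APPLE_ISSUER, "aud": "com.example.app",
                                       "sub": "001234.demo", "exp": int(time.time()) + 600})
    print("pre-flight problems:", check_apple_id_token(sample, "com.example.app"))
    form = build_exchange_form("client-service", "<client-secret>", sample, "apple",
                               TOKEN_TYPE_ID_TOKEN)
    print(urlencode(form))
    # post_exchange("https://<keycloak-host>/realms/<realm>/protocol/openid-connect/token", form)
```

Run it as-is to see the encoded body; uncomment the `post_exchange` line with your own Keycloak host and realm to send it. Pairing the pre-flight check with Keycloak's own `TOKEN_EXCHANGE_ERROR` event log (the second line in the logs above) gives a quick way to tell a client-side mistake in the request from an upstream rejection by Apple.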

khaounen commented 1 year ago

Thank you @klausbetz for your reply, it worked with id_token thank you!