patrickbussmann / oauth2-apple

Sign in with Apple Provider for the OAuth 2.0 Client
MIT License
95 stars, 63 forks

Keep getting invalid_client #3

Closed marcotoldo closed 4 years ago

marcotoldo commented 4 years ago

Hi @patrickbussmann

Many thanks for this project; without it I really wouldn't have known where to start with Sign-in with Apple (official docs are a nightmare ...)

I configured everything on my Apple account (app, service, key) and strictly followed your example code (along with some other guides I found) but I'm always stuck at an undefined index "code" error on line 178 of src/Provider/Apple.php

After a bit of debugging I found the error returned is always the same (error code: 400, body: "invalid_client")

I'm sure everything is configured properly, from key file id to team file id, double checked p8 file for the key, everything is ok.

In order to understand what's going on I even created a simplified version on my own (once I understood from your code how the auth process works): the login works just fine, but when trying to get the identity token on redirect, Apple returns that weird error.

From other people with the same exact problem (and from an official - but pretty strange - reply on apple forum) it looks like it has something to do with jwt encoding not supporting ES256 but Lcobucci\JWT does support it.

I really don't get what could be wrong. The only "unusual" thing in my case is that the app the service refers to is not published yet (it was rejected because it lacked "Sign-in with Apple" ...), but that should have nothing to do with web login.

Based on your vast experience on the subject (I saw how many projects you've worked on for this), do you have any advice about what could be wrong?

Thanks in advance

patrickbussmann commented 4 years ago

Can you write something about your environment so that I can check it by myself? Windows/Linux/Mac? PHP7.0/7.1/7.2/7.3/7.4?

The problem must be the encryption. Maybe you entered a wrong id somewhere? Or you have a configuration issue somewhere.

marcotoldo commented 4 years ago

@patrickbussmann thanks for your quick feedback.

So far I've tested it in two different environments (locally and on production server)

provider configured with:

In the meantime I re-checked all these parameters and they are ok (I also tried adding the protocol to the key file path as required by Lcobucci\JWT, in case the Apple provider doesn't do that automagically, but nothing changes :-( )

Any idea? Thanks

patrickbussmann commented 4 years ago

And you also verified the domain?

So when you click on https://developer.apple.com/account/resources/identifiers/list/serviceId, on my side it looks like this:

[screenshot: Certificates, Identifiers & Profiles - Apple Developer]

And when I click on configure it looks like this:

[screenshot: Certificates, Identifiers & Profiles - Apple Developer]

The redirectUri option of the Apple-Provider must be equal to the one in the picture.

I have the same production system as you. Only PHP 7.3. (but a few weeks ago with PHP 7.2 it worked, too)

Don't know how I can help you. Maybe with remote support software or with your code. hmm

I checked my login few seconds ago and it works. :/

marcotoldo commented 4 years ago

Yes, domain verified too.

As far as I can see from your screenshots all the configuration is the same.

Really don't know why it isn't working .. at least now I know it is not related to a misconfiguration.

Given that even a simplified code gives the same result, it probably has to do with something odd on my account :-(

Thanks again for your help.

patrickbussmann commented 4 years ago

@marcotoldo can you please check if this token is working for you? https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple

client_secret.rb

Please check if the token is working for you when you generate it. If it works it will be interesting, because then your PHP seems not to support something. Then we could check the OpenSSL version or everything. But in theory it should also fail, and that means something is wrong with your configuration.

marcotoldo commented 4 years ago

@patrickbussmann thanks for the tip.

That's one of the guides I followed along with your code. Already tried using a token generated with that Ruby script but same exact result.

In the meanwhile I tried:

always getting the same exact "invalid_client" result :-(

As far as I could see both PHP and Ruby rely on OpenSSL to encrypt the JWT and, as you suggested, there could be something wrong with my version of OpenSSL.

I'm going to check whether there's any Node package capable of doing that without OpenSSL (... and whether it works with that)

marcotoldo commented 4 years ago

That's really incredible, even with a Node script:

```javascript
// Generate the client_secret JWT for Apple's token endpoint with the jsonwebtoken package
var jwt = require('jsonwebtoken');
var fs = require('fs');
// Private key downloaded from the Apple developer portal (.p8 file, PKCS#8 PEM)
var privateKey = fs.readFileSync('myKey.p8');

var token = jwt.sign({
    // issued-at set a few minutes in the past to tolerate clock skew
    iat: Math.floor(Date.now() / 1000) - 180
}, privateKey, {
    algorithm: 'ES256',                     // Apple requires ES256
    expiresIn: "7d",                        // must be at most 6 months
    audience: 'https://appleid.apple.com',  // aud claim
    issuer: "my_team_id",                   // iss claim: Team ID
    subject: "my_client_id",                // sub claim: Services ID (client_id)
    keyid: 'my_key_id',                     // kid header: Key ID
    header: {
        kid: 'my_key_id'
    }
});
console.log(token);
```

I keep receiving an "Invalid_client" error :-(

I just submitted a Feedback Assistant ticket with Apple ... hope they will be able to solve my problem.

patrickbussmann commented 4 years ago

Maybe you have multiple teams and you're using the wrong one? Or something is configured wrong?

It's interesting that you tried everything and it still doesn't work :(

marcotoldo commented 4 years ago

> Maybe you have multiple teams and you're using the wrong one?

thanks for the tip but we have a single team id.

I really got mad at this, I already spent so much time on this (we were going to publish an app with third-party login - such as Facebook and Instagram - but we were "kindly" asked to add Sign-in with Apple too)

Thanks for your help, I'll let you know if I'll eventually be able to solve it

Darlinkster commented 4 years ago

Hello guys, I have the same problem. We also have third-party login with Facebook etc. in our app and we need to add Sign in with Apple, but when we try to sign in we get an error 400 Bad Request with response "Invalid_client". Thanks for ideas on how to solve this problem, I will let you know if something works for me.

EDIT: If we try to get an authorization code it is ok, but if we try to exchange the authorization code for a token it fails with the "Invalid_client" error

marcotoldo commented 4 years ago

Hi @Darlinkster thanks for sharing your experience (glad to know I'm not the only unlucky guy out there ;-)

Concerning my problem (which afaics is the same one you are experiencing too), more than one week ago I submitted a ticket with a detailed description (with all the code used in PHP, Ruby and Node) to Apple Feedback Assistant (https://feedbackassistant.apple.com) but haven't received a response yet (... a very disappointing behavior from a 1-trillion-dollar company)

As soon as I get feedback (hoping to receive it sooner or later ;-) I'll let you know

EDIT:

> If we try to get authorization code it is ok, but if we try to exchange authorization code for token it will fail with "Invalid_client" error

same exact problem here!

patrickbussmann commented 4 years ago

I uploaded a fix for an issue with Apple's JSON Web Key Set. It seems that they replaced something and then the static key wasn't working anymore. Now it works dynamically.

Maybe this solves some issues here?

I got a mail from someone who has this issue, too. Maybe I'll find a solution soon for your problem here.

marcotoldo commented 4 years ago

@patrickbussmann thanks for the info and for the effort.

I'll try the updated library asap and let you know.

In the meanwhile no feedback from Apple at all :-( (I even tried to submit a new one with a different feedback category - specifically "iOS and iPad" rather than "web services" - but nothing ... very, very disappointing)

Darlinkster commented 4 years ago

Thanks for info. I'll try new version too.

UPDATE: I'm still getting "Invalid_client" error

w00fz commented 4 years ago

I have it working but I was getting a security token mismatch! Thanks to @patrickbussmann's latest fix now everything seems to work perfectly!

Thanks!

One thing I haven't seen mentioned, and that I am not sure is normal, is that I can only get this working via Safari on desktop. If I use Chrome I get invalid_request | No AppPlatform or Primary app for the web application

I was getting your issue originally, @marcotoldo, and that was because I was checking the _GET rather than the _POST, so both code and client_secret were missing causing that invalid_client error for me.

Hope this helps!

marcotoldo commented 4 years ago

@patrickbussmann unfortunately I keep getting "invalid_client", same as @Darlinkster :-(

@w00fz thanks for the tip but I'm using POST data from the beginning ... that's one of the things that is driving me crazy, I even tried to remove client_secret and code on purpose but it always returns that (useless) "invalid_client" error from which you can't really understand what's going on

Actually my customer is running out of patience (and doesn't really care about the "Sign-in with Apple" feature) so I think I'm going to use a small trick to solve it:

This is obviously just a nasty and dirty workaround (that shouldn't be done ...) but I can't see any other solution in the near future (possibly sooner or later Apple will eventually give me feedback), so unless I discover by chance what's wrong I think I'll do it that way.

In the meanwhile I'll keep experimenting to understand how to solve it for real ...

patrickbussmann commented 4 years ago

I found an interesting story on StackOverflow: https://stackoverflow.com/a/59842760/1362858 And this was the solution which I used in the very first release.

Can you, @marcotoldo and @Darlinkster, try the 0.1.0 version of this repository?

composer require patrickbussmann/oauth2-apple:0.1.0

Then it should work - but you can only use it on PHP 7.

Thanks for testing. If it doesn't help, maybe the StackOverflow link may help you 👍

Darlinkster commented 4 years ago

@patrickbussmann Thanks, I will try that version and see if it works.

marcotoldo commented 4 years ago

@patrickbussmann thanks, I'll try that asap (afaics I was not wrong when I tried using a pem key ... maybe I just exported it the wrong way ;-)

marcotoldo commented 4 years ago

Sorry for the delay.

Unfortunately I couldn't test version 0.1.0 because of a dependency problem with the gmp extension on my machine, so I tried the code in https://stackoverflow.com/a/59842760/1362858.

Strictly followed all the steps to get the pem key and used provided code but the author of the comment forgot to post the implementation of his $this->encode() method.

That should be just some kind of base64 encoding, so I tried with this:

https://github.com/firebase/php-jwt/blob/78ec50cd5c7d0bbcaed6ece07ace040d8843b9cf/src/JWT.php#L338

but no luck. Anyhow, if that code on StackOverflow works, the problem can't be anything other than finding the correct base64 encoding, I think.

I'll let you know if I manage to make it work.

(in the meanwhile I managed to get my app approved with the workaround I described in a previous comment, but I really hope to be able to make it work ...;-)

ayalon commented 4 years ago

I have the same issue. I'm still investigating, why this happens.

ayalon commented 4 years ago

After more than 5 hours of debugging I finally found the issue. It's related to the timezone. The current code gives the token a validity of 10 minutes, and the server thinks it's expired.

Change `->expiresAt($time + 600)` to `->expiresAt($time + 86400*180)`

and the TokenValidation works.

ayalon commented 4 years ago

There is another issue in the code:

```php
protected function getAppleKey()
{
    // Fetch Apple's current JSON Web Key Set instead of relying on a static key
    $data = file_get_contents('https://appleid.apple.com/auth/keys');
    $array = json_decode($data, TRUE);
    return JWK::parseKeySet($array);
}
```

But then I'm stuck because of the summer time. The server sends a payload->iat in the future (1 hour ahead) and therefore the token cannot be validated.

playdayapp commented 4 years ago

I have the same issue: invalid_client. It's unbelievable that so many people have this issue, that Apple forces us to use 'sign in with Apple', and no solution is working. Been searching for days now and tried every suggestion given here and on Stack...

This is my error when I use sign_in:

```
Fatal error: Uncaught League\OAuth2\Client\Provider\Exception\AppleAccessDeniedException: invalid_client in /home/deb94324/vendor/patrickbussmann/oauth2-apple/src/Provider/Apple.php:176
Stack trace:
#0 /home/deb94324/vendor/league/oauth2-client/src/Provider/AbstractProvider.php(628): League\OAuth2\Client\Provider\Apple->checkResponse(Object(GuzzleHttp\Psr7\Response), Array)
#1 /home/deb94324/vendor/league/oauth2-client/src/Provider/AbstractProvider.php(537): League\OAuth2\Client\Provider\AbstractProvider->getParsedResponse(Object(GuzzleHttp\Psr7\Request))
#2 /home/deb94324/vendor/patrickbussmann/oauth2-apple/src/Provider/Apple.php(229): League\OAuth2\Client\Provider\AbstractProvider->getAccessToken(Object(League\OAuth2\Client\Grant\AuthorizationCode), Array)
#3 /home/deb94324/domains/playday.be/private_html/app/test_apple2.php(41): League\OAuth2\Client\Provider\Apple->getAccessToken('authorization_c...', Array)
#4 {main}
  thrown in /home/deb94324/vendor/patrickbussmann/oauth2-apple/src/Provider/Apple.php on line 176
```

I tried the suggestions of ayalon, but no luck.

The funny thing is, I can't authorise my web domain. The 'download apple-domain-verification.txt file'-option is gone on the apple developer site.

Did someone actually find a solution yet?

marcotoldo commented 4 years ago

@playdayapp you're right, I just tried to add new url to an existing service or create a new service, no way to download the txt to authorise the domain.

I'm lucky enough to have already authorised it many weeks ago but wth is going on with apple? Also my two tickets on the subject (dated jan 30 and feb 6 respectively) are still open on Feedback Assistant and without any reply from them, that's totally unacceptable for me.

Later I was pretty busy but I'll be able to take some "free" time this week, I'm planning to get back on this and see if I can find a solution. Now that I'm seeing again this message after a long time:

[screenshot: Screenshot_20200330_161626]

I'm wondering if I forgot to do something for step 4 ...

playdayapp commented 4 years ago

[screenshot: 2020-03-30_16-44-58]

Yeah, this is step 4. I followed the 4 steps... It seems that the domain verification is done in step 4, automatically...

Grateful that you can make some time to look into this issue again, @marcotoldo ! Much appreciated!

marcotoldo commented 4 years ago

@playdayapp thanks for the hint about domain verification, hope to remember it next time I'll need it ;-)

> Grateful that you can make some time to look into this issue again

no problem, I myself would like to have it working sooner or later

Neither my dev machine nor my server have any "esoteric" configuration so there should be something I'm missing either on my apple account or similar, maybe something so obvious I haven't thought about yet ...

playdayapp commented 4 years ago

@marcotoldo: I got it finally working!

[screenshot: 2020-03-31_16-41-11]

In my case, I used the wrong entry for 'keyFileId'. On https://developer.apple.com/account/resources/authkeys/list, you can click on the key you made and then you see the keyId (see screenshot)

marcotoldo commented 4 years ago

@playdayapp woah ... that's great! Good job!

Unfortunately I wasn't able to focus on that during these days as I planned. I'll check in the next few days if your solution works for me too.

Thanks for sharing!

Darlinkster commented 4 years ago

Hello guys, I finally got it working too! My problem was that we had a badly configured key. I got access to the Apple developer account and found that under enabled services there was only DeviceCheck, not Sign in with Apple, and that is why I kept getting the invalid client error. Hope you get it working soon too :slightly_smiling_face:

dusterio commented 4 years ago

@Darlinkster how did you verify your sign in domain? if it's gone from the settings

I've tried 5-7 options today and everything results in invalid_client. But there is no way to verify a domain anymore

patrickbussmann commented 4 years ago

@dusterio maybe you can open a new issue for that. But in theory you can easily add the domain and click on verify. Maybe you need to disable Sign in with Apple and enable it again.

wisam22 commented 1 year ago

Hi y'all, sorry to resurrect an old thread, but I'm also getting this "invalid_client" error even though I've made no code changes on my end.

I was using release 0.2.9 of this library, recently tried upgrading to 0.2.10 to see if it would resolve the issue but no luck.

I've also checked to make sure other dependency versions haven't changed (lcobucci/jwt for example).

Any ideas? Any help would be much appreciated!

patrickbussmann commented 1 year ago

Maybe your settings in the apple developer portal are expired? or the service id is invalid? or some settings there.

It's very annoying that Apple is not able to show a real error message there. You need to be 100% perfect to get this thing running.

wisam22 commented 1 year ago

Thanks for the prompt response. I just looked in my portal and I don't have any expired certs, and from what I understand there's no expiration on the services ID for the sign in service.

Any other tips / suggestions for things I could try? Unfortunately I can't nuke anything in the portal to start over because I already have an app in production.

patrickbussmann commented 1 year ago

You can go through the list of what's needed for this and check if it is 100% correct. You don't need to recreate everything. The README file has something like a list in the example code. Maybe you can try it in your browser on your local machine.

It's not possible to support you without any further information, and I also know that it's bad to provide some because of privacy. Maybe you can scramble/randomise your settings and let us check if they are right. Or censored screenshots of your settings.

umangnine commented 1 year ago

Hello Everyone,

I had exactly the same issue and after a lot of trial and error, I finally identified the issue!

The issue is, you might have created the KEY file on Apple before creating your Service ID (Client ID). So, you need to remove your KEY ID first, then create a new KEY ID, then go into the KEY ID and enable Sign in with Apple for that key. It will automatically bind your service ID with that KEY.

Just download that KEY and test your app again, it should definitely work!

wisam22 commented 1 year ago

Is this a valid solution for those of us with an app already in production? Will existing accounts created with the old key be orphaned?

umangnine commented 1 year ago

Hello @wisam22, yes, I believe that the above solution will be useful for a production app! Also, I don't think that it will affect in any way the accounts already created with the old key. To be on the safe side, you can keep the old key as it is and create a new one. Once you integrate and test everything with the new KEY you can just remove the older one.

Let me know if my solution works for you!

wisam22 commented 1 year ago

I just tried creating a new Key for Apple Sign In, uploaded it to my server, still getting "invalid_client".

umangnine commented 1 year ago

@wisam22, I am sure it is related to following the right steps! Is it possible for you to connect with me on Google Meet or Skype so I can look into this and help you?