Apple Business Chat

I am using auth0 to test protocols with Apple Business Chat which allows Messaging users to sign-in to authenticate themselves within a conversation.

Described on Apple’s developer site here:

And here:

I’m working on behalf of an MSP partner with Apple for their Business Chat program.

At the moment, I have created auth0 apps and am able to invoke the UX of the App through Business Chat.
However, while the auth0 site logs say my login is successful – the handshake back to Apple seems to be missing a “token”. At least the “failed” authentication message I am getting back to my service suggests so:

[{"domain":"com.apple.icloud.messages.business.authentication.error","message":"Missing access token from response","code":2}]

I have tried virtually every incantation of the auth0 app imaginable – and as directed by Apple support – and nothing seems to make it happy.

For reference my app parameters are:

  • “Regular Web Application” (as suggested by Apple support)
  • Token Endpoint Authentication Method: “None”
  • Allowed Callback URLs: https://auth.businesschat.apple.com
  • Non-Rotating token
  • Grant types: “implicit” and “Authorization Code” (also as suggested by Apple support)

And I am using the following “endpoints” obtained from auth0 and configured on the Apple site:

  • Client ID
  • OAuth Authorization URL
  • OAuth Token URL

Anybody else using auth0 for Apple Business Chat with a recipe that I might copy?

Can you share a bit more about the specific requests you’ve set up? (Maybe while filtering out the actual URL of your tenant)

Can you also check your tenant logs? Are you seeing anything out of the ordinary there? In your case, I think “failed exchange” or “successful exchange” would be the ones we’re looking for. Or, if those aren’t there at all, that’s also telling: then Apple isn’t even trying to exchange the code for an access token.

My “success” is determined by the login form opening within Apple Business Chat – it accepting my (valid) credentials – then completing the cycle (unsuccessfully to Apple it seems). But my log on auth0 says this is a success. Here’s a (slightly edited) transaction log:

{
  "date": "2020-06-17T20:57:43.570Z",
  "type": "s",
  "connection_id": "",
  "client_id": "MY_CLIENT_ID_HERE",
  "client_name": "Cyberdyne Authorization",
  "ip": "73.15.65.85",
  "user_agent": "Mobile Safari UI/WKWebView 6.1.4 / iOS 6.1.4",
  "details": {
    "prompts": [],
    "completedAt": 1592427463569,
    "elapsedTime": null,
    "session_id": "EL3Xqx1Y2rtBjS6ff3OX7kPMQ9Yb9Z7v"
  },
  "hostname": "MYHOST_HERE.us.auth0.com",
  "user_id": "auth0|5ee94f96edd19d0b995081be",
  "user_name": "MY_VALID_USER_EMAIL_HERE",
  "log_id": "90020200617205747809000213117706361647195860463234580482",
  "_id": "90020200617205747809000213117706361647195860463234580482",
  "isMobile": true,
  "description": "Successful login"
}

I have done this from both my iPhone and my Mac – both of which support iMessage in Apple Business Chat – and the result seems to be the same. So it would make some sense that the part where Apple comes back to auth0 after the login to get a token for the code is what is failing. If so, then that reduces the moving parts I have to play with, I guess.

Figure 1. on this short page shows what is (theoretically) going on. And it seems like there is some problem in the last part in the steps “OAuth Response” and “Encrypt Token” – which seems to be missing.

Beyond the auth0 app constants – the only things I get to give Apple to carry this out are:

"responseType" : "code",
"scope" : ["r_basicprofile"], // NOT SURE WHAT TO PUT HERE – IT'S APP SPECIFIC???
"state" : "A_NONCE_CREATED_ON_THE_FLY",
"responseEncryptionKey" : "THE_PUBLIC_KEY_I_CREATED_ON_THE_FLY",
"clientSecret" : "MY_AUTH0_CLIENT_SECRET"

(Thanks for your help. I promise to post the final success recipe here when that happens).

Can you try changing the scope to include ['openid', 'profile', 'email']? Not including openid in the scopes can really trip up Auth0, so the advice is to always include at least that.

@peter.froeberg I have roughly the same issue. Did you ever figure it out?

In order to debug, I installed Fiddler to monitor outgoing requests from my desktop Messages app. It looks like auth0 itself is rejecting the /oauth/token requests as Unauthorized. The Messages app seems to issue the requests with all the details as query parameters instead of JSON body data.

In any event, it now makes perfect sense why Business Chat says Missing access token from response for a response which looks like

{"error":"access_denied","error_description":"Unauthorized"}

Now it seems like it’s a matter of making auth0 tenant accept token requests with query parameters and no body.
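The last post's Fiddler finding (token-exchange parameters sent in the query string rather than the form body) can be checked mechanically on a captured request. The following is an added example, not code from the thread or from Auth0/Apple; it parses a raw HTTP request, reports whether the RFC 6749 code-exchange parameters travel in the POST body or only in the URL, and flags a client_secret in the query string, which ends up in proxy and server access logs. The two sample requests, the TENANT host and the *_PLACEHOLDER values are constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Parameters RFC 6749 section 4.1.3 expects in an authorization-code exchange.
REQUIRED = {"grant_type", "code", "redirect_uri", "client_id"}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers, query and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)

    def flat(qs: str) -> dict:  # keep the first value of each parameter
        return {k: v[0] for k, v in parse_qs(qs).items()}

    return {"method": method, "path": parts.path, "headers": headers,
            "query": flat(parts.query), "body": flat(body)}


def classify_token_request(raw: str) -> dict:
    """Report where the exchange parameters travel and whether a secret is in the URL."""
    req = parse_request(raw)
    ctype = req["headers"].get("content-type", "")
    in_body = (req["method"] == "POST"
               and ctype.startswith("application/x-www-form-urlencoded")
               and REQUIRED.issubset(req["body"]))
    in_query_only = REQUIRED.issubset(req["query"]) and not req["body"]
    seen = req["body"].keys() | req["query"].keys()
    return {"path": req["path"], "params_in_body": in_body,
            "params_in_query_only": in_query_only,
            "secret_in_query": "client_secret" in req["query"],
            "missing": sorted(REQUIRED - seen)}


# Constructed samples (not real captures); placeholders stand in for real values.
GOOD = ("POST /oauth/token HTTP/1.1\r\nHost: TENANT.us.auth0.com\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "grant_type=authorization_code&code=CODE_PLACEHOLDER"
        "&redirect_uri=https%3A%2F%2Fauth.businesschat.apple.com"
        "&client_id=CLIENT_ID_PLACEHOLDER&client_secret=SECRET_PLACEHOLDER")
QUERY_ONLY = ("POST /oauth/token?grant_type=authorization_code&code=CODE_PLACEHOLDER"
              "&redirect_uri=https%3A%2F%2Fauth.businesschat.apple.com"
              "&client_id=CLIENT_ID_PLACEHOLDER&client_secret=SECRET_PLACEHOLDER"
              " HTTP/1.1\r\nHost: TENANT.us.auth0.com\r\n\r\n")

if __name__ == "__main__":
    for name, sample in (("body", GOOD), ("query_only", QUERY_ONLY)):
        print(name, classify_token_request(sample))
```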