Error seen in logs but unable to reproduce - Sign In With Apple: client_id mismatch (invalid_grant)

michael.baldock · January 12, 2022, 10:18am

Hi,

We have had Sign In With Apple running successfully since ~ October 2019, and successfully sign in the vast majority of our users. However in a small number of cases (~0.3% of all signups), we see the following error in our logs:

UserInfo={OIDOAuthErrorResponseErrorKey={
    error = "invalid_request";
    "error_description" = "Error from apple connection: client_id mismatch. The code was not issued to net.skyscanner.iphone. (invalid_grant)";
}, NSUnderlyingError=0x28276e4c0 {Error Domain=org.openid.appauth.remote-http Code=400 "{"error":"invalid_request","error_description":"Error from apple connection: client_id mismatch. The code was not issued to net.skyscanner.iphone. (invalid_grant)"}" UserInfo={NSLocalizedDescription={"error":"invalid_request","error_description":"Error from apple connection: client_id mismatch. The code was not issued to net.skyscanner.iphone. (invalid_grant)"}}}, OIDErrorDomain=org.openid.appauth.oauth_token, OIDErrorCode=-2, NSLocalizedDescription=invalid_request: Error from apple connection: client_id mismatch. The code was not issued to net.skyscanner.iphone. (invalid_grant)}

This is returned when Auth0 is unable to exchange with Apple the Authorization Code provided by Authentication Services on the user’s device.

I have been trying to reproduce this error to understand how this edge case might happen as I’d like to see if there’s anything we can do to solve this, however I’m currently unable to reproduce this.

I’ve tried the following SIWA scenarios:

Attempt SIWA with no internet connection (idea being that after 5 mins the Authorization code expires so maybe people are using a stale code when struggling with internet) - We don’t even receive an authorization code from Authentication Services, SIWA fails with ASAuthorizationErrorUnknown
Attempt SIWA when not signed into iCloud account - (same result) We don’t even receive an authorization code from Authentication Services, SIWA fails with ASAuthorizationErrorUnknown
Change Password for iCloud on device 1 then try SIWA with device 2 (same iCloud, old password) - No error - SIWA succeeds
Forcibly remove the device from the iCloud account - SIWA fails to even complete, user is asked to Sign in again to their iCloud account before continuing.
Jailbroken Device? - Unable to try this scenario as I don’t have a jailbroken device to test with

Does anyone in Auth0, or in the Community here know in which scenario the actual Sign In With Apple process on the device can succeed, but that an invalid Authorization Code is sent to Auth0 for exchange?

Thanks

dan.woda · January 13, 2022, 7:27pm

Hi @michael.baldock,

Have you seen this thread? Is it possible it is related?

https://developer.apple.com/forums/thread/679497

Do you have any way to contact or get more info from the users experiencing this issue?

matt_is_flat · January 16, 2022, 11:18am

Hi, I’m also getting the same issue. For reference, the ‘Try Connection’ within the Auth0 console works for me, so that makes me relatively confident I’ve got the social connection values plugged in correctly. Does that also work for you?

The issue appears when I’m on-device, similarly to OP - the actual ‘Sign in with Apple’ prompt is successful, so I send the resultant authorization code away to Auth0 in the same way as this doc, but get the same response as above (although obviously with my own iOS package ID in place of OPs).

I’m trying to work out – and hopefully someone here may be able to help with this – in step 4 of this diagram, what client/audience is sent to Apple from within Auth0? If we know where that is pulled from, we might be able to debug a bit better.

michael.baldock · January 18, 2022, 12:52pm

Hi @dan.woda Thanks a lot for the link, I had a look at the thread, and it explains that this response is expected when using an emulator, which is interesting. Unfortunately in our case I think there must be some other edge case where the Authorization Code provided by Authentication Services is not valid. There are too many cases in our logs of this happening for this to be explained by developers on emulators.

Thanks, Mike

michael.baldock · January 18, 2022, 12:54pm

Hi @matt_is_flat I haven’t tried the ‘Try Connection’ within the Auth0 console, but I may look into that, thanks for the tip.
I think my scenario is slightly different in that we are live with SIWA, and in all cases I can reproduce, it works every time. The issue is that in ~0.3% of cases, we see the above error in the logs we record for the app in production, and I’m unable to reproduce the scenario in development.

Thanks,

dan.woda · January 18, 2022, 2:30pm

@michael.baldock,

Is there any way to get more information from the users that are running into this error?

For instance, have you seen support requests from users that are running into this?

michael.baldock · January 18, 2022, 4:48pm

Unfortunately I haven’t had any actual in-person reports of this issue, so no I don’t have very much to go on! If I let you know the name of the tenant, is there any more information you’d be able to get from logs on the Auth0 side about this do you think?

edit: privacy

system · May 11, 2023, 12:52pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.