Error seen in logs but unable to reproduce - Sign In With Apple: client_id mismatch (invalid_grant)

Hi,

We have had Sign In With Apple running successfully since ~October 2019, and it successfully signs in the vast majority of our users. However, in a small number of cases (~0.3% of all signups), we see the following error in our logs:

```
UserInfo={OIDOAuthErrorResponseErrorKey={
    error = "invalid_request";
    "error_description" = "Error from apple connection: client_id mismatch. The code was not issued to net.skyscanner.iphone. (invalid_grant)";
}, NSUnderlyingError=0x28276e4c0 {Error Domain=org.openid.appauth.remote-http Code=400 "{"error":"invalid_request","error_description":"Error from apple connection: client_id mismatch. The code was not issued to net.skyscanner.iphone. (invalid_grant)"}" UserInfo={NSLocalizedDescription={"error":"invalid_request","error_description":"Error from apple connection: client_id mismatch. The code was not issued to net.skyscanner.iphone. (invalid_grant)"}}}, OIDErrorDomain=org.openid.appauth.oauth_token, OIDErrorCode=-2, NSLocalizedDescription=invalid_request: Error from apple connection: client_id mismatch. The code was not issued to net.skyscanner.iphone. (invalid_grant)}
```

This is returned when Auth0 is unable to exchange with Apple the Authorization Code provided by Authentication Services on the user’s device.

I have been trying to reproduce this error to understand how this edge case might happen, as I'd like to see if there's anything we can do to solve it. However, I'm currently unable to reproduce it.

I’ve tried the following SIWA scenarios:

  1. Attempt SIWA with no internet connection (the idea being that the authorization code expires after 5 minutes, so maybe people are using a stale code when struggling with their connection) - We don't even receive an authorization code from Authentication Services; SIWA fails with ASAuthorizationErrorUnknown
  2. Attempt SIWA when not signed in to an iCloud account - Same result: we don't even receive an authorization code from Authentication Services; SIWA fails with ASAuthorizationErrorUnknown
  3. Change the iCloud password on device 1, then try SIWA on device 2 (same iCloud account, old password) - No error, SIWA succeeds
  4. Forcibly remove the device from the iCloud account - SIWA fails to complete at all; the user is asked to sign in to their iCloud account again before continuing
  5. Jailbroken device? - Unable to try this scenario, as I don't have a jailbroken device to test with

Does anyone at Auth0, or in the Community here, know in which scenario the actual Sign In With Apple process on the device can succeed, but an invalid Authorization Code is sent to Auth0 for exchange?

Thanks


Hi @michael.baldock,

Have you seen this thread? Is it possible it is related?

https://developer.apple.com/forums/thread/679497

Do you have any way to contact or get more info from the users experiencing this issue?

Hi, I’m also getting the same issue. For reference, the ‘Try Connection’ within the Auth0 console works for me, so that makes me relatively confident I’ve got the social connection values plugged in correctly. Does that also work for you?

The issue appears when I'm on-device, similarly to the OP - the actual 'Sign in with Apple' prompt is successful, so I send the resultant authorization code away to Auth0 in the same way as this doc, but get the same response as above (although obviously with my own iOS package ID in place of the OP's).

I'm trying to work out (and hopefully someone here may be able to help with this) what client/audience is sent to Apple from within Auth0 in step 4 of this diagram. If we know where that is pulled from, we might be able to debug a bit better.

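The exchange step the first post describes (Auth0 redeeming the device's authorization code with Apple) and the question above about which client/audience goes to Apple in that step come down to the same two fields. As an added example, not code from this thread, from Auth0 or from Apple, the Python below builds the form that is POSTed to https://appleid.apple.com/auth/token and checks the two places a client_id can disagree before the request is sent: the `sub` claim of the client_secret JWT against the `client_id` form field, and the `aud` claim of the identity token that arrived next to the code (the client the code was issued to) against the `client_id` the exchange is configured for. The team ID, key ID, both client IDs, the code and the identity token are constructed for the demo, and the JWTs are left unsigned because only their claims matter here; a real client_secret is ES256-signed with the Sign in with Apple private key.

```python
"""Pre-flight checks for a Sign in with Apple authorization-code exchange.

Added example; not code from this thread, from Auth0 or from Apple. Every
identifier marked "constructed" is invented for the demo.
"""
import base64
import json
from typing import Optional

APPLE_ISSUER = "https://appleid.apple.com"   # iss of Apple identity tokens, aud of client_secret
CLIENT_SECRET_MAX_LIFETIME = 15_777_000      # seconds (~6 months): Apple's cap on client_secret exp

# Constructed identifiers (assumptions, not values from the thread).
TEAM_ID = "ABCDE12345"
KEY_ID = "KEY1234567"
APP_BUNDLE_ID = "com.example.ios"   # client_id a native-app code is issued to
SERVICES_ID = "com.example.web"     # client_id used by the web (Services ID) flow
NOW = 1_700_000_000                 # fixed clock so the demo is deterministic


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_segment(obj: dict) -> str:
    """Encode a JSON object as one base64url JWT segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return a JWT's payload WITHOUT verifying the signature.

    Fine for logging and diagnosis on the client; whoever accepts the token
    server-side must still verify it against Apple's published keys.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def unsigned_jwt(header: dict, payload: dict) -> str:
    """Constructed JWT with an empty signature; demo data only."""
    return f"{b64url_segment(header)}.{b64url_segment(payload)}."


def client_secret_claims(team_id: str, client_id: str, now: int,
                         lifetime: int = CLIENT_SECRET_MAX_LIFETIME) -> dict:
    """Claims Apple expects in client_secret (the real one is ES256-signed, kid=KEY_ID)."""
    return {"iss": team_id, "iat": now, "exp": now + lifetime,
            "aud": APPLE_ISSUER, "sub": client_id}


def build_token_request(code: str, client_id: str, client_secret: str,
                        redirect_uri: Optional[str] = None) -> dict:
    """Form body POSTed to https://appleid.apple.com/auth/token."""
    form = {"client_id": client_id, "client_secret": client_secret,
            "code": code, "grant_type": "authorization_code"}
    if redirect_uri:                # needed for web-flow codes, not for native ones
        form["redirect_uri"] = redirect_uri
    return form


def check_token_request(form: dict, identity_token: Optional[str] = None) -> list:
    """List the client_id disagreements that Apple would reject as invalid_grant."""
    problems = []
    secret = jwt_claims(form["client_secret"])
    if secret.get("sub") != form["client_id"]:
        problems.append(f"client_secret sub {secret.get('sub')!r} != client_id {form['client_id']!r}")
    if secret.get("aud") != APPLE_ISSUER:
        problems.append(f"client_secret aud must be {APPLE_ISSUER!r}")
    lifetime = secret.get("exp", 0) - secret.get("iat", 0)
    if not 0 < lifetime <= CLIENT_SECRET_MAX_LIFETIME:
        problems.append(f"client_secret lifetime {lifetime}s outside (0, {CLIENT_SECRET_MAX_LIFETIME}]")
    if identity_token is not None:
        aud = jwt_claims(identity_token).get("aud")   # the client the code was issued to
        if aud != form["client_id"]:
            problems.append(f"code was issued to {aud!r}, not to {form['client_id']!r}")
    return problems


# Constructed identity token, shaped like the one the native app receives next to the code.
NATIVE_IDENTITY_TOKEN = unsigned_jwt(
    {"alg": "RS256", "kid": "constructed"},
    {"iss": APPLE_ISSUER, "aud": APP_BUNDLE_ID, "sub": "001234.constructed",
     "iat": NOW, "exp": NOW + 600})


def exchange_under(client_id: str) -> list:
    """Problems with redeeming the native app's code under the given client_id."""
    secret = unsigned_jwt({"alg": "ES256", "kid": KEY_ID},
                          client_secret_claims(TEAM_ID, client_id, NOW))
    form = build_token_request("c0de-from-ASAuthorization", client_id, secret)  # constructed code
    return check_token_request(form, NATIVE_IDENTITY_TOKEN)


if __name__ == "__main__":
    print("exchange under bundle ID  :", exchange_under(APP_BUNDLE_ID) or "ok")
    print("exchange under Services ID:", exchange_under(SERVICES_ID))
```

Logging the identity token's `aud` on the device alongside each failed sign-in is the cheapest way to learn which client the failing codes were actually issued to, since the code itself is opaque and the only server-side symptom is the `invalid_grant` text shown in the first post.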

Hi @dan.woda, thanks a lot for the link. I had a look at the thread, and it explains that this response is expected when using an emulator, which is interesting. Unfortunately, in our case I think there must be some other edge case where the Authorization Code provided by Authentication Services is not valid. There are too many cases in our logs of this happening for it to be explained by developers on emulators.

Thanks, Mike

Hi @matt_is_flat, I haven't tried the 'Try Connection' within the Auth0 console, but I may look into that, thanks for the tip.
I think my scenario is slightly different in that we are live with SIWA, and in all the cases I can reproduce, it works every time. The issue is that in ~0.3% of cases we see the above error in the logs we record for the app in production, and I'm unable to reproduce the scenario in development.

Thanks,

@michael.baldock,

Is there any way to get more information from the users that are running into this error?

For instance, have you seen support requests from users that are running into this?

Unfortunately, I haven't had any actual in-person reports of this issue, so no, I don't have very much to go on! If I let you know the name of the tenant, is there any more information you'd be able to get from the logs on the Auth0 side about this, do you think?

edit: privacy