Sign In With Apple Fails with "Invalid Grant"

  • Which SDK this is regarding: iOS Swift SDK
  • SDK Version: 1.30.0
  • Platform Version: iOS 14

Hello,

Sign in With Apple is failing with this error in a native iOS app:

"Error from apple connection: (no description) (invalid_grant)" 

The relevant code is here:

    func performLoginWithApple() {
        let request = ASAuthorizationAppleIDProvider().createRequest()
        request.requestedScopes = [.fullName, .email]
        let controller = ASAuthorizationController(authorizationRequests: [request])
        controller.delegate = self
        controller.presentationContextProvider = self
        controller.performRequests()
    }

    func authorizationController(controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) {
        guard let appleIDCredentials = authorization.credential as? ASAuthorizationAppleIDCredential,
              let token = appleIDCredentials.identityToken,
              let userToken = String(data: token, encoding: .utf8) else {
            return
        }
        Auth0
            .authentication(clientId: "ClientID", domain: "dev.domain.com")
            .login(appleAuthorizationCode: userToken, scope: "openid offline_access", audience: "https://api.dev.domain.com/")
            .start {
              ...
            }
    }

I’ve double checked everything (Bundle ID of the app, Key IDs, etc.) and nothing.

Any clues?

Hi there,

I have not worked with this exact error before, but I remember from working with similar errors that the ones starting with “Error from apple connection” are an error we receive when we attempt to exchange the authorization code with Apple.

I don’t know if you’ve seen this Apple Developer Forums thread yet:

It has a few ideas–some of them involve the process of actually exchanging the authorization code and those don’t apply to you because we’re doing that for you. There was one comment from an Apple employee that looks promising:

The client_id used when calling the token endpoint should match the native app’s app id. The services ID should not be used here and using that would result in failure due to mismatch between the client_id for which the authorization was granted and the one that is presenting the code for validation.

“client_id” there maps to the “Client ID” field in the SIWA connection setup. It’s not very clear from our docs or the Apple docs that Services IDs and App IDs are for web and native apps, respectively.

If you DM me your tenant name and a rough timeframe when you received one of these errors, I will see if I can find out anything else.

Matt

Hey Matt,

The tenant name is dev-videoask, and this is one of the logs https://manage.auth0.com/dashboard/eu/dev-videoask/logs/90020201030134332242000255126661216780493381505520762914

In case you don’t have access to the logs, this happened at 2020-10-30 13:43:30.379 UTC

For reference, the issue was trying to use the userToken as the authorizationCode, which was triggering the invalid grant error from Apple:

Auth0
    .authentication(clientId: "ClientID", domain: "dev.domain.com")
    .login(appleAuthorizationCode: userToken, (...)

Using the authorization code instead solved it. According to https://developer.apple.com/forums/thread/118135 it should be available as something like:

let authorizationCode = String(data: credential.authorizationCode!, encoding: .utf8)

Auth0
    .authentication(clientId: <YOUR_CLIENT_ID>, domain: <YOUR_DOMAIN>)
    .login(appleAuthorizationCode: authorizationCode, (...)
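As an added example (not code from this thread, from Auth0 or from Apple), the corrected delegate method written out in full, plus a local sanity check that ties the two replies together: the identity token's `aud` claim is the client_id the grant was issued for, which for a native app is the Bundle ID, and that is the value the SIWA connection's "Client ID" field must hold. `AppleSignInHandler`, the placeholder client ID and domain, and the audience URL are assumptions.

```swift
import AuthenticationServices
import Auth0
import Foundation

// Assumed class name; stands in for whatever object acts as the ASAuthorizationController delegate.
final class AppleSignInHandler: NSObject, ASAuthorizationControllerDelegate {

    // Decode a JWT payload WITHOUT verifying the signature. Local diagnostic only;
    // Auth0 validates the token when it exchanges the code with Apple.
    private func jwtPayload(_ jwt: String) -> [String: Any]? {
        let parts = jwt.split(separator: ".")
        guard parts.count == 3 else { return nil }
        var b64 = String(parts[1])
            .replacingOccurrences(of: "-", with: "+")
            .replacingOccurrences(of: "_", with: "/")
        while b64.count % 4 != 0 { b64 += "=" }   // restore base64 padding stripped by base64url
        guard let data = Data(base64Encoded: b64) else { return nil }
        return (try? JSONSerialization.jsonObject(with: data)) as? [String: Any]
    }

    func authorizationController(controller: ASAuthorizationController,
                                 didCompleteWithAuthorization authorization: ASAuthorization) {
        guard let credential = authorization.credential as? ASAuthorizationAppleIDCredential,
              // authorizationCode is what Auth0 exchanges with Apple; identityToken is a JWT
              // addressed to the app itself, and sending it as the code yields invalid_grant.
              let codeData = credential.authorizationCode,
              let authorizationCode = String(data: codeData, encoding: .utf8),
              let tokenData = credential.identityToken,
              let identityToken = String(data: tokenData, encoding: .utf8) else {
            return
        }
        // Apple sets `aud` to the client_id the grant was issued for (the Bundle ID for a
        // native app). The SIWA connection's "Client ID" must be that value, not a Services
        // ID; a mismatch here is the same mismatch that fails the token exchange.
        if let aud = jwtPayload(identityToken)?["aud"] as? String,
           aud != Bundle.main.bundleIdentifier {
            print("Identity token aud (\(aud)) != this app's Bundle ID; check the SIWA connection Client ID")
        }
        Auth0
            .authentication(clientId: "<YOUR_CLIENT_ID>", domain: "<YOUR_DOMAIN>")
            .login(appleAuthorizationCode: authorizationCode,
                   scope: "openid offline_access",
                   audience: "https://api.dev.domain.com/")   // assumed API identifier
            .start { result in
                switch result {
                case .success(let credentials): print("Logged in: \(credentials.accessToken ?? "")")
                case .failure(let error): print("Auth0 login failed: \(error)")
                }
            }
    }
}
```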
