Sign In With Apple Fails with "Invalid Grant"

piercifani · October 29, 2020, 12:24pm

Which SDK this is regarding: iOS Swift SDK
SDK Version: 1.30.0
Platform Version: iOS 14

Hello,

Sign in With Apple is failing with this error in a native iOS app:

"Error from apple connection: (no description) (invalid_grant)"

The relevant code is here:

    func performLoginWithApple() {
        let request = ASAuthorizationAppleIDProvider().createRequest()
        request.requestedScopes = [.fullName, .email]
        let controller = ASAuthorizationController(authorizationRequests: [request])
        controller.delegate = self
        controller.presentationContextProvider = self
        controller.performRequests()
    }

    func authorizationController(controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) {
        guard let appleIDCredentials = authorization.credential as? ASAuthorizationAppleIDCredential,
              let token = appleIDCredentials.identityToken,
              let userToken = String(data: token, encoding: .utf8) else {
            return
        }
        Auth0
            .authentication(clientId: "ClientID", domain: "dev.domain.com")
            .login(appleAuthorizationCode: userToken, scope: "openid offline_access", audience: "https://api.dev.domain.com/")
            .start {
              ...
            }
    }

I’ve doubled check everything, (Bundle ID of the app, Key IDs, etc) and nothing.

Any clues?

matt.macadam · October 30, 2020, 3:59pm

Hi there,

I have not worked with this exact error before, but I remember from working with similar errors that the ones starting with “Error from apple connection” are an error we receive when we attempt to exchange the authorization code with Apple.

I don’t know if you’ve seen this Apple Developer Forums thread yet:

https://developer.apple.com/forums/thread/118135

It has a few ideas–some of them involve the process of actually exchanging the authorization code and those don’t apply to you because we’re doing that for you. There was one comment from an Apple employee that looks promising:

The client_id used when calling the token endpoint should match the native app’s app id. The services ID should not be used here and using that would result in failure due to mismatch between the client_id for which the authorization was granted and the one that is presenting the code for validation.

“client_id” there maps to the “Client ID” field in the SIWA connection setup. It’s not very clear from our docs or the Apple docs that Services IDs and App IDs are for web and native apps, respectively.

If you DM me your tenant name and a rough timeframe when you you received one of these errors, I will see if I can find out anything else.

Matt

piercifani · October 30, 2020, 4:18pm

Hey Matt,

The tenant name is dev-videoask, and this is one of the logs https://manage.auth0.com/dashboard/eu/dev-videoask/logs/90020201030134332242000255126661216780493381505520762914

piercifani · November 2, 2020, 8:34am

In case you don’t have access to the logs, this happened at 2020-10-30 13:43:30.379 UTC

ricardo.batista · November 6, 2020, 1:57pm

For reference, the issue was trying to use the userToken as the authorizationCode, which was triggering the invalid grant error from apple:

Auth0
    .authentication(clientId: "ClientID", domain: "dev.domain.com")
    .login(appleAuthorizationCode: userToken, (...)

Using the authorization code instead, solved it. According to https://developer.apple.com/forums/thread/118135 it should be available as something like:

let authorizationCode = String(data: credential.authorizationCode!, encoding: .utf8)

Auth0
    .authentication(clientId: <YOUR_CLIENT_ID>, domain: <YOUR_DOMAIN>)
    .login(appleAuthorizationCode: authorizationCode, (...)

system · November 21, 2020, 1:57pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.