FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login

    [ExternalAuthenticationException]AppleIdToken

    Scheduled Pinned Locked Moved
    General Discussion
    2
    7
    621
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      akash
      last edited by akash

      FusionAuth version - 1.31.0
      Platform - docker

      Step 1 : Generate Authorization code
      I have successfully retrieved the authorization code from apple using the following endpoint,

      https://appleid.apple.com/auth/authorize?client_id=<my-client-id>&response_type=code&redirect_uri=<my-redirect-url>

      Step 2: Generate Tokens
      I have successfully generated an id token using code generated from Generate Authorization code from step 1 using the following request,

      POST-https://appleid.apple.com/auth/token

Content-Type: application/x-www-form-urlencodedclient_id:<my-client-id>

client_secret:<my-client-secret>
code:<code from-step-1>
grant_type:authorization_code
redirect_uri:<my-redirect-url>

      Step 3: Setup Apple Identity provider in FusionAuth

      • I have successfully imported the apple private key into Fusionauth Elliptic private key

      • I have successfully created an identity provider for apple using service id, team id, and imported Elliptic private key.

      Step 4: Complete Apple Login in FusionAuth
      I requested Fusionauth using the following request :

      POST /api/identity-provider/login

Request body
{
    "applicationId": "<my-application-id>",
    "data": {
        "code": "<code-generated-in-step-1>",
        "id_token": "<id-token-generated-in-step-2>",
        "redirect_uri": "<my-redirect-url>"
    },
  "identityProviderId": "13d2a5db-7ef9-4d62-b909-0df58612e775"
}

      I got the following error response with 401:

      {
    "generalErrors": [
        {
            "code": "[ExternalAuthenticationException]AppleIdToken",
            "message": "The id_token returned from Apple is invalid or cannot be verified. Unable to complete this login request."
        }
    ]
}

      Can you please guide me on this issue?

      joshuaJ 1 Reply Last reply Reply Quote 1
      • joshuaJ
        joshua @akash
        last edited by

        @akash,

        Can you share the output of your event logs (System > Event Log) with debug enabled on the Apple IdP?

        Thanks,
        Josh

        A 1 Reply Last reply Reply Quote 0
        • A
          akash @joshua
          last edited by

          @joshua,

          Following is the event log,
          Apple IdP Response Debug Log [13d2a5db-7ef9-4d62-b909-0df58612e775]

          4/12/2022 06:17:57 AM GMT Validate the provided [id_token] value [eyJraWQiOiJmaDZCczhDIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnJldm9sdXRpb25jYXJzLmRlbW8iLCJleHAiOjE2NDk4MzA2NTUsImlhdCI6MTY0OTc0NDI1NSwic3ViIjoiMDAwNzA1LjQ5YTA5ZjYyNTMyNjRhMDNhYTQ5N2ExYTlhYzI3MDY5LjE0MTciLCJhdF9oYXNoIjoiSEd3a0FvdlVsRkJyck1wbXJZb3JndyIsImVtYWlsIjoiZ2FuZXNobW9vcnRoeTU5OTlAZ21haWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOiJ0cnVlIiwiYXV0aF90aW1lIjoxNjQ5NzQ0MjQxLCJub25jZV9zdXBwb3J0ZWQiOnRydWV9.F742sVkpmI1SAMigPN8Nq4IpLdRm20xgkRfHSiEX0JQVfQDrntkuWdIJUAYgGWgvawBeL9VtfgMKSfPUsAQUDGu7DOdWTNXQjBRiywUmeXcPTmcWahbbI2KmKuqMuP03QOgGUtUx_uWXuKfHF4MKxAUeq2bh8cKdX7lIzNad2_AkGRK5q41-rtk85fl8NuIGghlBHvhPrqZyr0-VWJjo8Ty5jUB-DQTAd081-PbLjGrx-OcQ6gwTflCbcxnPaaQvDirs96LS16fDqSvDlCVNbdJEGBn7EdPchKhSaf740XP6vO40Yu8E4qdEMzp0hWb-BOaA08hiiFYToC_uiKr7uQ]
4/12/2022 06:17:57 AM GMT Decode the [id_token].
4/12/2022 06:17:57 AM GMT Assert the [iss] claim is equal to [https://appleid.apple.com].
4/12/2022 06:17:57 AM GMT Assert the [aud] claim is equal to [com.revolutioncars.demo].
4/12/2022 06:17:57 AM GMT Calculate the [c_hash] to ensure the integrity of the provided [code] value [cfbd3ee542bc646c780e40519aa1258c5.0.rxqv.jSymeElqCsLv6_lJxq1vqg].
4/12/2022 06:17:57 AM GMT The [id_token] integrity check failed. Expected a [c_hash] of [null] and found [18lo6UM0UdBPwl7OHzLljg].

          Thanks,
          Akash

          joshuaJ 1 Reply Last reply Reply Quote 0
          • joshuaJ
            joshua @akash
            last edited by

            @akash

            This suggests to me that you are not using a hybrid grant when initially requesting the code and id token from Apple.

            In your authorize request, before you get a token, you must request to get a code, and id_token (hybrid grant) together.

            I hope this helps.

            Thanks,
            Josh

            A 1 Reply Last reply Reply Quote 0
            • A
              akash @joshua
              last edited by akash

              @joshua,
              I Have tried using hybrid grand flow and generated authorization code using the following endpoint,

              https://appleid.apple.com/auth/authorize?response_type=code%20id_token&client_id=<my-client-id>&redirect_uri=<my-redirect-url>&response_mode=form_post&scope=name%20email

              And followed the steps, I mentioned in the first post but still got the same following 401 error response,

              {
    "generalErrors": [
        {
            "code": "[ExternalAuthenticationException]AppleIdToken",
            "message": "The id_token returned from Apple is invalid or cannot be verified. Unable to complete this login request."
        }
    ]
}

              And I have noticed that the same error is also shown in debug log,

              Apple IdP Response Debug Log [13d2a5db-7ef9-4d62-b909-0df58612e775]

4/18/2022 09:36:50 AM GMT Validate the provided [id_token] value [eyJraWQiOiJZdXlYb1kiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnJldm9sdXRpb25jYXJzLmRlbW8iLCJleHAiOjE2NTAzNjAxNTQsImlhdCI6MTY1MDI3Mzc1NCwic3ViIjoiMDAxOTM2LjExZDhmMDRlZTcxNTRjNTBhNzNlNzY0YTZiYjgxYTc4LjEyNTQiLCJhdF9oYXNoIjoiTkJqdzFiVFJCRElJd3VHZnNrQVRRdyIsImF1dGhfdGltZSI6MTY1MDI3MzczOCwibm9uY2Vfc3VwcG9ydGVkIjp0cnVlfQ.vv2Gm8cIqaxS-hA7x7ArUJSIViv8ciWTJ78szoDUbInOwCY1jGPKCGIVQGeuAktOKBUfhhVWyyFIu26-y6Ue9lIu1n4r0UC41ZX9kjHLpk1xMP3Zf6M3IQoj7aOYRWOohc9FBmrikoARmGKEIYSMZakgniPRrLn_SvrCyTs4yG049YaClo_TUyO9kypAWaPG7PD9WMTXj28_4cOo36E5rxhzKu-1F6u9YTIw_YdoTPiKkN2Z6gcnta0PwYAwEiB61cQCQuFTD-pFPtHbyVrDxn72Jk-e2pqqo5xY1xaSZ10tG6fOPOlaltMt8Q0r4rxKnc_Qucr2lbppaGFDGoAhWg]
4/18/2022 09:36:50 AM GMT Decode the [id_token].
4/18/2022 09:36:50 AM GMT Assert the [iss] claim is equal to [https://appleid.apple.com].
4/18/2022 09:36:50 AM GMT Assert the [aud] claim is equal to [com.revolutioncars.demo].
4/18/2022 09:36:50 AM GMT Calculate the [c_hash] to ensure the integrity of the provided [code] value [c667757d99b164e63b63e7c3eaa3e211d.0.rrztw.Erf15Va-FL9xxQTjq0rg3w].

              Thanks,
              Akash

              joshuaJ 1 Reply Last reply Reply Quote 0
              • joshuaJ
                joshua @akash
                last edited by

                @akash

                You can see that you are getting a new error now(?)

                4/18/2022 09:36:50 AM GMT Calculate the [c_hash] to ensure the integrity of the provided [code] value [c667757d99b164e63b63e7c3eaa3e211d.0.rrztw.Erf15Va-FL9xxQTjq0rg3w].

                Before

                4/12/2022 06:17:57 AM GMT The [id_token] integrity check failed. Expected a [c_hash] of [null] and found [18lo6UM0UdBPwl7OHzLljg].

                Did you change how you are accessing the endpoint or maybe did the logs cut off?

                Thanks,
                Joshh

                A 1 Reply Last reply Reply Quote 0
                • A
                  akash @joshua
                  last edited by

                  @joshua

                  I have inserted the code and id_token in the API call as you mentioned and
                  My logs had been cut off, The following are the complete logs,

                  Apple IdP Response Debug Log [13d2a5db-7ef9-4d62-b909-0df58612e775]

7/7/2022 12:18:37 PM GMT Validate the provided [id_token] value [eyJraWQiOiJmaDZCczhDIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnJldm9sdXRpb25jYXJzLmRlbW8iLCJleHAiOjE2NTcyODI1NzcsImlhdCI6MTY1NzE5NjE3Nywic3ViIjoiMDAwNzA1LjQ5YTA5ZjYyNTMyNjRhMDNhYTQ5N2ExYTlhYzI3MDY5LjE0MTciLCJhdF9oYXNoIjoiWTRsTVlESkRITHdteldpc3FzbTY2ZyIsImVtYWlsIjoiZ2FuZXNobW9vcnRoeTU5OTlAZ21haWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOiJ0cnVlIiwiYXV0aF90aW1lIjoxNjU3MTk2MTU5LCJub25jZV9zdXBwb3J0ZWQiOnRydWV9.aK7dDZdZSue6gCpmba0YL8PVX2qkbru-4DE0NNNBKBKnqN2uFmwgbcjYRqb-jj4UIKCibDcUSsd4mbD9wRHK4o8rH8M_ZCBdgJ8cIr1sx8JTQ7M1BOSyap7GsxWzPdR_stCJn7xWBeUulRtpWdemj-H3_6DwMQak0E4IG2ZxAdTwmTz464FGynmbmXQaKBqqLJP5WXFagLHZNFZeCd9Tr458B3__KGcPni912IwHLl1Yhhn-oqLm7RU5Ck5iTPZfvW2oZwljtdilCONVzXHsyHnL0hPZcvzrlxWXxXhljpg_VeuS-M53amL2JgAQRjloFARBqfRWW3zt5qdRYVYl1w]
7/7/2022 12:18:37 PM GMT Decode the [id_token].
7/7/2022 12:18:37 PM GMT Assert the [iss] claim is equal to [https://appleid.apple.com].
7/7/2022 12:18:37 PM GMT Assert the [aud] claim is equal to [com.revolutioncars.demo].
7/7/2022 12:18:37 PM GMT Calculate the [c_hash] to ensure the integrity of the provided [code] value [].
7/7/2022 12:18:37 PM GMT The [id_token] integrity check failed. Expected a [c_hash] of [null] and found [47DEQpj8HBSa-_TImW-5JA].
                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post