Using native apple sign in
- 
 [https://fusionauth.io/community/forum/topic/808/using-native-controls-for-apple-login] We are using native controls for Apple sign in and trying to use the identity provider login API but running into an issue with a message: The id_token returned from Apple is invalid or cannot be verified. Unable to complete this login request. We have gone through the "Apple Identity Provider" documentation and followed all the steps on the Apple developer settings as well as on FusionAuth. The access token is generated from the native app, so we don't have the code and redirect properties, and we are setting those values to empty strings since those are required to call the API, unlike Facebook and Google native login.
 API call:
 POST api/identity-provider/login
 Body:
    {
      "applicationId": "bc3056ab-edb5-42a2-af45-b4f816689997",
      "data": {
        "code": "",
        "redirect_uri": "",
        "id_token": "eyJraWQiOiJXNldjT0tCIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnVyYmFuc2l0dGVyLm1vYmlsZS5sb2NhbCIsImV4cCI6MTY2ODIwNDU0MywiaWF0IjoxNjY4MTE4MTQzLCJzdWIiOiIwMDE5MjIuYTNkMDZlNjZlMzk5NGM3ZjlmOTE2OTI3NDk4MWYyZTYuMjE0MCIsImNfaGFzaCI6ImdkZjNHN3BHaHFWZW9TVzNYYlBvSHciLCJlbWFpbCI6InRhc2hpLmFicml0aUBnbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6InRydWUiLCJhdXRoX3RpbWUiOjE2NjgxMTgxNDMsIm5vbmNlX3N1cHBvcnRlZCI6dHJ1ZX0.e5e_MZ1mER7hqRPy-ZylNTidu8Gr6d7HrXpDgu8sbj5idXqYr4YvO6_wEAzfAlTfBsi7lwZI9szo239bvn0m3u5Rwe4dGd6DKgX226Z5vmTctUGCDY0oW2-2zYWXZfb4MLMSrKPd7Kg_Xup-5gE-uHiAuyiBdm07HatNCWyQgMW_hoLZJHMZxtzgtyn79P0yfpZ-4ho2pwRUJAFHwZq66w4QOqAmn4CmRJw3G2Vuf3WPITr4LE3k5eyZURQLPs48qAaiL96L9Vhvx4IKRERrYVFqZEacNihhX3S0yiWtMVc0QASuC9E87pqqMyUa6JjINrXUrQ_QlVR2Umckum90Pg"
      },
      "identityProviderId": "13d2a5db-7ef9-4d62-b909-0df58612e775"
    }
 Log error:
    Apple IdP Response Debug Log [13d2a5db-7ef9-4d62-b909-0df58612e775]
    11/10/2022 11:32:06 PM Z Validate the provided [id_token] value [eyJraWQiOiJXNldjT0tCIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnVyYmFuc2l0dGVyLm1vYmlsZS5sb2NhbCIsImV4cCI6MTY2ODIwNDU0MywiaWF0IjoxNjY4MTE4MTQzLCJzdWIiOiIwMDE5MjIuYTNkMDZlNjZlMzk5NGM3ZjlmOTE2OTI3NDk4MWYyZTYuMjE0MCIsImNfaGFzaCI6ImdkZjNHN3BHaHFWZW9TVzNYYlBvSHciLCJlbWFpbCI6InRhc2hpLmFicml0aUBnbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6InRydWUiLCJhdXRoX3RpbWUiOjE2NjgxMTgxNDMsIm5vbmNlX3N1cHBvcnRlZCI6dHJ1ZX0.e5e_MZ1mER7hqRPy-ZylNTidu8Gr6d7HrXpDgu8sbj5idXqYr4YvO6_wEAzfAlTfBsi7lwZI9szo239bvn0m3u5Rwe4dGd6DKgX226Z5vmTctUGCDY0oW2-2zYWXZfb4MLMSrKPd7Kg_Xup-5gE-uHiAuyiBdm07HatNCWyQgMW_hoLZJHMZxtzgtyn79P0yfpZ-4ho2pwRUJAFHwZq66w4QOqAmn4CmRJw3G2Vuf3WPITr4LE3k5eyZURQLPs48qAaiL96L9Vhvx4IKRERrYVFqZEacNihhX3S0yiWtMVc0QASuC9E87pqqMyUa6JjINrXUrQ_QlVR2Umckum90Pg]
    11/10/2022 11:32:06 PM Z Decode the [id_token].
    11/10/2022 11:32:06 PM Z Assert the [iss] claim is equal to [https://appleid.apple.com].
    11/10/2022 11:32:06 PM Z Assert the [aud] claim is equal to [com.urbansitter.mobile.local].
    11/10/2022 11:32:06 PM Z Calculate the [c_hash] to ensure the integrity of the provided [code] value [gdf3G7pGhqVeoSW3XbPoHw].
    11/10/2022 11:32:06 PM Z The [id_token] integrity check failed. Expected a [c_hash] of [gdf3G7pGhqVeoSW3XbPoHw] and found [K9t2pCrAVLpt1gRBI6i3wQ].
- 
 @tashi This failure is related to how you are asking FusionAuth to complete the login. For Apple, you must complete a hybrid grant. At a high level, here is how you will use the FusionAuth IdP Login API with Apple when you are not using our hosted login pages.
 - Begin the Authorization Code grant with Apple using a hybrid grant response_type=code id_token.
 - Collect the two tokens code and id_token sent to you by Apple on the redirect URL specified by the redirect_uri query parameter.
 - Send these two values to the FusionAuth IdP Login API. Do not complete the Authorization Code exchange with Apple using the Token endpoint.
 Please also note that Apple has a separate configuration for Web and Mobile-based authentication. There are a few open issues that may be worth reviewing as well and could be influencing the behavior you are seeing:
 - https://github.com/FusionAuth/fusionauth-issues/issues/778
 - https://github.com/FusionAuth/fusionauth-issues/issues/1248
 Josh
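The [c_hash] comparison that fails in the debug log above can be reproduced locally before calling the IdP Login API. This is an added example, not FusionAuth's code and not part of the original posts: it follows the OpenID Connect Core definition of c_hash (base64url of the left half of the hash of the code, with the hash selected by the token's alg) and does not verify the signature; the function names and the unsigned sample token are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Hash implied by the JWS "alg" header suffix (RS256/ES256 -> SHA-256, ...).
_HASH_BY_ALG_SUFFIX = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def c_hash(code: str, alg: str = "RS256") -> str:
    """base64url(left half of HASH(ASCII(code))), HASH selected by alg."""
    if alg[-3:] not in _HASH_BY_ALG_SUFFIX:
        raise ValueError(f"unsupported alg: {alg!r}")
    digest = _HASH_BY_ALG_SUFFIX[alg[-3:]](code.encode("ascii")).digest()
    return _b64url_encode(digest[: len(digest) // 2])


def check_code_binding(id_token: str, code: str) -> dict:
    """Compare the c_hash claim with the hash of `code` (signature NOT verified)."""
    header_b64, payload_b64, _signature = id_token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    expected = claims.get("c_hash")
    if not isinstance(expected, str):
        return {"ok": False, "reason": "id_token has no c_hash claim"}
    computed = c_hash(code, header["alg"])
    return {"ok": hmac.compare_digest(expected, computed),
            "expected": expected, "computed": computed}


def make_sample_token(code: str) -> str:
    """Constructed, unsigned sample token bound to `code` (not a real Apple token)."""
    header = {"alg": "RS256", "kid": "sample"}
    claims = {"iss": "https://appleid.apple.com", "c_hash": c_hash(code)}
    parts = [_b64url_encode(json.dumps(p).encode()) for p in (header, claims)]
    return ".".join(parts + ["constructed-signature"])


SAMPLE_CODE = "constructed-authorization-code"  # constructed value
SAMPLE_TOKEN = make_sample_token(SAMPLE_CODE)
print(check_code_binding(SAMPLE_TOKEN, SAMPLE_CODE))  # code issued with the token
print(check_code_binding(SAMPLE_TOKEN, ""))           # empty code: binding fails
```

A mismatch here means the code and id_token did not come from the same Apple authorization response; signature, iss, aud and exp checks are still required before any claim is trusted.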
- 
 We've updated the apple provider doc to be more clear: https://fusionauth.io/docs/v1/tech/apis/identity-providers/apple#complete-the-apple-login 
- 
 [SUCCESS] We found that apple native sign has a way to get the authorization code using their sdk.
 ASAuthorizationAppleIDCredential::authorizationCode
 We are using that property to pass in the place of code for the API call to api/identity-provider/login.
 API: [POST] - api/identity-provider/login
    {
      "applicationId": "bc3056ab-edb5-42a2-af45-b4f816689997",
      "data": {
        "code": "c4cb505812c5343798fa8478cf9c64fa9.0.srzss.wUaW_U9LTn24TjiKdaPKMQ",
        "redirect_uri": "",
        "id_token": "eyJraWQiOiJXNldjT0tCIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnVyYmFuc2l0dGVyLm1vYmlsZS5sb2NhbCIsImV4cCI6MTY3MDM1MjkzMCwiaWF0IjoxNjcwMjY2NTMwLCJzdWIiOiIwMDE5MjIuYTNkMDZlNjZlMzk5NGM3ZjlmOTE2OTI3NDk4MWYyZTYuMjE0MCIsImNfaGFzaCI6IjJTY1R6YUZySmxKYVU3c2ppNGtiWEEiLCJlbWFpbCI6InRhc2hpLmFicml0aUBnbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6InRydWUiLCJhdXRoX3RpbWUiOjE2NzAyNjY1MzAsIm5vbmNlX3N1cHBvcnRlZCI6dHJ1ZX0.aVRm7_i1Cn7gyy6NxspZRNta6LaI6knitgGkgIsNkzskxbHXJfMUQbbTE9sYL9xUDpfi-si7sGPRdlvnKCOqtXUKcE0hiHsCOgOQykP1mLrd27qaYiwa__vd9EdWgPYPnujulaI14L1lfvT79Ss_mxOeJiwpsXoy3VI4vRpI7LNHU_QguSD2xFV9ZX-WwOJCzfqFl7dMPOnISYgu1sVjO2couokzlwZEkv96yBQqRByOeeQ0jOVvURJ_FpLuQ2jj0xs5U2S-vvkDStVWuiSiKQIiwons-aHdXAjB__3ASfQamntl1AHCMZWTSaSlh5C1zxSZdH4NQhd-eR4m_wZej"
      },
      "identityProviderId": "13d2a5db-7ef9-4d62-b909-0df58612e775"
    }
 RESULT:
    {
      "refreshToken": "tRbop7_4hhKsdp2XVBLuJwvVWlf030cd2-AzJGQSnY8xLI6THtbVhQ",
      "refreshTokenId": "28b74a97-4286-4259-bc46-c8857f59fe73",
      "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImUxMmQxMzQzYSJ9.….BCGm0b1GHTPKuQRi0VrhqxPX6kGOB-rwkkkuYn3gkm",
      "tokenExpirationInstant": 1670266626871,
      "user": {
        "active": true,
        "connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
        "data": { "id": "1111396", "roles": [ "5" ] },
        "email": "janesmith11223344@gmail.com",
        "fullName": "null null",
        "id": "e4ae71ed-c137-4be1-86d1-244160667c0e",
        "imageUrl": "https://assets-local.urbansitter.net/assets/img/us-default-avatar-320.png",
        "insertInstant": 1669939131457,
        "lastLoginInstant": 1670266566856,
        "lastUpdateInstant": 1670266566856,
        "memberships": [],
        "passwordChangeRequired": false,
        "passwordLastUpdateInstant": 1669939131538,
        "preferredLanguages": [],
        "registrations": [
          {
            "applicationId": "bc3056ab-edb5-42a2-af45-b4f816689997",
            "data": {},
            "id": "c1ed7f48-f29c-483b-a3a4-381c834327a4",
            "insertInstant": 1669939131544,
            "lastLoginInstant": 1670266566856,
            "lastUpdateInstant": 1670266566860,
            "preferredLanguages": [],
            "roles": [],
            "tokens": {},
            "username": "jane-smith",
            "usernameStatus": "ACTIVE",
            "verified": true
          }
        ],
        "tenantId": "f2c49476-a77a-8fd2-d41d-020680763ed4",
        "twoFactor": { "methods": [], "recoveryCodes": [] },
        "uniqueUsername": "jane-smith",
        "username": "jane-smith",
        "usernameStatus": "ACTIVE",
        "verified": true
      }
    }
 Thanks for all the help.
- 
 @tashi That's great! 
- 
T tashi has marked this topic as solved on
- 
 @tashi said in Using native apple sign in: [SUCCESS] We found that apple native sign has a way to get the authorization code using their sdk.
 Very helpful and informative. Thanks for sharing this post.

