
    Not able to Login with Apple ID

    • progressman

      Request to the [https://appleid.apple.com/auth/token] endpoint failed. Status code [400].

      Error response is
      {
      "error" : "invalid_client"
      }

      Does anyone know what could be an issue here?

      Here are more details:
      FusionAuth ver.1.22.2

      Apple IdP Response Debug Log
      1/21/2021 12:15:58 PM GMT Validate the provided [id_token] value [--JWT-SKIPED--]
      1/21/2021 12:15:58 PM GMT Decode the [id_token].
      1/21/2021 12:15:58 PM GMT Assert the [iss] claim is equal to [https://appleid.apple.com].
      1/21/2021 12:15:58 PM GMT Assert the [aud] claim is equal to [ru.macaroon.login-with-apple].
      1/21/2021 12:15:58 PM GMT Calculate the [c_hash] to ensure the integrity of the provided [code] value [c98f13298914940aeb56d177a62254320.0.mrtuw.pqCD8_66uaZdK8DLSoboZQ].
      1/21/2021 12:15:58 PM GMT Generate the [client_secret] used to call the configured Token endpoint.
      1/21/2021 12:15:58 PM GMT Call the configured Token endpoint [https://appleid.apple.com/auth/token] with the the following [client_secret] value: --JWT_LIKE_TOKEN_SKIPPED--
      1/21/2021 12:15:58 PM GMT Endpoint returned status code [400]
      1/21/2021 12:15:58 PM GMT The response was not successful, see the error event log.

      • dan

        What does the error event log say? Have you turned on idp debugging? Does this occur with only one apple id, or with all of them?

        Have you ensured that your client secret and client id don't have extra whitespace on either side?

        Have you looked at the other apple id posts in the forum?

        This one looks like it has some useful info: https://fusionauth.io/community/forum/post/1286

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        • trevorr

          I'm having the same issue. My event log with IdP debug enabled looks like @progressman showed:

          Apple IdP Response Debug Log
          
          5/2/2021 12:06:17 AM GMT Validate the provided [id_token] value [ey...]
          5/2/2021 12:06:17 AM GMT Decode the [id_token].
          5/2/2021 12:06:17 AM GMT Assert the [iss] claim is equal to [https://appleid.apple.com].
          5/2/2021 12:06:17 AM GMT Assert the [aud] claim is equal to [com.fittfinder.app].
          5/2/2021 12:06:17 AM GMT Calculate the [c_hash] to ensure the integrity of the provided [code] value [cb...].
          5/2/2021 12:06:17 AM GMT Generate the [client_secret] used to call the configured Token endpoint.
          5/2/2021 12:06:17 AM GMT Call the configured Token endpoint [https://appleid.apple.com/auth/token] with the the following [client_secret] value:
          ey...
          5/2/2021 12:06:18 AM GMT Endpoint returned status code [400]
          5/2/2021 12:06:18 AM GMT The response was not successful, see the error event log.
          
          Request to the [https://appleid.apple.com/auth/token] endpoint failed. Status code [400].
          
          Error response is 
          {
            "error" : "invalid_client"
          }
          

          I tried with 2 different Apple IDs (my developer account and an unrelated one). No leading/trailing whitespace on my Services ID or Team ID. Using Default Apple Reconcile lambda. I've only seen this specific error mentioned in this post and this issue: https://github.com/FusionAuth/fusionauth-issues/issues/885

          • robotdan

            Can you post the error event log that is indicated by the debug event log?

            • robotdan

              @trevorr said in Not able to Login with Apple ID:

              "error" : "invalid_client"

              The Apple login can be difficult to debug. Have you tried any of the solutions suggested by other threads online?

              https://developer.apple.com/forums/thread/124521
              https://developer.apple.com/documentation/sign_in_with_apple/errorresponse

              • trevorr @robotdan

                Posting here in addition to GitHub: The issue for me was that the signing key didn't have the right Apple-provided key identifier, which goes in the kid field of the client_secret JWT header. Recreating the private key with that identifier fixed the issue.

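The check that resolved this thread can be run locally on the [client_secret] value from the IdP debug log before it is ever sent to Apple. The following is an added example, not code from the thread or from FusionAuth: it decodes the JWT header and claims without verifying the signature and compares them with the values Apple documents for the client secret (ES256, the key's `kid`, Team ID as `iss`, Services ID as `sub`, `aud` of https://appleid.apple.com, `exp` at most 15777000 seconds ahead). The function names and all sample identifiers are assumptions made for illustration.

```python
import base64
import json
import time

APPLE_AUD = "https://appleid.apple.com"
MAX_LIFETIME = 15777000  # seconds (about six months); Apple's documented ceiling for exp

def _decode(part):
    """Decode one base64url JWT segment (padding restored) into a JSON object."""
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def _encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_client_secret(token, expected_kid, team_id, client_id, now=None):
    """List header/claim problems in a client_secret JWT. The signature is NOT verified."""
    now = int(time.time()) if now is None else now
    problems = []
    if token != token.strip():
        problems.append("token has leading/trailing whitespace")
    parts = token.strip().split(".")
    if len(parts) != 3:
        return problems + ["not a three-part compact JWT"]
    try:
        header, claims = _decode(parts[0]), _decode(parts[1])
    except ValueError:
        return problems + ["header or payload is not base64url JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return problems + ["header or payload is not a JSON object"]
    expected = [("header", header, "alg", "ES256"), ("header", header, "kid", expected_kid),
                ("claim", claims, "iss", team_id), ("claim", claims, "sub", client_id),
                ("claim", claims, "aud", APPLE_AUD)]
    for where, obj, name, want in expected:
        if obj.get(name) != want:
            problems.append(f"{where} {name}={obj.get(name)!r}, expected {want!r}")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("claim exp is missing or already in the past")
    elif exp - now > MAX_LIFETIME:
        problems.append("claim exp is more than six months ahead")
    return problems

def sample_token(kid, now):
    """Constructed sample; IDs are made up and the signature is a placeholder."""
    claims = {"iss": "TEAMID1234", "sub": "com.example.service", "aud": APPLE_AUD,
              "iat": now, "exp": now + 3600}
    return ".".join([_encode({"alg": "ES256", "kid": kid}), _encode(claims), "c2ln"])
```

An empty list means the header and claims match what was configured; a `kid` mismatch like the one described in the last post shows up as a single `header kid=...` entry.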