9

So far I followed this post and it helped me so much; however, I now get an "invalid_grant" error. Following https://developer.apple.com/documentation/signinwithapplerestapi/errorresponse, I understand that I have an issue because either the authorization grant or the refresh token is invalid.

Despite my searches and tries (and retries), I am still stuck and I don't know where it comes from. I used the app given at https://developer.apple.com/documentation/authenticationservices/adding_the_sign_in_with_apple_flow_to_your_app

Now that I get my token from the app above, I try to validate it from a C# backend, but I get a 400 response code with invalid_grant.

The only difference I could notice from the post is that I don't have any [Verify] button (option) or [Download] button in the portal, compared to the image below. I don't know if this is related, but I am trying to provide as many details as I can:

Hopefully someone can help, thanks for any help :) Feel free to ask for more details if required.

Max

Emixam23

2 Answers

3

I also had the same issue; I found the solution here:

https://forums.developer.apple.com/thread/118135

As explained in the link, when you are using the code you got from the app, you should use the app ID instead of the service ID.

Akbay
1

Could you share how you try to create the JWT? I've tried a couple of things; I'm at this right now (which doesn't work either, I'll update if I find a real solution):

    const string iss = "7#######G"; // team ID
    const string aud = "https://appleid.apple.com";
    const string sub = "com.######.weblogin"; // service ID
    const string privateKey = "MIGTA#######"; // contents of .p8 file

    var d = DateTime.UtcNow.AddDays(-5);

    var cngKey = CngKey.Import(
        Convert.FromBase64String(privateKey),
        CngKeyBlobFormat.Pkcs8PrivateBlob);

    var handler = new JwtSecurityTokenHandler();

    var securityKey = new ECDsaSecurityKey(new ECDsaCng(cngKey) { KeySize = 256, HashAlgorithm = CngAlgorithm.ECDsaP256 });

    securityKey.KeyId = "G#######W";
    var signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.EcdsaSha256);

    return handler.CreateEncodedJwt(iss, aud, new ClaimsIdentity(new List<Claim> { new Claim("sub", sub) }), d, expires: d.AddMonths(3), d, signingCredentials: signingCredentials);

Headers look like that in the JWT. From what I've gathered, there might be the "typ" header, which is not present in many implementations; perhaps I should get rid of it:

{
  "alg": "ES256",
  "kid": "G#######W",
  "typ": "JWT"
}

body:

{
  "sub": "com.#####.weblogin",
  "nbf": 1583088895,
  "exp": 1591037695,
  "iat": 1583088895,
  "iss": "7######G",//teamid
  "aud": "https://appleid.apple.com"
}
Lomithrani
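
A pre-flight check for the app ID versus service ID mismatch described in the first answer, as an added example (not code from either answer or from Apple): it decodes the identity token and the client_secret without verifying signatures, for diagnostics only, and compares the identity token's `aud`, the client_secret's `sub` and the `client_id` about to be sent. The class and method names and the `com.example.*` / `TEAMID0000` values are constructed; the 15777000-second limit on `exp` is the one stated in Apple's client secret documentation.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

static class AppleTokenPreflight
{
    // Decodes a JWT payload WITHOUT verifying the signature: diagnostics only.
    static JsonElement Payload(string jwt)
    {
        string p = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        p = p.PadRight(p.Length + (4 - p.Length % 4) % 4, '=');
        return JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(p))).RootElement;
    }

    // Lists mismatches worth fixing before calling the token endpoint.
    static List<string> Check(string clientSecret, string identityToken, string clientId)
    {
        var problems = new List<string>();
        JsonElement secret = Payload(clientSecret), id = Payload(identityToken);
        string sub = secret.GetProperty("sub").GetString();
        string issuedTo = id.GetProperty("aud").GetString();
        long exp = secret.GetProperty("exp").GetInt64();
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        if (issuedTo != clientId)
            problems.Add($"code was issued to '{issuedTo}' but client_id is '{clientId}'");
        if (sub != clientId)
            problems.Add($"client_secret sub '{sub}' does not match client_id '{clientId}'");
        if (secret.GetProperty("aud").GetString() != "https://appleid.apple.com")
            problems.Add("client_secret aud must be https://appleid.apple.com");
        if (exp <= now || exp - now > 15777000)
            problems.Add("client_secret exp is in the past or more than 15777000 s ahead");
        return problems;
    }

    // Builds an unsigned, constructed sample token (header "{}", dummy signature).
    static string Sample(object claims) =>
        "e30." + Convert.ToBase64String(JsonSerializer.SerializeToUtf8Bytes(claims, claims.GetType()))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_') + ".sig";

    static void Main()
    {
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        // Constructed case: code obtained by the native app, secret built for the service ID.
        string idToken = Sample(new { iss = "https://appleid.apple.com", aud = "com.example.app" });
        string secret = Sample(new { iss = "TEAMID0000", sub = "com.example.weblogin",
                                     aud = "https://appleid.apple.com", iat = now, exp = now + 3600 });
        foreach (string p in Check(secret, idToken, "com.example.weblogin"))
            Console.WriteLine(p);
    }
}
```

With the constructed input this reports that the code was issued to `com.example.app` while the request uses `com.example.weblogin`. The identity token's signature still has to be verified against Apple's public keys before any of its claims are trusted.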