FusionAuth
[ExternalAuthenticationException]AppleIdToken

    akash, 7 Apr 2022, 05:57 (last edited by akash 4 Jul 2022, 05:58)

    FusionAuth version - 1.31.0
    Platform - docker

    Step 1: Generate Authorization code
    I have successfully retrieved the authorization code from Apple using the following endpoint:

    https://appleid.apple.com/auth/authorize?client_id=<my-client-id>&response_type=code&redirect_uri=<my-redirect-url>
    

    Step 2: Generate Tokens
    I have successfully generated an id_token using the authorization code from step 1 with the following request:

    POST https://appleid.apple.com/auth/token
    Content-Type: application/x-www-form-urlencoded

    client_id:<my-client-id>
    client_secret:<my-client-secret>
    code:<code from-step-1>
    grant_type:authorization_code
    redirect_uri:<my-redirect-url>

    Step 3: Setup Apple Identity provider in FusionAuth

    • I have successfully imported the Apple private key into FusionAuth as an Elliptic private key.

    • I have successfully created an identity provider for Apple using the service id, team id, and the imported Elliptic private key.

    Step 4: Complete Apple Login in FusionAuth
    I sent FusionAuth the following request:

    POST /api/identity-provider/login

    Request body
    {
        "applicationId": "<my-application-id>",
        "data": {
            "code": "<code-generated-in-step-1>",
            "id_token": "<id-token-generated-in-step-2>",
            "redirect_uri": "<my-redirect-url>"
        },
        "identityProviderId": "13d2a5db-7ef9-4d62-b909-0df58612e775"
    }

    I got the following error response with 401:

    {
        "generalErrors": [
            {
                "code": "[ExternalAuthenticationException]AppleIdToken",
                "message": "The id_token returned from Apple is invalid or cannot be verified. Unable to complete this login request."
            }
        ]
    }
    

    Can you please guide me on this issue?

      joshua @akash, 11 Apr 2022, 21:19

      @akash,

      Can you share the output of your event logs (System > Event Log) with debug enabled on the Apple IdP?

      Thanks,
      Josh

        akash @joshua, 12 Apr 2022, 06:26

        @joshua,

        Following is the event log:

        Apple IdP Response Debug Log [13d2a5db-7ef9-4d62-b909-0df58612e775]

        4/12/2022 06:17:57 AM GMT Validate the provided [id_token] value [eyJraWQiOiJmaDZCczhDIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnJldm9sdXRpb25jYXJzLmRlbW8iLCJleHAiOjE2NDk4MzA2NTUsImlhdCI6MTY0OTc0NDI1NSwic3ViIjoiMDAwNzA1LjQ5YTA5ZjYyNTMyNjRhMDNhYTQ5N2ExYTlhYzI3MDY5LjE0MTciLCJhdF9oYXNoIjoiSEd3a0FvdlVsRkJyck1wbXJZb3JndyIsImVtYWlsIjoiZ2FuZXNobW9vcnRoeTU5OTlAZ21haWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOiJ0cnVlIiwiYXV0aF90aW1lIjoxNjQ5NzQ0MjQxLCJub25jZV9zdXBwb3J0ZWQiOnRydWV9.F742sVkpmI1SAMigPN8Nq4IpLdRm20xgkRfHSiEX0JQVfQDrntkuWdIJUAYgGWgvawBeL9VtfgMKSfPUsAQUDGu7DOdWTNXQjBRiywUmeXcPTmcWahbbI2KmKuqMuP03QOgGUtUx_uWXuKfHF4MKxAUeq2bh8cKdX7lIzNad2_AkGRK5q41-rtk85fl8NuIGghlBHvhPrqZyr0-VWJjo8Ty5jUB-DQTAd081-PbLjGrx-OcQ6gwTflCbcxnPaaQvDirs96LS16fDqSvDlCVNbdJEGBn7EdPchKhSaf740XP6vO40Yu8E4qdEMzp0hWb-BOaA08hiiFYToC_uiKr7uQ]
        4/12/2022 06:17:57 AM GMT Decode the [id_token].
        4/12/2022 06:17:57 AM GMT Assert the [iss] claim is equal to [https://appleid.apple.com].
        4/12/2022 06:17:57 AM GMT Assert the [aud] claim is equal to [com.revolutioncars.demo].
        4/12/2022 06:17:57 AM GMT Calculate the [c_hash] to ensure the integrity of the provided [code] value [cfbd3ee542bc646c780e40519aa1258c5.0.rxqv.jSymeElqCsLv6_lJxq1vqg].
        4/12/2022 06:17:57 AM GMT The [id_token] integrity check failed. Expected a [c_hash] of [null] and found [18lo6UM0UdBPwl7OHzLljg].
        

        Thanks,
        Akash

          joshua @akash, 14 Apr 2022, 22:11

          @akash

          This suggests to me that you are not using a hybrid grant when initially requesting the code and id token from Apple.

          In your authorize request, before you get a token, you must request a code and an id_token together (hybrid grant).

          I hope this helps.

          Thanks,
          Josh

            akash @joshua, last edited by akash 18 Apr 2022, 09:45

            @joshua,
            I have tried using the hybrid grant flow and generated an authorization code using the following endpoint:

            https://appleid.apple.com/auth/authorize?response_type=code%20id_token&client_id=<my-client-id>&redirect_uri=<my-redirect-url>&response_mode=form_post&scope=name%20email
            

            And followed the steps I mentioned in the first post, but I still got the same 401 error response:

            {
                "generalErrors": [
                    {
                        "code": "[ExternalAuthenticationException]AppleIdToken",
                        "message": "The id_token returned from Apple is invalid or cannot be verified. Unable to complete this login request."
                    }
                ]
            }
            

            And I have noticed that the same error is also shown in the debug log:

            Apple IdP Response Debug Log [13d2a5db-7ef9-4d62-b909-0df58612e775]
            
            4/18/2022 09:36:50 AM GMT Validate the provided [id_token] value [eyJraWQiOiJZdXlYb1kiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnJldm9sdXRpb25jYXJzLmRlbW8iLCJleHAiOjE2NTAzNjAxNTQsImlhdCI6MTY1MDI3Mzc1NCwic3ViIjoiMDAxOTM2LjExZDhmMDRlZTcxNTRjNTBhNzNlNzY0YTZiYjgxYTc4LjEyNTQiLCJhdF9oYXNoIjoiTkJqdzFiVFJCRElJd3VHZnNrQVRRdyIsImF1dGhfdGltZSI6MTY1MDI3MzczOCwibm9uY2Vfc3VwcG9ydGVkIjp0cnVlfQ.vv2Gm8cIqaxS-hA7x7ArUJSIViv8ciWTJ78szoDUbInOwCY1jGPKCGIVQGeuAktOKBUfhhVWyyFIu26-y6Ue9lIu1n4r0UC41ZX9kjHLpk1xMP3Zf6M3IQoj7aOYRWOohc9FBmrikoARmGKEIYSMZakgniPRrLn_SvrCyTs4yG049YaClo_TUyO9kypAWaPG7PD9WMTXj28_4cOo36E5rxhzKu-1F6u9YTIw_YdoTPiKkN2Z6gcnta0PwYAwEiB61cQCQuFTD-pFPtHbyVrDxn72Jk-e2pqqo5xY1xaSZ10tG6fOPOlaltMt8Q0r4rxKnc_Qucr2lbppaGFDGoAhWg]
            4/18/2022 09:36:50 AM GMT Decode the [id_token].
            4/18/2022 09:36:50 AM GMT Assert the [iss] claim is equal to [https://appleid.apple.com].
            4/18/2022 09:36:50 AM GMT Assert the [aud] claim is equal to [com.revolutioncars.demo].
            4/18/2022 09:36:50 AM GMT Calculate the [c_hash] to ensure the integrity of the provided [code] value [c667757d99b164e63b63e7c3eaa3e211d.0.rrztw.Erf15Va-FL9xxQTjq0rg3w].
            

            Thanks,
            Akash

              joshua @akash, 19 Apr 2022, 21:42

              @akash

              You can see that you are getting a new error now(?)

              4/18/2022 09:36:50 AM GMT Calculate the [c_hash] to ensure the integrity of the provided [code] value [c667757d99b164e63b63e7c3eaa3e211d.0.rrztw.Erf15Va-FL9xxQTjq0rg3w].

              Before

              4/12/2022 06:17:57 AM GMT The [id_token] integrity check failed. Expected a [c_hash] of [null] and found [18lo6UM0UdBPwl7OHzLljg].

              Did you change how you are accessing the endpoint or maybe did the logs cut off?

              Thanks,
              Josh

                akash @joshua, 7 Jul 2022, 12:51

                @joshua

                I have inserted the code and id_token in the API call as you mentioned.
                My logs had been cut off; the following are the complete logs:

                Apple IdP Response Debug Log [13d2a5db-7ef9-4d62-b909-0df58612e775]
                
                7/7/2022 12:18:37 PM GMT Validate the provided [id_token] value [eyJraWQiOiJmaDZCczhDIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnJldm9sdXRpb25jYXJzLmRlbW8iLCJleHAiOjE2NTcyODI1NzcsImlhdCI6MTY1NzE5NjE3Nywic3ViIjoiMDAwNzA1LjQ5YTA5ZjYyNTMyNjRhMDNhYTQ5N2ExYTlhYzI3MDY5LjE0MTciLCJhdF9oYXNoIjoiWTRsTVlESkRITHdteldpc3FzbTY2ZyIsImVtYWlsIjoiZ2FuZXNobW9vcnRoeTU5OTlAZ21haWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOiJ0cnVlIiwiYXV0aF90aW1lIjoxNjU3MTk2MTU5LCJub25jZV9zdXBwb3J0ZWQiOnRydWV9.aK7dDZdZSue6gCpmba0YL8PVX2qkbru-4DE0NNNBKBKnqN2uFmwgbcjYRqb-jj4UIKCibDcUSsd4mbD9wRHK4o8rH8M_ZCBdgJ8cIr1sx8JTQ7M1BOSyap7GsxWzPdR_stCJn7xWBeUulRtpWdemj-H3_6DwMQak0E4IG2ZxAdTwmTz464FGynmbmXQaKBqqLJP5WXFagLHZNFZeCd9Tr458B3__KGcPni912IwHLl1Yhhn-oqLm7RU5Ck5iTPZfvW2oZwljtdilCONVzXHsyHnL0hPZcvzrlxWXxXhljpg_VeuS-M53amL2JgAQRjloFARBqfRWW3zt5qdRYVYl1w]
                7/7/2022 12:18:37 PM GMT Decode the [id_token].
                7/7/2022 12:18:37 PM GMT Assert the [iss] claim is equal to [https://appleid.apple.com].
                7/7/2022 12:18:37 PM GMT Assert the [aud] claim is equal to [com.revolutioncars.demo].
                7/7/2022 12:18:37 PM GMT Calculate the [c_hash] to ensure the integrity of the provided [code] value [].
                7/7/2022 12:18:37 PM GMT The [id_token] integrity check failed. Expected a [c_hash] of [null] and found [47DEQpj8HBSa-_TImW-5JA].
                
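As an added example (not FusionAuth's or Apple's code), this reimplements the c_hash check the debug logs walk through: OpenID Connect defines c_hash as the base64url-encoded left half of the hash of the code, using the hash function the id_token's alg header implies, and compares it with the token's c_hash claim. Hashing an empty code gives 47DEQpj8HBSa-_TImW-5JA, exactly the found value in the last log, so that request reached FusionAuth with no code, while a token issued without response_type=code id_token carries no c_hash claim at all (the null expected value). Token and code values in the block are constructed, not the ones from the thread.

```python
import base64
import hashlib
import json

# Hash function implied by the JWS alg header (OpenID Connect Core 3.3.2.11).
ALG_HASH = {"RS256": "sha256", "ES256": "sha256", "RS384": "sha384", "RS512": "sha512"}

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def compute_c_hash(code, alg):
    """c_hash = base64url(left-most half of HASH(ascii(code)))."""
    digest = hashlib.new(ALG_HASH[alg], code.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])

def decode_unverified(id_token):
    """Split a compact JWS into (header, claims); no signature check here."""
    header_seg, claims_seg, _sig = id_token.split(".")
    return json.loads(b64url_decode(header_seg)), json.loads(b64url_decode(claims_seg))

def check_code_binding(id_token, code):
    """Mirror the debug log: 'expected' is the token's c_hash claim, 'found' is
    the hash of the code the client sent. Returns (ok, reason). Signature, iss,
    aud and exp are assumed to have been verified before this step."""
    header, claims = decode_unverified(id_token)
    expected = claims.get("c_hash")
    found = compute_c_hash(code, header["alg"])
    if expected is None:
        return False, ("no c_hash claim: Apple binds the code into the id_token only "
                       "when the authorize request used response_type=code id_token")
    if found != expected:
        return False, "c_hash mismatch: expected %s, found %s" % (expected, found)
    return True, "c_hash matches the code"

def make_unsigned_token(header, claims):
    """Constructed test token with an empty signature segment; it exercises
    claim handling only, a real verifier checks Apple's signature first."""
    segs = [json.dumps(header).encode(), json.dumps(claims).encode()]
    return ".".join(b64url_encode(s) for s in segs) + "."

# Constructed sample values, not the tokens or codes from the thread.
CODE = "c.constructed.example.code"
HEADER = {"kid": "example", "alg": "RS256"}
CODE_ONLY_CLAIMS = {"iss": "https://appleid.apple.com", "aud": "com.example.app",
                    "at_hash": "constructed"}  # shape of the thread's tokens: no c_hash
HYBRID_CLAIMS = dict(CODE_ONLY_CLAIMS, c_hash=compute_c_hash(CODE, "RS256"))
```

Calling check_code_binding with a token built from CODE_ONLY_CLAIMS reproduces the thread's failure mode, and with HYBRID_CLAIMS it passes only when the same CODE is supplied.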