    Using native apple sign in

    • T
      tashi
      last edited by

      [https://fusionauth.io/community/forum/topic/808/using-native-controls-for-apple-login]

      We are using native controls for apple sign in and trying to use the identity provider login api but running into an issue with a message

      The id_token returned from Apple is invalid or cannot be verified. Unable to complete this login request.
      

      We have gone through the "Apple Identity Provider" documentation and followed all the steps on the apple developer settings as well as on the fusionauth.

      The access token is generated from the native app so we don't have code and redirect properties and we are setting those values to empty strings since those are required to call the api unlike facebook and google native login.

      Api call
      POST api/identity-provider/login

      Body

      {
          "applicationId": "bc3056ab-edb5-42a2-af45-b4f816689997",
          "data": {
              "code": "",
              "redirect_uri": "",
              "id_token": "eyJraWQiOiJXNldjT0tCIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnVyYmFuc2l0dGVyLm1vYmlsZS5sb2NhbCIsImV4cCI6MTY2ODIwNDU0MywiaWF0IjoxNjY4MTE4MTQzLCJzdWIiOiIwMDE5MjIuYTNkMDZlNjZlMzk5NGM3ZjlmOTE2OTI3NDk4MWYyZTYuMjE0MCIsImNfaGFzaCI6ImdkZjNHN3BHaHFWZW9TVzNYYlBvSHciLCJlbWFpbCI6InRhc2hpLmFicml0aUBnbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6InRydWUiLCJhdXRoX3RpbWUiOjE2NjgxMTgxNDMsIm5vbmNlX3N1cHBvcnRlZCI6dHJ1ZX0.e5e_MZ1mER7hqRPy-ZylNTidu8Gr6d7HrXpDgu8sbj5idXqYr4YvO6_wEAzfAlTfBsi7lwZI9szo239bvn0m3u5Rwe4dGd6DKgX226Z5vmTctUGCDY0oW2-2zYWXZfb4MLMSrKPd7Kg_Xup-5gE-uHiAuyiBdm07HatNCWyQgMW_hoLZJHMZxtzgtyn79P0yfpZ-4ho2pwRUJAFHwZq66w4QOqAmn4CmRJw3G2Vuf3WPITr4LE3k5eyZURQLPs48qAaiL96L9Vhvx4IKRERrYVFqZEacNihhX3S0yiWtMVc0QASuC9E87pqqMyUa6JjINrXUrQ_QlVR2Umckum90Pg"
          },
          "identityProviderId": "13d2a5db-7ef9-4d62-b909-0df58612e775"
      }
      

      Log error:

      Apple IdP Response Debug Log [13d2a5db-7ef9-4d62-b909-0df58612e775]
      
      11/10/2022 11:32:06 PM Z Validate the provided [id_token] value [eyJraWQiOiJXNldjT0tCIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnVyYmFuc2l0dGVyLm1vYmlsZS5sb2NhbCIsImV4cCI6MTY2ODIwNDU0MywiaWF0IjoxNjY4MTE4MTQzLCJzdWIiOiIwMDE5MjIuYTNkMDZlNjZlMzk5NGM3ZjlmOTE2OTI3NDk4MWYyZTYuMjE0MCIsImNfaGFzaCI6ImdkZjNHN3BHaHFWZW9TVzNYYlBvSHciLCJlbWFpbCI6InRhc2hpLmFicml0aUBnbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6InRydWUiLCJhdXRoX3RpbWUiOjE2NjgxMTgxNDMsIm5vbmNlX3N1cHBvcnRlZCI6dHJ1ZX0.e5e_MZ1mER7hqRPy-ZylNTidu8Gr6d7HrXpDgu8sbj5idXqYr4YvO6_wEAzfAlTfBsi7lwZI9szo239bvn0m3u5Rwe4dGd6DKgX226Z5vmTctUGCDY0oW2-2zYWXZfb4MLMSrKPd7Kg_Xup-5gE-uHiAuyiBdm07HatNCWyQgMW_hoLZJHMZxtzgtyn79P0yfpZ-4ho2pwRUJAFHwZq66w4QOqAmn4CmRJw3G2Vuf3WPITr4LE3k5eyZURQLPs48qAaiL96L9Vhvx4IKRERrYVFqZEacNihhX3S0yiWtMVc0QASuC9E87pqqMyUa6JjINrXUrQ_QlVR2Umckum90Pg]
      11/10/2022 11:32:06 PM Z Decode the [id_token].
      11/10/2022 11:32:06 PM Z Assert the [iss] claim is equal to [https://appleid.apple.com].
      11/10/2022 11:32:06 PM Z Assert the [aud] claim is equal to [com.urbansitter.mobile.local].
      11/10/2022 11:32:06 PM Z Calculate the [c_hash] to ensure the integrity of the provided [code] value [gdf3G7pGhqVeoSW3XbPoHw].
      11/10/2022 11:32:06 PM Z The [id_token] integrity check failed. Expected a [c_hash] of [gdf3G7pGhqVeoSW3XbPoHw] and found [K9t2pCrAVLpt1gRBI6i3wQ].
      
      
      • joshuaJ
        joshua @tashi
        last edited by

        @tashi This failure is related to how you are asking FusionAuth to complete the login.

        For Apple, you must complete a hybrid grant.

        At a high level, here is how you will use the FusionAuth IdP Login API with Apple when you are not using our hosted login pages.

        1. Begin the Authorization Code grant with Apple using a hybrid grant response_type=code id_token.
        2. Collect the two tokens code and id_token sent to you by Apple on the redirect URL specified by the redirect_uri query parameter.
        3. Send these two values to the FusionAuth IdP Login API. Do not complete the Authorization Code exchange with Apple using the Token endpoint.

        Please also note that Apple has a separate configuration for Web and Mobile-based authentication. There are a few open issues that may be worth reviewing as well and could be influencing the behavior you are seeing:

        • https://github.com/FusionAuth/fusionauth-issues/issues/778
        • https://github.com/FusionAuth/fusionauth-issues/issues/1248

        Josh
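
The debug log in the question stops at the `c_hash` step: the hash is recomputed from the submitted `code` and compared with the claim inside the `id_token`, so an empty `code` cannot match. As an added example (not FusionAuth's code and not part of the original posts), this Python script computes `c_hash` as OpenID Connect Core defines it for an RS256 token and checks a code against a token before both are sent to the IdP Login API. The sample code, sample token and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def c_hash(code: str) -> str:
    """Left half of SHA-256 over the ASCII code, base64url encoded (RS256 tokens)."""
    digest = hashlib.sha256(code.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def claims_unverified(id_token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature; for diagnostics only."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def code_matches_token(id_token: str, code: str) -> bool:
    """True when the token's c_hash claim was issued for this authorization code."""
    expected = claims_unverified(id_token).get("c_hash")
    if expected is None:
        raise ValueError("id_token carries no c_hash claim")
    return hmac.compare_digest(expected, c_hash(code))


# Constructed sample data: an unsigned stand-in token bound to SAMPLE_CODE.
SAMPLE_CODE = "constructed-code.0.example"
_header = b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
_payload = b64url(json.dumps({"iss": "https://appleid.apple.com",
                              "aud": "com.example.app",
                              "c_hash": c_hash(SAMPLE_CODE)}).encode())
SAMPLE_TOKEN = f"{_header}.{_payload}.constructed-signature"

if __name__ == "__main__":
    print("code sent with token:", code_matches_token(SAMPLE_TOKEN, SAMPLE_CODE))
    print("empty code          :", code_matches_token(SAMPLE_TOKEN, ""))
```

This check only explains a `c_hash` mismatch; it does not replace signature, `iss` and `aud` validation, which the server still performs.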

        • danD
          dan
          last edited by

          We've updated the apple provider doc to be more clear: https://fusionauth.io/docs/v1/tech/apis/identity-providers/apple#complete-the-apple-login

          --
          FusionAuth - Auth for devs, built by devs.
          https://fusionauth.io

          • T
            tashi
            last edited by

            [SUCCESS]

            We found that apple native sign has a way to get the authorization code using their sdk.
            ASAuthorizationAppleIDCredential::authorizationCode
            We are using that property to pass in the place of code for the api call to api/identity-provider/login.

            API: [POST] - api/identity-provider/login

            {
                "applicationId": "bc3056ab-edb5-42a2-af45-b4f816689997",
                "data": {
                    "code": "c4cb505812c5343798fa8478cf9c64fa9.0.srzss.wUaW_U9LTn24TjiKdaPKMQ",
                    "redirect_uri": "",
                    "id_token": "eyJraWQiOiJXNldjT0tCIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnVyYmFuc2l0dGVyLm1vYmlsZS5sb2NhbCIsImV4cCI6MTY3MDM1MjkzMCwiaWF0IjoxNjcwMjY2NTMwLCJzdWIiOiIwMDE5MjIuYTNkMDZlNjZlMzk5NGM3ZjlmOTE2OTI3NDk4MWYyZTYuMjE0MCIsImNfaGFzaCI6IjJTY1R6YUZySmxKYVU3c2ppNGtiWEEiLCJlbWFpbCI6InRhc2hpLmFicml0aUBnbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6InRydWUiLCJhdXRoX3RpbWUiOjE2NzAyNjY1MzAsIm5vbmNlX3N1cHBvcnRlZCI6dHJ1ZX0.aVRm7_i1Cn7gyy6NxspZRNta6LaI6knitgGkgIsNkzskxbHXJfMUQbbTE9sYL9xUDpfi-si7sGPRdlvnKCOqtXUKcE0hiHsCOgOQykP1mLrd27qaYiwa__vd9EdWgPYPnujulaI14L1lfvT79Ss_mxOeJiwpsXoy3VI4vRpI7LNHU_QguSD2xFV9ZX-WwOJCzfqFl7dMPOnISYgu1sVjO2couokzlwZEkv96yBQqRByOeeQ0jOVvURJ_FpLuQ2jj0xs5U2S-vvkDStVWuiSiKQIiwons-aHdXAjB__3ASfQamntl1AHCMZWTSaSlh5C1zxSZdH4NQhd-eR4m_wZej"
                },
                "identityProviderId": "13d2a5db-7ef9-4d62-b909-0df58612e775"
            }

            RESULT:

            {
                "refreshToken": "tRbop7_4hhKsdp2XVBLuJwvVWlf030cd2-AzJGQSnY8xLI6THtbVhQ",
                "refreshTokenId": "28b74a97-4286-4259-bc46-c8857f59fe73",
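                "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImUxMmQxMzQzYSJ9.eyJhdWQiOiJiYzMwNTZhYi1lZGI1LTQyYTItYWY0NS1iNGY4MTY2ODk5OTciLCJleHAiOjE2NzAyNjY2MjYsImlhdCI6MTY3MDI2NjU2NiwiaXNzIjoidXJiYW5zaXR0ZXIubmV0Iiwic3ViIjoiZTRhZTcxZWQtYzEzNy00YmUxLTg2ZDEtMjQ0MTYwNjY3YzBlIiwianRpIjoiZTY3M2U2YmEtODc2Yi00YjY2LTljYjEtNDdjZGVlMzZjNzM3IiwiYXV0aGVudGljYXRpb25UeXBlIjoiQVBQTEUiLCJlbWFpbCI6InRhc2hpLmFicml0aUBnbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwicHJlZmVycmVkX3VzZXJuYW1lIjoidGFzaGktYmh1dGlhIiwiYXBwbGljYXRpb25JZCI6ImJjMzA1NmFiLWVkYjUtNDJhMi1hZjQ1LWI0ZjgxNjY4OTk5NyIsInJvbGVzIjpbXSwic2lkIjoiMjhiNzRhOTctNDI4Ni00MjU5LWJjNDYtYzg4NTdmNTlmZTczIiwiYXV0aF90aW1lIjoxNjcwMjY2NTY2LCJ0aWQiOiJmMmM0OTQ3Ni1hNzdhLThmZDItZDQxZC0wMjA2ODA3NjNlZDQiLCJkYXRhIjp7ImlkIjoiMTExMTM5NiIsInJvbGVzIjpbIjUiXX0sImN1c3RvbSI6ImN1c3RvbSJ9.BCGm0b1GHTPKuQRi0VrhqxPX6kGOB-rwkkkuYn3gkm",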
                "tokenExpirationInstant": 1670266626871,
                "user": {
                    "active": true,
                    "connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
                    "data": {
                        "id": "1111396",
                        "roles": [
                            "5"
                        ]
                    },
                    "email": "janesmith11223344@gmail.com",
                    "fullName": "null null",
                    "id": "e4ae71ed-c137-4be1-86d1-244160667c0e",
                    "imageUrl": "https://assets-local.urbansitter.net/assets/img/us-default-avatar-320.png",
                    "insertInstant": 1669939131457,
                    "lastLoginInstant": 1670266566856,
                    "lastUpdateInstant": 1670266566856,
                    "memberships": [],
                    "passwordChangeRequired": false,
                    "passwordLastUpdateInstant": 1669939131538,
                    "preferredLanguages": [],
                    "registrations": [
                        {
                            "applicationId": "bc3056ab-edb5-42a2-af45-b4f816689997",
                            "data": {},
                            "id": "c1ed7f48-f29c-483b-a3a4-381c834327a4",
                            "insertInstant": 1669939131544,
                            "lastLoginInstant": 1670266566856,
                            "lastUpdateInstant": 1670266566860,
                            "preferredLanguages": [],
                            "roles": [],
                            "tokens": {},
                            "username": "jane-smith",
                            "usernameStatus": "ACTIVE",
                            "verified": true
                        }
                    ],
                    "tenantId": "f2c49476-a77a-8fd2-d41d-020680763ed4",
                    "twoFactor": {
                        "methods": [],
                        "recoveryCodes": []
                    },
                    "uniqueUsername": "jane-smith",
                    "username": "jane-smith",
                    "usernameStatus": "ACTIVE",
                    "verified": true
                }
            }
            

            Thanks for all the help.

            • danD
              dan @tashi
              last edited by

              @tashi That's great!


              • T tashi has marked this topic as solved on
              • K
                kenna178015crook @tashi
                last edited by

                Very helpful and informative. Thanks for sharing this post.
