What the Heck is Sign In with Apple?

silentbob

Thanks for that great article. But I have two questions:

1) Am I mistaken or is the part with the id_token also containing the email-address new? I don’t recall reading this when I first read this article about two weeks ago.

2) Do you know whether the email address is ALWAYS contained in the id_token or only the first time (as the userinfo seems to be sent to the redirecturi only once)? I’m not so much concerned about the name, because I will just add a dummy value and the user can change it later on, but I would very much love to receive the user’s email address from the id-token even on a retry if something failed on our backend server (for instance, the POST to the redirect URI could not be handled).

程嘉晨

Hello, can I do this app login development on Windows?

Mike B

Thanks for this detailed walk-through, it helped me understand quite a bit in how to get Sign In With Apple set up. However, I don’t see the email fields in the claim data. Has this been removed since you tested it?

Patrick Bußmann

I developed a solution without Ruby. Completely in PHP: https://gist.github.com/pat…

hoythan

I’m implementing ‘Sign in with Apple’. How do I use my own app icon on the “Sign in with Apple” consent page instead of displaying a placeholder gray logo?

Sergei Maslovskiy

Thanks a lot, especially for client_secret generation. It helps me with code in PHP:

// Requires lcobucci/jwt (3.x Builder API); imports go at the top of the class file.
use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Signer\Ecdsa\Sha256;
use Lcobucci\JWT\Signer\Key;

/**
 * Generate ES256 encoded JWT token, used as client_secret for Auth by AppleId
 * What the Heck is Sign In with Apple? | Okta Developer
 * GitHub - lcobucci/jwt: A simple library to work with JSON Web Token and JSON Web Signature
 * ES256 JWT Signing in PHP for Apple AppStoreConenct API Auth - Stack Overflow
 *
 * @return string
 */
private function generateClientSecret(): string
{
    $applePrivateKeyFilePath = ''; // path to the .p8 private key downloaded from developers.apple.com
    if (!file_exists($applePrivateKeyFilePath)) {
        throw new \RuntimeException('Apple private key file not found');
    }

    $signer = new Sha256(); // ECDSA with SHA-256, i.e. ES256
    // The file:// prefix makes Key load the key material from disk instead of
    // treating the path string itself as the key.
    $privateKey = new Key('file://' . $applePrivateKeyFilePath);
    $time = time();

    $token = (new Builder())->issuedBy($this->appleTeamId) // Configures the issuer (iss claim)
        ->withHeader('kid', $this->appleKeyId)
        ->withHeader('type', 'JWT')
        ->withHeader('alg', 'ES256')
        ->issuedAt($time)
        ->expiresAt($time + $this->clientSecretExpiredTime)
        ->withClaim('aud', 'https://appleid.apple.com')
        ->withClaim('sub', $this->clientId)
        ->getToken($signer, $privateKey); // Retrieves the generated token

    return (string) $token;
}

Sergei Maslovskiy

Thanks, but how can I get this user data when the iOS client returns only access_token (auth with AppleId on mobile device and then call backend with token)?

Gemma

I’m sorry, I don’t understand your question. If you are using an iOS app to get the data, you should be able to get it from the Apple library the first time only too (I am not an iOS dev so do not know the code for this). When you send the token to your own backend, you can exchange that token with Apple, and the first time you do this, after decoding the JWT token, the ‘sub’ category will contain the email, but if you have tried before for that user it won’t.

Sergei Maslovskiy

How to decode ‘id_token’ from apple, that contains useful payload? I have just private key with extension .p8 (downloaded from dev page).
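
Added example, not part of any post in this thread: server-side verification and decoding of an id_token in PHP with the openssl extension. Apple signs id_tokens with its own RS256 keys, published as a JWKS at https://appleid.apple.com/auth/keys, so the check uses Apple's public key rather than the .p8 key (which only signs the client_secret). Assumptions: the function names are hypothetical, the matching Apple key is already available as PEM, and the RSA key pair, `com.example.app` client ID and token claims are constructed for the demo.

```php
<?php
function b64url_encode(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}
function b64url_decode(string $s): string {
    return (string) base64_decode(strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4));
}

// Hypothetical helper: returns the stable user id ('sub') and the email claim,
// with email set to null when the token carries none.
function verifyAppleIdToken(string $jwt, string $publicKeyPem, string $clientId, int $now): array {
    if (count($parts = explode('.', $jwt)) !== 3) {
        throw new RuntimeException('malformed token');
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(b64url_decode($h), true);
    if (($header['alg'] ?? null) !== 'RS256') { // pin the algorithm instead of trusting the header
        throw new RuntimeException('unexpected alg');
    }
    if (openssl_verify("$h.$p", b64url_decode($s), $publicKeyPem, OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('bad signature');
    }
    $c = json_decode(b64url_decode($p), true);
    $ok = [
        'iss' => ($c['iss'] ?? null) === 'https://appleid.apple.com',
        'aud' => ($c['aud'] ?? null) === $clientId, // token must have been issued for this app
        'exp' => is_int($c['exp'] ?? null) && $c['exp'] > $now,
        'sub' => is_string($c['sub'] ?? null),
    ];
    if (in_array(false, $ok, true)) {
        throw new RuntimeException('invalid claim: ' . implode(', ', array_keys($ok, false, true)));
    }
    return ['user_id' => $c['sub'], 'email' => $c['email'] ?? null];
}

// Constructed demo: a throwaway RSA key stands in for Apple's signing key.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$pem = openssl_pkey_get_details($key)['key'];
$sign = function (array $claims) use ($key): string {
    $in = b64url_encode(json_encode(['alg' => 'RS256', 'kid' => 'demo'])) . '.' . b64url_encode(json_encode($claims));
    openssl_sign($in, $sig, $key, OPENSSL_ALGO_SHA256);
    return $in . '.' . b64url_encode($sig);
};
$base = ['iss' => 'https://appleid.apple.com', 'aud' => 'com.example.app', 'sub' => '000000.constructed.0000', 'exp' => time() + 600];
foreach ([$base + ['email' => 'user@example.com'], $base, ['aud' => 'com.other.app'] + $base] as $claims) {
    try {
        print_r(verifyAppleIdToken($sign($claims), $pem, 'com.example.app', time()));
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Keying user records on `user_id` rather than on the email keeps the lookup working for tokens that arrive without an email claim.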

Darryl Young

Hi, Max. Did you end up figuring out what caused “invalid_grant”? I’m implementing Sign in with Apple right now and that’s the response I’m getting when trying to validate the authorization token.

Apoorva Reed

Apple guidelines clearly say this is only mandatory if you are using other social sign-in. So if you are maintaining a bank application, it’s never advised to have social sign-in. So to summarize it, you really don’t need to implement Apple sign-in.

Brandon Teng

Very helpful. Thank you 🙂

SERIAL

Hey man! How do you do that? Can you help, please?

xdrew

Hi!
Have you finally managed to find a workaround for this confusing apple sign in flow?

Martin Poirier Théorêt

No, sorry, I never found a solution, and I am not working for the company that needed that anymore.
They have a premium support contact and they were overwhelmed with issues at the time, and they ended up postponing the date of the mandatory requirement to implement Apple Sign In. I am still in contact with the UX designer of the company (who’s a friend) and he never told me that they’ve released it. So I don’t know the current state of their (Apple) “api”.

aman singh

Host your page and check live…It will work then.

Yair Nevet

How do you plan to handle the refresh_token? Any experience with that?

Lydane Fenelon

I want to know the same thing: why does the email not appear in the claims, please?

Eitan Behar

Given that Apple has no endpoint for UserInfo, is there a real purpose for the scope openid when using ‘Sign in with Apple’? I have tried passing scope=openid+name+email, and only scope=name+email and got the same results.

Curious Guy

I need to create a REST API for my iOS application with PHP for adding Apple Sign In.

I didn’t try the request_type=‘code’ step as I am getting the code from iPhone mobile. Since the $client_secret we need here is JWT and the code isn’t given here, I am following it from here: https://stackoverflow.com/q…. The JWT code is quite large. When I hit the URL https://appleid.apple.com/a… via Curl and params, I am getting the following error. What could be the cause of this error and how to fix it? I have been stuck on this point since yesterday. Any suggestions?

Is there any PHP plugin available that only needs the respective keys and p8 file and provides the user name, email, etc. from Apple? Please note, I don’t need ‘redirect_url’ for the REST API. If I send just any URL, will I still get the response array correctly? I am getting this error:

stdClass Object
(
[error] => invalid_client
)