
Troubleshooting the configuration from Apple

Klaus Betz edited this page Jul 17, 2025 · 8 revisions

Common issues

  • Error response from apple: status=400, body={"error":"invalid_client"}: consult the steps below (Verify the configuration manually) to find out whether the configuration within your Apple Developer portal is valid. You likely need to repeat steps 1-3 of this guide.
    • Make sure that the values (Service ID, Team ID, Key ID, p8 Key) from your Apple Developer account match the values in Keycloak.
  • Invalid redirect_uri: Check the URLs in your Service ID in the Apple Developer portal. These need to match your Keycloak realm.
  • Confusing Bundle ID and Service ID: The ID that started the auth flow must be used throughout the whole login flow, otherwise Apple returns invalid_client errors.
    This is mostly relevant when testing the configuration manually using this guide.
    If the authorization_code/id_token was requested using the Bundle ID of your iOS/macOS app, you have to use that Bundle ID as the Service ID (the sub claim) when generating the client_secret.
    If you do not request the authorization_code/id_token yourself and therefore do not perform the token exchange manually, Keycloak does this for you and uses the Service ID.
  • Cookie not found. Please make sure cookies are enabled in your browser.: There might be an issue with the general Keycloak configuration. Look at this issue

Verify the configuration manually

The verification is done by performing the OAuth Authorization Code flow manually.
First you obtain an authorization_code from Apple using your Apple ID credentials.
Then you exchange the authorization_code for real tokens.

Prerequisites

  • Postman
  • Chrome (or any browser other than Safari, since Safari handles Sign in with Apple differently)
  • Ruby
  • https://webhook.site

Phase 1 - Authorization Code

  1. Open https://webhook.site in order to get your Webhook URL, which we will use as Redirect-URL
  2. Add the Webhook URL as Return-URL to your SIWA-Service in your Apple Developer Account
  3. Prepare the authorization URL
    • https://appleid.apple.com/auth/authorize?client_id=<Service ID>&redirect_uri=<redirect uri e.g. https://webhook.site/...>&response_mode=form_post&response_type=code id_token&scope=name email
  4. Open the URL in Chrome
  5. A Login Form from Apple should appear

If you see the Apple Login Form ...

  • ... the Service ID exists
  • and the Redirect URL is configured correctly for the Service

Phase 2 - Exchange the authorization_code for Apple access_token and refresh_token

  1. Prepare the client_secret for the next request
require 'jwt'
require 'openssl'

# Fill in the values from your Apple Developer account.
key_file = 'path/to/AuthKey_XYZ.p8' # private key downloaded when the key was created
team_id = ''   # Team ID
client_id = '' # Service ID (or the Bundle ID, see "Common issues")
key_id = ''    # Key ID of the p8 key

ecdsa_key = OpenSSL::PKey::EC.new(File.read(key_file))

headers = {
  'kid' => key_id
}

claims = {
  'iss' => team_id,
  'iat' => Time.now.to_i,
  'exp' => Time.now.to_i + 86400 * 180, # 180 days
  'aud' => 'https://appleid.apple.com',
  'sub' => client_id
}

token = JWT.encode(claims, ecdsa_key, 'ES256', headers)

puts token
  • Save the script as client_secret.rb and execute ruby client_secret.rb to retrieve your client_secret
  2. Send the token request using Postman to POST https://appleid.apple.com/auth/token
    • x-www-form-urlencoded body
    • Set the following attributes
      • client_secret: the JWT generated above
      • client_id: your Service ID
      • code: the authorization_code from the previous phase, shown in the webhook UI
      • grant_type: authorization_code
      • redirect_uri: your webhook URL
  3. You should receive your token pair from Apple

If Phase 2 doesn't work, it is likely that your Team ID, Key ID or P8-Key are invalid.
Verify the generated client_secret using jwt.io and verify whether your Key ID, Team ID and Service ID match.
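As an added example (not part of this wiki), the same client_secret can be built with Ruby's standard library alone and then checked locally instead of on jwt.io: the check lists every header/claim value that does not match the Key ID, Team ID and Service ID you expect, and the last helper produces the form body for the token request of step 2. The key, IDs, code and webhook URL in the script are constructed placeholders.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'uri'

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# JWS wants the ECDSA signature as raw r||s (64 bytes); OpenSSL returns a DER
# SEQUENCE of two INTEGERs, so unpack it and left-pad each to 32 bytes.
def der_to_raw(der_sig)
  OpenSSL::ASN1.decode(der_sig).value.map { |i| i.value.to_s(2).rjust(32, "\x00") }.join
end

# Same header and claims as the wiki's client_secret.rb, signed with ES256.
def build_client_secret(ec_key, team_id:, client_id:, key_id:, now: Time.now.to_i)
  header = { 'alg' => 'ES256', 'kid' => key_id }
  claims = { 'iss' => team_id, 'iat' => now, 'exp' => now + 86400 * 180,
             'aud' => 'https://appleid.apple.com', 'sub' => client_id }
  input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  "#{input}.#{b64url(der_to_raw(ec_key.sign(OpenSSL::Digest.new('SHA256'), input)))}"
end

# Decodes the token (no signature check) and lists every identifier that does
# not match what the Apple Developer portal shows; an empty list means consistent.
def check_client_secret(token, team_id:, client_id:, key_id:)
  header, claims = token.split('.')[0, 2].map { |p| JSON.parse(Base64.urlsafe_decode64(p)) }
  problems = []
  problems << "kid #{header['kid']} is not the Key ID" unless header['kid'] == key_id
  problems << "iss #{claims['iss']} is not the Team ID" unless claims['iss'] == team_id
  problems << "sub #{claims['sub']} is not the Service ID" unless claims['sub'] == client_id
  problems << 'aud must be https://appleid.apple.com' unless claims['aud'] == 'https://appleid.apple.com'
  problems << 'token already expired' unless claims['exp'] > Time.now.to_i
  problems
end

# x-www-form-urlencoded body for POST https://appleid.apple.com/auth/token (step 2).
def token_request_body(client_secret, client_id:, code:, redirect_uri:)
  URI.encode_www_form(client_id: client_id, client_secret: client_secret, code: code,
                      grant_type: 'authorization_code', redirect_uri: redirect_uri)
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::EC.generate('prime256v1') # constructed stand-in for AuthKey_XYZ.p8
  ids = { team_id: 'TEAMID0000', client_id: 'com.example.siwa', key_id: 'KEYID00000' } # assumed
  secret = build_client_secret(key, **ids)
  p check_client_secret(secret, **ids) # => [] when header and claims are consistent
  puts token_request_body(secret, client_id: ids[:client_id], code: 'CODE_FROM_WEBHOOK_UI',
                                  redirect_uri: 'https://webhook.site/placeholder')
end
```

For the real check, load your p8 file with OpenSSL::PKey::EC.new(File.read(path)) instead of generating a key, and pass the IDs from the portal.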
