Client error: POST https://appleid.apple.com/auth/token resulted in a 400 Bad Request response: {"error":"invalid_client"} #38

Open
dhivya-picco opened this issue Jul 24, 2021 · 14 comments

Comments

@dhivya-picco

I have configured everything for Apple sign-in. It redirects to the Apple site to get the username and password; after that, in the callback, it shows this.

@haid45

haid45 commented Jul 28, 2021

I am getting the same issue, did you have any luck resolving this?

@rohail-office

rohail-office commented Aug 11, 2021

Yes, I am getting this same issue;
a month ago it was working fine on my site.

@iamaz007

It is because your client_secret token has expired; you need to generate a new token and replace the old one, and it will be fixed then.
You can set at most a 6-month expiry on the JWT token; after 6 months you have to generate a new one.
https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens

@rohail-office

@iamaz007 I created a new app and a new client secret and updated the existing configuration, but it's giving the same error.

@iamaz007

> @iamaz007 I created a new app and a new client secret and updated the existing configuration, but it's giving the same error.

You don't need to create a new app in Apple, just generate a new client_secret. Make sure you have selected the right algorithm; it is "ES256" for Apple JWTs in code. After putting the new client_secret in place, clear your Laravel cache: simply go to bootstrap/cache and delete all files from there except .gitignore.

@rohail-office

Thanks I will try this

@rohail-office

@iamaz007
Unfortunately I am facing the same issue after removing the Laravel cache and deleting all files except .gitignore from the bootstrap/cache folder.

This is how I am creating my client secret:

```ruby
require 'openssl'
require 'jwt' # ruby-jwt gem

key_file = 'key.txt'   # the .p8 private key downloaded from Apple
team_id = 'XYZ'        # Team ID
client_id = 'XYZ'      # Services ID used as client_id
key_id = 'XYZ'         # Key ID of the Sign in with Apple key

ecdsa_key = OpenSSL::PKey::EC.new IO.read key_file

headers = {
  'kid' => key_id
}

claims = {
  'iss' => team_id,
  'iat' => Time.now.to_i,
  'exp' => Time.now.to_i + 86400*180, # six months, the maximum Apple accepts
  'aud' => 'https://appleid.apple.com',
  'sub' => client_id,
}

token = JWT.encode claims, ecdsa_key, 'ES256', headers
puts token
```

@alexfraundorf-com

alexfraundorf-com commented Oct 6, 2021

I am also getting this error:
GuzzleHttp\Exception\ClientException
Client error: POST https://appleid.apple.com/auth/token resulted in a 400 Bad Request response: {"error":"invalid_client"}

I recreated my JWT token to make sure it was not expired and I made sure the ES256 algorithm was being used.

Has anyone with this issue found a solution?

Thank you in advance!

Update: I tried validating my JWT token at https://jwt.io/ and it came up as an invalid signature. I'm not sure if this is what was causing the invalid_client error or not, but I was not able to resolve it.
I ended up switching to use the library at https://github.com/patrickbussmann/oauth2-apple
It takes care of generating the token, so all you have to do is fill in the config values from your Apple account and it works.
Good luck all.

@karser

karser commented Feb 16, 2022

I ended up generating the client secret using lcobucci/jwt:

```php
<?php
use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Signer\Ecdsa\Sha256; // Apple requires ES256, not the HMAC Sha256 signer
use Lcobucci\JWT\Signer\Key\InMemory;

$now = new \DateTimeImmutable();

// ES256 is asymmetric: sign with the .p8 private key. The verification key is not
// needed to mint the secret, so a non-empty placeholder is passed (lcobucci/jwt 4.x API).
$jwtConfig = Configuration::forAsymmetricSigner(
    Sha256::create(),
    InMemory::file(__DIR__ . '/AuthKey.pem'),
    InMemory::plainText('unused-verification-key')
);

$token = $jwtConfig->builder()
    ->issuedBy('XXXXXXXX')                      // Team ID
    ->issuedAt($now)
    ->expiresAt($now->modify('+1 hour'))         // anything up to six months
    ->permittedFor('https://appleid.apple.com')
    ->relatedTo('com.example.service-id')        // Services ID used as client_id
    ->withHeader('kid', 'XXXXXXXX')              // Key ID
    ->getToken($jwtConfig->signer(), $jwtConfig->signingKey());

echo $token->toString();
```

more info is here

@KaviiChathuranga

> @iamaz007 I created a new app and a new client secret and updated the existing configuration, but it's giving the same error.

> You don't need to create a new app in Apple, just generate a new client_secret. Make sure you have selected the right algorithm; it is "ES256" for Apple JWTs in code. After putting the new client_secret in place, clear your Laravel cache: simply go to bootstrap/cache and delete all files from there except .gitignore.

Please, how do I generate a new client secret?

@origooo

origooo commented Mar 24, 2023

> Please, how do I generate a new client secret?

I have the following implementation in Node, but I guess you can rewrite it pretty easily. It renews the token every second minute, and the token is valid according to www.jwt.io.

```javascript
const fs = require("fs")
const jwt = require("jsonwebtoken")
const { JsonWebTokenError, TokenExpiredError } = jwt

// KEY_FILE, TEAM_ID, SERVICE_ID and KEY_ID come from your Apple developer account (e.g. env vars)
let appleClientSecretToken
const privateKey = fs.readFileSync(KEY_FILE)

const createAppleClientSecretToken = () => {
  try {
    // verify throws JsonWebTokenError while the token is still undefined and
    // TokenExpiredError once it has run out; both trigger a fresh signature below
    jwt.verify(appleClientSecretToken, privateKey)
  } catch (error) {
    if (
      error.constructor === JsonWebTokenError ||
      error.constructor === TokenExpiredError
    ) {
      console.info("Renewing/creating Apple client_secret JWT token")

      appleClientSecretToken = jwt.sign(
        {
          iss: TEAM_ID,
          iat: Math.floor(Date.now() / 1000),
          exp: Math.floor(Date.now() / 1000) + 120, // two minutes; Apple allows up to six months
          aud: "https://appleid.apple.com",
          sub: SERVICE_ID,
        },
        privateKey,
        {
          algorithm: "ES256",
          header: {
            alg: "ES256",
            kid: KEY_ID,
          },
        }
      )
    }
  }

  return appleClientSecretToken
}
```

Hope that can help a bit!

@alexiovay

This library is so messy. I wasted days trying to make it work. I have the same issue; I regenerated the key and everything, but it's about how the return object is handled in this library. The author also doesn't seem to be active anymore, such a shame.

@mikebronner
Owner

mikebronner commented Nov 9, 2023

> This library is so messy. I wasted days trying to make it work. I have the same issue; I regenerated the key and everything, but it's about how the return object is handled in this library. The author also doesn't seem to be active anymore, such a shame.

True, there has also been some confusion as to this library being the one used in the socialite providers collection, which it is not. There is also a good chance that Apple's API has changed since this library was first created.

As to the state of this library and my activity, I have not been using it myself in projects since I quit freelancing, so any help in the form of PRs is greatly appreciated.

@davidsalazar

davidsalazar commented Jan 29, 2024

Regenerating the secret key worked for me. Strange how Apple limits it to 6 months.
