Invalid ClientId
Closed this issue · 7 comments
First of all, thanks for working on this plugin and helping out everyone.
We are using the Jar Version: 1.7.1 with Keycloak: 22.0.1 to implement the Apple Login for our Webapp.
We've been working hard to fix an issue where we keep getting an "invalid client" message from the Apple IDP. We've gone through all the closed issues about this problem and tried all the suggested fixes, but no luck so far.
To try to figure out what's going wrong, we added some extra logging to the "public SimpleHttp generateTokenRequest" method.
Here's where we're at:
The first step with the IDP, the "Login" part, works just like it's supposed to. That makes us think the client ID and redirect URI are good.
The problem starts at the fourth step when the post request with the AuthCode, Secret, and Identifier happens. That's when we get the "invalid client" message. We're pretty sure we set up the TeamId right, so we're starting to think the issue might be with the p8 key content we're using.
We've tried a bunch of different things, including sticking to the original content of the p8 key, adjusting it etc. but nothing seems to work. It feels like we're missing something important.
-----BEGIN PRIVATE KEY-----\n
MIGTXXXj\n
Yof4XXXM\n
qyVkXXXv\n
wXXXi\n
-----END PRIVATE KEY-----
adjusted it to:
-----BEGIN PRIVATE KEY-----\n
MIGTXXXj\n
Yof4XXXM\n
qyVkXXXv\n
wXXXi\n
-----END PRIVATE KEY-----
or to
-----BEGIN PRIVATE KEY-----MIGTAXXXi-----END PRIVATE KEY-----
etc.
We can't get it to work.
We would be blessed to get some help.
Best regards.
Hi @fryderyklist,
thx for raising this issue.
Seems like you did quite some investigation before creating this issue. Keep it up, that's a good thing 😀
I don't want to undermine your investigation, but let us start from the beginning and check it step by step.
invalid_client is probably the most generic and frustrating error you can get from Apple.
Let's start with the configuration in your Apple Developer Account. I assume you already know this guide?
You need to configure
- App ID (com.example.app)
- Service ID (com.example.app.service)
- Key (related to your App ID)
After these steps you should have all necessary information (Service ID, Team ID, Key ID, private key).
Hello @klausbetz,
first of all, thanks for responding so fast :)
We appreciate your help a lot. Therefore, we want to show you our Apple Developer account configuration as detailed as possible to minimize your time input. We hope you can flawlessly see all necessary steps in the following screenshots:
Here is how we set up our configuration in the Apple developer account:
1. First, we selected our primary App-ID and checked the necessary services. In your Keycloak plugin, we used the Team-ID displayed here.
2. Next, we created a Service-ID for "Sign in with Apple". We used the identifier as the client-ID for Keycloak.
3. For configuration of the Service-ID, we used the previously created primary App-ID, and then we added our domains and the given redirect URL from Keycloak.
4 and 5. Lastly, we created the Apple Login Key, added the Key to the primary App-ID, and downloaded the p8 file. The Service-ID shown in the last screenshot is also the correct one. We copied the key identifier as well as the p8 code to Keycloak.
Basically, we went step by step as described in the guide you mentioned.
Thanks for helping us out investigating our issue.
Best regards.
Thank you for all the screenshots. Looks good to me, so far.
I think we reached the point where further debugging is necessary to understand what's happening.
I'll prepare something for you. I will let you know.
That sounds great! Thank you so much in advance, we are really at our wits' end here :(
Ok. Let's go
We'll do some testing using https://webhook.site and Chrome (Safari can bug around when dealing with Apple-ID URLs).
I created a wiki page for this.
Please check it out and let me know if the troubleshooting guide is helpful.
In case you get a successful response from Apple, there's a bug in the extension which I don't yet know how to fix 😅
@fryderyklist Did you manage to resolve your issue?
Closing due to inactivity.