They pushed out some changes a little bit ago and I have been able to exchange the authorization code and get the user info now! I updated my post so maybe take a look through it again. developer.okta.com/blog/2019…
Hi, Aaron. Thanks for the link to your great article. Unfortunately, for me, I still can't get past the "invalid_grant" issue. I'm doing this for an Expo (React Native) app so things are slightly different in that I don't need redirect_url, etc. but generally it's the same. Hmm.
Why do you say you don't need a redirect_uri? That's probably the problem if you're not including it.
As I'm also using Expo, I followed the following to start with and there was no redirect_uri used.
medium.com/appandflow/eli5-s…
I tried with one and it didn't make a difference. Also, in Apple's documentation, it doesn't show redirect_uri as being required.
developer.apple.com/document…
Huh I missed that in their docs. My next guess is your client secret JWT isn't being generated properly. Try generating it with the Ruby code in my post, it's very picky.
Good idea. I'll give that a go. Based on the Apple docs, it requires the JWT to be created "using the Elliptic Curve Digital Signature Algorithm (ECDSA) with the P-256 curve and the SHA-256 hash algorithm", which I'm doing with the `jsonwebtoken` library.
developer.apple.com/document…
Make sure to include exactly the claims in their docs. I was finding some JWT libraries would add their own stuff into it or change things around slightly. Probably easiest to verify by base64 decoding the claims after you generate it.
Hey. Yeah, I also wondered that so I decoded the generated JWT and it looks like exactly what's required and shown at the bottom of this document.
developer.apple.com/document…
Ok I was curious so I tested myself. I get the `invalid_grant` error unless I include the `redirect_uri` in the POST request with the authorization code.
Also you need to be exchanging the authorization code from a server somewhere, because you can't ship this app with the client secret built in.
Nov 6, 2019 · 5:32 PM UTC
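
The claim check suggested in the thread (base64-decoding the generated client secret), written out as an added example that is not from either participant or from the linked post. The expected claim set (`iss`, `iat`, `exp`, `aud`, `sub`), the `ES256`/`kid` header and the 15777000-second limit are assumptions based on Apple's documentation; the IDs and tokens are constructed placeholders, and the signature is not verified.

```javascript
// Structural check of an Apple client-secret JWT; the signature is NOT verified.
// Assumption: expected claims and the 15777000 s limit follow Apple's documentation.
const APPLE_AUD = 'https://appleid.apple.com';
const MAX_AHEAD = 15777000; // six months, in seconds
const EXPECTED_CLAIMS = ['iss', 'iat', 'exp', 'aud', 'sub'];

function decodeSegment(seg) {
  // base64url -> base64, then parse the JSON object inside
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const obj = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  if (obj === null || typeof obj !== 'object') throw new Error('not a JSON object');
  return obj;
}

function checkClientSecret(jwt, { teamId, clientId, now }) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return ['not a three-part compact JWT'];
  let header, claims;
  try { header = decodeSegment(parts[0]); claims = decodeSegment(parts[1]); }
  catch (e) { return ['header or payload is not base64url-encoded JSON']; }
  const problems = [];
  if (header.alg !== 'ES256') problems.push(`alg is ${header.alg}, expected ES256`);
  if (!header.kid) problems.push('header has no kid');
  for (const c of EXPECTED_CLAIMS) if (!(c in claims)) problems.push(`missing claim ${c}`);
  for (const c of Object.keys(claims)) if (!EXPECTED_CLAIMS.includes(c)) problems.push(`unexpected claim ${c}`);
  if (claims.iss !== teamId) problems.push('iss is not the team ID');
  if (claims.sub !== clientId) problems.push('sub is not the client_id');
  if (claims.aud !== APPLE_AUD) problems.push(`aud is not ${APPLE_AUD}`);
  for (const c of ['iat', 'exp']) if (c in claims && !Number.isInteger(claims[c])) problems.push(`${c} is not an integer`);
  if (Number.isInteger(claims.exp)) {
    if (claims.exp <= now) problems.push('exp is in the past');
    if (claims.exp - now > MAX_AHEAD) problems.push('exp is more than six months ahead');
  }
  return problems;
}

// Constructed sample tokens (placeholder IDs, dummy signature) to exercise the check.
const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const makeToken = (h, c) => `${enc(h)}.${enc(c)}.c2lnbmF0dXJl`;
const NOW = 1573061520; // constructed "current time" for the samples
const OPTS = { teamId: 'TEAMID0000', clientId: 'com.example.app', now: NOW };
const good = makeToken({ alg: 'ES256', kid: 'KEYID00000', typ: 'JWT' },
  { iss: 'TEAMID0000', iat: NOW, exp: NOW + 3600, aud: APPLE_AUD, sub: 'com.example.app' });
const bad = makeToken({ alg: 'HS256' },
  { iss: 'TEAMID0000', iat: NOW, exp: String(NOW + 3600), aud: APPLE_AUD, sub: 'com.example.app', jti: 'x' });
console.log(checkClientSecret(good, OPTS), checkClientSecret(bad, OPTS));
```

An empty array means the token has the expected shape; it says nothing about whether the signing key is the right one.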