新的Apple登录不断抛出错误HTTP 400 Invalid_grant [英] New Apple Sign in keeps throwing Error HTTP 400 Invalid_grant

问题描述

根据苹果 doc 来针对Apple验证身份验证代码，我们需要发布到 http://appleid.apple.com/auth/token 具有以下参数:

According to apple doc to validate the auth code against Apple we need to POST to http://appleid.apple.com/auth/token with this parameters:

#!java

token = generateJWT(keyId, teamId, clientId, certificatePath);

HttpResponse<String> response = Unirest.post(authUrl)
     .header("Content-Type", "application/x-www-form-urlencoded")
     .field("client_id", clientId)
     .field("client_secret", token)
     .field("grant_type", "authorization_code")
     .field("code", authorizationCode)
     .asString();

其中:

• 授权码:是应用客户端提供的身份验证代码.

• authorization_code: Is the auth code provided by app client.

clientId :由Apple提供

令牌:是客户机密".一个JWT使用以下代码生成:

token: is Client Secret. A JWT generate with this code:

#!java

private static String generateJWT(String keyId, String teamId, String clientId, String certificatePath) throws Exception {
        if (pKey == null) {
            pKey = getPrivateKey(certificatePath);
        }

        return Jwts.builder()
                .setHeaderParam(JwsHeader.KEY_ID, keyId)
                .setIssuer(teamId)
                .setAudience("https://appleid.apple.com")
                .setSubject(clientId)
                .setExpiration(new Date(System.currentTimeMillis() + (1000 * 60 * 5)))
                .setIssuedAt(new Date(System.currentTimeMillis()))
                .signWith(pKey, SignatureAlgorithm.ES256)
                .compact();
    }

private static PrivateKey getPrivateKey(String certificatePath) throws Exception {
        //read your key
        try (PEMParser pemParser = new PEMParser(new FileReader(certificatePath))) {
            final JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
            final PrivateKeyInfo object = (PrivateKeyInfo) pemParser.readObject();
            final PrivateKey pKey = converter.getPrivateKey(object);
            return pKey;
        }
    }

我们检查JWT是否包含apple所需的所有字段:

We check that, the JWT, contains all the fields needed by apple:

#!json

{
  "alg": "ES256",
  "typ": "JWT",
  "kid": "6876D87D6"
}
{
  "iat": 1578654031,
  "exp": 1578740431,
  "aud": "https://appleid.apple.com",
  "iss": "57675576576",
  "sub": "com.blahblah.client"
}

但这是问题所在.它总是使用此主体返回400 HTTP错误:

But this is the problem. It always return a 400 HTTP Error with this body:

#!json

{"error":"invalid_grant"}

从这里我们完全迷路了.我们不明白为什么代码不正确或为什么有invalid_grant错误.

From here we are completely lost. We do not understand why the code is not correct or why it has an invalid_grant error.

推荐答案

将带有错误authorizationCode的请求发送到 https://appleid.apple.com/auth/token .确保您获得的代码与下面的快速代码示例中的代码相同.

I was only able to get the invalid_grant error when sending requests with incorrect authorizationCode to https://appleid.apple.com/auth/token. Make sure you get the code the same way as in the swift code sample below.

我认为此错误与client_secret无关.当我将client_secret从有效值更改为空字符串或某些不正确的值时，我只会收到invalid_client错误.而当authorizationCode和 client_secret是错误的，我也收到invalid_client错误.

I think this error is not about the client_secret. When I change the client_secret from a valid value to an empty string or some incorrect value, I just get the invalid_client error. And when both the authorizationCode and the client_secret are wrong, I also get the invalid_client error.

这是请求所需要的:

1. app_id是应用程序的捆绑包标识符

2. client_secret是使用问题中显示的信息创建的jwt令牌，并使用从中下载的私钥进行签名 developer.apple.com也在此处查看我的答案

1. app_id is the bundle identifier for the app

2. client_secret is the jwt token you create using the information shown in the question and sign with your private key you download from developer.apple.com also see my answer here

grant_type只是字符串"authorization_code"

grant_type is just the string "authorization_code"

data = {
    'client_id': app_id,
    'client_secret': client_secret,
    'grant_type': grant_type,
    'code': authorizationCode,
}

headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
}

//python example request

response = requests.request(
    method='POST',
    url='https://appleid.apple.com/auth/token',
    data=data,
    headers=headers,
)

if response.status_code == 200:
    print("200")
else:
    print("error")
print(response.text)

以下快速代码可用于以正确的格式获取authorizationCode，identityToken和userIdentifier.

The following swift code can be used to get the authorizationCode, identityToken and userIdentifier on the correct format.

func authorizationController(controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) {
    if let appleIDCredential = authorization.credential as? ASAuthorizationAppleIDCredential {

         let userIdentifier = appleIDCredential.user
         print("userIdentifier: \(userIdentifier)")

         let authorizationCode = String(data: appleIDCredential.authorizationCode!, encoding: .utf8)!
         print("authorizationCode: \(authorizationCode)")

         let identityToken = String(data: appleIDCredential.identityToken!, encoding: .utf8)!
         print("identityToken: \(identityToken)")

    }
}

这篇关于新的Apple登录不断抛出错误HTTP 400 Invalid_grant的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！