ERROR -- omniauth: (apple) Authentication failure! invalid_credentials: OAuth2::Error, invalid_request: {"error":"invalid_request"} #110

Open
wonderffle opened this issue Nov 7, 2023 · 3 comments

@wonderffle

I keep running into the following error in my OmniauthCallbacksController which inherits from Devise::OmniauthCallbacksController. On the front end, I am using the auth-code flow to authenticate users with their Apple ID and then I pass the code and the redirect_uri as body parameters to this devise endpoint. However, I am getting the following error:

ERROR -- omniauth: (apple) Authentication failure! invalid_credentials: OAuth2::Error, invalid_request: {"error":"invalid_request"}

This method works fine with google oauth2, but it's failing for me with Apple.

Perhaps I am missing some configuration or other step; however, I can authenticate with the auth code using the apple_id gem.

Here are some details of my configuration below:

rails version: 7.0.6
devise version: 4.9.2
omniauth-apple version: 1.3.0

devise.rb
```ruby
config.omniauth :google_oauth2, OMNIAUTH_GOOGLE_CLIENT_ID, OMNIAUTH_GOOGLE_CLIENT_SECRET, scope: 'email,profile', provider_ignores_state: true

config.omniauth :apple, OMNIAUTH_APPLE_CLIENT_ID, '', {
  scope: 'email name',
  team_id: OMNIAUTH_APPLE_TEAM_ID,
  key_id: OMNIAUTH_APPLE_KEY_ID,
  pem: OMNIAUTH_APPLE_PRIVATE_KEY,
  provider_ignores_state: true,
  authorized_client_ids: [ OMNIAUTH_APPLE_CLIENT_ID ],
  redirect_uri: 'https://lvh.me/login'
}
```

routes.rb
```ruby
devise_for :users, controllers: { sessions: 'sessions', registrations: 'registrations', omniauth_callbacks: 'users/omniauth_callbacks' }, defaults: { format: :json }
```

user.rb
```ruby
devise :database_authenticatable, :confirmable, :registerable, :recoverable, :rememberable, :trackable, :validatable, :jwt_authenticatable, :omniauthable, jwt_revocation_strategy: JwtBlacklist, omniauth_providers: [:apple, :google_oauth2]
```

@wonderffle

wonderffle commented Nov 7, 2023

After enabling additional logging on the OAuth2 gem, I found that the request to https://appleid.apple.com/auth/token does not include the code param in the request body. The code param was actually passed, but it was null. I was able to bypass omniauth and send a direct request to the apple auth token endpoint including the code param and got back the JWT to decode to get the auth info. When I sent the request a subsequent time without the code param, I got the same error message as above.

```
INFO -- request: POST https://appleid.apple.com/auth/token
2023-11-07 11:54:23.878003 D [49453:puma srv tp 005] Rails -- (apple) Callback phase initiated.
I, [2023-11-07T11:54:23.881212 #49453] INFO -- request: User-Agent: "Faraday v2.7.4"
Content-Type: "application/x-www-form-urlencoded"
Traceparent: "00-4ppd0xdr93c3195e22f1dbdd788b29f2-248371a21ff04849-01"
Tracestate: "es=s:1.0"
Elastic-Apm-Traceparent: "00-4ccf0fdd93c2795e22f1dbdd777b29f2-265371a21fa04849-01"
I, [2023-11-07T11:54:23.883525 #49453] INFO -- request: {"client_id"=>"com.client.id",
"client_secret"=>"secret",
"grant_type"=>"authorization_code",
"code"=>nil,
"redirect_uri"=>"https://lvh.me"}
```

@edemagbenyo

@wonderffle were you able to resolve the above error?

@wJoenn

wJoenn commented Feb 14, 2025

I just opened a PR to update the documentation for hybrid applications (Rails API and JS client), which I think answers your question. Would you mind having a look and telling me whether that helps you or not?
#120

Basically, the issue I had, which sounds quite similar to yours, is that I was sending my data in the request's body

```js
fetch('https://my.api.domain/users/auth/apple/callback', {
  body: JSON.stringify({ code }), // fetch takes the payload as `body`; it has no `data` option
  headers: { 'Content-Type': 'application/json' },
  method: 'POST'
})
```

but what I discovered is that omniauth-apple never reads the request.body, only the request.params, which meant that my params was always an empty object no matter what I included in my request's body.

Instead, what I had to do was send the data as query params, and that fixed the invalid_request error for me

```js
fetch(`https://my.api.domain/users/auth/apple/callback?code=${code}`, {
  headers: { 'Content-Type': 'application/json' },
  method: 'POST'
})
```
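
Added example (not from the thread or the omniauth-apple project): a simplified, stdlib-only model of how Rack builds `request.params`, showing why a JSON body leaves `code` nil in the token request while a query string or a form-encoded body supplies it. The `params_for` and `token_request` helpers and the sample code value are constructed for illustration; multipart bodies and the no-Content-Type case are omitted.

```ruby
require 'uri'
require 'json'

# Simplified model of Rack::Request#params (assumption: multipart omitted).
# Rack merges the query string with the body ONLY when the body is form data;
# a JSON body is never parsed at this layer.
FORM_TYPE = 'application/x-www-form-urlencoded'

def params_for(url:, content_type: nil, body: '')
  query = URI.decode_www_form(URI(url).query.to_s).to_h
  media_type = content_type.to_s.split(';').first.to_s.strip.downcase
  form = media_type == FORM_TYPE ? URI.decode_www_form(body).to_h : {}
  query.merge(form)
end

# Mirrors the token request in the log above: "code" is whatever params held.
def token_request(params)
  { 'grant_type' => 'authorization_code', 'code' => params['code'] }
end

CALLBACK = 'https://my.api.domain/users/auth/apple/callback'
CODE = 'c0nstructed.sample.code' # constructed value, not a real Apple code

# JSON body: params stay empty, so the token request carries code=nil.
def json_body_case
  params_for(url: CALLBACK, content_type: 'application/json',
             body: JSON.generate(code: CODE))
end

# Query string: always part of params, whatever the Content-Type says.
def query_case
  params_for(url: "#{CALLBACK}?code=#{URI.encode_www_form_component(CODE)}",
             content_type: 'application/json')
end

# Form-encoded body: parsed into params, and the code stays out of the URL.
def form_body_case
  params_for(url: CALLBACK, content_type: "#{FORM_TYPE}; charset=utf-8",
             body: URI.encode_www_form(code: CODE))
end

if __FILE__ == $PROGRAM_NAME
  { json: json_body_case, query: query_case, form: form_body_case }.each do |name, params|
    puts "#{name}: #{token_request(params).inspect}"
  end
end
```

In this model the form-encoded variant delivers `code` without placing it in the URL, where it would otherwise be recorded in access logs.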
