The getAuthorizationToken function expects a redirectUri. If it's not supplied, it throws an error with the message redirectUri is empty.

While passing the redirectUri is required when doing sign in through the web, it doesn't exist when the authentication happens natively through an iOS app. For this reason, this field should be optional.

https://developer.apple.com/forums/thread/121760

Use response_mode = form_post when requesting name or email scope

export const getAuthorizationUrl = (options: any = {}) => {
if (!options.clientID) {
throw Error('clientID is empty');
}
if (!options.redirectUri) {
throw Error('redirectUri is empty');
}
return ENDPOINT_URL + '/auth/authorize?' + qs.stringify({
response_mode: 'form_post',
response_type: 'code',
state: options.state || 'state',
client_id: options.clientID,
redirect_uri: options.redirectUri,
scope: options.scope,
});
};

Hi, do you plan to add a public-key cache feature?

See in https://stackoverflow.com/questions/57043571/can-i-store-apples-public-key-for-verifying-token-signature

Follow example and perform the following

   const clientSecret = appleSignin.getClientSecret({
        clientID: "com.xxx.client", // identifier of Apple Service ID.
        teamId: "xxxxxx", // Apple Developer Team ID.
        privateKeyPath: __dirname + "/authkey.p8", // path to private key associated with your client ID.
        keyIdentifier: "xxx" // identifier of the private key.
    });

    const options = {
        grant_type: 'authorization_code',
        clientID: "com.xxx.client", // identifier of Apple Service ID.
        redirectUri: "http://xxx.my/redirect", // use the same value which you passed to authorisation URL.
        clientSecret: clientSecret
    };

    appleSignin.getAuthorizationToken(accessToken, options).then(tokenResponse => {
        console.log(tokenResponse);
    }).catch(error => {
        console.log(error);
    });

accessToken is the getting from ios apps apple sign in

I see issues that doesnt closed and some PRs that doesnt merged.

Is this library dead?

I got an error for request to verify authorization code as below:

"error": "invalid_client"

this error is because of client_secret value.

can you please help to figure out this issue?

Thanks

In order to deploy an app to Heroku or other PaaS, an app must be implemented using the twelve-factor methodology, which among other things, says that we shouldn't store credentials or sensitive information in our code repositories (III. Config). Instead, this kind of information should be stored in environment variables.

Currently, there's no way to read the private key content from an environment variable and pass it directly to node-apple-signin. Although we could copy the environment variable to a file during the app startup and pass the path to it, a better solution would be to pass the string directly.

Passing a string directly also avoids unnecessary disk reads, which are currently synchronous (fs.readFileSync is used) and can block the event loop.

Just a heads up to anyone using this library, as mentioned here: https://forums.developer.apple.com/thread/129047

Apple recently added multiple public keys instead of the single public key that has been available since Apple Sign In was launched (see: https://appleid.apple.com/auth/keys)

To avoid getting invalid signature errors every time a token is signed using a different key to the first returned from the URL above (which what this library currently uses) the following changes are needed:

const verifyIdToken = async (idToken, clientID) => {
const decodedToken = jwt.decode(identityToken, { complete: true });
const applePublicKey = await getAppleIDPublicKey(decodedToken.header.kid);

const jwtClaims = jwt.verify(idToken, applePublicKey, { algorithms: 'RS256' });
...

getAppleIDPublicKey then needs to use the kid (keyIdentifier) parameter to return the correct key from the list of keys returned from https://appleid.apple.com/auth/keys and everything should work 100% again 🥳