Troubleshoot Sign in With Apple
Ensure that the correct configuration elements are in place, both in the Auth0 Management Dashboard and in the Apple Developer Settings Console. Common configuration problems include:
- Using the wrong identifier: Remember that Apple App IDs (also known as App Bundle Identifiers) need to be configured in Auth0's advanced application settings. Service IDs, which are used to configure web apps, need to be configured in connection settings. Switching these identifiers will result in failures.
- Missing return URLs for Web Apps: When using Sign In with Apple for web apps, the Auth0 callback endpoint must be added to the list of Return URLs in the Apple Developer Settings Console. When not using custom domains, this will take the format:
If your application successfully initiated the login flow with Auth0, the results will be reflected in the tenant logs. Native social exchanges will use the
fens event types to indicate success and failure (respectively), while web flows will use the standard
f event types. All tenant logs interacting with the Apple IdP will use the connection value of
Types of errors
The following errors may be returned from the Apple IdP. Auth0 will relay both status codes and error messages from Apple should a request fail.
| Status code | Description |
|---|---|
| 400 | The request parameters were incomplete or incorrect |
| 400 | The authorization code or refresh token presented to the Apple IdP is not valid |
| 400 | Apple was unable to successfully authenticate the client with the provided credentials |
| 500 | Other server-side issue inhibiting its ability to issue tokens |
Many identity providers have their own idiosyncrasies, and Apple is no exception. When integrating, be mindful of a few of its implementation choices.
- Users are Unique Per Apple Development Account: User identifiers in the Apple world are guaranteed to be both unique and persistent per Apple Development Account. If Apple user identifiers are sourced from more than one development account, know that the same user will be represented by different identifiers.
- Users can Choose Which Email to Share: When users have multiple email addresses, they may choose which one is shared. Additionally, in the case of re-authentication, users might not pick the same email address. This means that the User ID should be used exclusively as the identifier, and account linking operations should be handled with care.
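
The two points above, as an added example that is not Auth0 or Apple code: a local account store keyed on the Apple user ID scoped to its development account, with email kept as a mutable attribute and never used to merge accounts automatically. The `AccountStore` class, the profile shape `{ developerAccount, userId, email }` and all sample values are assumptions made for illustration.

```javascript
// Added example: names and profile shape are hypothetical, not an Auth0 or Apple API.
class AccountStore {
  constructor() {
    this.byIdentity = new Map(); // "apple|<developerAccount>|<userId>" -> account
    this.nextId = 1;
  }

  // Apple user IDs are unique per development account, so the account is part of the key.
  static identityKey(profile) {
    return `apple|${profile.developerAccount}|${profile.userId}`;
  }

  // Resolve a login to a local account. Email is stored as an attribute only.
  login(profile) {
    const key = AccountStore.identityKey(profile);
    let account = this.byIdentity.get(key);
    if (!account) {
      account = { id: this.nextId++, email: profile.email, linkCandidates: [] };
      // A matching email elsewhere is only a hint to offer a user-confirmed link.
      for (const other of this.byIdentity.values()) {
        if (other.email === profile.email) account.linkCandidates.push(other.id);
      }
      this.byIdentity.set(key, account);
    } else if (profile.email && profile.email !== account.email) {
      // Re-authentication with a different shared email: same account, updated attribute.
      account.email = profile.email;
    }
    return account;
  }
}

// Constructed sample logins (all values are made up).
function demo() {
  const store = new AccountStore();
  const first = store.login(
    { developerAccount: "TEAM_A", userId: "001234.abc", email: "alice@example.com" });
  // Same user ID, different email chosen on re-authentication.
  const again = store.login(
    { developerAccount: "TEAM_A", userId: "001234.abc", email: "alice.alt@example.com" });
  // Same person seen through a second development account: different identifier.
  const otherTeam = store.login(
    { developerAccount: "TEAM_B", userId: "009876.xyz", email: "alice.alt@example.com" });
  return { first, again, otherTeam };
}

console.log(JSON.stringify(demo(), null, 2));
```

The third login creates a separate account and records the first one only as a link candidate, so any merge remains an explicit, user-confirmed step.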