fix: sign In with Apple With ID Token not work (#966)

Stephen Zhou
2024-12-20 21:27:43 +08:00
committed by GitHub
parent 5e84b35632
commit b4ff55d55a
2 changed files with 9 additions and 3 deletions


@@ -25,10 +25,14 @@ description: Apple provider setup and usage.
apple: { // [!code highlight]
clientId: process.env.APPLE_CLIENT_ID as string, // [!code highlight]
clientSecret: process.env.APPLE_CLIENT_SECRET as string, // [!code highlight]
// Optional
appBundleIdentifier: process.env.APPLE_APP_BUNDLE_IDENTIFIER as string, // [!code highlight]
}, // [!code highlight]
},
})
```
On native iOS, it doesn't use the service id but the app id (bundle id) as client id, so if using the service id as clientId in signIn.social() with idToken, it throws an error: JWTClaimValidationFailed: unexpected "aud" claim value. So you need to provide the appBundleIdentifier when you want to sign in with Apple using the ID Token.
</Step>
</Steps>


@@ -64,7 +64,9 @@ export interface AppleNonConformUser {
email: string;
}
export interface AppleOptions extends ProviderOptions<AppleProfile> {}
export interface AppleOptions extends ProviderOptions<AppleProfile> {
appBundleIdentifier?: string;
}
export const apple = (options: AppleOptions) => {
const tokenEndpoint = "https://appleid.apple.com/auth/token";
@@ -105,7 +107,7 @@ export const apple = (options: AppleOptions) => {
const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
algorithms: [jwtAlg],
issuer: "https://appleid.apple.com",
audience: options.clientId,
audience: options.appBundleIdentifier || options.clientId,
maxTokenAge: "1h",
});
["email_verified", "is_private_email"].forEach((field) => {
@@ -125,7 +127,7 @@ export const apple = (options: AppleOptions) => {
if (!token.idToken) {
return null;
}
const profile = decodeJwt(token.idToken)?.payload as AppleProfile | null;
const profile = decodeJwt<AppleProfile>(token.idToken);
if (!profile) {
return null;
}
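Review bot: In the jwtVerify call, `audience: options.appBundleIdentifier || options.clientId` replaces the expected audience instead of extending it, so once appBundleIdentifier is configured an ID token issued to the service ID (clientId) fails with the same "aud" error this commit fixes for native iOS. If one server receives ID tokens from both web and native clients, pass both configured values, since jose's `audience` option also accepts an array: `audience: [options.appBundleIdentifier, options.clientId].filter((aud): aud is string => !!aud),`. Limiting the list to those two identifiers keeps the audience check meaningful. Separately, in the last hunk `decodeJwt<AppleProfile>(token.idToken)` only decodes and does not check the signature, and if this is jose's decodeJwt (the import is outside the hunk) it throws on a malformed token rather than returning a falsy value, so the `if (!profile)` guard would not cover that case. The enclosing functions of both hunks start and end outside the visible lines, so whether the token was verified earlier cannot be confirmed from here.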