Better Auth•5w ago

Sign in with Apple in web fails / error: 'invalid_client'

I'm facing issues with Sign in with Apple in my Better Auth setup: Current Status - ✅ Apple Sign In works in my Expo (native) app using ID token - ❌ Apple Sign In fails on web Configuration Details - Using Better Auth with Expo plugin - JWT payload for client secret looks correct:

  {
    "aud": "https://appleid.apple.com",
    "iss": "xxx",
    "iat": 1741190805,
    "exp": 1772294802,
    "sub": "de.xxx.web"
  }

  {
    "aud": "https://appleid.apple.com",
    "iss": "xxx",
    "iat": 1741190805,
    "exp": 1772294802,
    "sub": "de.xxx.web"
  }

- Web Service ID: de.xxx.web - App Bundle ID: de.xxx.app Error Messages Server logs show:

INFO [Better Auth]: If it's a valid URL, please add https://appleid.apple.com to trustedOrigins
ERROR [Better Auth]: Invalid origin: https://appleid.apple.com
ERROR [Better Auth]: { error: 'invalid_client', status: 400, statusText: 'Bad Request' }

INFO [Better Auth]: If it's a valid URL, please add https://appleid.apple.com to trustedOrigins
ERROR [Better Auth]: Invalid origin: https://appleid.apple.com
ERROR [Better Auth]: { error: 'invalid_client', status: 400, statusText: 'Bad Request' }

I've added https://appleid.apple.com to trustedOrigins as suggested (should not be needed?), but still experiencing web authentication issues. Any ideas what might be causing this discrepancy between native and web authentication?

10 Replies

zsmooth•4w ago

Did you ever track this down? I'm getting the same error.

luksch42OP•3w ago

@zsmooth no.. hard to believe that Apple as one of the iconic ux companies has this kind of auth credential garbage 🥸

zsmooth•3w ago

Adding it to trustedDomains worked for me. I think this is a better auth bug, not an apple bug

luksch42OP•3w ago

Thanks for sharing!

chumpo•3w ago

Im having the same issue, did you ever fix it? where is that option to set trustedDomains? nvm I figure it out, I had an invalid_code as in my apple secret wasn't generated with the proper signinid, setting up al this stuff in apple is a PITA tho Also had to follow this for CSRF https://gist.github.com/Maxiviper117/95a31750b74510bbb413d2e4ae20b4e8

felix•3w ago

hey, just stumbled across your post here. Im facing the same error and trying to solve this for hours. Whats the signinid? I just have the client_secret and client_id

chumpo•3w ago

Your client id would be what the identifier for the specific service id that you set up so enable sign in with a web service is inside apple developer account Your cloent secret you would have to generate it using a pem cert you can download from apple

vanceEl•2w ago

I'm using this bun script to generate the credentials bun run generate-apple-secret.ts --team <TEAM_ID> --key <KEY_ID> --client <CLIENT_ID> --private <PATH_TO_P8> and I also set the appBundleIdentifier. However, very frustratingly, login was working for me using the release version on testflight but apple review team couldn't login. Adding "https://appleid.apple.com" to the trustedOrigins solved the issue but wasn't obvious since I never observed the error directly.

generateSigninWithAp...

chumpo•2w ago

@here do we have to generate a new client_secret every time the jwt exp is met... I mean with my local development server Im getting invalid_client or invalid_code every hour has anyone here had that experience?

zsmooth•2w ago

i'm generating the client_secret on the server and caching it, and then automatically regenerating it every time it's a day away from expiring. i don't get the examples i see where people are generating the secret on the command line. makes no sense to me

Gaming

Programming

Sign in with Apple in web fails / error: 'invalid_client'

Did you find this page helpful?