Convex Auth Apple
got github and google working in dev in prod. make sure using at least @convex-dev/auth@0.0.39
Now trying to get Apple working. It's super confusing, but with the help of this article https://medium.com/identity-beyond-borders/how-to-configure-sign-in-with-apple-77c61e336003, I believe I know have the right AUTH_APPLE_ID (client_id) and AUTH_APPLE_SECRET (client_secret)
Now I get the following error
invalid_request
invalid client scope
71 Replies
This is what I got as well. Unfortunately to my understanding that's a generic error message that can happen for any number of reasons.
is there a way to log exactly the call to Apple
does convex auth send any query params, or payload?
You can see all the arguments in the Network tab, since the communication is done via a server redirect.
Your convex backend replies with
Location header, which your browser uses to redirect.
In case of RN I'm not sure how to see the Network logs actually for the in-app browser.you get the same error on the web.
Is it a problem related to
Website URLs
Provide your web domain and return URLs that will support Sign in with Apple. Your website must support TLS 1.2 or higher. All Return URLs must be registered with the https:// protocol included in the URI string. After registering new website URLs, confirm the list you’d like to add to this Services ID and click Done. To complete the process, click Continue, then click Save.
I notice that Clerk uses a callback url that uses my domain, while Convex uses its own url
Yeah, but presumably you can register the Convex backend URL as well?
Otherwise we might need to figure out a way to proxy the OAuth flow through your hosting server - or you could drive the OAuth flow from the in-app browser and at the end exchange the credentials.
for github and google it doesn't seem to matter at all from RN
Has anyone got Apple log in working with convex auth?
I added these but, but still error
this comment seems possible
The scope query parameter supports the following values for Sign in with Apple:
name
email
https://forums.developer.apple.com/forums/thread/690097
@Michal Srb is scope being sent with the first call to Apple
@Michal Srb Has anyone got Apple log in working with convex auth?https://developer.apple.com/documentation/technotes/tn3107-resolving-sign-in-with-apple-response-errors?changes=_7
invalid_scope | The requested scope is invalid. | Make sure the request is correct, and that the provided scope is supported, etc.
Apple Developer Documentation
TN3107: Resolving Sign in with Apple response errors | Apple Develo...
Diagnose errors received by the Sign in with Apple client, or its server infrastructure, by identifying the underlying causes of common error codes and explore their potential solutions.
I think it might be set to
openid profile email , I'll checkis there a way to override that?
Or just to see a log statement to confirm
@Michal Srb does the apple oauth with convex auth work for anyone?
GitHub
next-auth/packages/core/src/providers/apple.ts at 536db6e99e09cb673...
Authentication for the Web. Contribute to nextauthjs/next-auth development by creating an account on GitHub.
'): OAuthConfig<P> {
return {
id: "apple",
name: "Apple",
type: "oidc",
issuer: "https://appleid.apple.com",
authorization: {
params: { scope: "name email", response_mode: "form_post" },
},'
I haven't personally heard of anyone using Apple yet, or done it myself (yet). So please report back with your experience if you get it working
No luck so far and I can’t figure out how to see exactly what the call to Apple is. I currently only have this in react native and I don’t see the call in the networking tab of the Java script console
I’m pretty sure Apple is rejecting that first call
To debug whether it's a bug with Auth.js or Convex Auth, you could make a dummy project using our Auth.js adapter (or the Apple provider with any Auth.js project): https://stack.convex.dev/nextauth
Stack
Convex with Auth.js (NextAuth)
Learn how to use Auth.js with your Next.js server and Convex backend to build a full-featured authentication system.
thank fucking god i didnt try apple auth
i was so close to
lol
I’d like to first just log what the call to Apple is but I’m unsure how to
@burnstony#1975 sorry, I'm working on something else, if you want to debug yourself you can:
1. Edit
node_modules/@convex-dev/auth/dist/server/implementation.js
2. On line 360 add console.log("Sent to apple", redirect);
3. Deploy (have npx convex dev running)
4. Observe the logs on your Convex dashboard
This will show you the URL that's used to open the Apple OAuth page (the URL params are all the arguments provided to Apple).Awesome
Jul 24, 09:31:54
H
GET /api/auth/signin/apple
log
'Sent to apple' 'https://appleid.apple.com/auth/authorize?response_type=code&client_id=com.everwhz.service&redirect_uri=https%3A%2F%2Fdoting-bee-40.convex.site%2Fapi%2Fauth%2Fcallback%2Fapple&nonce=kSpty8sYh1nmhBoLnyBd8V3IGgCrbSPxhNRK-t05dSo&scope=openid+profile+email'That's wrong. @burnstony#1975 can you try again with
@convex-dev/auth@0.0.40. I'm hoping it fixes the scope.looks the same
'redirect:' 'https://appleid.apple.com/auth/authorize?response_type=code&client_id=com.everwhz.service&redirect_uri=https%3A%2F%2Fdoting-bee-40.convex.site%2Fapi%2Fauth%2Fcallback%2Fapple&nonce=WO33kz9cshIByHMKdevt67uKYiiBbFb5RalFeJwd42I&scope=openid+profile+email'
@Michal Srb what should the scope be
I can manually replace it just to test
The URL should have
scope=name+email&response_mode=form_post'redirect:' 'https://appleid.apple.com/auth/authorize?response_type=code&client_id=com.everwhz.service&redirect_uri=https%3A%2F%2Fdoting-bee-40.convex.site%2Fapi%2Fauth%2Fcallback%2Fapple&nonce=G6e2Pve-Lma-gea6CvhP6RezOhO0UhHHx93aIn2twMk&scope=name+email&response_mode=form_post'
should I remove response_type
Is the URL failing still? Does it work when you remove
response_type?still failing
same without response type
'redirect:' 'https://appleid.apple.com/auth/authorize?client_id=com.everwhz.service&redirect_uri=https%3A%2F%2Fdoting-bee-40.convex.site%2Fapi%2Fauth%2Fcallback%2Fapple&nonce=SXJvxWINIw0VV4GzIQoXzTov1sTQmBBq0Bs06c5ulQM&scope=name+email&response_mode=form_post'
actually thats a new error
Ok,
response_type has to be response_type=code+id_token
Then I get a new error, invalid redirect URL
But that presumably is fixable in your apple configsame
let me look
the apple configs are way confusing
Way way
progress
now it does the whole log in, but than I get this error
No matching routes found
also same thing in PROD
Awesome! What did you change to fix the redirect URL?
I had done it before, but you have to hit continue a few times than save or it doesn't save it
Ok so now the error is that your backend isn't handling https://doting-bee-40.convex.site/api/auth/callback/apple
Do you get any logs on your dashboard?
(I just tried it in my browser against your backend)
Jul 24, 11:08:40
H
GET /api/auth/callback/apple
error
[Error: pkce cookie is missing.]
It's weird that it's returning 404 though
if you try again I'll send all the logs
thats what I thought
I obviously don't have the cookie set since I'm starting from the Apple URL
import { convexAuth } from "@convex-dev/auth/server";
import Google from "@auth/core/providers/google";
import GitHub from "@auth/core/providers/github";
import Apple from "@auth/core/providers/apple";
export const { auth, signIn, signOut, store } = convexAuth({
providers: [Google, GitHub, Apple],
callbacks: {
async redirect({ redirectTo }) {
console.log('redirectTo:', redirectTo)
return redirectTo;
},
},
});
Can you try:
1. Upgrade to
@convex-dev/auth@0.0.41 (now the scope should be actually fixed)
2. Change auth.ts to have:
where do I put that
Argument of type '{ authorization: { params: { scope: string; response_mode: string; response_type: string; }; }; }' is not assignable to parameter of type 'Omit<OAuthUserConfig<any>, "clientSecret"> & { clientSecret: string; }'.
Property 'clientSecret' is missing in type '{ authorization: { params: { scope: string; response_mode: string; response_type: string; }; }; }' but required in type '{ clientSecret: string; }'.ts(2345)
apple.d.ts(140, 5): 'clientSecret' is declared here.
clientSecret is required
import Google from "@auth/core/providers/google";
import GitHub from "@auth/core/providers/github";
import Apple from "@auth/core/providers/apple";
export const { auth, signIn, signOut, store } = convexAuth({
providers: [Google, GitHub,
Apple({
authorization: {
params: { scope: "name email", response_mode: "form_post", response_type: "code id_token" }
},
clientSecret: ""
})
],
callbacks: {
async redirect({ redirectTo }) {
console.log('redirectTo:', redirectTo)
return redirectTo;
},
},
});
that will compile at leastYou can ignore that type error, or set
clientSecret: process.env.AUTH_APPLE_SECRETsame error
404? And where do you see the pkce cookie is missing error (can you screenshot)
(and are you starting the whole flow, not just from the Apple URL)
I think I only got the pkce error when you tried
Ok. So which error are you getting now?
did you just try something
The later ones are me hitting your backend haha
can you try with apple
Do you have something else in your
http.ts file besides the setup code?import { httpRouter } from "convex/server";
import { auth } from "./auth";
const http = httpRouter();
auth.addHttpRoutes(http);
export default http;
Baffling
And I cannot repro on my backend
Oh, why are they POSTing
One sec
good eye
@Michal Srb any thoughts
@convex-dev/auth@0.0.42exciting, are these new versions just for me?
They're for everyone, but I'm making these fixes thanks to you! 😇
(dm'd you on Discord as well)
the response from
const result = await openAuthSessionAsync(redirect!.toString(), redirectTo);
is lacking the code from apple
apple returned {"error": null, "type": "success", "url": "exp://192.168.1.153:8081"}
google returned {"error": null, "type": "success", "url": "exp://192.168.1.153:8081/?code=21516484"}
Ok, got it to work.
Use
@convex-dev/auth@0.0.43
And configure Apple like this:
I'll open a PR with Auth.js to fix the provider config so this config isn't needed in the future.Would appreciate a heart/thumbs up on the PR to Auth.js: https://github.com/nextauthjs/next-auth/pull/11453
GitHub
Update Apple provider config by xixixao · Pull Request #11453 · nex...
☕️ Reasoning
Sing In with Apple is currently broken, but these changes bring it closer to working (and make it work in Convex Auth).
Don't require clientSecret when options are provided. This ...
thank you so much it works now @Michal Srb