Sign in with Apple - PHP

token.php

<?php
# composer require web-token/jwt-framework

require_once 'vendor/autoload.php';

use Jose\Component\Core\AlgorithmManager;
use Jose\Component\KeyManagement\JWKFactory;
use Jose\Component\Signature\Algorithm\ES256;
use Jose\Component\Signature\JWSBuilder;
use Jose\Component\Signature\Serializer\CompactSerializer;

/** Your team identifier: https://developer.apple.com/account/#/membership/ (Team ID) */
$teamId = '1A234BFK46';
/** The client id of your service: https://developer.apple.com/account/resources/identifiers/list/serviceId */
$clientId = 'org.example.service';
/** Code from request: https://appleid.apple.com/auth/authorize?response_type=code&client_id={$clientId}&scope=email%20name&response_mode=form_post&redirect_uri={$redirectUri} */
$code = 'ab1c23456fb104dbfa034e0e66bc58370.0.nrwxq.yQMut7nanacO82i7OvNoBg';
/** The ID of the key file: https://developer.apple.com/account/resources/authkeys/list (Key ID) */
$keyFileId = '1ABC6523AA';
/** The path of the file which you downloaded from https://developer.apple.com/account/resources/authkeys/list */
$keyFileName = 'AuthKey_1ABC6523AA.p8';
/** The redirect uri of your service which you used in the $code request */
$redirectUri = 'https://example.org';

$algorithmManager = new AlgorithmManager([new ES256()]);

$jwsBuilder = new JWSBuilder($algorithmManager);
$jws = $jwsBuilder
	->create()
	->withPayload(json_encode([
		'iat' => time(),
		'exp' => time() + 3600,
		'iss' => $teamId,
		'aud' => 'https://appleid.apple.com',
		'sub' => $clientId
	]))
	->addSignature(JWKFactory::createFromKeyFile($keyFileName), [
		'alg' => 'ES256',
		'kid' => $keyFileId
	])
	->build();

$serializer = new CompactSerializer();
$token = $serializer->serialize($jws, 0);

$data = [
	'client_id' => $clientId,
	'client_secret' => $token,
	'code' => $code,
	'grant_type' => 'authorization_code',
	'redirect_uri' => $redirectUri
];

$ch = curl_init();
curl_setopt_array ($ch, [
	CURLOPT_URL => 'https://appleid.apple.com/auth/token',
	CURLOPT_POSTFIELDS => http_build_query($data),
	CURLOPT_RETURNTRANSFER => true
]);
$response = curl_exec($ch);
curl_close ($ch);

var_export(json_decode($response, true));
/**
 * array (
 *   'access_token' => 'ab12cd3ef45db4f86a7d32cbbf7703a45.0.abcde.Ab01C3_D4elgkHOMcFuXpg',
 *   'token_type' => 'Bearer',
 *   'expires_in' => 3600,
 *   'refresh_token' => 'abcdef12345678bb9bbbefba3e36118a2.0.mrwxq.Vo5t5ogmUXFERuNtiMbrvg',
 *   'id_token' => 'RS256 Encoded Hash',
 * )
 */

@patrickbussmann You sample code works fine for me. Thank you. You just saved my day.

The token's expiration time, in Unix epoch time; tokens that expire more than 20 minutes in the future are not valid (Ex: 1528408800)

Hi Patrick,

We need to generate the code in php language from the below request.

/** Code from request: https://appleid.apple.com/auth/authorize?response_type=code&client_id={$clientId}&scope=email%20name&response_mode=form_post&redirect_uri={$redirectUri} */

Can you please help on this??

@aaron2310: Use https://github.com/patrickbussmann/oauth2-apple
And then easily fill out your place holders.
-> {clientId}, {redirectUri}

Or what is your question here?

@EltechAdmin do you still need help? 😊

@aaron2310: Use https://github.com/patrickbussmann/oauth2-apple
And then easily fill out your place holders.
-> {clientId}, {redirectUri}

Or what is your question here?

@EltechAdmin do you still need help? blush

Thanks for the instant response.!!

I need the code which you generated $code = 'ab1c23456fb104dbfa034e0e66bc58370.0.nrwxq.yQMut7nanacO82i7OvNoBg';

I am able to craete the request from this URL https://appleid.apple.com/auth/authorize?response_type=code&client_id={$clientId}&scope=email%20name&response_mode=form_post&redirect_uri={$redirectUri} */

It redirects to the apple sign in page and shows two factor sign in and so on.. But our purpose is to generate the code as like above

Could you please help.. (In php) Hope the link you will help to get the code..Am i right??

Ah yes @aaron2310:
You have the URL. When you open it then you are on the apple sign in page.
Now you sign in with Apple.
Then you'll be redirected to {$redirectUri} with query parameters (or POST body) "code". (and on first sign in first name, last name, email and this things)

So when you'll be redirected to your $redirectUri let your browser console with network tab open. Then you can check your POST Body and/or query parameters easily.

👍

Thanks a lot!! will get back if any clarifications

Heyy it works. we changed the request_method from form_state to query. It works.
Is there any other way without using the jwt-framework?? just to know

It works but pay attention, the code provided by the client is valid only for a short time, so dont keep testing with the same code for a long time because it will say invalid_grant

Patrick, I need your help. How do I decrypt the information in the id_token that the apple server returns?

Thank you very much !!!

Patrick, I need your help. How do I decrypt the information in the id_token that the apple server returns?

https://github.com/gradus0/appleAuth

You saved my life! I am implementing the same using Guzzle and all I needed was to use your curl method instead.

Be careful because of this invalid_client error could be misleading (as always Apple's error messages)

$postParams = array(
    'code' => ...,
    'client_id' => ...,
    'client_secret' => ...,
    'grant_type' => 'authorization_code',
    'redirect_uri' => ...,
);

$curl = curl_init('https://appleid.apple.com/auth/token');

// never pass params as just array for apple without stringifying via http_build_query()
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($postParams));

When you will use just curl_setopt($curl, CURLOPT_POSTFIELDS, $postParams); it is valid POST request but another type than Apple expects but lazy apple developers are not able to provide error that this type of POST request is unsupported.