Issues with Apple Sign-In Integration: "invalid_client" Error

Hello Bubble Community,

I’m experiencing issues with integrating Apple Sign-In using the API Connector in Bubble. I’ve followed the standard setup but keep encountering an “invalid_client” error after being redirected back from Apple’s authentication page. Here are the details of my setup:

  1. API Connector Configuration:

    • API Name: Apple Sign-In
    • App ID: Service ID
    • Dev. App ID: Service ID
    • Scope: email
    • Token Name: access_token
    • Use a generic redirect URL: (checked)
    • Login dialog redirect: https://appleid.apple.com/auth/authorize?response_mode=form_post&locale=en_EN
    • Access token endpoint: https://appleid.apple.com/auth/token
    • User profile endpoint: https://appleid.apple.com/auth/keys
    • User ID key path: id
    • User email key path: email
    • App Secret: (JWT token generated correctly and verified)
  2. Steps Followed:

    • Initiated the login process via a button in the workflow.
    • Redirected to Apple’s authentication page successfully.
    • After signing in with Apple ID, redirected back to my site.
    • Encountered the “invalid_client” error.

Error Message:

API Connector error: the Oauth2 API Apple Sign-In is not configured properly - Received error from api The service this service just returned an error (HTTP 400). Please consult their documentation to ensure your call is setup properly. Raw error:
{"error":"invalid_client"}

Additional Info:

  • JWT Token: Generated using the correct private key, team ID, client ID, and key ID. The token is verified to be correct.
  • Redirect URI: Confirmed to match the one registered in Apple Developer Console.
  • Apple Developer Configuration: Primary App ID and Service ID are correctly set up with the necessary domains and return URLs.

Could someone help identify what might be going wrong or suggest any additional troubleshooting steps?

Thank you!

https://appleid.apple.com/auth/keys doesn’t return a profile endpoint that has id and email as a valid path. What I understand from the documentation is that when you fetch the access token, you will get an id_token that is a JWT that contains user info. If this is the case and no endpoint is available to fetch user ID and email, you will need to configure this manually.

Thanks for your suggestion, but the issue still exists.

Did you move to a manual auth process? You will also need a plugin/tool to decode the JWT after authorize and code exchange.
There are also some paid plugins that exist for that.

Thank you for helping with the setup for Apple ID authorization.

After successfully authorizing on the Apple side, I am redirected to the URL https://service.resetly.io/api/1.1/oauth_redirect, which I have checked in the API Connector. However, I cannot extract the id_token parameter from this URL for decoding through the JWT Decoder plugin.

When I am redirected back to the authorization page, there are no parameters in the URL. I am trying to use the JWT Decoder plugin to decode the token, but I can’t find the id_token in the URL.

My Current Workflow

  1. An event is set up to trigger when the “Sign in with Apple” button is clicked.
  2. An action is added to “Signup/login with API - Apple Sign-In” (which calls the API I configured in the API Connector).

Can you advise on how to properly configure the workflow to handle the URL redirect (https://service.resetly.io/api/1.1/oauth_redirect) or suggest another way to extract and decode the id_token?

Thank you in advance for any assistance!

What I said is that you CAN’T use the OAuth2 user-agent flow Bubble API auth option. You need to process manually. Check the existing plugin demo (the one from ZQ) to understand how they work.
However, from your side, you may need to read: [Showcase] Manual OAuth2 Token Integration to understand how to configure the first two steps (authorize URL and exchange code for token).
You will need to use a tool to decode the JWT token returned in the token endpoint to know the user info.
After that, continue to follow this guide about how to store the access token and refresh it when needed.
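The JWT decoding step mentioned in the reply above, as an added example that is not part of the original thread or of any Bubble plugin: it checks the id_token signature against the key set that https://appleid.apple.com/auth/keys serves (Apple's public signing keys, not a user profile), validates issuer, audience and expiry, and only then reads the user ID (`sub`) and email. The function names, the locally generated key pair and the Service ID `com.example.service` are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const decodePart = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// jwks: parsed JSON served by https://appleid.apple.com/auth/keys
// clientId: the Service ID the token must have been issued for
function verifyAppleIdToken(idToken, jwks, clientId, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const [h, p, s] = parts;
  const header = decodePart(h);
  if (header.alg !== 'RS256') throw new Error('unexpected alg'); // pin the algorithm
  const jwk = jwks.keys.find((k) => k.kty === 'RSA' && k.kid === header.kid);
  if (!jwk) throw new Error('no matching key');
  const key = crypto.createPublicKey({ key: { kty: 'RSA', n: jwk.n, e: jwk.e }, format: 'jwk' });
  const sigOk = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!sigOk) throw new Error('bad signature');
  // Only read claims after the signature checks out.
  const claims = decodePart(p);
  if (claims.iss !== 'https://appleid.apple.com') throw new Error('wrong issuer');
  if (claims.aud !== clientId) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  return { id: claims.sub, email: claims.email }; // "sub" is the stable user ID
}

// Constructed fixture: a locally generated key pair stands in for Apple's signing key.
function makeSample(overrides = {}) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'sample-kid' }] };
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const claims = {
    iss: 'https://appleid.apple.com', aud: 'com.example.service', // constructed Service ID
    sub: '000000.sample.0000', email: 'user@example.com', exp: 2000000000, ...overrides,
  };
  const signingInput = `${enc({ alg: 'RS256', kid: 'sample-kid' })}.${enc(claims)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey).toString('base64url');
  return { idToken: `${signingInput}.${sig}`, jwks };
}

const demo = makeSample();
console.log(verifyAppleIdToken(demo.idToken, demo.jwks, 'com.example.service', 1700000000));
```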

Thank you, all clear
