Sign in with Apple - PHP

token.php

<?php
# composer require web-token/jwt-framework

require_once 'vendor/autoload.php';

use Jose\Component\Core\AlgorithmManager;
use Jose\Component\KeyManagement\JWKFactory;
use Jose\Component\Signature\Algorithm\ES256;
use Jose\Component\Signature\JWSBuilder;
use Jose\Component\Signature\Serializer\CompactSerializer;

/** Your team identifier: https://developer.apple.com/account/#/membership/ (Team ID) */
$teamId = '1A234BFK46';
/** The client id of your service: https://developer.apple.com/account/resources/identifiers/list/serviceId */
$clientId = 'org.example.service';
/** Code from request: https://appleid.apple.com/auth/authorize?response_type=code&client_id={$clientId}&scope=email%20name&response_mode=form_post&redirect_uri={$redirectUri} */
$code = 'ab1c23456fb104dbfa034e0e66bc58370.0.nrwxq.yQMut7nanacO82i7OvNoBg';
/** The ID of the key file: https://developer.apple.com/account/resources/authkeys/list (Key ID) */
$keyFileId = '1ABC6523AA';
/** The path of the file which you downloaded from https://developer.apple.com/account/resources/authkeys/list */
$keyFileName = 'AuthKey_1ABC6523AA.p8';
/** The redirect uri of your service which you used in the $code request */
$redirectUri = 'https://example.org';

$algorithmManager = new AlgorithmManager([new ES256()]);

$jwsBuilder = new JWSBuilder($algorithmManager);
$jws = $jwsBuilder
	->create()
	->withPayload(json_encode([
		'iat' => time(),
		'exp' => time() + 3600,
		'iss' => $teamId,
		'aud' => 'https://appleid.apple.com',
		'sub' => $clientId
	]))
	->addSignature(JWKFactory::createFromKeyFile($keyFileName), [
		'alg' => 'ES256',
		'kid' => $keyFileId
	])
	->build();

$serializer = new CompactSerializer();
$token = $serializer->serialize($jws, 0);

$data = [
	'client_id' => $clientId,
	'client_secret' => $token,
	'code' => $code,
	'grant_type' => 'authorization_code',
	'redirect_uri' => $redirectUri
];

$ch = curl_init();
curl_setopt_array ($ch, [
	CURLOPT_URL => 'https://appleid.apple.com/auth/token',
	CURLOPT_POSTFIELDS => http_build_query($data),
	CURLOPT_RETURNTRANSFER => true
]);
$response = curl_exec($ch);
curl_close ($ch);

var_export(json_decode($response, true));
/**
 * array (
 *   'access_token' => 'ab12cd3ef45db4f86a7d32cbbf7703a45.0.abcde.Ab01C3_D4elgkHOMcFuXpg',
 *   'token_type' => 'Bearer',
 *   'expires_in' => 3600,
 *   'refresh_token' => 'abcdef12345678bb9bbbefba3e36118a2.0.mrwxq.Vo5t5ogmUXFERuNtiMbrvg',
 *   'id_token' => 'RS256 Encoded Hash',
 * )
 */

Patrick, I need your help. How do I decrypt the information in the id_token that the apple server returns?

Thank you very much !!!

Patrick, I need your help. How do I decrypt the information in the id_token that the apple server returns?

https://github.com/gradus0/appleAuth

You saved my life! I am implementing the same using Guzzle and all I needed was to use your curl method instead.

Be careful because of this invalid_client error could be misleading (as always Apple's error messages)

$postParams = array(
    'code' => ...,
    'client_id' => ...,
    'client_secret' => ...,
    'grant_type' => 'authorization_code',
    'redirect_uri' => ...,
);

$curl = curl_init('https://appleid.apple.com/auth/token');

// never pass params as just array for apple without stringifying via http_build_query()
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($postParams));

When you will use just curl_setopt($curl, CURLOPT_POSTFIELDS, $postParams); it is valid POST request but another type than Apple expects but lazy apple developers are not able to provide error that this type of POST request is unsupported.