Apple Federated IdP - Does native (vs web) also support exchanging "authorization code" for tokens?

0

We have a mobile application that uses Cognito for user authentication and authorization. We recently added the option to sign in via Apple as a Federated Identity. When using the Cognito "/oauth2/authorize" endpoint, we receive an "authorization code" that we can successfully exchange at Cognito's "/oauth2/token" endpoint for tokens (i.e. access token, ID token, refresh token).

But, when we try to do a native Apple SignIn (on e.g. an iPhone), we run into some difficulties. Native SignIn also works just fine, and we receive the "authorization code" directly from Apple. Unfortunately, we haven't yet managed to exchange that code for Cognito tokens (i.e. access token, ID token, refresh token).

According to the AWS documentation for the Token Endpoint, for the "authorization_code" grant, the request also needs to include the "client_id" as well as the "redirect_uri". For the native SignIn, I would assume that the latter is just an empty string, isn't it? But what about the "client_id"? Is the "client_id" supposed to be the "Service ID" from our Apple Developer Account, or something else?

So, basically, my questions are:

  1. Is it possible to exchange the "authorization_code" for tokens when the code came from a native (vs web) Apple SignIn?
  2. Which values for "client_id" and "redirect_uri" am I supposed to use for that?

Many thanks in advance for every reply!
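For reference, this is the web-flow exchange the question describes (an authorization code obtained from Cognito's "/oauth2/authorize", redeemed at "/oauth2/token" with the "authorization_code" grant). It is an added example, not code from the original post, and it does not address the native-Apple case the question asks about; the domain, client ID, secret, code and callback URI below are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode


def build_token_request(domain, client_id, code, redirect_uri,
                        client_secret=None, code_verifier=None):
    """Build the POST that exchanges a Cognito authorization code for tokens.

    Returns (url, headers, body). The body is form-encoded as the Cognito token
    endpoint expects. If the app client has a secret, it goes in an HTTP Basic
    Authorization header (client_id:client_secret), not in the body.
    """
    params = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        # Must match the redirect_uri sent to /oauth2/authorize, byte for byte.
        "redirect_uri": redirect_uri,
    }
    if code_verifier:
        # PKCE: only when the authorize request carried a code_challenge.
        params["code_verifier"] = code_verifier
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret:
        creds = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    return f"https://{domain}/oauth2/token", headers, urlencode(params)


def parse_token_response(body_text):
    """Return the three tokens from a successful response, or raise ValueError.

    A failed exchange carries an "error" field instead of tokens (for example
    invalid_grant when code, client_id or redirect_uri do not match the
    original authorize request).
    """
    data = json.loads(body_text)
    if "error" in data:
        raise ValueError(f"token endpoint error: {data['error']}")
    wanted = ("access_token", "id_token", "refresh_token")
    missing = [k for k in wanted if k not in data]
    if missing:
        raise ValueError("response lacks " + ", ".join(missing))
    return {k: data[k] for k in wanted}


if __name__ == "__main__":
    # Constructed placeholder values; no network call is made here.
    url, hdrs, body = build_token_request(
        "example.auth.eu-central-1.amazoncognito.com", "abc123",
        "code-xyz", "myapp://callback", client_secret="s3cret")
    print(url, hdrs, body)
```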

1 Answer
0

Hi,

Did you exactly follow the guidance of the public documentation?

See https://docs.aws.amazon.com/cognito/latest/developerguide/apple.html

Best,

Didier

AWS
EXPERT
answered 3 days ago
  • Hi Didier. Thanks. Yes, we did. Our Identity Pool is also configured as described in the documentation you mentioned.

    The way described there works (also with native Apple SignIn), but then we would just get an ID token, whereas we are additionally interested in the access token and refresh token. (Which we already get with the "Apple Web SignIn" approach, but not with the native one.)

    So, my initial question is more related to Cognito UserPools instead of just Identity Pools, I guess.
