
Apple Sign-In Fails: OIDC Issuer Mismatch (appleid.apple.com vs account.apple.com)

Open ramtiin opened this issue 7 months ago • 24 comments

Bug report

  • [✔️] I confirm this is a bug with Supabase, not with my own application.
  • [✔️] I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

Apple Native Sign-In fails on iOS with Supabase Auth KMP when using compose-auth plugin.

The login flow breaks with the following error: oidc: issuer did not match the issuer returned by provider, expected "https://appleid.apple.com" got "https://account.apple.com"

This appears to be caused by a change on Apple’s side, where their ID token now uses https://account.apple.com as the issuer. However, Supabase still expects the old issuer value (https://appleid.apple.com), causing a mismatch.

To Reproduce

  1. Set up Apple Sign-In as described in the Supabase Apple Auth docs.
  2. Run the app on an iOS device and initiate Sign in with Apple.
  3. After redirect, the Supabase client attempts to exchange the token.
  4. The request fails with: oidc: issuer did not match the issuer returned by provider

Expected behavior

Apple Sign-In should succeed. Supabase should accept https://account.apple.com as a valid issuer, since Apple appears to have updated this value.

Screenshots

Client log:

Uncaught Kotlin exception: io.github.jan.supabase.auth.exception.AuthRestException: unexpected_failure (Unexpected failure, please check server logs for more information: unexpected_failure)
URL: https://********.supabase.co/auth/v1/token?grant_type=id_token&redirect_to=*****%3A%2F%2Foauth%2Fcallback
Headers: [Authorization=[Bearer ********], X-Client-Info=[supabase-kt/3.2.0-beta-2], Accept=[application/json], Accept-Charset=[UTF-8]]
Http Method: POST

Server Log:

{
  "event_message": "{\"component\":\"api\",\"error\":\"oidc: issuer did not match the issuer returned by provider, expected \\\"https://appleid.apple.com\\\" got \\\"https://account.apple.com\\\"\",\"grant_type\":\"id_token\",\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unhandled server error: oidc: issuer did not match the issuer returned by provider, expected \\\"https://appleid.apple.com\\\" got \\\"https://account.apple.com\\\"\",\"path\":\"/token\",\"referer\":\"ai.****://oauth/callback\",\"remote_addr\":\"*******\",\"request_id\":\"94ddb857******\",\"time\":\"2025-06-11******\"}",
  "id": "61787f****e81f",
  "metadata": [
    {
      "host": "db-zbkhm******",
      "component": "api",
      "_SYSTEMD_CGROUP": null,
      "grant_type": "id_token",
      "request_id": "94dd******",
      "mail_from": null,
      "message": null,
      "_SOURCE_REALTIME_TIMESTAMP": null,
      "PRIORITY": null,
      "_AUDIT_LOGINUID": null,
      "panic": null,
      "metering": null,
      "UNIT": null,
      "event": null,
      "SYSLOG_FACILITY": null,
      "msg": "Unhandled server error: oidc: issuer did not match the issuer returned by provider, expected \"https://appleid.apple.com\" got \"https://account.apple.com\"",
      "mail_type": null,
      "EXECUTABLE": null,
      "user_id": null,
      "_CMDLINE": null,
      "action": null,
      "auth_event": [],
      "level": "error",
      "_PID": null,
      "path": "/token",
      "duration": null,
      "_COMM": null,
      "sso_provider_id": null,
      "header": null,
      "_MACHINE_ID": null,
      "login_method": null,
      "_STREAM_ID": null,
      "source_type": null,
      "_LINE_BREAK": null,
      "_EXE": null,
      "_AUDIT_SESSION": null,
      "_TRANSPORT": null,
      "x_forwarded_proto": null,
      "time": null,
      "mail_to": null,
      "_GID": null,
      "stack": null,
      "x_forwarded_host": null,
      "saml_entity_id": null,
      "status": null,
      "_UID": null,
      "valid_until": null,
      "method": "POST",
      "CODE_FILE": null,
      "remote_addr": "*******",
      "provider": null,
      "_SYSTEMD_UNIT": null,
      "issuer": null,
      "error": "oidc: issuer did not match the issuer returned by provider, expected \"https://appleid.apple.com\" got \"https://account.apple.com\"",
      "client_id": null,
      "MESSAGE_ID": null,
      "url": null,
      "referer": "ai.*****://oauth/callback",
      "_SYSTEMD_INVOCATION_ID": null,
      "CODE_FUNC": null,
      "_BOOT_ID": null,
      "INVOCATION_ID": null,
      "__MONOTONIC_TIMESTAMP": null,
      "timestamp": null,
      "__REALTIME_TIMESTAMP": null,
      "CODE_LINE": null,
      "_SYSTEMD_SLICE": null,
      "count": null,
      "instance_id": null,
      "args": [],
      "SYSLOG_IDENTIFIER": null,
      "metadata": [],
      "_CAP_EFFECTIVE": null,
      "factor_id": null,
      "_SELINUX_CONTEXT": null,
      "expires_in": null,
      "version": null,
      "project": null
    }
  ],
  "timestamp": 1749609379000000
}

System information

  • OS: iOS 16 & 18 (Simulator)
  • Platform: Kotlin Multiplatform (KMP), iOS target
  • Version of Supabase KMP library: 3.2.0-beta-2

Additional context

This bug affects production login flows and seems to be caused by a recent Apple update. A temporary fix may involve allowing multiple acceptable issuer URLs in Supabase Auth configuration for Apple.

Please advise on a workaround or timeline for an official fix.

ramtiin Jun 11 '25 02:06
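The multi-issuer workaround proposed in the report, as an added Go example that is not Supabase Auth's own code: it reads the claims of a constructed Apple-style ID token and checks the issuer against an allowlist holding both hostnames from the error message, while still enforcing the audience and expiry checks. The names (Claims, DecodePayload, VerifyClaims) and the client ID used in comments are assumptions, and signature verification against Apple's JWKS is assumed to have happened before these claim checks run.

```go
package main
import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of ID token claims checked here (Apple sends aud as a plain string).
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}
// AcceptedAppleIssuers holds both issuer values from the report; only list issuers whose tokens verify against the same trusted Apple JWKS.
var AcceptedAppleIssuers = map[string]bool{
	"https://appleid.apple.com": true,
	"https://account.apple.com": true,
}
var ErrIssuerMismatch = errors.New("oidc: issuer did not match any accepted issuer")

// DecodePayload reads the claims segment of a compact JWS (header.payload.signature).
// It does not verify the signature; verify that against the provider JWKS before trusting claims.
func DecodePayload(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("oidc: malformed compact token")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	return c, json.Unmarshal(raw, &c)
}

// VerifyClaims swaps the single expected-issuer string for an allowlist but keeps audience (app client ID) and expiry checks.
func VerifyClaims(c Claims, accepted map[string]bool, clientID string, nowUnix int64) error {
	if !accepted[c.Iss] {
		return fmt.Errorf("%w: got %q", ErrIssuerMismatch, c.Iss)
	}
	if c.Aud != clientID {
		return fmt.Errorf("oidc: audience %q does not match client %q", c.Aud, clientID)
	}
	if nowUnix >= c.Exp {
		return errors.New("oidc: token expired")
	}
	return nil
}
```

With a single-entry allowlist of https://appleid.apple.com the check fails exactly as the server log shows; with both entries the same token passes, and an unrelated issuer or wrong audience is still rejected.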