Apple has changed OIDC issuer without notice

[TerraNibble]

Provider type

Apple

Environment

❯ bun pm ls --all | grep next
REDACTED
├── @chakra-ui/next-js@2.2.0
├── @next/bundle-analyzer@13.5.6
├── @next/env@14.2.25
├── @next/eslint-plugin-next@13.4.19
├── @next/swc-darwin-arm64@14.2.25
├── @next/swc-darwin-x64@14.2.25
├── @next/swc-linux-arm64-gnu@14.2.25
├── @next/swc-linux-arm64-musl@14.2.25
├── @next/swc-linux-x64-gnu@14.2.25
├── @next/swc-linux-x64-musl@14.2.25
├── @next/swc-win32-arm64-msvc@14.2.25
├── @next/swc-win32-ia32-msvc@14.2.25
├── @next/swc-win32-x64-msvc@14.2.25
├── @polka/url@1.0.0-next.25
├── @sentry/nextjs@7.119.0
├── cookies-next@4.2.1
├── eslint-config-next@13.4.19
│   ├── resolve@2.0.0-next.5
├── next@14.2.25
├── next-auth@4.24.11

Reproduction URL

https://github.com/TerraNibble/next-auth-example

Describe the issue

Apple seems to have changed their expected OIDC issuer without any notice.

Observing the following error:

[next-auth][error][OAUTH_CALLBACK_ERROR]
https://next-auth.js.org/errors#oauth_callback_error unexpected iss value, expected https://account.apple.com/, got: https://appleid.apple.com/ {
error: i: unexpected iss value, expected https://account.apple.com/, got: https://appleid.apple.com/
at Y.validateJWT (/var/task/apps/.../.next/server/chunks/3092.js:34:8997)
at Y.validateIdToken (/var/task/apps/.../.next/server/chunks/3092.js:34:6766)
at Y.callback (/var/task/apps/.../.next/server/chunks/3092.js:34:3008)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async l (/var/task/apps/.../.next/server/chunks/3092.js:1:119414)
at async Object.c (/var/task/apps/.../.next/server/chunks/3092.js:25:783)
at async _ (/var/task/apps/.../.next/server/chunks/3092.js:1:103189)
at async a (/var/task/apps/.../.next/server/chunks/3092.js:25:19776)
at async e.length.t (/var/task/apps/.../.next/server/chunks/3092.js:25:21265)
at async /var/task/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:38411 {
name: 'OAuthCallbackError',
code: undefined
},
providerId: 'apple',
message: 'unexpected iss value, expected https://account.apple.com/, got: https://appleid.apple.com/'
}

How to reproduce

Setup an Apple provider sign in with the default expected setup. Attempt login.

Expected behavior

Successful Apple OIDC login.

[AntFrasier]

We’re encountering the exact same issue using next-auth@5.0.0-beta.25 with the Apple provider.

• The discovery document (https://appleid.apple.com/.well-known/openid-configuration) now returns:
  "issuer": "https://account.apple.com"
• But the id_token returned still contains:
  "iss": "https://appleid.apple.com"

We tried forcing issuer: "https://account.apple.com" and wellKnown: "https://acount.apple.com/.well-known/openid-configuration" in the provider config.

While that bypasses the discovery mismatch, the callback still fails due to the iss claim not matching the expected issuer (account.apple.com) during token validation.

Looking forward to any guidance or a way to handle this case.

[Kolahzary]

We have the same problem, tried to change the audience but it did not fix anything, waiting for a solution or a hacky way to fix it temporarily.

[Kolahzary]

We tried the following pnpm patch on next-auth but it did NOT work (replacing every appleid.apple.com with account.apple.com):

diff --git a/providers/apple.d.ts b/providers/apple.d.ts
index f14a75bb11a87195fc5164fc0a2e1f3543670fc7..721972f3a28af318f35cf3e06054c56490202df2 100644
--- a/providers/apple.d.ts
+++ b/providers/apple.d.ts
@@ -7,9 +7,9 @@ import { OAuthConfig, OAuthUserConfig } from ".";
 export interface AppleProfile extends Record<string, any> {
     /**
      * The issuer registered claim identifies the principal that issued the identity token.
-     * Since Apple generates the token, the value is `https://appleid.apple.com`.
+     * Since Apple generates the token, the value is `https://account.apple.com`.
      */
-    iss: "https://appleid.apple.com";
+    iss: "https://account.apple.com";
     /**
      * The audience registered claim identifies the recipient for which the identity token is intended.
      * Since the token is meant for your application, the value is the `client_id` from your developer account.
diff --git a/providers/apple.js b/providers/apple.js
index abedf429776db4326fa0b9da6351e011387f7a91..296030b4fcfb93a72462205e42b8a2ce85acf814 100644
--- a/providers/apple.js
+++ b/providers/apple.js
@@ -9,7 +9,7 @@ function Apple(options) {
     id: "apple",
     name: "Apple",
     type: "oauth",
-    wellKnown: "https://appleid.apple.com/.well-known/openid-configuration",
+    wellKnown: "https://account.apple.com/.well-known/openid-configuration",
     authorization: {
       params: {
         scope: "name email",
diff --git a/src/providers/apple.ts b/src/providers/apple.ts
index 21991f06ae3e06a9f740e033b0da00bb8b863083..e8fa2d2bfca84e2bbbfe1fea702a90bea9f2efa5 100644
--- a/src/providers/apple.ts
+++ b/src/providers/apple.ts
@@ -8,9 +8,9 @@ import { OAuthConfig, OAuthUserConfig } from "."
 export interface AppleProfile extends Record<string, any> {
   /**
    * The issuer registered claim identifies the principal that issued the identity token.
-   * Since Apple generates the token, the value is `https://appleid.apple.com`.
+   * Since Apple generates the token, the value is `https://account.apple.com`.
    */
-  iss: "https://appleid.apple.com"
+  iss: "https://account.apple.com"
   /**
    * The audience registered claim identifies the recipient for which the identity token is intended.
    * Since the token is meant for your application, the value is the `client_id` from your developer account.
@@ -103,7 +103,7 @@ export default function Apple<P extends AppleProfile>(
     id: "apple",
     name: "Apple",
     type: "oauth",
-    wellKnown: "https://appleid.apple.com/.well-known/openid-configuration",
+    wellKnown: "https://account.apple.com/.well-known/openid-configuration",
     authorization: {
       params: { scope: "name email", response_mode: "form_post" },
     },

However, it changed the error to a new one:

[next-auth][error][OAUTH_CALLBACK_ERROR] 
https://next-auth.js.org/errors#oauth_callback_error invalid_client {
  error: OPError: invalid_client

Stil trying random methods to see if it is solvable. we have tons of users with just login-with-apple and without any alternative login methods blocked in login. anybody has an idea about this issue?

[TerraNibble]

@Kolahzary - I am in a very similar position and have been experimenting with no luck. I have a production application with a LOT of Apple based users.

[TerraNibble]

Reference to changes for Supabase.
supabase/supabase#36319
supabase/auth#2051

[Kolahzary]

@TerraNibble
Apparently it started working again, try rolling back any changes that you have made and try again to see if it works with the previous setup.

• Apple Sign-In Fails: OIDC Issuer Mismatch (appleid.apple.com vs account.apple.com) supabase/auth#2051 (comment)

[TerraNibble]

Good shout!

https://appleid.apple.com/.well-known/openid-configuration has been reverted to "issuer": "https://appleid.apple.com".