Apple oauth testing with postman error
# support-questions
f
Apple oauth testing with postman error
Hello again, sorry to bother you. I'm not sure I can understand how the apple oauth flow works. I'm testing on postman and so far there is only one way I can make it work: 1. GET request to
/auth/authorisationurl?thirdPartyId=apple
, it returns the link appending
redirect_uri=https://evt-api-dev.revod.cloud/auth/callback/apple
. 2. I click on the URL and insert my apple id credentials. 3. It correctly redirects me to the uri shown above, performing a POST request (I'm aware apple redirects with POST). 4. That URL seems to be this one https://app.swaggerhub.com/apis/supertokens/FDI/1.13.0#/ThirdPartyPasswordless%20Recipe/thirdPartyPasswordlessCallbackApple. First question: what does this URL do?
Copy code
html
<!-- response I get from a POST to the above URL -->
<html>

<head>
    <script>
        window.location.replace("http://localhost:8000/auth/callback/apple?state=undefined&code=mycodehere");
    </script>
</head>

</html>
It looks like I'm always redirected to localhost, but what is this exactly? Is it trying to mask the POST request to a GET request on the webclient which is handling it? Then why it doesn't have the webclient URL instead of localhost? 5. I'm on postman so I ignore every redirect, what I do is take the
code
and use it in the following request: https://prnt.sc/Jhc4_VxgO8ZT. Everything works flawlessly, it generates the session and I'm logged in.
Here is case B: 1. GET request to
/auth/authorisationurl?thirdPartyId=apple&redirect_uri=https://evt-api-dev.revod.cloud/redirect
, it returns the link appending the redirect_uri I provided (I allowed this overriding the apis). NOTE: I need to change the URL because I need to redirect the user to a final destination whose protocol is not http, it's a native phone app one. 2. I click on the URL and insert my apple id credentials. 3. It correctly redirects me to the uri shown above:
https://evt-api-dev.revod.cloud/redirect
4. I ignore the redirect because I'm not handling it, so I perform a POST request to `/auth/signinup`: https://prnt.sc/L5JBKD_kC6Yb 5. Again, as @nkshah2 has seen yesterday, 400 error: https://prnt.sc/RZjHCS5B11Gy. Second question, look at the image, where is he taking that URL it expects the redirect on? https://prnt.sc/0hfKB_aUQ3B_ even like this it doesn't work.
r
The html returned essentially simulates other OAuth flows (for example from google) where they redirect the user to the frontend app with the auth code. That page then calls the /signinup api with that code and logs the user in. The reason it is localhost is probably cause that’s the websiteDomain you set on your backend?
I don’t think I clearly understood the second case
n
@FrAgOrDiE If I understand correctly, in the second case you used
https://evt-api-dev.revod.cloud/redirect
as the redirect uri when trying to login with Apple But when you call
/signinup
you are using a different URL in the request params
That seems like the case because Apple complains about a redirect uri mismatch (which is true because you are using two different URLs)
When calling
/signinup
you should be using the same redirect uri you are using in step 1
f
Ok thank you, however which is the api override that can dynamically change that URL?
r
AppleRedirectHandlerPOST
If you override it, you will have to send the whole response yourself since the originalImplemetion sends the response to the client
But that should be simple enough to do. You can copy the code from the SDK
f
Thank you, I've been able to implement this.
Where am I missing to insert the url
https://evt-api-dev.revod.cloud/redirect
?
r
@nkshah2
f
n
I think the screenshot order got messed up in your previous messages, can you walk through case B once from scratch and post all the screenshots
There you go, it's very simple actually
n
And does Apple return a redirect uri mismatch for that one too?
f
yes! It returns this https://prnt.sc/RZjHCS5B11Gy
I'm trying that again to double check
n
Please post the request config for that as well
I have no idea of what is setting that callback_uri https://prnt.sc/edcWCIwhc0yE
n
strange, give me a bit
@FrAgOrDiE So yeah that flow will not be possible if you use the built in Apple provider. You could use a custom third party provider to solve this problem though (You can refer to the code here:https://github.com/supertokens/supertokens-node/blob/9.2/lib/ts/recipe/thirdparty/providers/apple.ts for setting the values) The SDK always uses that URL as the redirect uri for the built in apple provider
f
ohhhh that makes sense
so,
n
This page explains how to add custom providers: https://supertokens.com/docs/thirdpartypasswordless/common-customizations/signup-form/custom-providers You can use the Github link I sent when setting the values. You can then use the redirect uri you are using in your auth flow and it will work fine
f
Ok I'm getting it, sorry can you point me out the place where I'm supposed to override the
redirect_uri
? Is it the function
getRedirectURI
? https://github.com/supertokens/supertokens-node/blob/9.2/lib/ts/recipe/thirdparty/providers/apple.ts#L140
n
getRedirectURI
correct
f
I might have came up with a better alternative in order to redirect the user to
custom-protocol://callback/apple
. I will make the user insert an additional parameter in this request: https://prnt.sc/hSbsaCEl1lgj So, overriding
appleRedirectHandlerPOST
I read that parameter from the express request and I replace the html script url with that one. What do you think about this approach?
Looks clean to me because I don't even have to pass that variable through handlers via userContext
n
This conversation probably belongs on Github, mind opening an issue about this on the supertokens-node repository? We can move this forward from there (discussions about API specs usually involve more thought and Github is a better forum for that sort of discussion)
f
Sure thing! I'm going to do so later on today
n
Awesome, thanks!
4 Views