Signin with Apple

Simple question:

STATUS QUO

  • I have a macOS app (bundle id: com.company.macOSApp1)
  • I have another macOS app (bundle id: com.company.macOSApp2)
  • I have an Apple ID
  • I have AppGroups enabled. macOSApp1 is the “main” app, macOSApp2 is an app-group member

WHAT DO I DO
I use “SignIn with Apple” on both platforms.

WHAT I EXPECT
Successful login on both platforms, the same Realm.currentUser after login on both platforms.

WHAT I GET
A weird error on macOSApp2.

Error: Error Domain=io.realm.app Code=5 "invalid id token: 'aud' must be a string containing the client_id" UserInfo={Error Code=5, Server Log URL=https://services.cloud.mongodb.com/groups/6076a58f1f0c0b349275ed61/apps/63467d90ca8441ddd2b23a6f/logs?co_id=65f97da7960934d66205cbc5, Error Name=AuthError, NSLocalizedDescription=invalid id token: 'aud' must be a string containing the client_id}

QUESTIONS
What’s going on here?
What does this error mean?
How do I do it “the right way”?

TL;DR

We found a solution using Custom JWT Authentication with Credentials.jwt(token:).

Detailed Explanation

What we did before

Previously, we used the authentication type Credentials.apple(idToken: String) to perform the login for the Atlas App Services. The AppleAuthenticationResult.identityToken returned during the Apple SignIn is used as the idToken.

This works as expected.
BUT: It only works with the app whose Bundle ID has been stored in the Apple Authentication Provider on Atlas. Any app groups (with this Bundle ID as main app) configured on the Apple side will not work! Realm simply does not support this.

What we do now

Instead of using the Authentication type Credentials.apple(idToken: String), we now use Credentials.jwt(token: String). Here, too, we pass the AppleAuthenticationResult.identityToken returned during the Apple SignIn. The difference to apple(idToken: String) SignIn is that when configuring the JWT Auth Service on the Atlas side, it is possible to define several Bundle IDs, i.e. different apps.

This makes it possible to always get the same Realm.User back from different apps of the Apple ecosystem with the same Apple ID.
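An added example, not part of the original posts and not Atlas or Realm code, that models the audience check behind the error above: a token minted for macOSApp2 carries that app's bundle ID in 'aud', so a verifier configured with only macOSApp1 as client_id rejects it, while an explicit allow-list of both bundle IDs accepts it. The function names, the 'sub' value and the unsigned tokens are constructed for illustration; a real verifier checks Apple's signature before trusting any claim.

```python
import base64
import json

# Bundle IDs from the post; everything else below is constructed sample data.
MAIN_APP = "com.company.macOSApp1"
GROUP_APP = "com.company.macOSApp2"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(aud: str) -> str:
    """Build an unsigned, constructed token shaped like an Apple identity token."""
    header = {"alg": "RS256", "kid": "SAMPLE"}
    # Assumption: both apps belong to one developer team, so 'sub' is identical.
    claims = {"iss": "https://appleid.apple.com", "aud": aud,
              "sub": "000000.sample-user.0000"}
    parts = [b64url(json.dumps(p).encode()) for p in (header, claims)]
    return ".".join(parts + ["constructed-signature"])


def read_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature (diagnostics only)."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWT")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_accepted(token: str, allowed: set[str]) -> bool:
    """True only if 'aud' is a string naming one of the allowed client IDs."""
    aud = read_claims(token).get("aud")
    return isinstance(aud, str) and aud in allowed


def diagnose() -> dict:
    tokens = {app: make_sample_token(app) for app in (MAIN_APP, GROUP_APP)}
    single, both = {MAIN_APP}, {MAIN_APP, GROUP_APP}
    return {
        "single_client_id": {a: audience_accepted(t, single) for a, t in tokens.items()},
        "allow_list": {a: audience_accepted(t, both) for a, t in tokens.items()},
        "same_sub": len({read_claims(t)["sub"] for t in tokens.values()}) == 1,
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(), indent=2))
```

Keep the allow-list limited to bundle IDs you control: every audience added is another app whose tokens the backend will accept as a login.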
