fix: force AuthStyleInParams for Apple OAuth token exchange

appflowy · claude · appflowy · commit 1efeae17fb80 · 2026-04-24T22:15:18.000+08:00
Apple's /auth/token requires client_id and client_secret in the form
body (the client_secret is itself a JWT). go-oidc's Endpoint() leaves
AuthStyle as Unknown, which makes oauth2 probe AuthStyleInHeader first.
Apple rejects the Basic-auth attempt AND invalidates the authorization
code on that first call, so the subsequent AuthStyleInParams retry
fails with "invalid_grant".

Setting AuthStyleInParams on the endpoint skips the bad probe and goes
directly to the form-body mode Apple wants.

Also drop the long-standing oauth2.SetAuthURLParam("secret", ...) call:
Apple expects client_secret, not secret, and the oauth2 library now
adds the correct client_secret automatically when AuthStyleInParams is
set. The explicit client_id override is equally redundant.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/internal/api/provider/apple.go b/internal/api/provider/apple.go
@@ -102,11 +102,18 @@ func NewAppleProvider(ctx context.Context, ext conf.OAuthProviderConfiguration,
 		return nil, err
 	}
 
+	// Apple's /auth/token requires client_id and client_secret in the form body
+	// (client_secret is itself a JWT). go-oidc's Endpoint() returns AuthStyleUnknown,
+	// which makes oauth2 probe AuthStyleInHeader first — Apple invalidates the code
+	// on that first attempt, so the InParams retry fails with "invalid_grant".
+	endpoint := oidcProvider.Endpoint()
+	endpoint.AuthStyle = oauth2.AuthStyleInParams
+
 	return &AppleProvider{
 		Config: &oauth2.Config{
 			ClientID:     ext.ClientID[0],
 			ClientSecret: ext.Secret,
-			Endpoint:     oidcProvider.Endpoint(),
+			Endpoint:     endpoint,
 			Scopes: []string{
 				"email",
 				"name",
@@ -119,12 +126,7 @@ func NewAppleProvider(ctx context.Context, ext conf.OAuthProviderConfiguration,
 
 // GetOAuthToken returns the apple provider access token
 func (p AppleProvider) GetOAuthToken(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error) {
-	appleOpts := []oauth2.AuthCodeOption{
-		oauth2.SetAuthURLParam("client_id", p.ClientID),
-		oauth2.SetAuthURLParam("secret", p.ClientSecret),
-	}
-	appleOpts = append(appleOpts, opts...)
-	return p.Exchange(context.Background(), code, appleOpts...)
+	return p.Exchange(context.Background(), code, opts...)
 }
 
 func (p AppleProvider) RequiresPKCE() bool {
