Description
Bug report
- [✔️] I confirm this is a bug with Supabase, not with my own application.
- [✔️] I confirm I have searched the Docs, GitHub Discussions, and Discord.
Describe the bug
Apple Native Sign-In fails on iOS with Supabase Auth KMP when using compose-auth plugin.
The login flow breaks with the following error:
oidc: issuer did not match the issuer returned by provider, expected "https://appleid.apple.com" got "https://account.apple.com"
This appears to be caused by a change on Apple’s side, where their ID token now uses https://account.apple.com as the issuer. However, Supabase still expects the old issuer value (https://appleid.apple.com), causing a mismatch.
To Reproduce
- Set up Apple Sign-In as described in the Supabase Apple Auth docs.
- Run the app on an iOS device and initiate Sign in with Apple.
- After redirect, the Supabase client attempts to exchange the token.
- The request fails with:
oidc: issuer did not match the issuer returned by provider
Expected behavior
Apple Sign-In should succeed. Supabase should accept https://account.apple.com as a valid issuer, since Apple appears to have updated this value.
Screenshots
Client log:
Uncaught Kotlin exception: io.github.jan.supabase.auth.exception.AuthRestException: unexpected_failure (Unexpected failure, please check server logs for more information: unexpected_failure)
URL: https://********.supabase.co/auth/v1/token?grant_type=id_token&redirect_to=*****%3A%2F%2Foauth%2Fcallback
Headers: [Authorization=[Bearer ********], X-Client-Info=[supabase-kt/3.2.0-beta-2], Accept=[application/json], Accept-Charset=[UTF-8]]
Http Method: POST
Server Log:
{
"event_message": "{\"component\":\"api\",\"error\":\"oidc: issuer did not match the issuer returned by provider, expected \\\"https://appleid.apple.com\\\" got \\\"https://account.apple.com\\\"\",\"grant_type\":\"id_token\",\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unhandled server error: oidc: issuer did not match the issuer returned by provider, expected \\\"https://appleid.apple.com\\\" got \\\"https://account.apple.com\\\"\",\"path\":\"/token\",\"referer\":\"ai.****://oauth/callback\",\"remote_addr\":\"*******\",\"request_id\":\"94ddb857******\",\"time\":\"2025-06-11******\"}",
"id": "61787f****e81f",
"metadata": [
{
"host": "db-zbkhm******",
"component": "api",
"_SYSTEMD_CGROUP": null,
"grant_type": "id_token",
"request_id": "94dd******",
"mail_from": null,
"message": null,
"_SOURCE_REALTIME_TIMESTAMP": null,
"PRIORITY": null,
"_AUDIT_LOGINUID": null,
"panic": null,
"metering": null,
"UNIT": null,
"event": null,
"SYSLOG_FACILITY": null,
"msg": "Unhandled server error: oidc: issuer did not match the issuer returned by provider, expected \"https://appleid.apple.com\" got \"https://account.apple.com\"",
"mail_type": null,
"EXECUTABLE": null,
"user_id": null,
"_CMDLINE": null,
"action": null,
"auth_event": [],
"level": "error",
"_PID": null,
"path": "/token",
"duration": null,
"_COMM": null,
"sso_provider_id": null,
"header": null,
"_MACHINE_ID": null,
"login_method": null,
"_STREAM_ID": null,
"source_type": null,
"_LINE_BREAK": null,
"_EXE": null,
"_AUDIT_SESSION": null,
"_TRANSPORT": null,
"x_forwarded_proto": null,
"time": null,
"mail_to": null,
"_GID": null,
"stack": null,
"x_forwarded_host": null,
"saml_entity_id": null,
"status": null,
"_UID": null,
"valid_until": null,
"method": "POST",
"CODE_FILE": null,
"remote_addr": "*******",
"provider": null,
"_SYSTEMD_UNIT": null,
"issuer": null,
"error": "oidc: issuer did not match the issuer returned by provider, expected \"https://appleid.apple.com\" got \"https://account.apple.com\"",
"client_id": null,
"MESSAGE_ID": null,
"url": null,
"referer": "ai.*****://oauth/callback",
"_SYSTEMD_INVOCATION_ID": null,
"CODE_FUNC": null,
"_BOOT_ID": null,
"INVOCATION_ID": null,
"__MONOTONIC_TIMESTAMP": null,
"timestamp": null,
"__REALTIME_TIMESTAMP": null,
"CODE_LINE": null,
"_SYSTEMD_SLICE": null,
"count": null,
"instance_id": null,
"args": [],
"SYSLOG_IDENTIFIER": null,
"metadata": [],
"_CAP_EFFECTIVE": null,
"factor_id": null,
"_SELINUX_CONTEXT": null,
"expires_in": null,
"version": null,
"project": null
}
],
"timestamp": 1749609379000000
}
System information
- OS: iOS 16 & 18 (Simulator)
- Platform: Kotlin Multiplatform (KMP), iOS target
- Version of supabase KMP Library: 3.2.0-beta-2
Additional context
This bug affects production login flows and seems to be caused by a recent Apple update. A temporary fix may involve allowing multiple acceptable issuer URLs in Supabase Auth configuration for Apple.
Please advise on a workaround or timeline for an official fix.
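
The "multiple acceptable issuer URLs" idea from the Additional context section, sketched as an added example (not Supabase Auth's code and not part of the original report). `checkAppleIssuer` and `sampleToken` are hypothetical names, the tokens are constructed and unsigned, and signature verification is assumed to happen before this check.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Exact-match allowlist: the two issuer strings quoted in the error message.
var appleIssuers = map[string]bool{
	"https://appleid.apple.com": true,
	"https://account.apple.com": true,
}

// checkAppleIssuer reads "iss" from a compact ID token and accepts it only on a
// byte-for-byte allowlist match. Assumption: the signature was verified earlier.
func checkAppleIssuer(idToken string) (string, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("oidc: malformed ID token")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", fmt.Errorf("oidc: bad payload encoding: %w", err)
	}
	var claims struct{ Iss string `json:"iss"` }
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", fmt.Errorf("oidc: bad payload JSON: %w", err)
	}
	// No prefix, suffix or host-only comparison: look-alike issuers must fail.
	if !appleIssuers[claims.Iss] {
		return "", fmt.Errorf("oidc: issuer %q is not an accepted Apple issuer", claims.Iss)
	}
	return claims.Iss, nil
}

// sampleToken builds a constructed, unsigned token for the demo (hypothetical helper).
func sampleToken(iss string) string {
	body, _ := json.Marshal(map[string]string{"iss": iss})
	return "e30." + base64.RawURLEncoding.EncodeToString(body) + ".sig"
}

func main() {
	for _, iss := range []string{"https://account.apple.com", "https://account.apple.com.example.test"} {
		_, err := checkAppleIssuer(sampleToken(iss))
		fmt.Printf("%-40s rejected=%v\n", iss, err != nil)
	}
}
```

Keeping the comparison exact means a trailing slash, an `http://` scheme or a longer host that merely starts with the Apple name is still rejected while both issuer values are accepted.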