Apple Sign-In Fails: OIDC Issuer Mismatch (appleid.apple.com vs account.apple.com)
Bug report
- [✔️] I confirm this is a bug with Supabase, not with my own application.
- [✔️] I confirm I have searched the Docs, GitHub Discussions, and Discord.
Describe the bug
Apple Native Sign-In fails on iOS with Supabase Auth KMP when using compose-auth plugin.
The login flow breaks with the following error:
oidc: issuer did not match the issuer returned by provider, expected "https://appleid.apple.com" got "https://account.apple.com"
This appears to be caused by a change on Apple’s side, where their ID token now uses https://account.apple.com as the issuer. However, Supabase still expects the old issuer value (https://appleid.apple.com), causing a mismatch.
To Reproduce
- Set up Apple Sign-In as described in the Supabase Apple Auth docs.
- Run the app on an iOS device and initiate Sign in with Apple.
- After redirect, the Supabase client attempts to exchange the token.
- The request fails with:
oidc: issuer did not match the issuer returned by provider
Expected behavior
Apple Sign-In should succeed. Supabase should accept https://account.apple.com as a valid issuer, since Apple appears to have updated this value.
Screenshots
Client log:
Uncaught Kotlin exception: io.github.jan.supabase.auth.exception.AuthRestException: unexpected_failure (Unexpected failure, please check server logs for more information: unexpected_failure)
URL: https://********.supabase.co/auth/v1/token?grant_type=id_token&redirect_to=*****%3A%2F%2Foauth%2Fcallback
Headers: [Authorization=[Bearer ********], X-Client-Info=[supabase-kt/3.2.0-beta-2], Accept=[application/json], Accept-Charset=[UTF-8]]
Http Method: POST
Server Log:
{
"event_message": "{\"component\":\"api\",\"error\":\"oidc: issuer did not match the issuer returned by provider, expected \\\"https://appleid.apple.com\\\" got \\\"https://account.apple.com\\\"\",\"grant_type\":\"id_token\",\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Unhandled server error: oidc: issuer did not match the issuer returned by provider, expected \\\"https://appleid.apple.com\\\" got \\\"https://account.apple.com\\\"\",\"path\":\"/token\",\"referer\":\"ai.****://oauth/callback\",\"remote_addr\":\"*******\",\"request_id\":\"94ddb857******\",\"time\":\"2025-06-11******\"}",
"id": "61787f****e81f",
"metadata": [
{
"host": "db-zbkhm******",
"component": "api",
"_SYSTEMD_CGROUP": null,
"grant_type": "id_token",
"request_id": "94dd******",
"mail_from": null,
"message": null,
"_SOURCE_REALTIME_TIMESTAMP": null,
"PRIORITY": null,
"_AUDIT_LOGINUID": null,
"panic": null,
"metering": null,
"UNIT": null,
"event": null,
"SYSLOG_FACILITY": null,
"msg": "Unhandled server error: oidc: issuer did not match the issuer returned by provider, expected \"https://appleid.apple.com\" got \"https://account.apple.com\"",
"mail_type": null,
"EXECUTABLE": null,
"user_id": null,
"_CMDLINE": null,
"action": null,
"auth_event": [],
"level": "error",
"_PID": null,
"path": "/token",
"duration": null,
"_COMM": null,
"sso_provider_id": null,
"header": null,
"_MACHINE_ID": null,
"login_method": null,
"_STREAM_ID": null,
"source_type": null,
"_LINE_BREAK": null,
"_EXE": null,
"_AUDIT_SESSION": null,
"_TRANSPORT": null,
"x_forwarded_proto": null,
"time": null,
"mail_to": null,
"_GID": null,
"stack": null,
"x_forwarded_host": null,
"saml_entity_id": null,
"status": null,
"_UID": null,
"valid_until": null,
"method": "POST",
"CODE_FILE": null,
"remote_addr": "*******",
"provider": null,
"_SYSTEMD_UNIT": null,
"issuer": null,
"error": "oidc: issuer did not match the issuer returned by provider, expected \"https://appleid.apple.com\" got \"https://account.apple.com\"",
"client_id": null,
"MESSAGE_ID": null,
"url": null,
"referer": "ai.*****://oauth/callback",
"_SYSTEMD_INVOCATION_ID": null,
"CODE_FUNC": null,
"_BOOT_ID": null,
"INVOCATION_ID": null,
"__MONOTONIC_TIMESTAMP": null,
"timestamp": null,
"__REALTIME_TIMESTAMP": null,
"CODE_LINE": null,
"_SYSTEMD_SLICE": null,
"count": null,
"instance_id": null,
"args": [],
"SYSLOG_IDENTIFIER": null,
"metadata": [],
"_CAP_EFFECTIVE": null,
"factor_id": null,
"_SELINUX_CONTEXT": null,
"expires_in": null,
"version": null,
"project": null
}
],
"timestamp": 1749609379000000
}
System information
- OS: iOS 16 & 18 (Simulator)
- Platform: Kotlin Multiplatform (KMP), iOS target
- Version of supabase KMP Library: 3.2.0-beta-2
Additional context
This bug affects production login flows and seems to be caused by a recent Apple update. A temporary fix may involve allowing multiple acceptable issuer URLs in Supabase Auth configuration for Apple.
Please advise on a workaround or timeline for an official fix.
Hi, it seems like Apple has updated their OIDC discovery endpoint to use account.apple.com as the issuer. This is evident from https://appleid.apple.com/.well-known/openid-configuration being redirected to https://account.apple.com/.well-known/openid-configuration
Supabase Swift SDK is affected as well.
@aleksUIX @ramtiin We're working on a fix for this now. Can you please open a ticket at https://supabase.help? This will help us with targeting the rollout to the affected projects quickly.
Is there a timeline on this fix?
Or is there a workaround?
Was there no warning from Apple that they were doing this?
I am the same way. Just got rejected due to Apple's review. The users were not affected, was this a good thing? 🤔
It doesn't make a difference, this problem is occurring on live production apps.
I hope that this issue is going to be fixed soon. Signing in with Apple is a main component of our app.
I wonder if it's possible for supabase/auth to dynamically get the issuer from Apple? It would prevent a problem like this from occurring in the future.
I hope this gets fixed as soon as possible
Well damn.
Fix soon please. Apple sign-in is our way to sign in!!
It's working well now.
Still same error for me currently.
The fix has been rolled out to most projects already, with the exception of any new projects being created, because that follows a different deployment process which we are working on.
If you're still running into issues, please hang tight and reach out to us at https://supabase.help if you're still seeing it after some time.
And yeah, there wasn't any warning from Apple unfortunately :/ Even their docs still say to use https://appleid.apple.com as the issuer: https://developer.apple.com/documentation/signinwithapple/verifying-a-user
@f-bog At least in our app, the problem was we do fetch from Apple the new issuer, but the tokens Apple gave the users still say they are issued by the old domain.
@noamgeller1024 Yeah, in our app we were getting the correct issuer from Apple. But I believe the issuer being used by signInWithIdToken was probably a static value. But I could be wrong, just an assumption.
Also somebody should make a complaint to Apple. This kind of thing is silly coming from a Fortune 500 company.
Is this resolved? Or do we need to do something about the projects?
@noamgeller1024 we experienced (and are still experiencing) the same issue, JWTs are returned with an issuer of appleid.apple.com but appleid.apple.com/.well-known/openid-configuration returns account.apple.com
For now our workaround has been to override the issuer, but expecting that to break shortly.
Commenting here since at least from what I can see this seems to be the only discussion of the issue online.
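Added example, not part of any comment in this thread and not Supabase's or go-oidc's code: the situation described above, where the discovery document and the issued tokens name different issuers, handled by an exact-match check against a pinned set of accepted issuers rather than a single value. The accepted set (the two issuer strings quoted in this thread) and all function names are assumptions for illustration; signature, audience and expiry verification are assumed to happen separately.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)
// Assumption: the two issuer values quoted in this thread form the accepted set.
var appleIssuers = []string{"https://appleid.apple.com", "https://account.apple.com"}

// unverifiedIssuer reads "iss" from a compact JWT without checking the signature;
// the token must still pass signature, aud and exp checks before it is trusted.
func unverifiedIssuer(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("not a compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var claims struct{ Iss string `json:"iss"` }
	err = json.Unmarshal(payload, &claims)
	return claims.Iss, err
}

// checkIssuer compares byte-for-byte, so suffix, scheme or slash variants fail.
func checkIssuer(iss string) error {
	for _, ok := range appleIssuers {
		if iss == ok {
			return nil
		}
	}
	return fmt.Errorf("oidc: issuer %q is not in the accepted set", iss)
}

// sampleToken builds a constructed, unsigned token used only by this demo.
func sampleToken(iss string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"typ":"JWT"}`)) + "." + enc([]byte(`{"iss":"`+iss+`"}`)) + ".sig"
}

func main() {
	for _, iss := range append(appleIssuers, "https://account.apple.com.example.test") {
		got, _ := unverifiedIssuer(sampleToken(iss))
		fmt.Println(got, "->", checkIssuer(got))
	}
}
```
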
Why can't we use Face ID or Touch ID for sign-in anymore?
Thanks for fixing this fast 🚀
The Apple Sign-In popup no longer appears; iOS users get redirected to account.apple.com.
I have generated another JWT token with account.apple.com instead of appleid.apple.com, and Supabase shows me that my JWT is not generated correctly.
Experiencing the same issue @obeliskgroup. Feels like bad UX that we're not showing the popup. How did you fix it so the popup appears?