Failed execution for Auth.socialWebUISignInAPI with error: AuthError: Make sure that the amplify configuration passed to Auth plugin is valid

[ChurikiTenna]

Describe the bug

It is not a bug, I think I am doing something wrong.
I followed this steps to Sign in with Apple, but get this error:

Failed execution for Auth.socialWebUISignInAPI with error:
AuthError: Make sure that the amplify configuration passed to Auth plugin is valid

I have checked all the values are correct at least 3 times. What else do I need to check?

One concern, amplify update auth require key id before creating the actual key. how is it possible to get a Key id before creating them?

Steps To Reproduce

Steps to reproduce the behavior:
1. Create an App ID
2. Create a Service ID
3. Create a Key
4. Do this in terminal
% amplify update auth
Please note that certain attributes may not be overwritten if you choose to use defaults settings.

You have configured resources that might depend on this Cognito resource.  Updating this Cognito resource could have unintended side effects.

Using service: Cognito, provided by: awscloudformation
 What do you want to do? Apply default configuration with Social Provider (Feder
ation)
 What domain name prefix do you want to use? iris26e476d4-26e476d4
 Enter your redirect signin URI: iris://
? Do you want to add another redirect signin URI No
 Enter your redirect signout URI: iris://
? Do you want to add another redirect signout URI No
 Select the identity providers you want to configure for your user pool: Sign in
 with Apple
  
 You've opted to allow users to authenticate via Sign in with Apple. If you have
n't already, you'll need to go to https://developer.apple.com/account/#/welcome 
and configure Sign in with Apple. 
 
 Enter your Services ID for your OAuth flow:  com.zasso.iris
 Enter your Team ID for your OAuth flow:  86USSQ2K46
 Enter your Key ID for your OAuth flow:  4A772NX2MB
 Enter your Private Key for your OAuth flow (entire key without line breaks):  -
----BEGIN PRIVATE KEY-----MIG...EN-----END PRIVATE KEY-----
✅ Successfully updated AdminQueriese13453b3 function locally
✅ Successfully updated AdminQueries API locally
✅ Successfully updated auth resource iris1ef6f127 locally

✅ Some next steps:
"amplify push" will build all your local back...

✅ Successfully updated resource update locally

✅ Some next steps:
"amplify push" will build all your local back...

tenna@chuurikitennanoiMac Iris % amplify push       
⠧ Fetching updates to backend environment: dev from the cloud.⠋ Building resourc⠋ Building resource api/iris
⚠️  WARNING: your GraphQL API currently allows public create, read, update, and delete access to all models via an API Key. To configure PRODUCTION-READY authorization rules, review: https://docs.amplify.aws/cli/graphql/authorization-rules

⠴ Building resource api/iris✅ GraphQL schema compiled successfully.

Edit your schema at /Users/tenna/Desktop/Iris/amplify/backend/api/iris/schema.graphql or place .graphql files in a directory at /Users/tenna/Desktop/Iris/amplify/backend/api/iris/schema
✔ Successfully pulled backend environment dev from the cloud.

    Current Environment: dev
    
┌──────────┬──────────────────────┬───────────┬───────────────────┐
│ Category │ Resource name        │ Operation │ Provider plugin   │
├──────────┼──────────────────────┼───────────┼───────────────────┤
│ Auth     │ iris1ef6f127         │ Update    │ awscloudformation │
├──────────┼──────────────────────┼───────────┼───────────────────┤
│ Auth     │ userPoolGroups       │ No Change │ awscloudformation │
├──────────┼──────────────────────┼───────────┼───────────────────┤
│ Function │ AdminQueriese13453b3 │ No Change │ awscloudformation │
├──────────┼──────────────────────┼───────────┼───────────────────┤
│ Api      │ AdminQueries         │ No Change │ awscloudformation │
├──────────┼──────────────────────┼───────────┼───────────────────┤
│ Api      │ iris                 │ No Change │ awscloudformation │
└──────────┴──────────────────────┴───────────┴───────────────────┘
✔ Are you sure you want to continue? (Y/n) · yes

Deployment completed.
Deploying root stack Iris [ =================================------- ]
	amplify-iris-dev-bc369         AWS::CloudFormation::Stack     UPDATE_
	apiiris                        AWS::CloudFormation::Stack     UPDATE_
	authiris1ef6f127               AWS::CloudFormation::Stack     UPDATE_
	authuserPoolGroups             AWS::CloudFormation::Stack     UPDATE_
	functionAdminQueriese13453b3   AWS::CloudFormation::Stack     UPDATE_
	apiAdminQueries                AWS::CloudFormation::Stack     UPDATE_
Deployed auth iris1ef6f127 [ ======================================== 
	HostedUICustomResource         AWS::Lambda::Function          CREATE_
	HostedUIProvidersCustomResour… AWS::Lambda::Function          CREATE_
	HostedUICustomResourcePolicy   AWS::IAM::Policy               CREATE_
	HostedUIProvidersCustomResour… AWS::IAM::Policy               CREATE_
	HostedUICustomResourceLogPoli… AWS::IAM::Policy               CREATE_
	HostedUIProvidersCustomResour… AWS::IAM::Policy               CREATE_
Deployed auth userPoolGroups [ =======================================

Deployment state saved successfully.

GraphQL transformer version: 2
Hosted UI Endpoint: https://iris26e476...
Test Your Hosted UI Endpoint: https://iris26e4...

5. Update a Service ID (Add Domains starting with iris26..., Return URLs starting with https://iris26.../oauth2/idpresponse)

6. Add these to the info.plist file
<key>CFBundleURLTypes</key>
         <array>
             <dict>
                 <key>CFBundleURLSchemes</key>
                 <array>
                     <string>iris</string>
                 </array>
             </dict>
         </array>

7. Launch the app and tap the AppleSignInButton.

SignInWithAppleButton(.signUp)
                { request in
                    request.requestedScopes = [.fullName, .email]
                } onCompletion: { authResults in
                    switch authResults {
                    case .success(let authResults):
                        self.signInWithApple(authResults: authResults)
                    case .failure(let error):
                        print(error.localizedDescription)
                    }
                }
...
func signInWithApple(authResults: ASAuthorization) {
        print("signInWithApple")
        guard let appleIDCredential = authResults.credential as? ASAuthorizationAppleIDCredential else {
            print("Failed to get AppleID credentials")
            return
        }
        guard let identityTokenData = appleIDCredential.identityToken,
              let identityToken = String(data: identityTokenData, encoding: .utf8) else {
            print("Unable to fetch identity token")
            return
        }
        Task {
            if let fullName = appleIDCredential.fullName {
                //self.givenName = fullName.givenName ?? ""
                self.familyName = fullName.familyName ?? ""
            }
            self.email = appleIDCredential.email ?? ""
            
            var result = try await Amplify.Auth.signInWithWebUI(for: .apple, presentationAnchor: UIWindow())
            if result.isSignedIn {
                isSignedIn = result.isSignedIn
            }
        }
    }

8. Get the error.

Expected behavior

Be able to Sign in with Apple

Amplify Framework Version

2.39.0

Amplify Categories

Auth

Dependency manager

Swift PM

Swift version

latest

CLI version

12.12.6

Xcode version

Xcode 15.4 Build version 15F31d

Relevant log output

<details>
<summary>Log Messages</summary>


signInWithApple
Starting execution for Auth.socialWebUISignInAPI
Check if authstate configured
Auth state configured
Wait for a valid state
Start signIn flow
Sending cancel signIn
Wait for signIn to cancel
Failed execution for Auth.socialWebUISignInAPI with error:
AuthError: Make sure that the amplify configuration passed to Auth plugin is valid

```

Is this a regression?

Yes

Regression additional context

No response

Platforms

iOS

OS Version

iOS 17

Device

iPhone 11 & 15

Specific to simulators

No response

Additional context

No response

[vincetran]

Hi @ChurikiTenna,
Can you elaborate what you mean by

One concern, amplify update auth require key id before creating the actual key. how is it possible to get a Key id before creating them?

The key ID is created by Apple during the "Setup Your Auth Provider" step as found here which is the step before you call `amplify update auth``

Thanks for your detailed reproduction steps. Just wanted to clarify something since it wasn't explicitly called out, between steps 4 and 5 in your provided steps, did you provide Apple with the hosted UI endpoint URL that was generated in step 4? It's the last section in the Configure Auth Category section right before the Update Info.plist step.

[ChurikiTenna]

Hi @vincetran ! Thank you for your response.

The key seems to be created after amplify update auth.

The Setup Your Auth Provider step only include creating a App ID and Service ID.
Am I misunderstanding something?

And yes, I have provided hosted UI endpoint URL.

[ChurikiTenna]

@harsh62
Can same Service ID and App ID not exist? I get these errors.

1. When I try to create a Service ID that matches BundleId of the app

3. When I try to create a App ID that matches the Service ID

4. When I try to create a brand new App ID and Service ID with the same ID.
   App ID can be created.

Service ID with the same ID cannot be created.

Please correct me if I am wrong.

[harsh62]

Ahh .. May be I confused you a little. Let me clarify a few things..

1. When you are using WebUI (also called HostedUI), you don't need to create a specific Sign In With Apple button.. Native SIWA is not a supported feature in user pools. So you should just use the following.

               var result = try await Amplify.Auth.signInWithWebUI(for: .apple, presentationAnchor: UIWindow())
               if result.isSignedIn {
                   isSignedIn = result.isSignedIn
               }
   

2. Would you be able to share your amplifyconfiguration.json that gets created? (redacted all the sensitive information)

3. Make sure the services id matches the one that was created in the apple account.
   Enter your Services ID for your OAuth flow: com.zasso.iris

[ChurikiTenna]

@harsh62
Thank you for the guidance.

1. Simply calling below also did not work either.

Button(action: {
                    self.signInWithApple()
                }) {
                    HStack {
                        Image(systemName: "applelogo")
                        Text("Sign up with Apple")
                    }
                    .foregroundColor(Color.white)
                }

func signInWithApple() {
        Task {
            let result = try await Amplify.Auth.signInWithWebUI(for: .apple, presentationAnchor: UIWindow())
            if result.isSignedIn {
                isSignedIn = result.isSignedIn
            }
        }
    }

2. amplifyconfiguration.json

{
    "UserAgent": "aws-amplify-cli/2.0",
    "Version": "1.0",
    "api": {
        "plugins": {
            "awsAPIPlugin": {
                "AdminQueries": {
                    "endpointType": "REST",
                    "endpoint": "https://xf3su34szd.execute-api.ap-northeast-1.amazonaws.com/dev",
                    "region": "ap-northeast-1",
                    "authorizationType": "AMAZON_COGNITO_USER_POOLS"
                },
                "iris": {
                    "endpointType": "GraphQL",
                    "endpoint": "https://zkwz3f5dbjdfbmo6utv7pznqc4.appsync-api.ap-northeast-1.amazonaws.com/graphql",
                    "region": "ap-northeast-1",
                    "authorizationType": "API_KEY",
                    "apiKey": "da2-t5u2zvusjzb7ppk3b3gi4uag5m"
                }
            }
        }
    },
    "auth": {
        "plugins": {
            "awsCognitoAuthPlugin": {
                "UserAgent": "aws-amplify/cli",
                "Version": "0.1.0",
                "IdentityManager": {
                    "Default": {}
                },
                "CredentialsProvider": {
                    "CognitoIdentity": {
                        "Default": {
                            "PoolId": "ap-northeast-1:209d97d9-735f-4684-8478-dae397571882",
                            "Region": "ap-northeast-1"
                        }
                    }
                },
                "CognitoUserPool": {
                    "Default": {
                        "PoolId": "ap-northeast-1_Ok5bjbMtU",
                        "AppClientId": "3mu8lgkjpe5a6uv2ncj0p0h0qb",
                        "Region": "ap-northeast-1"
                    }
                },
                "Auth": {
                    "Default": {
                        "OAuth": {
                            "WebDomain": "iris26e476d4-26e476d4-dev.auth.ap-northeast-1.amazoncognito.com",
                            "AppClientId": "3mu8lgkjpe5a6uv2ncj0p0h0qb",
                            "SignInRedirectURI": "iris://",
                            "SignOutRedirectURI": "iris://",
                            "Scopes": [
                                "phone",
                                "email",
                                "openid",
                                "profile",
                                "aws.cognito.signin.user.admin"
                            ]
                        },
                        "authenticationFlowType": "USER_SRP_AUTH",
                        "socialProviders": [
                            "APPLE"
                        ],
                        "usernameAttributes": [
                            "EMAIL"
                        ],
                        "signupAttributes": [
                            "EMAIL"
                        ],
                        "passwordProtectionSettings": {
                            "passwordPolicyMinLength": 8,
                            "passwordPolicyCharacters": []
                        },
                        "mfaConfiguration": "OFF",
                        "mfaTypes": [
                            "SMS"
                        ],
                        "verificationMechanisms": [
                            "EMAIL"
                        ]
                    }
                },
                "AppSync": {
                    "Default": {
                        "ApiUrl": "https://zkwz3f5dbjdfbmo6utv7pznqc4.appsync-api.ap-northeast-1.amazonaws.com/graphql",
                        "Region": "ap-northeast-1",
                        "AuthMode": "API_KEY",
                        "ApiKey": "da2-..<hidden>..ag5m",
                        "ClientDatabasePrefix": "iris_API_KEY"
                    }
                },
                "S3TransferUtility": {
                    "Default": {
                        "Bucket": "irisd63aeb703f8043f894dc4e9618adb29dbc369-dev",
                        "Region": "ap-northeast-1"
                    }
                }
            }
        }
    },
    "storage": {
        "plugins": {
            "awsS3StoragePlugin": {
                "bucket": "irisd63aeb703f8043f894dc4e9618adb29dbc369-dev",
                "region": "ap-northeast-1",
                "defaultAccessLevel": "guest"
            }
        }
    }
}

3. Checked.

I noticed I was trying implement Apple Sign in with Get 1 tutorial when I was supposed to use Gen 2...
I tried this Gen 2 documents, then got this error:
#FactoryInstall Unable to query results, error: 5

Log:

Start signIn flow
Wait for signIn to complete
AWSCognitoAuthPlugin/IntializeSignInFlow.swift Starting execution
AWSCognitoAuthPlugin/IntializeSignInFlow.swift Sending event SignInEvent.initiateHostedUISignIn
Checking next step for: notStarted
Auth state change:

{
    "AuthState.configured" =     {
        "AuthenticationState.signingIn" =         {
            "SignInState.notStarted" =             {
            };
        };
        "AuthorizationState.configured" =         {
        };
    };
}
Auth state change:

{
    "AuthState.configured" =     {
        "AuthenticationState.signingIn" =         {
            "SignInState.signingInWithHostedUI" =             {
                "HostedUISignInState.notStarted" =                 {
                };
            };
        };
        "AuthorizationState.configured" =         {
        };
    };
}
AWSCognitoAuthPlugin/InitializeHostedUISignIn.swift Starting execution
AWSCognitoAuthPlugin/LoadCredentialStore.swift Starting execution
Credential Store state change:

{
    "CredentialStoreState.loadingStoredCredentials" =     {
    };
}
Checking next step for: signingInWithHostedUI(AWSCognitoAuthPlugin.HostedUISignInState.notStarted)
AWSCognitoAuthPlugin/LoadCredentialStore.swift Retreiving credential deviceMetadata(username: "unknown")
[KeychainStore] Initialized keychain with service=com.amplify.awsCognitoAuthPlugin, attributes=KeychainStoreAttributes(itemClass: "genp", service: "com.amplify.awsCognitoAuthPlugin", accessGroup: nil), accessGroup=
[KeychainStore] Started retrieving `Data` from the store with key=authConfiguration
[KeychainStore] Successfully retrieved `Data` from the store with key=authConfiguration
[KeychainStore] Started setting `Data` for key=authConfiguration
[KeychainStore] Initialized fetching to decide whether update or add
[KeychainStore] Found existing item, updating
[KeychainStore] Successfully updated `Data` in keychain for key=authConfiguration
[KeychainStore] Started retrieving `Data` from the store with key=amplify.ap-northeast-1_17XFbRJCN.ap-northeast-1:e8991132-5a5d-433c-b243-37c81e87d8a1.unknown.deviceMetadata
[KeychainStore] No Keychain item found for key=amplify.ap-northeast-1_17XFbRJCN.ap-northeast-1:e8991132-5a5d-433c-b243-37c81e87d8a1.unknown.deviceMetadata
AWSCognitoAuthPlugin/LoadCredentialStore.swift Sending event CredentialStoreEvent.throwError
AWSCognitoAuthPlugin/IdleCredentialStore.swift Starting execution
AWSCognitoAuthPlugin/IdleCredentialStore.swift Sending event CredentialStoreEvent.moveToIdleState
AWSCognitoAuthPlugin/LoadCredentialStore.swift Starting execution
AWSCognitoAuthPlugin/LoadCredentialStore.swift Retreiving credential asfDeviceId(username: "unknown")
[KeychainStore] Initialized keychain with service=com.amplify.awsCognitoAuthPlugin, attributes=KeychainStoreAttributes(itemClass: "genp", service: "com.amplify.awsCognitoAuthPlugin", accessGroup: nil), accessGroup=
[KeychainStore] Started retrieving `Data` from the store with key=authConfiguration
[KeychainStore] Successfully retrieved `Data` from the store with key=authConfiguration
[KeychainStore] Started setting `Data` for key=authConfiguration
[KeychainStore] Initialized fetching to decide whether update or add
[KeychainStore] Found existing item, updating
[KeychainStore] Successfully updated `Data` in keychain for key=authConfiguration
[KeychainStore] Started retrieving `Data` from the store with key=amplify.ap-northeast-1_17XFbRJCN.ap-northeast-1:e8991132-5a5d-433c-b243-37c81e87d8a1.unknown.deviceASF
[KeychainStore] Successfully retrieved `Data` from the store with key=amplify.ap-northeast-1_17XFbRJCN.ap-northeast-1:e8991132-5a5d-433c-b243-37c81e87d8a1.unknown.deviceASF
AWSCognitoAuthPlugin/LoadCredentialStore.swift Sending event CredentialStoreEvent.completedOperation
AWSCognitoAuthPlugin/IdleCredentialStore.swift Starting execution
AWSCognitoAuthPlugin/IdleCredentialStore.swift Sending event CredentialStoreEvent.moveToIdleState
Credential Store state change:

{
    "CredentialStoreState.error" =     {
        errorType = "KeychainStoreError: Unable to find the keychain item";
    };
}
Credential Store state change:

{
    "CredentialStoreState.idle" =     {
    };
}
Credential Store state change:

{
    "CredentialStoreState.loadingStoredCredentials" =     {
    };
}
AWSCognitoAuthPlugin/InitializeHostedUISignIn.swift Sending event HostedUIEvent.showHostedUI
AWSCognitoAuthPlugin/ShowHostedUISignIn.swift Starting execution
AWSCognitoAuthPlugin/ShowHostedUISignIn.swift Showing url https://ac9321c9946bbe6e6977.auth.ap-northeast-1.amazoncognito.com/oauth2/authorize?response_type=code&code_challenge_method=S256&client_id=2f5kgl6aqur1bs5apintd8n0d6&state=662c86de-1460-4617-901a-9c8fa8b479ba&redirect_uri=iris://&scope=aws.cognito.signin.user.admin%20email%20openid%20phone%20profile&code_challenge=unmZ7i...wifSJ9&identity_provider=SignInWithApple
Auth state change:

{
    "AuthState.configured" =     {
        "AuthenticationState.signingIn" =         {
            "SignInState.signingInWithHostedUI" =             {
                "HostedUISignInState.showingUI" =                 {
                };
            };
        };
        "AuthorizationState.configured" =         {
        };
    };
}
Credential Store state change:

{
    "CredentialStoreState.success" =     {
        savedData = "AWSCognitoAuthPlugin.CredentialStoreData.asfDeviceId(\"E0746992-21D6-4720-80AF-831DDF53F2F9\", \"unknown\")";
    };
}
Credential Store state change:

{
    "CredentialStoreState.idle" =     {
    };
}
Checking next step for: signingInWithHostedUI(AWSCognitoAuthPlugin.HostedUISignInState.showingUI(AWSCognitoAuthPlugin.HostedUISigningInState(signInURL: https://ac9321c9946bbe6e6977.auth.ap-northeast-1.amazoncognito.com/oauth2/authorize?response_type=code&code_challenge_method=S256&client_id=2f5kgl6aqur1bs5apintd8n0d6&state=662c86de-1460-4617-901a-9c8fa8b479ba&redirect_uri=iris://&scope=aws.cognito.signin.user.admin%20email%20openid%20phone%20profile&code_challenge=unm...BzA", presentationAnchor: Optional(<UIWindow: 0x10b7bc700; frame = (0 0; 393 852); hidden = YES; gestureRecognizers = <NSArray: 0x30173d220>; backgroundColor = <UIDynamicSystemColor: 0x3002b3f40; name = _windowBackgroundColor>; layer = <UIWindowLayer: 0x30196afd0>>), options: AWSCognitoAuthPlugin.HostedUIOptions(scopes: ["phone", "email", "openid", "profile", "aws.cognito.signin.user.admin"], providerInfo: AWSCognitoAuthPlugin.HostedUIProviderInfo(authProvider: Optional(Amplify.AuthProvider.apple), idpIdentifier: nil), presentationAnchor: Optional(<UIWindow: 0x10b7bc700; frame = (0 0; 393 852); hidden = YES; gestureRecognizers = <NSArray: 0x30173d220>; backgroundColor = <UIDynamicSystemColor: 0x3002b3f40; name = _windowBackgroundColor>; layer = <UIWindowLayer: 0x30196afd0>>), preferPrivateSession: false))))
#FactoryInstall Unable to query results, error: 5

auth/resource.ts

export const auth = defineAuth({
  loginWith: {
    externalProviders: {
      signInWithApple: {
        clientId: secret('SIWA_CLIENT_ID'), -> Set a Bundle ID
        keyId: secret('SIWA_KEY_ID'), -> Set a Key ID
        privateKey: secret('SIWA_PRIVATE_KEY'), -> Set a private key stating with -----BEGIN PRIVATE KEY-----
        teamId: secret('SIWA_TEAM_ID'), -> Set an Apple Developer Team ID
        scopes: ['email']
      },
      callbackUrls: ["iris://"],
      logoutUrls: ["iris://"],
    },