Hi there! We are self-hosting `kratos` and earlier...
# ory-selfhosting
p
Hi there! We are self-hosting `kratos` and earlier today noticed that Sign-in With Apple via REST stopped working because Apple changed their issuer `iss` claim from <https://appleid.apple.com> as specified in their official docs (ref) to a new value <https://account.apple.com>; now issuer validations are failing. Dear Ory, are you aware of this issue and what would be a recommended way to address it ASAP? This is not specific to Kratos generally and other people relying on the issuer check are also noticing it:
• https://status.supabase.com/
• https://www.reddit.com/r/webdev/comments/1l8klnc/sign_in_with_apple_issues/
A type of error emitted by `kratos`:
```json
{
  "id": "REDACTED",
  "error": {
    "code": 500,
    "message": "An internal server error occurred, please contact the system administrator",
    "reason": "Unable to initialize OpenID Connect Provider: oidc: issuer did not match the issuer returned by provider, expected \"<https://appleid.apple.com>\" got \"<https://account.apple.com>\"",
    "status": "Internal Server Error"
  },
  "created_at": "2025-06-11T06:29:01.063176Z",
  "updated_at": "2025-06-11T06:29:01.063176Z"
}
```
e
Thanks for the report. I will get the team to take a look!
Do you have a link to the apple docs stating this?
e
Sorry, what's odd is they still reference appleid here rather than account. Looks like a big mess-up on their part. We have a patch that will be pushed to Ory Network soon. I will follow up on when that gets pushed to Kratos OSS.
p
Thanks a lot! Yes, there was no open communication from Apple's side on that. I believe it may be related to their annual WWDC conference which is ongoing this week.
We are closely monitoring in case they roll back their change.
f
I am also facing this case and looking for updates for it. The ticket in GitHub was closed without any change or comment even.
e
It was patched on our end, but this is a mess on Apple's side still. We have not pushed the change to the OSS repo yet as Apple has changed things yet again (for instance, OIDC discovery uses the account.apple.com, but now the token has the issuer of appleid.apple.com again). It's a mess.
p
JFYI it looks like Apple stopped redirecting to account.apple.com here: https://appleid.apple.com/.well-known/openid-configuration. Now both OpenID configurations are available with different issuer values. The 2nd one here: https://account.apple.com/.well-known/openid-configuration (as it was in the morning when appleid.apple.com started to redirect to account.apple.com)