Preflight checklist
Ory Network Project
No response
Describe the bug
If you configure Apple as a social sign-in provider in Ory Network, you will receive a fixed domain as redirect_uri that looks something like this:
https://<KRATOS_DOMAIN>/self-service/methods/oidc/callback/apple-a12b-cDe
If you have now configured everything correctly, you will land at Apple, can log in there and will be redirected back to the specified redirect_uri.
Here you will receive a CSRF-Violation error!
According to the documentation, this is probably due to the generated provider ID:
“The provider ID for the web browser flow must be apple. This makes sure that the resulting callback URL will be exempt from CSRF middleware, as Apple uses a POST form request that does not include the CSRF cookie.”
The part of the redirect_uri “apple-a12b-cDe” is also used as the provider ID in the HTML form.
A hard overwrite of the provider ID in the HTML form only triggers a 404 error from Kratos.
Reproducing the bug
Relevant log output
Relevant configuration
Version
Ory Network and Custom UI with @ory/[email protected]
On which operating system are you observing this issue?
Ory Network
In which environment are you deploying?
Ory Network
Additional Context
No response
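A simplified model of the behaviour the quoted documentation describes, added here as an example; it is not Kratos or Ory Network code. It assumes the CSRF exemption is an exact match on the callback path for provider ID `apple`; the host `kratos.example.test`, the `csrf_token` cookie and field name, and all function names are hypothetical.

```javascript
// Assumption: exemption is keyed on the exact callback path for provider "apple".
const CALLBACK_PREFIX = "/self-service/methods/oidc/callback/";
const CSRF_EXEMPT_PATHS = new Set([CALLBACK_PREFIX + "apple"]);

// Return the provider ID embedded in a redirect_uri, or null if the URL
// is not an OIDC callback URL of the form shown in the report.
function providerIdFromRedirectUri(redirectUri) {
  const { pathname } = new URL(redirectUri);
  if (!pathname.startsWith(CALLBACK_PREFIX)) return null;
  const id = pathname.slice(CALLBACK_PREFIX.length);
  return id.length > 0 && !id.includes("/") ? id : null;
}

// Model of a double-submit CSRF check with a path exemption list.
function csrfCheck(req) {
  if (["GET", "HEAD", "OPTIONS"].includes(req.method)) {
    return { status: 200, reason: "safe method" };
  }
  if (CSRF_EXEMPT_PATHS.has(req.path)) {
    return { status: 200, reason: "exempt path" };
  }
  const cookie = req.cookies.csrf_token;
  if (cookie !== undefined && cookie === req.body.csrf_token) {
    return { status: 200, reason: "token matched" };
  }
  return { status: 403, reason: "csrf violation" };
}

// Apple's return leg as the docs describe it: a form POST to the callback
// URL that carries no CSRF cookie. Body values are constructed samples.
function simulateAppleCallback(redirectUri) {
  const providerId = providerIdFromRedirectUri(redirectUri);
  if (providerId === null) {
    return { providerId, status: 404, reason: "not a callback url" };
  }
  const req = {
    method: "POST",
    path: new URL(redirectUri).pathname,
    cookies: {},
    body: { code: "constructed-code", state: "constructed-state" },
  };
  return { providerId, ...csrfCheck(req) };
}

const base = "https://kratos.example.test" + CALLBACK_PREFIX;
for (const id of ["apple", "apple-a12b-cDe"]) {
  const r = simulateAppleCallback(base + id);
  console.log(`${r.providerId}: ${r.status} (${r.reason})`);
}
```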