我们通过进入更多 > 解决了这个问题.配置并添加我们的域，确保 SPF 对勾是绿色的(如果不是绿色，请快速谷歌以了解如何为您的配置修复它).在此之后，我们不再收到 invalid_client 错误.
让我们偶然发现的事情是它似乎并不重要，因为它说它是用于电子邮件 - 我们略读它以为我们可以稍后再回来.

At this point I might be missing something really obvious in the configuration panel for apple, but after spending a day on this with several other people and reverting back to vanilla node (no third party dependencies).

We had 2 app identifiers in our account with Sign in with Apple and Push Notifications checked. I added at some point a service identifier to one of them and whitelisted a redirect URI. Everything went fine locally.

I got to production, and I kept getting wrong redirect uri for the exact same config, although the uri was whitelisted. I thought it might be because there's 2 uris, so I deleted the one that worked in the hopes that the one in production will start working.

None of them work anymore.

I have added a new set of app id + service id + secret key to use for the whole flow and I never get passed the "invalid_client" during the very first redirect to apple.

Code:

    const url = new URL("https://appleid.apple.com/auth/authorize");

    url.searchParams.append("state", "fdbd287b1f");
    url.searchParams.append("response_type", "code");
    url.searchParams.append("scope", "name email");
    url.searchParams.append("response_mode", "form_post");
    url.searchParams.append(
      "redirect_uri",
      "https://raiseitupdev.com/auth/apple/redirect",
    );
    url.searchParams.append("client_id", "com.myname.auth");

    return res.redirect(url.toString());

We got this resolved by going into the More > Configure and adding our domain, making sure the SPF tick is green (if its not green, do a quick google to find out how to fix it for your config). After this, we stopped getting invalid_client errors.
The thing that made us stumble on this was it didn't appear important on account of it saying it was for the emails - we skimmed over it thinking we could come back to it later..