The revoke tokens endpoint (/auth/revoke) is the only way to programmatically invalidate user tokens associated to your developer account without user interaction. This endpoint requires either a valid refresh token or access token for invalidation, as Sign in with Apple expects all apps to securely transmit and store these tokens for validation and user identity verification while managing user sessions. If you don’t have the user’s refresh token, access token, or authorization code, you must still fulfill the user’s account deletion request and meet the account deletion requirement. You'll need to follow this workaround to manually revoke the user credentials: Delete the user’s account data from your systems. Direct the user to manually revoke access for your client. Respond to the credential revoked notification to revert the client to an unauthenticated state Important: If the manual token revocation isn’t completed, the next time the user authenticates with your client using Sign in with Apple, they won’t be presented with the initial authorization flow to enter their full name, email address, or both. This is because the user credential state managed by Sign in with Apple remains unchanged and returns the.authorizedcredential state, which may also result in the system auth UI displaying the “Continue with Apple” button. Respond to the credential revoked notification Once the user’s credentials are revoked by Apple, your client will receive a notification signaling the revocation event:  For apps using the Authentication Services framework to implement Sign in with Apple, register to observe the notification named credentialRevokedNotification. For web services, if an endpoint is registered for server-to-server notifications, Apple broadcasts a notification to the specified endpoint with the consent-revokedevent type. When receiving either notification, ensure you’ve already performed the following operations to meet the requirements of account deletion: Deleted all user-related account data, including: The token used for token revocation; Any user-related data stored in your app servers; and Any user-related data store in the Keychain or securely on disk in the native app or locally on web client. Reverted the client to an unauthenticated state. Securely store user tokens for account creations For all new user account creations, follow the expected authorization flow below: Securely transmit the identity token and authorization code to your app server. Verify the identity token and validate the authorization code using the /auth/token endpoint.  Once the authorization code is validated, securely store the token response — including the identity token, refresh token, and access token. Validate the refresh token up to once per day with Apple servers (to manage the lifetime of your user session and for future token revocation requests), and obtain access tokens (for future token revocation, app transfer, or user migration requests). For information about verifying an identity token and validating tokens, visit Verifying a user and Generate and validate tokens. If you have questions about implementing these flows, including client authorization, token validation, or token revocation, please submit a Technical Support Incident.

My existing chrome extension has "Sign in with Apple" given that we have iOS users. When user clicks "Continue with Apple" button in the extension log in pop up, this is what we do: javascript window.open( 'https://appleid.apple.com/auth/authorize?client_id=' + clientID + '&redirect_uri=' + backEndURL + '&response_type=id_token%20code&response_mode=form_post&scope=email%20name', 'Sign in with Apple', 'height=500,width=400,left=600,top=200,status=no,location=no,toolbar=no,menubar=no' ) In chrome, this opens a popup window with that URL. In Safari Converted Web Extension, it opens custom Apple sign in flow, where it says: "Do you want to sign in to *** with your Apple ID YYY?" and then with my mac password I'm able to authenticate. Afterwards, nothing happens. Expected: a redirect to the URL specified in the window.open. Now let's do a trick: I'll wrap the above window.open code into javascript setTimeout (() = {window.open (...)}, 3000) Because of security reasons, safari then won't open the popup after 3s and will display a notification in the toolbar "Popup blocked..". If we allow the popup, then it finally opens as a normal window popup and after sign in, it redirects to our backend and it successfully authenticates. Any ides what how to solve this? P.S. We're not able to use embedded Sign in with Apple JS - https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple script because we can't host a remote code in the extension (it will be deprecated soon). So, we arere using this. - https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/incorporating_sign_in_with_apple_into_other_platforms

Summary: Need help with Certificates, Identifiers and Profiles settings to allow two apps to use Sign in with Apple. Background: We have a web application (React, static JavaScript) that allows users to sign in with Apple, Google or Microsoft via OAuth/OIDC. We are developing a mobile application using React Native and Expo. Both the web application and the mobile application use the same backend (Django). For the mobile application, we added Google and Microsoft sign in via the same web-based OAuth/OIDC flow. For Sign in with Apple, we are using the expo-apple-authentication package to get the required native sign in experience. We have two active app identifiers: org.terraso.terraso; web app; primary Apple ID org.terraso.test.Terraso-LandPKS; mobile apple; Group with an existing primary App ID (selected (1), the web app) We have one services identifier: org.terraso.app; primary ID is web app (app identifier 1) above; URLs have been configured We have one app group: group.org.terraso (seems unused) On our backend app, we have code: https://github.com/techmatters/terraso-backend/blob/abc655e83eaca849e2bc24389946cc4f0bcd9d48/terraso_backend/apps/auth/providers.py#L84 and APPLE_CLIENT_ID is set to org.terraso.app (which matches the services identifier above In my local development environment, I have tried a few different combinations of IDs attempting to get this to work using the iOS simulator: (i) backend client id: org.terraso.app mobile app bundle Id: org.terraso.test.Terraso-LandPKS result: error: jwt.exceptions.InvalidAudienceError: Audience doesn't match (ii) backend: org.terraso.app mobile app: org.terraso.app result: clicking "Sign In" in Apple ID dialog is a no-op (no errors from client or server) (iii) backend: org.terraso.test.Terraso-LandPKS mobile app: org.terraso.test.Terraso-LandPKS result: works (but I can't use that in production, because the client ID is wrong) How can I configure Sign in with Apple to allow both the web app, the mobile app (and possible additional mobile apps) to work with the same backend? Do I need to us app groups? When do you use app groups vs "group with an existing primary apple id"?

Question about "Sign in with Apple". Can 2 apps from 2 different developer accounts (hence, 2 different team ID) share authentications? In other words, can I get consistent user ID from 2 different app under 2 different developer account? Is there a way to configure that from developer portal? Thanks Bill

The sign in with Apple prereqs state that: you must have an existing app in the App Store that uses Sign in with Apple If you want to support sign in with apple on a website but do not need an iOS app specifically for that website is possible to have a "dummy" app that isn't released to the app store but will serve to support sign in with Apple?

We are trying to integrate "Sign in with Apple" and are facing an issue where all users who chose to use Apple's private relay with the hide my email feature are unable to receive any mail sent by us. We have added our domain, mail from domain & email address to https://developer.apple.com/account/resources/services/configure and also verified the SPF. We also have DKIM setup. We use SES as our email provider and have added its SPF as recommended aswell. I have attached a sample delivery log from SES below. {"notificationType":"Delivery","mail":{"timestamp":"2024-01-17T10:20:07.592Z","source":"\"Redacted\" <admin@redacted>","sourceArn":"arn:aws:ses:ap-south-1:redacted:identity/redacted","sourceIp":"34.redacted","callerIdentity":"redacted-ses","sendingAccountId":"redacted","messageId":"redacted","destination":["redacted@privaterelay.appleid.com"]},"delivery":{"timestamp":"2024-01-17T10:20:12.385Z","processingTimeMillis":4793,"recipients":["redacted@privaterelay.appleid.com"],"smtpResponse":"250 2.0.0 Ok: queued as redacted","remoteMtaIp":"redacted","reportingMTA":"redacted.smtp-out.ap-south-1.amazonses.com"}}

Hello, I have created a Swift app which has Apple Sign In integrated with it. We now want to add Apple Sign In to a web app but can't seem to find enough documentation on how to do this. We have followed the instructions at https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple and have ended up with a script like so: <head> <meta name="appleid-signin-client-id" content="colourworker.SPAD"> <meta name="appleid-signin-scope" content="name email"> <meta name="appleid-signin-redirect-uri" content="https://colourworker.com/apps/photofolia/applesignedin.html"> <meta name="appleid-signin-state" content="init"> <meta name="appleid-signin-nonce" content="NONCE"> <meta name="appleid-signin-use-popup" content="true"> </head> <body> <h1>Sign in with Apple</h1> <div id="appleid-signin" data-color="black" data-border="true" data-type="sign in"></div> <script type="text/javascript" src="https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js"></script> </head> </html> But have we populated the client-id, state, and NONCE correctly? When clicking on the Sign In with Apple button we get the error in this screenshot: I look forward to hearing from someone. Kind regards, Miguel

I just raised the iOS version to 17, but the login with face id doesn't appear in the react native webview. The login with face id doesn't appear, and the website loads. If the user is on iOS 16 in the same app, the login with face id appears. Is there something I'm missing?

Hello, I have integrated Sign In with Apple into my Swift App. Now I'd like to add Sign In with Apple into my website. I followed the instructions at https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple and resulted in an html page: <html> <head> <meta name="appleid-signin-client-id" content="colourworker.SPAD"> <meta name="appleid-signin-scope" content="name email"> <meta name="appleid-signin-redirect-uri" content="https://colourworker.com/apps/photofolia/applesignedin.html"> <meta name="appleid-signin-state" content="init"> <meta name="appleid-signin-nonce" content="NONCE"> <meta name="appleid-signin-use-popup" content="true"> </head> <body> <h1>Sign in with Apple</h1> <div id="appleid-signin" data-color="black" data-border="true" data-type="sign in"></div> <script type="text/javascript" src="https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js"></script> </head> </html> I have added https://colourworker.com/apps/photofolia/applesignedin.html to the list of Return URLs at https://developer.apple.com/account/resources/identifiers/serviceId/edit/ZSM7Q3SMVH. But when clicking on the Sign In With Apple button I get the following error: "invalid_request Invalid client id or web redirect url." Any ideas of what I'm doing wrong?

I have implemented a Sign up with Apple button with usePopup=true. When I click the button I get the popup window. After authenticating I click the final "Continue" button and nothing happens. Well technically there is a request to https://appleid.apple.com/appleauth/auth/oauth/authorize. Clicking "Continue" more than once results in the error "Your request could not be completed because of an error. Please try again later." Where do I go from here?

I cannot receive full name from Apple sign in and the app review fails. What I receive from the call is the following: { "familyName": null, "identityToken": "XXXXX", "givenName": null, "authorizationCode": "XXXXX", "user": "XXXXX", "email": null } while decoding the identityToken, I get: { iss: 'https://appleid.apple.com', aud: 'popularise.app', exp: 1697700330, iat: 1697613930, sub: 'XXXXX', nonce: 'nonce', c_hash: 'XXXX', email: 'XXXXXX', email_verified: 'true', auth_time: 1697613930, nonce_supported: true } As you can see, I have no information about given or family name. Body I am sending via api rest: { clientId: 'popularise.app', scopes: 'email name', redirectURI: '', state: '12345', nonce: 'nonce', } My tools: I am using nestJS and node (v16).

I am working on a financial application that falls under Indian jurisdiction, which has specific regulations prohibiting the use of relay or proxy emails for sign-up processes. Given that the "Hide My Email" feature in "Sign in with Apple" provides a relay email, I'm trying to understand how I can remain compliant with these regulations while offering "Sign in with Apple" as a sign-up option. My proposed flow: Allow users to use "Sign in with Apple" for authentication. Check if the user has opted for the "Hide My Email" feature. If they have, show an error message explaining the regulatory restriction and prompt them to either: a) Use "Sign in with Apple" without the "Hide My Email" option OR b) Use our standard "Sign up with Email and Password" flow. I would like to understand if such an approach is acceptable according to Apple's guidelines. Would there be any issues or recommendations from Apple's side on implementing this flow? Thank you for your assistance and guidance!

Hi everyone, we are developing Ionic mobile app with .NET server part, now we are trying to implement apple authorization, it works properly with web(user can authorize and server receives callback), but it is not working with mobile, we can authorize and get response on client side with token and code, but it not initiate callback to server, we found a difference in apple endpoint that we call for web and for mobile(in query parameters for mobile- response_mode = web_message and for web- response_mode = form_post), we can't change url for mobile app, because we are using SignInWithApple from @capacitor-community/apple-sign-in, does anyone have experience with this problem? Thanks in advance.

Basically title. The UI for the developer console just changed and I need to add a return url for my application, but I can't find the place to do so any longer. Please advise, thanks.

I'm using apple login in my web app and passing the redirect URI to apple URL. It's working fine on all browsers except Safari. On Safari instead of opening the URL in a new tab it's showing the finger touch enabled login popup. Which is causing the issue and my redirect URI is not getting passed and I'm not able to receive the code and other details from apple. Can anyone please help me resolve this issue. Angular Code: const openNewWindow = window.open( 'https://appleid.apple.com/auth/authorize?response_type=code&response_mode=form_post&scope=name%20email&state=W4cL2JgRJq&client_id=CLIENT_ID&redirect_uri='+ this.AppleURL',"_blank" ); try { openNewWindow.opener = window; window.addEventListener('message', event => { this.signInWithApple(JSON.parse(event.data)); });window.addEventListener('message', event => { this.signInWithApple(JSON.parse(event.data)); }); } catch (error) { console.log("error",error); } Redirect URI js code:

When I clicked the continue button in the page "https://appleid.apple.com/auth/authorize?client_id=XXXXXXX&amp;redirect_uri=XXXXXX&amp;response_type=code%20id_token&amp;state=asdjhkjhhhs&amp;scope=email&amp;response_mode=web_message&amp;frame_id=XXXXX&amp;m=12&amp;v=1.5.4", I got the error " Your request could not be completed because of an error. Please try again later." the page send a post request Request URL: https://appleid.apple.com/appleauth/auth/oauth/authorize Request Method: POST. Status Code: **403 ** what should I do with that?

I have Sign In With Apple working on my website and on my production stage app, but the returned userId's are different. What are possible reasons this is happening?

On every attempt of login and logout, I receive email and user name from apple as long as I have not revoked it. But if I revoke, and then try to login again. In that case, I don't get email/name. If I delete my apple account from device, and re login from settings. In that case, I get only user name on first login attempt in app. On subsequent logins, I get nothing. What could be possibly wrong with my flow? My login code is as import { appleAuth } from '@invertase/react-native-apple-authentication'; import auth from '@react-native-firebase/auth'; const appleAuthRequestResponse = await appleAuth.performRequest({ requestedOperation: appleAuth.Operation.LOGIN, requestedScopes: [appleAuth.Scope.EMAIL, appleAuth.Scope.FULL_NAME], }); // Ensure Apple returned a user identityToken if (!appleAuthRequestResponse.identityToken) { Alert.alert('Error', 'Apple Sign-In failed - no identify token returned'); return; } // Create a Firebase credential from the response const { identityToken, nonce } = appleAuthRequestResponse; const appleCredential = auth.AppleAuthProvider.credential(identityToken, nonce); // Sign the user in with the credential const res = await auth().signInWithCredential(appleCredential); console.log(res.user.email) // returns email The revoke code is as follows import { appleAuth } from '@invertase/react-native-apple-authentication'; import { getAppleAuthorizationToken } from '../firebase/cloudFunctions'; const authTokenJWT = await getAppleAuthorizationToken(); // call to get JWT appleAuthRequestResponse = await appleAuth.performRequest({ requestedOperation: appleAuth.Operation.LOGIN, requestedScopes: [appleAuth.Scope.EMAIL, appleAuth.Scope.FULL_NAME], }); const { authorizationCode } = appleAuthRequestResponse; const config = { headers: { 'Content-Type': 'application/x-www-form-urlencoded', }, }; const authTokenBody = { client_id: PACKAGE_NAME, client_secret: authTokenJWT.data.jwt, code: authorizationCode, grant_type: 'authorization_code', }; const generateAuthTokenUrl = 'https://appleid.apple.com/auth/token'; const res1 = await axios.post(generateAuthTokenUrl, authTokenBody, config); const revokeTokenBody = { client_id: PACKAGE_NAME, client_secret: authTokenJWT.data.jwt, token: res1.data.refresh_token, token_type_hint: 'refresh_token', }; const revokeAuthTokenUrl = 'https://appleid.apple.com/auth/revoke'; const res2 = await axios.post(revokeAuthTokenUrl, revokeTokenBody, config); // res2 is empty with status 200.

Hi guys, I have been using a services id for my apps and websites to use Sign in with Apple feature over 3 months. All of a sudden the website urls and return urls I newly add to the services id don't work. I am getting "invalid_request Invalid web redirect url." errrors. I have checked the urls carefully, (https), I also added many new ones but none of them worked. In order to test it I also removed some of the current return urls from my websites to see if it will stop working but no, the ones I removed still work which kind of confirms my theory that it does not update the list, it is bugged. Quite weirdly, the new native apps I submitted to the store also does not work, it gives the error "Sign-up Not Completed" Does any one have any idea? Such a weird problem all of a sudden

We have changed return URLs for one Service ID, but the change is not propagated. The old return URL still works and we get "Invalid web redirect URL". We even tried deleting Service ID with old return URLs and created new Service ID with new redirect URLs. But the only one that works is the one that we deleted.

I double checked and my redirect url is the same in service id. It looks like the domains I add has no effect. I have another service id that works with apple sign in. I deleted the return url on it and it still works. Is there a delay or something. Can someone help me with this please? I am about to lose my mind