Does Sign In with Apple JS provide functionality to prevent creating a new account if one doesn't already exist for a given Apple ID? For context, we have Sign In with Apple set up in our iOS app. Some subset of our users have access to a web app. We want to let users in this group log in to the web app if they used Sign In with Apple to create their account. This web app is for existing users only. We want to avoid a situation where someone stumbles across this web app and attempts to create an account. However, I've been unable to find documentation or example code that meets this goal. Is it possible to achieve this? Thanks for reading.

Hi I am trying to make my web app to use 'Sign in with apple' I did following preocedure but I keep getting 'invalid client error' Could you help me please? created AppId and check Sign in with Apple created ServiceId linked AppId with ServiceId as a primary App Id created sub domain, domain and redirect url created Key and check Sign in with Apple linked Key with AppId I wrote some example code from pages below https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple Could you please tell me what I did wrong? I have been wasting my time for a couple of days. Please help me. Thank you.

Hello, We've stumbled upon the issue with "Sign in with Apple" functionality today. It worked absolutely fine for quite a long time on our dev instances, but today as we've deployed it to production - it stopped working both on dev and prod. The issue is that idToken doesn't have email field for all the requests except 1 specific email for some unknown reason. Because of this - we cannot identify the user in our database. We've tried to test with multiple Apple accounts, including the ones we've already used, the ones that were never used for this app and even the absolutely new accounts with no luck (except 1 specific account). What we do: Redirect user to authorization page like this: https://appleid.apple.com/auth/authorize?client_id={SERVICE_ID}&redirect_uri={REDIRECT_URI}&response_type=code After authorization user is redirected to the redirect_uri where we get state and code. On the server-side of web app we create client_secret signed JWT (as required by documentation) and send POST https://appleid.apple.com/auth/token request with the following data: { code, client_id: result.Item.clientId, client_secret, grant_type: "authorization_code", } In response we get JSON with "access_token", "token_type", "expires_in", "refresh_token" and "id_token" We parse "id_token" to get email. Code we use to parse: const idToken = JSON.parse(body).id_token || ""; const [, infoPart] = idToken.split("."); const buff = Buffer.from(infoPart, "base64"); const text = buff.toString("ascii"); const json = JSON.parse(text); if (json.hasOwnProperty("email")) { endUserEmail = json.email; } The issue is that for all accounts we've tested except 1 - there's no "email" field. We've also tried to use AWS Cognito to verify if this is the issue with our implementation. They specify scope=email%20name&response_mode=form_post in their request. Unfortunately, the result is the same - Cognito returns an error saying that there's no email. Is it some kind of misconfiguration on our side? What should we do to allow users to sign in with Apple ID? Thank you, Dmitrii Khizhniakov Web developer Graebert GmbH https://graebert.com

Initially, our application provided the user with SIWA without requesting an email address. A bit later, the user authorization flow was changed and the email area for authorization request was added. However, the updated areas are not reflected in further responses, whether it is a native iOS or a web client. Both give the same result without email in JWT claims until the user manually cancels the authorization of the application from his Apple ID. Is there another way of getting email from already authorized user except revoking an access to our app?

In the App Store guidelines it is stated as mandatory to provide sign in with apple. Is the app allowed to block users who register with "hide my email" and not allowing them to create an account? https://developer.apple.com/app-store/review/guidelines/#sign-in-with-apple

I am investigating Sign in with Apple in detail and its relation with OpenID Connect. In line with this, it is known if Sign In with Apple supports the OpenID spec Logout endpoint? (https://medium.com/@robert.broeckelmann/openid-connect-logout-eccc73df758f) (https://openid.net/specs/openid-connect-frontchannel-1_0.html) Thanks, Dan

The revoke tokens endpoint (/auth/revoke) is the only way to programmatically invalidate user tokens associated to your developer account without user interaction. This endpoint requires either a valid refresh token or access token for invalidation, as Sign in with Apple expects all apps to securely transmit and store these tokens for validation and user identity verification while managing user sessions. If you don’t have the user’s refresh token, access token, or authorization code, you must still fulfill the user’s account deletion request and meet the account deletion requirement. You'll need to follow this workaround to manually revoke the user credentials: Delete the user’s account data from your systems. Direct the user to manually revoke access for your client. Respond to the credential revoked notification to revert the client to an unauthenticated state Important: If the manual token revocation isn’t completed, the next time the user authenticates with your client using Sign in with Apple, they won’t be presented with the initial authorization flow to enter their full name, email address, or both. This is because the user credential state managed by Sign in with Apple remains unchanged and returns the.authorizedcredential state, which may also result in the system auth UI displaying the “Continue with Apple” button. Respond to the credential revoked notification Once the user’s credentials are revoked by Apple, your client will receive a notification signaling the revocation event:  For apps using the Authentication Services framework to implement Sign in with Apple, register to observe the notification named credentialRevokedNotification. For web services, if an endpoint is registered for server-to-server notifications, Apple broadcasts a notification to the specified endpoint with the consent-revokedevent type. When receiving either notification, ensure you’ve already performed the following operations to meet the requirements of account deletion: Deleted all user-related account data, including: The token used for token revocation; Any user-related data stored in your app servers; and Any user-related data store in the Keychain or securely on disk in the native app or locally on web client. Reverted the client to an unauthenticated state. Securely store user tokens for account creations For all new user account creations, follow the expected authorization flow below: Securely transmit the identity token and authorization code to your app server. Verify the identity token and validate the authorization code using the /auth/token endpoint.  Once the authorization code is validated, securely store the token response — including the identity token, refresh token, and access token. Validate the refresh token up to once per day with Apple servers (to manage the lifetime of your user session and for future token revocation requests), and obtain access tokens (for future token revocation, app transfer, or user migration requests). For information about verifying an identity token and validating tokens, visit Verifying a user and Generate and validate tokens. If you have questions about implementing these flows, including client authorization, token validation, or token revocation, please submit a Technical Support Incident.

We are not able to retrieve name and, address and ethnicity after using Sign in with Apple. We are able to get email only. May I know where can we get resource to retrieve these information? Please advise.

I cannot get apple sign in to post to my redirectURI if I set usePopup: true. When I set it to false I am however able to get it to work with no problems. I am not doing any of this on localhost and everything is HTTPS so I don't think that is the issue. Here is the error I message I get in the safari console (does not show up on firefox or chrome) when I successfully sign in to apple and press continue: Unable to post message to https://my-staging-site.soundstripe.com. Recipient has origin https://ea88-2601-1c2-780-c240-e9ee-17e4-e1c4-7cbd.ngrok.io. index.js:29 And here is my implementation AppleID.auth.init({ clientId: "com.soundstripe.web", scope: "name email", redirectURI: "https://my-staging-site.com/auth/apple", nonce: String(Date.now()), usePopup: true, }) const appleAuth = async () => { const response = await window.AppleID.auth.signIn() return response }