Our app got rejected with below reason Your app offers Sign in with Apple as a login option but does not follow the design and user experience requirements for Sign in with Apple. Specifically: Your app requires users to provide their name and/or email address after using Sign in with Apple. This information is already provided by the Authentication Services framework. These requirements provide the consistent experience users expect when using Sign In with Apple to authenticate or login to an account. We have an option to login to our app with Apple sign in The user must have a valid account with a valid email id, that created from the web and the user must complete all onboarding program In the app once the user sign-in using Apple login, we will check for the email ID is hidden or not, if it is hidden we cant log in because we must have a valid email id. So we show a modal with " We can't log you in because your email is hidden. Please select "Share My Email" to continue or use the regular email login option" If user shares an email, then will check for account exists for that email or not,if yes, it will allow to log-in to the app How can I sort out this problem?

News link: https://developer.apple.com/news/?id=12m75xbj If your app offers Sign in with Apple, you’ll need to use the Sign in with Apple REST API to revoke user tokens when deleting an account. I'm not good English. I'm confused about the above sentence Do I have to use REST API unconditionally or can I just delete to the account data?

In response to inquiries from users, we have confirmed the following phenomenon. If you select "Private email address" in the flow of new user registration with Apple ID, you will not receive the verification code email when performing two-factor authentication. ■User impact If you use your Apple ID to link an external account without making your email address public, you will not receive the authentication code during two-factor authentication and will not be able to proceed. The date and time of the impact is currently unknown. ◎Impact 1: New registration If you select "Private email address" in the flow of registering a new user with Apple ID, the verification code will not be received during two-factor authentication and registration will not be completed. ◎Impact 2: Login of existing account When two-factor authentication is required for an existing account registered with Apple ID set to "Private email address," the verification code is not received and the user cannot log in. →If you have not registered a login method other than Apple ID for the relevant account, there is no other way to log in. ■About workarounds ・I thought that I could avoid this issue by canceling the private setting of my Apple ID, but I was unable to do so. →There is currently no workaround found for existing users who are experiencing this issue. ・However, the scope of influence is limited. ■Cause investigation status Premise: For an Apple ID whose email address is not made public, the two-factor authentication authentication code email follows the following route. ①CDC/GIGYA miraiz-persol.jp (SendGrid) Apple's email server (relay server to hide the user's real email address) User mailbox →Since '1' are working, the problem seems to have occurred after the connection from ② or ③. (At this stage, we cannot determine who is at fault: the user, MIRAIZ, or Apple. We are currently investigating.) ◎Hypothesis ・Is there something wrong with Apple's mail server? ・Is it not delivered because the user's mailbox is full? ■Questions, research, and responses we would like to receive Please check the following two points and reply. 1st point As shown in the attached image, there seems to be no problem with the SPF settings. Is it possible to check to see if any errors have occurred with Apple's mail server? 2nd point Are there any cases where you still can't receive emails even if you deactivate your Apple ID? I would like to know if there are any patterns in which emails are not being delivered in terms of past inquiries or overall specifications

We have 2 developers: Developer A created a Bundle ID and configured Sign in with Apple, but didn't create a corresponding App. This Bundle ID is only used for login on our official website. Developer B created a Bundle ID, configured Sign in with Apple, and has a corresponding App. The issue we're encountering is that because these two Bundle IDs are under different teams, when using the same Apple ID to log into these two applications, different accounts are generated. (We've tested that when creating Service IDs under the same team, logging in with Bundle IDs under the same team generates the same account.) Since Developer A's Bundle ID doesn't have a created app, it cannot be transferred to Developer B. Therefore, we'd like to know if there's any way to make the accounts generated from logging in with the same Apple ID be identical across these two teams?

Hello We would like to proceed with the transfer of ownership of the launched app based on the Cafe24 platform.(Web App) Last month, I inquired about how to transfer the Apple account login function together when transferring ownership and received a related manual. When I asked and inquired about help from several developers regarding that part, they all received different answers. Please review the answers below, and I would really appreciate it if you could guide me on how to proceed. Developer 1: Cafe24-based launch apps require a separate transfer of the login function. It does not affect if you do not delete the existing member data in the database, and you only need to activate the login function to the new developer account. Developer 2: Checking and analyzing existing servers and data - Transfer user data to Apple using Apple's Legacy User Identifier - Synchronize user data - Test and modify It has to proceed to the above four steps, and synchronization work is also required to maintain all of the existing user's data because all of the user's identification values change when the login function is transferred. Developer 3: It appears to be a task that needs to be stored in the server database by migrating from the user identifier created in the existing developer account to the user identifier to be used in the new developer account, which is not what the app is supposed to do, and it is recommended to find other experts. Thank you.

Hello Apple Developer Community, We are experiencing an issue with email delivery when users sign in using "Sign in with Apple" on our platform. We need assistance in understanding and resolving this problem. Issue Description: When users choose to hide their email during the "Sign in with Apple" process, Apple provides a private relay email address (e.g., xxxx@***). These private relay email addresses are successfully received and stored in our system via the OIDC protocol implemented on Keycloak. Verification emails are sent from our configured email address to the private relay email addresses. However, users do not receive these emails, and we suspect they are not being forwarded to the user’s actual email address. Steps Taken: Sender Address Configuration: We have verified that our email is properly set up and authorized to send emails. DNS Records: Our DNS records (SPF, DKIM, and DMARC) are configured to comply with email authentication standards. Whitelisting Sender Address: We attempted to whitelist the sender address as per recommendations but have not seen any improvement. Questions: Are there additional DNS configurations or records required for the Apple private relay to forward emails properly? Is there a process to validate our sender address with Apple to ensure email forwarding works? Are there specific guidelines or restrictions for sending emails to privaterelay.appleid.com addresses that we should follow? Is there a way to verify if Apple’s private relay email service is functioning correctly for our domain? Relevant Information: We use Keycloak to implement the OIDC protocol and store the private relay email address during the "Sign in with Apple" process. Our verification emails are sent from our email address. We have referred to the Apple documentation and community posts but could not find a clear resolution. Any guidance or recommendations from the community would be greatly appreciated. Thank you in advance for your support!

I have tried everything to get the user field returned with Sign in flow and it never does, not for new users, not even if i create a new app! Working with Apple is so frustrating and you have to pay for it!! Referencing this page, I am using scope=name email. I have tried using + and %20 as the spacer and neither makes a difference. I have also tried setting response_type = code and code id_token (again with + and %20 as the spacer) which also doesn't make a difference. Always the id_token is returned and always the email, but never the user. https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/incorporating_sign_in_with_apple_into_other_platforms#3332115 AUTHORIZE REQUEST https://appleid.apple.com/auth/authorize? { "response_type": "code", "client_id": "com.example.service", "scope": "name email", "state": "77264297-813c-4738-83ef-f1b77daea04c", "redirect_uri": "https://example.com/auth/apple/callback", "code_challenge_method": "S256", "code_challenge": "2SJCneEpjKcN.....xIIHnpqcvjK_Y0s", "access_type": "offline", "nonce": "1734523662", "response_mode": "form_post" } TOKEN REQUEST https://appleid.apple.com/auth/token? { "grant_type": "authorization_code", "code": "c870aaec987a14.....dqakaGP4Yn1nH3dnPgww", "client_id": "com.hikesync.service", "client_secret": "eyJhbGciOiJFUzI....3izij6dojYfdV6JMdbQPx3sOA", "redirect_uri": "https://hikesync.com/auth/apple/callback", "code_verifier": "38hHUC....mYuE0zfYVNTycg" } RESPONSE { "access_token": "a2b70e12d38b446....4hA7-RLNj0ifU5Q", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "rb4ed9be2b4024......w5RWjVFUQ", "id_token": "eyJraWQiOiJyQlJmV.......0Df0ihEJiA" } JWT { "iss": "https://appleid.apple.com", "aud": "SERVICE_ID", "exp": 1734606699, "iat": 1734520299, "sub": "000000.f7f7c0ac.....db9fad7e19.1111", "nonce": "NONCE", "at_hash": "NAfjmciTi2NtmPYIMAgjig", "email": "abc123@privaterelay.appleid.com", "email_verified": true, "is_private_email": true, "auth_time": 1734520297, "nonce_supported": true }

Hello Developers, I have ran into a problem while sending mail to apple private relay email. We have built a mobile application where user can sign up through apple and they can sign up using hide-my-email feature. Which provides private relay address for us. Now we want to communicate with them using private relay mail address. The technology we are using to send emails are amazon SES, have done SPF, DMIK, DMARC and added domains in apple identity services for mail communication, passed an SPF check as well. But still mail is not getting delivered what am i doing wrong or apple doesn't support third party apps for sending emails to private relay? Is there any other way to achieve this please let me know Using the same body as attached in image is working fine for rest emails.

https://developer.apple.com/documentation/sign_in_with_apple/revoke_tokens/ As shown in the documentation, when I tested via curl, I received a response with status 200, but when I logged in to account.apple.com with the linked account, it shows that it is still connected. I would like to know if there is any additional way to verify that the revoke api is working properly.

Hello, We recently transferred our iOS app from an individual developer account to a corporate account. By following this guide (link), we successfully obtained the transfer identifiers for all our current users and have stored the data fetched from Apple. Now that the transfer has been completed for about 10 hours, we're attempting to remap the old identifiers to the new ones using this guide (link). Unfortunately, all our requests are returning an 'invalid_request' error. I've noticed others have faced the same problem, but I haven't found a solution yet. Can anyone help me resolve this issue?

We are developing a captive portal for a community Wi-Fi service that will be deployed to thousands of locations around the world. The service is a paid service that sells Wi-Fi connectivity by data volume rather than time. We want to enable our customers to Sign in with Apple without giving them full internet access until they have made a purchase. This requires us to whitelist domains and URLs to make this work. Where can I find a complete list of domains that are required for Sign in with Apple to function correctly? It’s not possible for us to whitelist *.apple.com because that results in significant (free) background network traffic during the sign in process. So far we have whitelisted: account.apple.com appleid.apple.com appleid.apple-cdn.com idmsa.apple.com gsa.apple.com mzstatic.com Our customers are still having issues with Sign in with Apple while interacting with our captive portal in the iOS pseudo browser. How can we debug this because we cannot use the Safari developer tools with the pseudo browser. Are there any logs when doing this on a Mac that we can check in the Console? If we kick the user out to Safari then they are able to complete the Sign in with Apple process, but that is not the user experience we want.

hello. I am using the app with webview. When I log in to Apple, a typeerror appears. How can I solve this? TypeError: this.attr(...).serialize is not a function at u.get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:691:77511) at t.getValueAndBind (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:145:1485) at e.Compute._on (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:3608) at e.Compute.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:2378) at e.Compute._bindsetup (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:145:3277) at e.bindAndSetup [as bind] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:131:200) at e.Compute.temporarilyBind (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:3888) at e.Compute.get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:2827) at Object.u [as compute] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:117:194) at u.___get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:59:1930) TypeError: Cannot read properties of undefined (reading 'serialize') at u.inserted (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:691:116897) at HTMLElement.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:187:673) at HTMLElement.dispatch (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:39204) at v.handle (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:37199) at Object.trigger (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:67752) at Object.trigger (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:224:258) at e.inserted (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:290:412) at t.each.e.fn.<computed> [as append] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:224:2129) at O.fn.init.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:46985) at W (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:28565)

hello. I am using the app with webview. When I log in to Apple, a typeerror appears. How can I solve this? TypeError: this.attr(...).serialize is not a function at u.get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:691:77511) at t.getValueAndBind (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:145:1485) at e.Compute._on (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:3608) at e.Compute.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:2378) at e.Compute._bindsetup (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:145:3277) at e.bindAndSetup [as bind] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:131:200) at e.Compute.temporarilyBind (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:3888) at e.Compute.get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:2827) at Object.u [as compute] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:117:194) at u.___get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:59:1930) TypeError: Cannot read properties of undefined (reading 'serialize') at u.inserted (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:691:116897) at HTMLElement.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:187:673) at HTMLElement.dispatch (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:39204) at v.handle (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:37199) at Object.trigger (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:67752) at Object.trigger (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:224:258) at e.inserted (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:290:412) at t.each.e.fn.<computed> [as append] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:224:2129) at O.fn.init.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:46985) at W (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:28565)

Hello community, In our application, we've implemented Apple ID for user authentication. Unfortunately, we forgot to register the associated domains and communication email addresses. This oversight has led to complications in email delivery via the private relay service. We've taken steps to fix the issue by reconfiguring the domains and communication email addresses. Post-adjustment, new user registrations are functioning properly. However, for users who registered before this fix, the problem persists. We followed the instructions provided on https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/communicating_using_the_private_email_relay_service, and we also have SPF configured, which has passed validation in our administration. Has anyone encountered a similar issue, and if so, how did you resolve it? Any insights or guidance would be greatly appreciated.

I'm trying to set up Sign In With Apple on my .NET 7 Web App (Not sure how many people here use this). I followed the guide by Scott Brady here: https://www.scottbrady91.com/openid-connect/implementing-sign-in-with-apple-in-aspnet-core It reaches Apple Sign In OK, authenticates, and passes back to my server, but the callback responds with this error. OpenIdConnectProtocolException: Message contains error: 'invalid_client', error_description: 'error_description is null', error_uri: 'error_uri is null'. Googling hasn't helped much, other than I saw a post saying to wait 48 hours, which I have now done (not that that makes sense anyway). Any idea whats been done wrong? Code below, replacing sensitive data. Startup.cs .AddOpenIdConnect("apple", async options => { options.Authority = "https://appleid.apple.com"; // disco doc: https://appleid.apple.com/.well-known/openid-configuration options.ClientId = "com.rackemapp.applelogin"; // Service ID options.CallbackPath = "/signin-apple"; // corresponding to your redirect URI options.ResponseType = "code id_token"; // hybrid flow due to lack of PKCE support options.ResponseMode = "form_post"; // form post due to prevent PII in the URL options.UsePkce = false; // apple does not currently support PKCE (April 2021) options.DisableTelemetry = true; options.Scope.Clear(); // apple does not support the profile scope options.Scope.Add("openid"); options.Scope.Add("email"); options.Scope.Add("name"); options.Events.OnAuthorizationCodeReceived = context => { context.TokenEndpointRequest.ClientSecret = AppleTokenGenerator.CreateNewToken(); return Task.CompletedTask; }; }); Apple Token Generator public static class AppleTokenGenerator { public static string CreateNewToken() { const string iss = "[MyTeamId]"; // your account's team ID found in the dev portal const string aud = "https://appleid.apple.com"; const string sub = "com.rackemapp.applelogin"; // same as client_id var now = DateTime.UtcNow; // contents of your .p8 file const string privateKey = "[MyKey]"; var ecdsa = ECDsa.Create(); ecdsa?.ImportPkcs8PrivateKey(Convert.FromBase64String(privateKey), out _); var handler = new JsonWebTokenHandler(); return handler.CreateToken(new SecurityTokenDescriptor { Issuer = iss, Audience = aud, Claims = new Dictionary<string, object> { { "sub", sub } }, Expires = now.AddMinutes(5), // expiry can be a maximum of 6 months - generate one per request or re-use until expiration IssuedAt = now, NotBefore = now, SigningCredentials = new SigningCredentials(new ECDsaSecurityKey(ecdsa), SecurityAlgorithms.EcdsaSha256) }); } } Also attached, images of my keys and setp in developer portal

Hello, we implemented Apple Sign-In in our website long ago, and it worked well. Recently we have found a strange behaviour. The first time we make the request to the /auth/token endpoint we get an invalid_client error. Our client id is com.spicysparks.service.id If we make a request another time with exactly the same data it works fine. We noticed we get this error only when we try a newly generated client secret for the first time.

We have a game that provides a mechanism to log into the game with Sign in with Apple in a direct integration between the game and Apple (first mechanism). We also provide a mechanism to log into the game using OpenID connect with authorization from Apple but using a server in the middle that drives the process (second mechanism). It is important to mention that both mechanisms use the same oauth client. We have been able to switch from the first mechanism to the second successfully, but there is a problem with id_token. In the second mechanism we request the scopes "email", "openid" and "name", but in the retrieved id_token there is no information about the email. It happens for all users who previously signed in with Apple using the first mechanism (therefore there is a current link between the game and the user in AppleId). It does not happen with users who had no link between the game and the user and use the second mechanism, in this case we can retrieve the user information in the callback of the first call and the email in the id_token, as stated in the documentation. However, if users who had a link between the game and the AppleId delete the app and then log back in using the second mechanism, then we can get the email information with the exact same request. The request we use to obtain the authorized endpoint information (https://appleid.apple.com/auth/authorize) has these parameters: response_mode: query scope: email openid profile nonce: ... state: ... response_type: code Then we get the authentication code and get an id_token like this: { "iss":"https://appleid.apple.com", "aud":"{aud}", "exp":1705584621, "iat":1705498221, "sub":"{sub}", "nonce":"7f-PqBoXgxeDMOEu5Ysov0FjE9GvSYfq", "at_hash":"3kLcPBlwZP6aj_mscww5zA", "authentication_time":1705498218, "nonce_supported":true } Is there a way to retrieve the email for users who had the link and don't want to delete it or log back into the app? In the official Apple documentation it is stated that the id_token should have the email but this is not the case. https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple#3383773

Problem Situation User membership withdrawal request → revoke API call It always returns status code 200, but once out of 5~10, it remains an app linked to the user's Apple ID. Re-request user Apple login → Email is returned as null Currently, the only solution is for users to manually delete apps linked to their Apple ID. Email sent when re-requesting Apple login When the above problem occurs, even if the Revoke API is called multiple times, the app linked to the user's Apple ID is not deleted, and when requesting Refresh Token validation, it has already expired. Releated Issues https://forums.developer.apple.com/forums/thread/707181

Hello. On my game I have Apple Sing In option that is required to keep user high score, show name in game, and for other app functionality. Game is made on Unity. Now when I'm trying to port the game to Vision Pro, Im getting error that Authentication is not supported on this platform. It may be the plugin issue that I'm using(not sure yet). But I also didn't find any documentation for native code ( so I could make plugin that unity game could use). Question: does VisionOS support Apple Sing In in the applications? if yes please give me some resources. if no - is there any plans to add that functionality? Thanks.

We are implementing Sign Up with Apple ID and facing the following issue: Email is returned only on the first response. All subsequent responses for this user do not return email. But our system is email-driven. So, if user first signs up on our TST environment then we will not be able to Sign up this user on UAT and Prod without an email in response. Could anyone please advise how to approach this problem.