The type of the email_verified (standard) claim is STRING. According to the specification [1] it should be BOOLEAN. Current Example Returned by Apple: "email_verified": "true" OpenID Standard Should Ve: "email_verified": true [1]openid.net/specs/openid-connect-core-1_0.html#StandardClaims

We have a game that provides a mechanism to log into the game with Sign in with Apple in a direct integration between the game and Apple (first mechanism). We also provide a mechanism to log into the game using OpenID connect with authorization from Apple but using a server in the middle that drives the process (second mechanism). It is important to mention that both mechanisms use the same oauth client. We have been able to switch from the first mechanism to the second successfully, but there is a problem with id_token. In the second mechanism we request the scopes "email", "openid" and "name", but in the retrieved id_token there is no information about the email. It happens for all users who previously signed in with Apple using the first mechanism (therefore there is a current link between the game and the user in AppleId). It does not happen with users who had no link between the game and the user and use the second mechanism, in this case we can retrieve the user information in the callback of the first call and the email in the id_token, as stated in the documentation. However, if users who had a link between the game and the AppleId delete the app and then log back in using the second mechanism, then we can get the email information with the exact same request. The request we use to obtain the authorized endpoint information (https://appleid.apple.com/auth/authorize) has these parameters: response_mode: query scope: email openid profile nonce: ... state: ... response_type: code Then we get the authentication code and get an id_token like this: { "iss":"https://appleid.apple.com", "aud":"{aud}", "exp":1705584621, "iat":1705498221, "sub":"{sub}", "nonce":"7f-PqBoXgxeDMOEu5Ysov0FjE9GvSYfq", "at_hash":"3kLcPBlwZP6aj_mscww5zA", "authentication_time":1705498218, "nonce_supported":true } Is there a way to retrieve the email for users who had the link and don't want to delete it or log back into the app? In the official Apple documentation it is stated that the id_token should have the email but this is not the case. https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple#3383773

The sign in with Apple prereqs state that: you must have an existing app in the App Store that uses Sign in with Apple If you want to support sign in with apple on a website but do not need an iOS app specifically for that website is possible to have a "dummy" app that isn't released to the app store but will serve to support sign in with Apple?

i heard that i need to provide an alternative option to create account in my app if i use any third party social platform to create account which is facebook in my case. so i removed the facebook login option and added only apple sign in. now my doubt is, should i provide another option for the player? or is it alright with only apple sign in

Hello! I have never distributed an apple app before. Right now, I am trying to distribute a macOS app. I created a provisioning profile of type "Developer ID Application" and it has the following capabilities enabled. Now, when I download the profile and use it for my app, xcode gives me the following error: Lmk what I need to do since I am super unfamiliar with this process.

Hello, we implemented Apple Sign-In in our website long ago, and it worked well. Recently we have found a strange behaviour. The first time we make the request to the /auth/token endpoint we get an invalid_client error. Our client id is com.spicysparks.service.id If we make a request another time with exactly the same data it works fine. We noticed we get this error only when we try a newly generated client secret for the first time.

We are trying to integrate "Sign in with Apple" and are facing an issue where all users who chose to use Apple's private relay with the hide my email feature are unable to receive any mail sent by us. We have added our domain, mail from domain & email address to https://developer.apple.com/account/resources/services/configure and also verified the SPF. We also have DKIM setup. We use SES as our email provider and have added its SPF as recommended aswell. I have attached a sample delivery log from SES below. {"notificationType":"Delivery","mail":{"timestamp":"2024-01-17T10:20:07.592Z","source":"\"Redacted\" <admin@redacted>","sourceArn":"arn:aws:ses:ap-south-1:redacted:identity/redacted","sourceIp":"34.redacted","callerIdentity":"redacted-ses","sendingAccountId":"redacted","messageId":"redacted","destination":["redacted@privaterelay.appleid.com"]},"delivery":{"timestamp":"2024-01-17T10:20:12.385Z","processingTimeMillis":4793,"recipients":["redacted@privaterelay.appleid.com"],"smtpResponse":"250 2.0.0 Ok: queued as redacted","remoteMtaIp":"redacted","reportingMTA":"redacted.smtp-out.ap-south-1.amazonses.com"}}

We are Integrating SSO with Apple with our application Coordle, but facing the issue. When user click on "SignUp with Apple" button, at that time the facing error is "Your request could not be completed due to an error. Please try again later" Can you help us on this ? I have attached a ss.

I'm trying to set up Sign In With Apple on my .NET 7 Web App (Not sure how many people here use this). I followed the guide by Scott Brady here: https://www.scottbrady91.com/openid-connect/implementing-sign-in-with-apple-in-aspnet-core It reaches Apple Sign In OK, authenticates, and passes back to my server, but the callback responds with this error. OpenIdConnectProtocolException: Message contains error: 'invalid_client', error_description: 'error_description is null', error_uri: 'error_uri is null'. Googling hasn't helped much, other than I saw a post saying to wait 48 hours, which I have now done (not that that makes sense anyway). Any idea whats been done wrong? Code below, replacing sensitive data. Startup.cs .AddOpenIdConnect("apple", async options => { options.Authority = "https://appleid.apple.com"; // disco doc: https://appleid.apple.com/.well-known/openid-configuration options.ClientId = "com.rackemapp.applelogin"; // Service ID options.CallbackPath = "/signin-apple"; // corresponding to your redirect URI options.ResponseType = "code id_token"; // hybrid flow due to lack of PKCE support options.ResponseMode = "form_post"; // form post due to prevent PII in the URL options.UsePkce = false; // apple does not currently support PKCE (April 2021) options.DisableTelemetry = true; options.Scope.Clear(); // apple does not support the profile scope options.Scope.Add("openid"); options.Scope.Add("email"); options.Scope.Add("name"); options.Events.OnAuthorizationCodeReceived = context => { context.TokenEndpointRequest.ClientSecret = AppleTokenGenerator.CreateNewToken(); return Task.CompletedTask; }; }); Apple Token Generator public static class AppleTokenGenerator { public static string CreateNewToken() { const string iss = "[MyTeamId]"; // your account's team ID found in the dev portal const string aud = "https://appleid.apple.com"; const string sub = "com.rackemapp.applelogin"; // same as client_id var now = DateTime.UtcNow; // contents of your .p8 file const string privateKey = "[MyKey]"; var ecdsa = ECDsa.Create(); ecdsa?.ImportPkcs8PrivateKey(Convert.FromBase64String(privateKey), out _); var handler = new JsonWebTokenHandler(); return handler.CreateToken(new SecurityTokenDescriptor { Issuer = iss, Audience = aud, Claims = new Dictionary<string, object> { { "sub", sub } }, Expires = now.AddMinutes(5), // expiry can be a maximum of 6 months - generate one per request or re-use until expiration IssuedAt = now, NotBefore = now, SigningCredentials = new SigningCredentials(new ECDsaSecurityKey(ecdsa), SecurityAlgorithms.EcdsaSha256) }); } } Also attached, images of my keys and setp in developer portal

I'm having a problem with Apple recognizing my redirect url as valid. when making requests for user sign in through firebase. I used this tutorial to create a serviceID and private key, which I then setup on my end with firebase. Steps taken Create serviceID Tied to primary app ID that is configured for sign in with Apple Added domains for firebase hosted site Added return url provided by firebase Create private key Associated to the same primary app ID as the service ID Downloaded the key and placed it's content in firebase Added the team ID and key ID Setup client to use new OAuthProvider with redirects to Apple signin Is there a tool for validating redirect urls or location with logs to help me debug which part of my redirect Url is incorrect? Thanks

After signup via Apple Signup method in my Flutter app, it retrieves only First Name and Last Name, this was done by separating the full name given by the Apple signup divided into two, and populated it among the First Name and Last Name text boxes. In the same screen there is a date selector to select the birthday and 3 buttons to choose gender between Male, Female and Other. When I submitting to this app for AppStore it was rejected several time. This is the last message given by App Store Review - Hello, Thank you for your efforts to follow our guidelines. When registering with Sign in with Apple, your app still asks for First name, Last name, Birthday and Gender. First name and last name fields can be auto populated. Please note that birthday and gender fields are not directly related to the core functionality of the app. If you need more help, please kindly refer to App Store Connect Developer Help. Guideline 4.0 - Design Your app still requires users to provide their name, birthday and gender after using Sign in with Apple. This information is already provided by the Authentication Services framework. Next Steps Please revise the Sign in with Apple experience in your app to address the issues we identified above. What is the solution for this? If this is accepted when full name is displaying after signup in a seperate screen and birthday and gender in a seperate screens? Please guide me through this to be accepted my app by App Store Review. Thanks

Migrate existing Sign in with Apple user identifiers and private email relay addresses by exchanging transfer identifiers from one developer team to another with the user migration info endpoint. View Technote TN3519 >

Will I be able to communicate, with users that opted to Sign In with Apple to my app, using the private email relay service, after I remove app from App Store?

I use apple sign on web using the URL https://appleid.apple.com/auth/authorize?response_type=code%20id_token&amp;client_id=com.outblaze.mindfuloceanmeta-siwa&amp;redirect_uri=https://api.mindful-ocean.org/mindfulapi/appleauth&amp;cancel_uri=https://www.yahoo.com&amp;state=5f510c9e6b&amp;scope=name email&amp;response_mode=form_post when it comes to this stage and press "cancel", it redirect me to an invalid url. Where can i configure the URL for the cancel button?

Hello, I'm trying to migrate Apple Signed in users from one account to another during a migration. I followed every step in this documentation https://developer.apple.com/documentation/accountorganizationaldatasharing/creating-a-client-secret, and my save algo works for the old account but when I try to get the team identifier for the new account I'm getting this error Response Code 400 {"error":"invalid_client"} Generated JWT token for reference: eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IkpRWlY1VENUTTcifQ.eyJpc3MiOiI3MzVBSzlGVVYzIiwiaWF0IjoxNzA0NDU2MTc5LCJzdWIiOiJjb20ud2lsZGxpZmVzdHVkaW9zLmFma3NvY2NlciIsImV4cCI6MTcwNDQ1NjIwOSwiYXVkIjoiaHR0cHM6Ly9hcHBsZWlkLmFwcGxlLmNvbSJ9.iv3YPtOzcJxby2Zj-gCXkJEUmoh66DJ096Z3FlfjL2-u3dgVPZtcClhLnuUDPxOARUktYbH2XCJfM9wsusid0Q {'typ': 'JWT', 'alg': 'ES256', 'kid': 'JQZV5TCTM7'} {'iss': '735AK9FUV3', 'iat': 1704456179, 'sub': 'com.wildlifestudios.afksoccer', 'exp': 1704456209, 'aud': 'https://appleid.apple.com'}

I am an SDK developer and would like to know about code signing requirements that developers must support by Spring 2024.Please answer the following questions. １． According to various websites, I understand that code signing is mandatory for SDKs that fall under the Privacy-Impacting SDKs category and must be supported. Is that correct? ２． If we submit an application to the Store that incorporates an SDK that requires code signing but has not been code signed, we will receive an email stating that the application will be subject to rejection from the fall of 2023. Is that correct?

Hello, I have implemented "Sign in with Apple" in my app. After the user sign in the user have to fill some personal details like first name and last name, birthday etc. Unfortunately I didn't know that the first and last name has to be taken over from the users apple account, which the app reviewer told me to implement this feature. Now I did it and it works with a completely new account like expected. But it doesnt work for accounts which already signed in to the app, because apple provides only on the intital sign up the name of the user, which I save in the database afterwards. I told the reviewer that he/she has to reset its account (to revoke the connection to my app) or use a different account because he already signed up for the account, but the review doesn't want to do it, because it has to work without resetting the account. Unfortunatley there is no other solution. Does anyone has an idea how to solve this issue? Here is the anwer of the reviewer: "Hello, Regarding 4.0, Sign in with Apple provides sign-in information and is intended to be a self-contained, all-in-one login system. To resolve this issue, it would be appropriate to revise the Sign in with Apple experience in your app to address the issues we identified above. We look forward to reviewing your resubmitted app. Best regards, App Store Review"

I have tried to add sign in with apple to my website but i have a problem when I click the sign in with apple button I get this error Invalid Client Id Can anyone please tell me what is the correct way to add sign in with apple?

We'll be switching our application from being available for anonymous users to requiring login. We only have social logins so no email + pw method. FB, Google and as per Appstore requirements Apple ID. I know that the review process requires testers to be able to login, but I couldn't find any concrete information if having Apple ID is enough? I also couldn't find a way to create test accounts for Apple ID production mode, only for sandbox which as far as I know isn't enough for the testers as they need to be able to test the production application.

This is the follow up to this post post Tinder walkaround requires alot of extra work -> sending confirmation e-mail & handling that and all the cases. Apple should realy make that optional! As an example for my application option to sign in anonymously is not "best user experience" as a user is added to the "group" trough email and if by missatke he/she login with annonymus account and try to sign out to try sign in with normal account the option of choosing "normal" email will not be longer available. Then they need to go trough iphone settings and clear that (which no one acctuelly knows abbout)! There are some fixes where one can "revokeTokenWithAuthorizationCode" when signing out but those are just "fixes" that makes everything ugly. So dear apple the logic that this is for the "best user experience" does not hold for every application so that should be reconcidered, please!