Sign in with Apple

Sign in with Apple enables users to sign into apps and websites using their Apple ID.

Posts under Sign in with Apple tag

138 Posts
Post

Replies

Boosts

Views

Activity

Handling account deletions and revoking tokens for Sign in with Apple
The revoke tokens endpoint (/auth/revoke) is the only way to programmatically invalidate user tokens associated to your developer account without user interaction. This endpoint requires either a valid refresh token or access token for invalidation, as Sign in with Apple expects all apps to securely transmit and store these tokens for validation and user identity verification while managing user sessions.

If you don’t have the user’s refresh token, access token, or authorization code, you must still fulfill the user’s account deletion request and meet the account deletion requirement. You'll need to follow this workaround to manually revoke the user credentials:

1. Delete the user’s account data from your systems.
2. Direct the user to manually revoke access for your client.
3. Respond to the credential revoked notification to revert the client to an unauthenticated state.

Important: If the manual token revocation isn’t completed, the next time the user authenticates with your client using Sign in with Apple, they won’t be presented with the initial authorization flow to enter their full name, email address, or both. This is because the user credential state managed by Sign in with Apple remains unchanged and returns the .authorized credential state, which may also result in the system auth UI displaying the “Continue with Apple” button.

Respond to the credential revoked notification

Once the user’s credentials are revoked by Apple, your client will receive a notification signaling the revocation event:

- For apps using the Authentication Services framework to implement Sign in with Apple, register to observe the notification named credentialRevokedNotification.
- For web services, if an endpoint is registered for server-to-server notifications, Apple broadcasts a notification to the specified endpoint with the consent-revoked event type.

When receiving either notification, ensure you’ve already performed the following operations to meet the requirements of account deletion:

- Deleted all user-related account data, including:
  - The token used for token revocation;
  - Any user-related data stored in your app servers; and
  - Any user-related data stored in the Keychain or securely on disk in the native app or locally on web client.
- Reverted the client to an unauthenticated state.

Securely store user tokens for account creations

For all new user account creations, follow the expected authorization flow below:

1. Securely transmit the identity token and authorization code to your app server.
2. Verify the identity token and validate the authorization code using the /auth/token endpoint.
3. Once the authorization code is validated, securely store the token response — including the identity token, refresh token, and access token.
4. Validate the refresh token up to once per day with Apple servers (to manage the lifetime of your user session and for future token revocation requests), and obtain access tokens (for future token revocation, app transfer, or user migration requests).

For information about verifying an identity token and validating tokens, visit Verifying a user and Generate and validate tokens. If you have questions about implementing these flows, including client authorization, token validation, or token revocation, please submit a Technical Support Incident.
0
0
11k
Jun ’22
Why isn't the user data being returned every time?
I am implementing Sign in with Apple using the JS framework.

When the user (me, right now) signs in for the first time, I get data I need! The parameters look like this:

    Parameters:{"state"=>"[state]", "code"=>"[code]", "id_token"=> "[jws token]", "user"=>"{\"email\":\"[the email I need]\"}"}

My scope is just "email," I don't need (or want) their name.

Next, I try signing in again (same everything). But, I get this option. When I click "continue" the data looks like this:

    Parameters:{"state"=>"[state]", "code"=>"[code]", "id_token"=> "[id token]"}

As you can tell, there is no user object, no email, nothing I can use! If I do the code response and get an access token, I can't use it. There's no public, known endpoints to just get the email they used. There's no point in storing the email if I can never check for it the next time they sign in.

This is happening on multiple browsers on macOS 10.14.4.

On my iPhone running iOS 13 developer beta 3, every time I click the button, I get the option to "share" or "hide" my email (even though, as shown above, I've signed in before), and sharing the email actually shares it, while hiding it.. well hides it. However, the user data is always there.

This bug(?) only appears when clicking Continue, which I can assume appears on devices that aren't running iOS 13. It's quite a problem on devices that aren't this small set of devices, so I hope this is either known, easily fixable, or something! Thanks for any help you can provide.
40
1
27k
Oct ’23
id_token not unique across platforms?
We're implementing SIWA on iOS and a web application using Sign in with Apple JS. I've set up a service ID tied to the application ID and can successfully get callbacks on both platforms. I'm noticing that the user id provided by the iOS app is different than the id provided by the web application. We were expecting these to be different so we can store on our end and identify the user without having to use their email.
1
0
721
Aug ’23
Verifying JWS E256 signature using the server’s public key Apple sign-in
https://developer.apple.com/documentation/signinwithapplerestapi/verifying_a_user

As per the above link, to verify an IDToken signature, Apple's public key needs to be used. I am able to fetch Apple's public key, but I am unable to verify the signature of IDToken via the public key. I am trying to implement this in Java.

What exactly is meant by "JWS E256 signature"? Which algorithm? Also, once public key is fetched (sample PK posted below), which algorithm to use to form the public key?

    {
      "keys": [
        {
          "kty": "RSA",
          "kid": "AIDOPK1",
          "use": "sig",
          "alg": "RS256",
          "n": "someValue",
          "e": "someValue"
        }
      ]
    }
3
0
7.9k
Aug ’23
Safari Web Extension and Sign in with Apple
My existing chrome extension has "Sign in with Apple" given that we have iOS users. When user clicks "Continue with Apple" button in the extension log in pop up, this is what we do:

    window.open(
      'https://appleid.apple.com/auth/authorize?client_id=' + clientID +
        '&redirect_uri=' + backEndURL +
        '&response_type=id_token%20code&response_mode=form_post&scope=email%20name',
      'Sign in with Apple',
      'height=500,width=400,left=600,top=200,status=no,location=no,toolbar=no,menubar=no'
    )

In chrome, this opens a popup window with that URL. In Safari Converted Web Extension, it opens custom Apple sign in flow, where it says: "Do you want to sign in to *** with your Apple ID YYY?" and then with my mac password I'm able to authenticate. Afterwards, nothing happens. Expected: a redirect to the URL specified in the window.open.

Now let's do a trick: I'll wrap the above window.open code into

    setTimeout(() => { window.open(...) }, 3000)

Because of security reasons, safari then won't open the popup after 3s and will display a notification in the toolbar "Popup blocked..". If we allow the popup, then it finally opens as a normal window popup and after sign in, it redirects to our backend and it successfully authenticates.

Any ideas how to solve this?

P.S. We're not able to use embedded Sign in with Apple JS - https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple script because we can't host a remote code in the extension (it will be deprecated soon). So, we are using this. - https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/incorporating_sign_in_with_apple_into_other_platforms
2
0
1.7k
May ’24
Apple sign in fail "Sign Up Not Completed"
Something seems to be wrong in the Apple Sign In modal. After pressing the Continue button and going through Face ID, it displays Sign Up Not Completed and does not proceed. This was working fine a few days ago, but then I had to download a new provisioning profile and now it is broken. There are no errors in the log when this happens, but when I close the sign in modal it logs: [core] Authorization failed: Error Domain=AKAuthenticationError Code=-7003 "(null)" The operation couldn’t be completed. (com.apple.AuthenticationServices.AuthorizationError error 1001.) Please help! I even spun up a fresh new project and made new ID / Provisioning profile and this error is still happening. Thanks!
3
2
1.6k
Aug ’23
Your app requires users to provide their name and/or email address after using Sign in with Apple.
Hi there, This is my first time posting here and I hope someone can share a similar experience. Our company app update was rejected twice within a week for this reason. (Your app requires users to provide their name and/or email address after using Sign in with Apple.) We already submitted a new build with this fix along with an explanation and screen recording. However, as you may know, there's no way to retrieve the username after the first-time Apple sign in (value is null), so our solution is to save the username in our server instantly after the 1st time API callback. It works as expected on several physical devices and simulators. However, I wonder if the situation now is: the device / robot that is used to check our app didn't clear the "Apps Using Apple ID" in iOS settings, so the fix will not work because it has already passed the 1st time login. Otherwise, on our side, we cannot find and resolve the issue. Is there anything I can do other than file an appeal to the App Review Team? Thanks for your time.
3
2
2.7k
Aug ’23
Sign up with Apple not working
I have implemented a Sign up with Apple button with usePopup=true. When I click the button I get the popup window. After authenticating I click the final "Continue" button and nothing happens. Well technically there is a request to https://appleid.apple.com/appleauth/auth/oauth/authorize. Clicking "Continue" more than once results in the error "Your request could not be completed because of an error. Please try again later." Where do I go from here?
3
0
1.4k
Oct ’23
Sign in with Apple - Services ID List do not update
Hi guys, I have been using a services id for my apps and websites to use the Sign in with Apple feature for over 3 months. All of a sudden the website urls and return urls I newly add to the services id don't work. I am getting "invalid_request Invalid web redirect url." errors. I have checked the urls carefully (https), I also added many new ones but none of them worked. In order to test it I also removed some of the current return urls from my websites to see if it will stop working but no, the ones I removed still work which kind of confirms my theory that it does not update the list, it is bugged. Quite weirdly, the new native apps I submitted to the store also do not work, they give the error "Sign-up Not Completed". Does anyone have any idea? Such a weird problem all of a sudden.
5
1
2.9k
Aug ’23
Apple rejected my App due to an error message which appears when user attempts to sign in with the Sign In with Apple option
Some background: A user must sign up for an account on our platform via a browser before they can sign in to our iOS app using an Apple ID, otherwise we present the following error message as shown in the attached image. Authentication and session management is handled using AWS Cognito on our platform and we believe AWS Cognito is using the relevant API for Apple ID Sign Ins. For account deletion we are providing an account deletion option within the app to the user (who has to be signed in) under Account Settings. For a valid deletion request, we are deleting a user’s records from our database. For revoking, generating, and validating tokens we are using AWS Cognito to handle token revocation, generation, and validation.

Ask: Apple reviewers provided additional information (shown below) to help us resolve this issue. But I am not clear how this addresses their concern and would appreciate some guidance on how I could resolve it.

Apple reviewer recommendation

Apps that offer Sign in with Apple should use the REST API to revoke user tokens. If you have not retained the user’s refresh token, access token, or authorization code, you must still fulfill the user’s account deletion request. To learn more, we recommend reviewing the following resources:

- Handling account deletions and revoking tokens for Sign in with Apple
- Revoke tokens
- Generate and validate tokens
1
0
1.1k
Oct ’23
App Store Review with Social Sign In Demo Account
We're trying to release a social media app that uses social sign in. The two sign in options are Google sign in and Apple sign in. Our app keeps getting rejected because the testers cannot login to the demo account. Apple requires a 2 factor verification, and Google requires a 2 factor verification. At this point, we are stuck. We don't want to go through the process of keeping track of usernames and passwords just for app review. What do we do?
1
2
810
Sep ’23
Error saving Identifier capability change
I have an "identifier" for my app in Certificates, Identifiers & Profiles. I am trying to change the "Sign In with Apple" capability for the identifier. I click "Edit" (see image 1) to open the "Sign In with Apple: App ID Configuration" modal. In this modal, I change the radio button to "Group with an existing primary App ID", and then select my App ID from the dropdown (see image 2). I click "Save" on the modal and it closes as expected. Then I click "Save" on the main page, and then "Confirm". After clicking "Confirm", I get the error message below:

"There is a problem with the request entity. Please choose a different app identifier to set up related consent." (See image 3)

I tried to do the same process for another app and its identifier, but encountered the same problem. Can anyone point me in the right direction? I've been in contact with Apple support but haven't made any progress in weeks. Thanks.

My goal is to enable Sign In with Apple in my app; maybe my approach is wrong, but I saw somewhere that I needed to enable 'Group with an existing primary App ID'.
2
1
1k
Jul ’23
Sign in with Apple button dark mode in Swift
I implemented Sign in with Apple but in all cases the button is always black. I would like to show it in light/dark mode depending on the phone settings. This is my code:

    import AuthenticationServices
    import UIKit

    class MyAuthorizationAppleIDButton: UIButton {

        private var authorizationButton: ASAuthorizationAppleIDButton!

        @IBInspectable
        var cornerRadius: CGFloat = 3.0

        @IBInspectable
        var authButtonType: Int = ASAuthorizationAppleIDButton.ButtonType.default.rawValue

        @IBInspectable
        var authButtonStyle: Int = ASAuthorizationAppleIDButton.Style.black.rawValue

        override public init(frame: CGRect) {
            super.init(frame: frame)
        }

        required public init?(coder aDecoder: NSCoder) {
            super.init(coder: aDecoder)
        }

        override public func draw(_ rect: CGRect) {
            super.draw(rect)

            // Create ASAuthorizationAppleIDButton
            authorizationButton = ASAuthorizationAppleIDButton(authorizationButtonType: .signIn, authorizationButtonStyle: .black)

            let type = ASAuthorizationAppleIDButton.ButtonType.init(rawValue: authButtonType) ?? .default
            let style = ASAuthorizationAppleIDButton.Style.init(rawValue: authButtonStyle) ?? .black
            authorizationButton = ASAuthorizationAppleIDButton(authorizationButtonType: type, authorizationButtonStyle: style)
            authorizationButton.cornerRadius = cornerRadius

            // Show authorizationButton
            addSubview(authorizationButton)

            // Use auto layout to make authorizationButton follow the MyAuthorizationAppleIDButton's dimension
            authorizationButton.translatesAutoresizingMaskIntoConstraints = false
            NSLayoutConstraint.activate([
                authorizationButton.topAnchor.constraint(equalTo: self.topAnchor, constant: 0.0),
                authorizationButton.leadingAnchor.constraint(equalTo: self.leadingAnchor, constant: 0.0),
                authorizationButton.trailingAnchor.constraint(equalTo: self.trailingAnchor, constant: 0.0),
                authorizationButton.bottomAnchor.constraint(equalTo: self.bottomAnchor, constant: 0.0),
            ])
        }
    }

So basically with the code above, I can set on Storyboard the style of the button but it seems that even if I change the value at my code, the result is based on what I chose on Storyboard's variable. Is there any solution where I would be able to show the button in light/dark mode depending on the phone settings?
1
1
738
Jul ’23
"Sign In with Apple" feature - supporting "login with another apple ID"
I was referring to the documentation provided here for implementing the "Sign In With Apple" feature for macOS. Everything works well, except I need one more feature: the user can login with another Apple ID (not registered in macOS) if the user wants to. I saw multiple apps have that in the Apple authentication screen, but I can't find any documentation/articles to support that. Does anyone have any idea?
0
0
364
Jul ’23
iOS | Security issue on Apple Sign In token
Currently, as part of the project, we are decoding the token at server side which we received from the iPhone app after Apple login.

iOS code snippet:

    let appleIDToken = appleIDCredential.identityToken
    let idTokenString = String(data: appleIDToken, encoding: .utf8)

The idTokenString value is passed to the server.

Server side code snippet:

    jwt.decode(token, { complete: true });

The token value is the idTokenString which we received from the iOS app.

We are facing a security concern as this token can be decoded directly without any security key. Is there any way by which we can get the token from Apple with an encrypted key? This key will be kept as a secret key at Apple and on our project side as well. Hence, it will be secured. Or is there any Apple link where this token can be decoded? Please check on this concern. We have attached a screenshot for your reference.
1
0
474
Aug ’23
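
Added example, not code from any post above or from Apple: the "Verifying JWS E256 signature" and "Security issue on Apple Sign In token" posts both turn on the identity token's signature. The token is signed (RS256, per the JWKS entry quoted above) rather than encrypted, so a server has to check the signature against the published key whose kid matches, then check the claims, before trusting anything decoded from it. The key pair, the kid TESTKID1, the client ID com.example.app and all function names are constructed for this demonstration; a locally generated key stands in for Apple's published key so the block runs offline.

```javascript
const crypto = require('node:crypto');

const b64urlJson = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Verify signature first, then claims. Returns the payload or throws.
function verifyIdentityToken(token, jwks, { issuer, audience, now = Date.now() / 1000 }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = b64urlJson(h);
  // Pin the algorithm on the server; never let the token header choose it.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'RSA');
  if (!jwk) throw new Error('unknown kid');
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' }); // built from n and e
  const sigOk = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!sigOk) throw new Error('bad signature');
  const claims = b64urlJson(p);
  if (claims.iss !== issuer) throw new Error('bad iss');
  if (claims.aud !== audience) throw new Error('bad aud');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Constructed fixture: local RSA key pair published as a one-entry JWKS.
function makeFixture() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'TESTKID1', use: 'sig', alg: 'RS256' }] };
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const sign = (claims, alg = 'RS256') => {
    const input = `${enc({ alg, kid: 'TESTKID1' })}.${enc(claims)}`;
    return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
  };
  return { jwks, sign, enc };
}

// Runs a genuine token, a token with a swapped payload, and one claiming alg "none".
function demo() {
  const { jwks, sign, enc } = makeFixture();
  const now = Math.floor(Date.now() / 1000);
  const opts = { issuer: 'https://appleid.apple.com', audience: 'com.example.app', now };
  const claims = { iss: opts.issuer, aud: opts.audience, sub: 'constructed-user-id', exp: now + 600 };
  const token = sign(claims);
  const [h, , s] = token.split('.');
  const swapped = `${h}.${enc({ ...claims, sub: 'someone-else' })}.${s}`;
  const check = (t) => {
    try { return verifyIdentityToken(t, jwks, opts).sub; } catch (e) { return `rejected: ${e.message}`; }
  };
  return { genuine: check(token), swapped: check(swapped), algNone: check(sign(claims, 'none')) };
}

console.log(demo());
```

A decode-only call would return the payload for all three tokens; only the signature check separates the genuine one from the other two.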