Sign in with Apple missing email claim in the (JWT) identityToken

We have implemented a sign in with Apple(SiwA) for our iOS app. for the signup we require the user's Apple id and email address. We are getting user name and email details on first login attempts but after that to get the email we are decoding identity token and get the email address.


We observed that the identity token does not always contain the email address.


Please follow the below steps to reproduce the issue.


step 1: User clicks on Sign in with Apple button and it displays Apple authorization popup with details like name, share-email, and hide email option then in success response we get an email in received apple identity token.


step 2: Now user revoke signing access from the apple account by following steps (Setting -> Apple account -> Password & Security -> Apple id logins -> remove the app from options)


step 3: After step 2, User clicks again Sign in with the apple button and usually, it shows Authorization popup with details like step 1 and we got an email from the identity token in this case so we don't have any issue.


step 4: After step 2, the user clicks on the sign in with the Apple button and authorization popup contains only email address instead of a name, share email, or hide email options. In this case, we didn't get an email from the identity token.


The main problem is Authorization popup is not resetting after revoking access, it shows like previously logged-in state, and in this case, we don't get email otherwise we always get an email address from identity token.


Can we debug/identify why Authorization popup is not resetting after revoked access?


Any help would be appreciated.

We are having similar problem, would like to know why emai is missing in identity token.

Thx

Same issue is happening to one of my users consistently. Any solutions/workaround would be appriciated.

I am having different problem. I want to handle "Hide My Email" case. How can i get email address everytime when user chooses this option.

How you are decoding the userIdentity. If your using your own code or any other library please suggest.


BTW, My project is in Obj-C. Thanks in Advance.

Same here. No way at the moment to test all the different flows that we would expect from the Apple Sign In feature. Hope that Apple does not expect us to create an Apple account for every test we need to perform in order to make sure that the app works as intended. This makes testing really difficult, on top of which, Apple has strong-armed us into adding this feature.

They rejected our app for this reason, that we provided other social authentication options, like Google and Facebook, and did not include Apple Sing In.

At that point we had 2 options, to disable social auth all together, leaving thousands of users with no means to authenticate, or offer Apple Sign In within the app. Obviously, we did not go for the first one, so Apple Sing in it was. I was supposed to start my holiday 3 days ago, instead I started building this new feature in place. Yet this is where I am at. A nobody, in the middle of the Apple desert.

Very poor experience Apple. Really disappointed.

This would not be a huge issue, if we did not have critical issues being addressed in our latest release off the app, which got rejected by the App Store team on the basis of Apple Sign In. I have asked them to approve this release, hence the critical issues being addressed within it, with the promise to include the Apple Sign in feature in the next. And they wouldn't have it.

These things take at least 1 week to plan around, if you want to make sure you check all the security checkboxes. Just a huge disappointment.

And now this, no way to reset/revoke access, to be able to use the same account through all the possible journeys that a user could take while using the Apple Sing in feature.

We are in same situation here. No email is provided in JTW and they are refusing our app update.
We aren't receiving the JWT id_token at all. Just the user information during first login. What's more, if the login is via device, we never receive user info or token even when auth succeeds (emulator works fine). I'm tired, hungry, angry, disappointed, but why should Apple care about little old me?
Can I suggest that apple follow the tried and tested methods used by all other social login providers...

it already works... not sure there was a need to over complicate it apple..by a lot!

I have a similar problem.

step 1: User clicks on Sign in with Apple button and it displays Apple authorization popup with details like name, share-email, and hide email option then in success response we get an email in received apple identity token.

step 2: Now user revoke signing access from the apple account by following steps (Setting -> Apple account -> Password & Security -> Apple id logins -> remove the app from options)

step 3: After step 2, User clicks again Sign in with the apple button and instead of show the popup at step 1 the user view the usually popup that asks only for code / touch id / face id

I don't think that this is a correct flow, after revoking informations the userId does not change
We are experiencing the same issue. We get ID tokens without the email claim.
It is still not clear if it happens on first sign-in or only at following sign ins.

Anyway I don't understand the idea behind it - why should the ID token contain different fields if the scopes we request does not change??
I struggled with this too and I found two issues that you need to resolve:
  1. Make sure you specify scope=email when you send your initial authorize request (appleid.apple.com/auth/authorize endpoint). This requires that you use form-post response mode, so your callback URI will be invoked with HTTP method POST instead of GET.

  2. If you have already used your email address to log on, then the account hasn't consented to hand-over the email address to your website/application. Go to your account management page (https://appleid.apple.com/account/manage) and click on APPS & WEBSITES USING APPLE ID Manage.... Remove the website.

After these steps, I was able to obtain the email address in the identity token.
The email gets missing when user chooses to hide his personal email and then disables the forwarding option in Apple ID settings. Luckily this option is on by default so you'll get the email on user registration... but after that you'll have to use the subject ID (sub)
We having same problem sending scope scope=name%20email but getting email only in the jwt identity token

👌

I've some idea about the problem.

If there is a email in the id_token, up to the scope you use at the first time the user login in your app.

Remember, first time.

If the user login with authorize request without email scope, then you can never retrive the email of him even you use email scope in the later authorize request.

There is a way to retrive again, is that the user delete your app in his apple id setting, and login again with email scope.

It has wasted me a lot of time.

I think it's a design problem. But obviously, apple don't think so.

I've wasted weeks searching for true reason why I randomly fail to get email information.

Following are the conclusions I came up after long suffering:

  1. You do not define scope and response_mode in the login uri(url which you would link to the button click event), you will get email in the id_token as JWT only once and this cannot be reverted unless you change the uri and add scope and response_mode first and delete the app you once signed in with 'Sign in with apple' in the appleid.apple.com manage page consequently. If you do not specify scope and response_mode, this will let you use GET method to redirect(or "return") to your frontend and it will enable easy login feature just like other major service providers. However, you cannot use email(true email or anonymous email all together) to authorize your users later and your only option is to use sub values in the id_token.

  2. You define scope and reponse_mode in the login uri, you will get email in the id_token everytime. You can use this email to authorize your users. However, if you delete scope and response_mode after users have signed up to your service, some users will still be provided with email in their id_token but others won't be provided with their email anymore. This randomness hit me hard for days. If you stick to specifying scope and response_mode in the uri, then this will not let you get id_token and code in your frontend since the only response_mode possible is POST(form_post) method. You might have to setup redirect uri(or "return url") to somewhere POST method is accepted. Probably like backend server or another api that changes POST method to a GET method. Since your response to your request from frontend will not land back to frontend, you will then have to figure out how to send back the user info and the token needed for authenticating the user in the frontend without relying on the 'reponse' from the apple server. I personally had to use HttpResponseRedirect as the return value of the backend api. I urlencoded the information I wanted to send to frontend.

I hope this clumsy depiction of what I went through can shed some light on others who are stuck with this issue.

Sign in with Apple missing email claim in the (JWT) identityToken
 
 
Q