Testing sign-in-with-apple(SIWA) with transfer ID before transfer app

Bringing New Apps and Users Into Your Team
https://developer.apple.com/documentation/sign_in_with_apple/bringing_new_apps_and_users_into_your_team

This means that you can log in using the transfer ID instead of the original user ID.
Can I login with this transfer ID before or during the transfer app?
I want to make sure that this works correctly in advance.
Hi

This means that you can log in using the transfer ID instead of the original user ID.

Transfer ID is not something you use to login and users will never see it.

If you plan to transfer an app from your team to another team, you can generate a transfer identifier any time. If you are recipient of an app from another team, you can obtain the transfer identifier after the transfer and up to 60 days.
in "Obtain Team-Scoped Identifiers" section

For all migrated users who sign into your application after the transfer, the ID token issued by Apple contains the transfer identifier in addition to your team-scoped identifier. Use the transfer identifier to correlate the Sign in with Apple user in the data records migrated from the previous owner. The ID token continues to include the transfer identifier for up to 60 days from the transfer date.

Doesn't this mean that the transfer ID can be used to identify a user for 60 days?

Once the user signs in with their Apple ID after the application has transferred to your team, the issued ID token will contain both the standard identifier ("sub" claim) unique to your team and the transfer identifier. You can then use the transfer identifier to correlate the signing in user to an existing user you may have received from the original team that transferred the app to you.

The question below is not clear since the transfer identifiers cannot be used to sign in.

"Can I login with this transfer ID before or during the transfer app?"

Can you elaborate on the scenario you are considering?
As a prerequisite, my case is not to transfer the app to a wholly third party.
Our purpose is to create a dedicated account for the app's subsidiary and transfer the app to it as the app grows.
Therefore, it is not a work that involves changing the actual server.

So we would like to do the following:
  • We want to perform the transfer work without stopping the service
  • If we need to stop the service, we want to minimize it

The scenario we are currently considering is:
  1. Generate transfer IDs and register them in our database
  2. Initiate the app transfer
  3. App transfer completed
  4. When the user logs in, the transfer ID is used instead of the user ID to identify the user
  5. Within 60 days, get a new user ID based on the transfer IDs of all users and register them in our database
  6. Use the new user ID to identify the user

Are these steps wrong or are there better ways?

"For all migrated users who sign into your application after the transfer, the ID token issued by Apple contains the transfer identifier in addition to your team-scoped identifier"

Is there an example of how this looks specifically? We're trying to understand the code we need to write to correlate, but can't find an example of how the token comes back to understand how we would parse it apart to do the lookup.

Ref: https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple

transfer_sub

A string value that represents the transfer identifier for migrating users to your team. This claim is present only during the 60-day transfer period after you transfer an app. For more information, see Bringing new apps and users into your team.

I guess it's the transfer_sub.
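A sketch of the server-side lookup asked about above, added here as an example and not taken from the thread or from Apple's documentation. It assumes the ID token's signature, `iss`, `aud` and `exp` were already verified, and the table schema, function names and identifier values are hypothetical.

```python
import sqlite3

# Constructed sample: claims from an ID token that the caller has ALREADY
# verified against Apple's public keys (signature, iss, aud, exp).
SAMPLE_CLAIMS = {
    "iss": "https://appleid.apple.com",
    "aud": "com.example.app",             # placeholder client_id
    "sub": "NEW-TEAM-SUB-0001",           # team-scoped id for the recipient team
    "transfer_sub": "TRANSFER-SUB-0001",  # present only during the 60-day period
}

def make_db():
    """In-memory stand-in for the migrated user table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY,"
               " apple_sub TEXT UNIQUE, transfer_sub TEXT UNIQUE)")
    # Row received from the previous team: only the transfer identifier is known.
    db.execute("INSERT INTO users (id, transfer_sub) VALUES (1, 'TRANSFER-SUB-0001')")
    return db

def correlate_user(db, claims):
    """Map verified claims to a local user id, binding the new sub on first sign-in.

    Returns None when the user is unknown (treat as a new account).
    """
    sub = claims["sub"]
    row = db.execute("SELECT id FROM users WHERE apple_sub = ?", (sub,)).fetchone()
    if row:
        return row[0]                      # already migrated, or a post-transfer user
    transfer_sub = claims.get("transfer_sub")
    if transfer_sub is None:
        return None                        # no transfer claim, nothing to correlate
    row = db.execute("SELECT id, apple_sub FROM users WHERE transfer_sub = ?",
                     (transfer_sub,)).fetchone()
    if row is None:
        return None                        # transfer id not in the migrated data
    user_id, bound_sub = row
    if bound_sub is not None:
        # The record is already tied to another sub: refuse to rebind it silently.
        raise ValueError("transfer_sub already bound to a different sub")
    db.execute("UPDATE users SET apple_sub = ? WHERE id = ?", (sub, user_id))
    db.commit()
    return user_id
```

Once the new `sub` is stored, later sign-ins resolve through the first query, so the lookup keeps working after `transfer_sub` stops appearing in the token.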
