Recently our Sign In with Apple integration has been affected by an inconsistency in Apple token response, where the email_verified attributed has a false value in the response but inside the id_token payload the email_verifiedattribute is set to true (the correct value), our integration has been working as expected until recently and haven't found an official announcement on this change.
When making a call to https://appleid.apple.com/auth/token to exchange a code for a token using
curl -v POST "https://appleid.apple.com/auth/token" \
-H 'content-type: application/x-www-form-urlencoded' \
-d 'client_id=CLIENT_ID' \
-d 'client_secret=CLIENT_SECRET' \
-d 'code=CODE' \
-d 'grant_type=authorization_code' \
-d 'redirect_uri=REDIRECT_URI'
We're getting the following response where email_verified is set to false
{
"access_token": "XXXXXXX",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "XXXXXXX",
"id_token": "XXXXXX",
"email_verified": false
}
But by inspecting the id_token payload the email_verified attribute has the correct value: true
{
"iss": "https://appleid.apple.com",
"aud": "xxxxx",
"exp": 1724433090,
"iat": 1724346690,
"sub": "xxxxxxxxx",
"at_hash": "xxxxxxxxxxx",
"email": "my-apple-id@gmail.com",
"email_verified": true,
"auth_time": 1724346672,
"nonce_supported": true
}
I'd like to know the reason for this inconsistency, or if it is an issue and is under the Apple team's radar.