Post

Replies

Boosts

Views

Activity

Sign In with Apple 'email_verified' inconsistency
Recently our Sign In with Apple integration has been affected by an inconsistency in Apple token response, where the email_verified attributed has a false value in the response but inside the id_token payload the email_verifiedattribute is set to true (the correct value), our integration has been working as expected until recently and haven't found an official announcement on this change. When making a call to https://appleid.apple.com/auth/token to exchange a code for a token using curl -v POST "https://appleid.apple.com/auth/token" \ -H 'content-type: application/x-www-form-urlencoded' \ -d 'client_id=CLIENT_ID' \ -d 'client_secret=CLIENT_SECRET' \ -d 'code=CODE' \ -d 'grant_type=authorization_code' \ -d 'redirect_uri=REDIRECT_URI' We're getting the following response where email_verified is set to false { "access_token": "XXXXXXX", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "XXXXXXX", "id_token": "XXXXXX", "email_verified": false } But by inspecting the id_token payload the email_verified attribute has the correct value: true { "iss": "https://appleid.apple.com", "aud": "xxxxx", "exp": 1724433090, "iat": 1724346690, "sub": "xxxxxxxxx", "at_hash": "xxxxxxxxxxx", "email": "my-apple-id@gmail.com", "email_verified": true, "auth_time": 1724346672, "nonce_supported": true } I'd like to know the reason for this inconsistency, or if it is an issue and is under the Apple team's radar.
1
1
474
Aug ’24