Posts

Post marked as solved
53 Replies
Hi Natthakorn123,
Is it possible that there will be support also with a response_mode with a standard get? I've created a subroutine with response_mode=form_post but I want to have less maintenance and to keep this in line with the oauth providers (linkedin, google+, facebook etc).
Post marked as solved
53 Replies
Indeed, too bad, they revoked the feature (thank you for the communication). No GET-response from the https://appleid.apple.com/auth/authorize anymore.
Example:
https://appleid.apple.com/auth/authorize?response_type=code+id_token&client_id=www.example.com&redirect_uri=https%3A%2F%2Fwww.example.com%2Fsocial-auth%2Fapple&state=bde56fc21c&scope=email&response_mode=form_post
Post marked as solved
53 Replies
@aks_64
You'll only get the email address once from the token validation: https://appleid.apple.com/auth/token in the id_token.
You should save the email with the sub (identifier).
Post marked as solved
53 Replies
@tsombrero
Used the following example (in https://appleid.apple.com/account/manage delete your app, you get the email only the first time):
https://appleid.apple.com/auth/authorize?response_type=code+id_token&client_id=www.example.com&redirect_uri=https%3A%2F%2Fwww.example.com%2Fsocial%2Fapple&state=dedfdd8816&scope=email
It is a GET response, then the token validation as described above with the field email in the id_token.
Use the sub-field as identifier.
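The two posts above say the email arrives in the id_token only on the first authorization and should be stored against sub. The following is an added example, not code from any poster or from Apple, showing one way to do that; the function names, the in-memory dict store and the sample token builder are assumptions, and the token's signature is assumed to have been verified against Apple's published keys before these functions run.

```python
import base64
import json
import time

APPLE_ISS = "https://appleid.apple.com"

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def check_claims(id_token, client_id, now=None):
    """Check iss, aud, exp and sub of an id_token.

    Assumption: the signature was already verified; this function only
    inspects the payload and must not be used as the sole check.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = b64url_json(parts[1])
    now = time.time() if now is None else now
    if claims.get("iss") != APPLE_ISS:
        raise ValueError("unexpected iss")
    if claims.get("aud") != client_id:
        raise ValueError("unexpected aud")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims

def upsert_user(store, claims):
    """Key the account on sub; keep the first email seen, never blank it."""
    user = store.setdefault(claims["sub"], {"email": None})
    if claims.get("email") and user["email"] is None:
        user["email"] = claims["email"]
    return user

def make_token(claims):
    """Build a constructed sample token; the signature segment is a dummy."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "kid": "SAMPLE"}), enc(claims), "c2ln"])
```

A later login whose id_token carries no email still resolves to the same record, because the lookup key is sub and the stored email is never overwritten with an empty value.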
Post marked as solved
53 Replies
Thanks for this update! Also nice that the form_post is not required. The only note is that name is not in the response. Also the email/name field should always be in the ID token (at this moment only with the startup). I'll make a workaround for this, but it is not the "standard" way in the oauth procedure.
Post marked as solved
53 Replies
This is a nice solution for the embedded Apple Web JS https://developer.apple.com/documentation/signinwithapplejs/configuring_your_webpage_for_sign_in_with_apple
But not for the OAUTH2 implementation.
We should indeed verify this data. Perhaps the best solution is that the validation response: https://appleid.apple.com/auth/token should have this (encode base64) user data (email and name) without the response_mode=form_post variable (also support get responses, see comment jeroen klippa).
Example:
[access_token] => a2293d83289aa41f7ad22de6844511826.0.mzuq.oCJsXOEXZQX1v8NQCQOy0g
[token_type] => Bearer
[expires_in] => 3600
[refresh_token] =>
[id_token] => REeyJraWQiOiJBSURPUEsxIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvYXBwbGVpZC5hcHBsZS5jb20iLCJhdWQiOiJ3d3cuZXhhbXBsZS5jb20iLCJleHAiOjE1NjE0OTA2MTUsImlhdCI6MTU2MTUzMzU4OCwic3ViIjoiMDAwMTMyLmMzTWlPaUpvZEhSd2N6b3ZMMkZ3Y0d4bGFXUWFzZHNhLjg5MTQiLCJhdF9oYXNoIjoiQnBiVmVmTm5waVBUY1BzcWt3VEppZyIsImVtYWlsX2R1bW15IjoiZXhhbXBsZUBwcml2YXRlcmVsYXkuYXBwbGVpZC5jb20ifQ==.SyCF8jT50FHALit-u9H_TyzPikirYnDq1RiDT3ennHQrNl0UcRE4bDmVM1qlG2cfHPH5OtpyQZIjGi_r9v7ZoN2EfyDGlg08yEWGwwCNlrCkcHcA9gjNN2RYmT4Yt3toRLgnwSDyzHOP6FS7I1kzwcdZmJTuGrYPThxe80F6rQABUWUBDAl2KgP7ujt1j8H3LrfV0r3RKTHA7azWWu9rVAFrx1_IeRk-ASDW0OPrqDJoF8YdZF1Da4-br-gTOt_LJhZFhuPh1WDgZj6AAcytTrSL4AhW2BrN_U0bMw47nw7k9OZbcbDNb-j3hEAkQdvZYEBHIRtEMxrzTAgs7oxbtg
[iss] => https://appleid.apple.com
[aud] => www.example.com
[exp] => 1560776678
[iat] => 1560776078
[sub] => 000132.c3MiOiJodHRwczovL2FwcGxlaWQasdsa.8914
[at_hash] => SrJXsKX1f4FpGPFmiUPzUQ
[user] => {"name":{"firstName":"Jane","middleName":"","":"Doe"},"email":"j123easj2@privaterelay.appleid.com"} (ENCODE BASE64)
Is this a good solution for the OAUTH2 implementation?
Post marked as solved
53 Replies
Nice! For our release planning, are a release date and the field name of the email in the id_token known on your side?
Post marked as solved
53 Replies
Same issue here, important how to fix this. Some technical details:
The flow is working correctly as described in https://developer.apple.com/documentation/signinwithapplerestapi
As in the presentation https://developer.apple.com/videos/play/wwdc2019/706
Request: https://appleid.apple.com/auth/authorize?response_type=code+id_token&client_id=www.example.com&redirect_uri=https%3A%2F%2Fwww.example.com%2Fhandle%2Fapple%2F&state=acfb01022b&scope=email
The scope has explicitly asked for email.
After a successful login:
Example Token request: https://appleid.apple.com/auth/token?code=CODE_FROM_APPLEID&redirect_uri=https://www.example.com/handle/&client_id=www.example.com&client_secret=DONT_TELL
The validation response: https://appleid.apple.com/auth/token has the following response:
[access_token] => a2293d83289aa41f7ad22de6844511826.0.mzuq.oCJsXOEXZQX1v8NQCQOy0g
[token_type] => Bearer
[expires_in] => 3600
[refresh_token] =>
[id_token] => REeyJraWQiOiJBSURPUEsxIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvYXBwbGVpZC5hcHBsZS5jb20iLCJhdWQiOiJ3d3cuZXhhbXBsZS5jb20iLCJleHAiOjE1NjE0OTA2MTUsImlhdCI6MTU2MTUzMzU4OCwic3ViIjoiMDAwMTMyLmMzTWlPaUpvZEhSd2N6b3ZMMkZ3Y0d4bGFXUWFzZHNhLjg5MTQiLCJhdF9oYXNoIjoiQnBiVmVmTm5waVBUY1BzcWt3VEppZyIsImVtYWlsX2R1bW15IjoiZXhhbXBsZUBwcml2YXRlcmVsYXkuYXBwbGVpZC5jb20ifQ==.SyCF8jT50FHALit-u9H_TyzPikirYnDq1RiDT3ennHQrNl0UcRE4bDmVM1qlG2cfHPH5OtpyQZIjGi_r9v7ZoN2EfyDGlg08yEWGwwCNlrCkcHcA9gjNN2RYmT4Yt3toRLgnwSDyzHOP6FS7I1kzwcdZmJTuGrYPThxe80F6rQABUWUBDAl2KgP7ujt1j8H3LrfV0r3RKTHA7azWWu9rVAFrx1_IeRk-ASDW0OPrqDJoF8YdZF1Da4-br-gTOt_LJhZFhuPh1WDgZj6AAcytTrSL4AhW2BrN_U0bMw47nw7k9OZbcbDNb-j3hEAkQdvZYEBHIRtEMxrzTAgs7oxbtg
[iss] => https://appleid.apple.com
[aud] => www.example.com
[exp] => 1560776678
[iat] => 1560776078
[sub] => 000132.c3MiOiJodHRwczovL2FwcGxlaWQasdsa.8914
[at_hash] => SrJXsKX1f4FpGPFmiUPzUQ
In the response there is no (anonymous) email address.