Can't retrieve name and email from Sign In flow

Hi,


We've just implemented Apple Sign In according to the documentation (https://developer.apple.com/documentation/signinwithapplerestapi). The login is working fine, but there is no way to get the email from the token. We tried a lot of different scopes, and while only a few seem to be valid (name, email, openid), they don't seem to change anything in the response of the token. The only field that's in there is "id_token", and the only useful field in the "id_token" is "sub", which seems to be a unique identifier. Is there a way to retrieve the email address?


Thanks!

Answered by DTS Engineer in 413866022

To request user information in the `id_token` (assuming you are requesting via the `/auth/authorize` REST API), you'll need to include the `scope` query parameter, which supports the values—`name` and `email`. You can request one, both, or none.


Note: Use space separation and percent-encoding for multiple scopes; for example, `"scope=name%20email"`.


For additional information about preparing the authorization request, please see the following documentation—


https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/incorporating_sign_in_with_apple_into_other_platforms

This is still not the case today, any planning to include those?

Hi Natthakorn123,


Is it possible that there will be support also with a response_mode with a standard get? I've created a subroutine with response_mode=form_post but I want to have less maintenance and to keep this in line with the oauth providers (linkedin, google+, facebook etc).

Yes, this is what we do. We have it working using our web application, we get a proper code and can exchange it for a token.

However, when we try to exchange a code that was received by the app using the mobile SDK, we get the error message "invalid_grant".

This issue is still not completely resolved given the following scenario in this post:


https://forums.developer.apple.com/message/383083#383083

How about the name? Is it included in "id_token"? I am using the web API and I can retrieve the email but not the name. I also tried removing my site in Apple (https://appleid.apple.com/account/manage) but I just keep getting the email and not the name.

I know your responses are a few months old and that things have likely changed but do you have any idea why I might be getting "invalid_grant"? There are a couple of other people in here who are struggling with it and it seems to be a complete blocker. Thank you.

Is the name included in the id_token? Assuming the scope parameter included in the authorization URL looks like 'scope=email name'.


Which URL encoding do you expect on the API for the space symbol within the scope parameter? Should spaces be replaced by '+' or %20? Many libraries use '+', and that's how it worked for me, but as shown on this thread, this user is using %20.


Thanks

I have received the email address in the id_token, but I am unable to receive the private relay email address if the user does not share their email address. Also, I never received the user name in the id_token.

Here is the auth request:

https://appleid.apple.com/auth/authorize?state=local&client_id=com.xyz.auth&redirect_uri=https%3A%2F%2Fxyzcom%2Fcallback%2Fapple&scope=name%20email&response_mode=form_post&response_type=code%20id_token


I am still not able to receive the private relay email address.

Here is the id_token:

eyJraWQiOiJlWGF1bm1MIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnRvZG8tY2xvdWQuYXV0aCIsImV4cCI6MTU4NjMyODg1MiwiaWF0IjoxNTg2MzI4MjUyLCJzdWIiOiIwMDAzMTkuYjNmYzZmNjJlMThlNDU3MjgwNTU1YTY0N2JhN2RhNTkuMDcxOSIsImNfaGFzaCI6InFLMldrTjFGSERGNF9YN2FfdWt0UVEiLCJhdXRoX3RpbWUiOjE1ODYzMjgyNTIsIm5vbmNlX3N1cHBvcnRlZCI6dHJ1ZX0.jWudBpsSYBZ5PYa89AfikrjP-jsQh2G-iraDEIM_138nE5nn-XB9qqtkf6u250PpZqSdfI2Unw5G-VM_qUlOdSqGRYCte4J4sUMua_Bku6A75N0NBsBb4hT49htyuLX-0mJufiLJklLiXGXp0nWxbiHgX5cAlo80vETl3Bl9iDXjGCzT_6-H1WkNCpvsOQObxj-5P-NT3_yVNnHbjCvb4nCQRn9lvJYUbP4-iCA5YN3s3lZZS6INISkRcJFuukgt8KzbTVYM70m3f-ySdRt4d_C66v1G0ejdaQSwxZFsffgWJ2X-sqzwuB9z-uWz7TbYvDRK6k4Z_txmywS9SbNrEw

My auth request is https://appleid.apple.com/auth/authorize?client_id=com.***.yyy&redirect_uri=http://xyz.com&response_type=code%20id_token&scope=name%20email&response_mode=form_post but I am still only getting the user information at the first request. From then on, only the code and id_token are received.

Another thing that confused me is that it seems like the API doesn't send the information as JSON data in the POST; instead it sends it as if it were an addition to the query, for example: "code=<code>&id_token=<id_token>" usually. But when I request it the first time, so the user gets sent with it, it is like "code=<code>&id_token=<id_token>&user={"name":{"firstName":<firstName>,"lastName":<lastName>},"email":<strange String what isn't an email>}".

As you can see, only the user is sent as JSON, and the email is not an email (e.g. it was "wj92b" one time), but this could be fixed by receiving it through the JWT in the id_token.

I don't know how to fix it, I would really appreciate an answer.

@ppinkney

Can you please reply? I am still unable to receive the relay email address.

Hello! I've managed to get the user's email address on the first login but never got the name. Is this normal? I'm using OpenId Connect on ASP.NET Web Forms.

Hi, were you able to retrieve the user's email address on subsequent logins?

Hello ppinkney!
And everyone having trouble,
We've just implemented Apple Sign In for bubble.is as a plugin according to the documentation (https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/incorporating_sign_in_with_apple_into_other_platforms).
The login is working fine, but we can't retrieve the name, even if the only value set in scope is "name". What we receive:

```json
{ "state": "EN", "code": "c10ab6**********************Ckggusd4UAdj-A",
  "id_token": "eyJraWQiOiJBSURP*****UOQ",
  "user": "{\"email\":\"********\"}" }
```

Can this be an issue on Apple's side? Can you please check that the scopes are correctly set?
Thanks a lot for your help.

Is there any help on getting the user's name with the ID token?

Hi, I am doing Apple sign-in with React JS here. I was stuck on the form_post responseMode for a long time. Any assistance?

```js
fetch(`${redirectUri}`, {
  method: "POST",
  headers: {
    "Content-Type": "application/x-www-form-urlencoded"
  }
})
  .then(res => res.json())
  .then(responseJson => {
    console.log(responseJson);
  });
```

On inspect, in the Network tab, no response was found.
Am I doing it correctly?

Hello,
The email is now retrieved from the id_token and it works fine.
However, I have a problem retrieving the user's name and surname from the response of the authorize method when I call it more than once. I know it's a feature by Apple, but there are cases when I need to ping the Apple endpoint again to retrieve the user's name and surname again.
Example: a user registers in my app using Apple sign in, the user deletes the account, then registers again. I can't get his name and surname this time.
I asked it on Stack Overflow but it's mostly ignored so far:
https://stackoverflow.com/questions/63500926/apple-sign-in-authorize-method-returns-name-only-first-time

Hello,

I'm still not getting the name and email from Sign in Flow. My application is implemented in .Net Core 3.1 using the OpenIdConnect.

I've specified the scopes as follows, but when getting the code and id_token, no user data is added.

```csharp
.AddOpenIdConnect("Apple", async options =>
{
    options.Scope.Clear();
    options.Scope.Add("name");
    options.Scope.Add("email");
    ...
}
..
options.Events.OnAuthorizationCodeReceived = async context =>
{
    // no user object within the idtoken
}
```

The authentication cookie is generated but can't proceed with new account creation. I'm also using the ExternalLogin structure OnGetCallbackAsync. The url seems to have all required info as explained in this ticket.

Is someone facing the same issue? Thanks

Surprisingly, it's 2022 and this is still an issue for many developers. My issue is that some id_tokens from certain users won't include the email, even when it is their very first login attempt. The 'form_post issue' almost forced me to not include scope and I believe this is causing random exclusion of email information in the id_token.

How come Apple is not able to support a better developer experience, just like they publicize in the ads for their customers?

And there is still no solution for this problem, unfortunately ☹️

Yea... turns out we're the last victims of this. This is just a very very bad experience overall. We get no email no nothing regardless of the first, last or nth time of login.

The accepted response says "To request user information in the id_token...", but that is not true: user info is never in the id_token, it only arrives after the first sign-in (OK, Apple decided on just one time and makes developers' lives complicated, as Apple always does), after the redirection from https://appleid.apple.com/auth/authorize to the redirect_uri. When authorizing we also set 'response_type' => 'code id_token' + 'scope' => 'name email', but the user info is not included in the decoded id_token, only as a separate parameter "user"...

<h2>POST params:</h2>Array ( [state] => ... [code] => ... [id_token] => eyJr...UUg [user] => {"name":{"firstName":"...","lastName":"..."},"email":"..."} )

What about security, dear Apple? How can we trust the fields in the user param? Email, OK, it is also included in the id_token, which we can verify by signature and Apple's public key.

@ppinkney are you sure user info is included in id_token?
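
Added example, not part of any post in this thread and not Apple's code: one way a server could handle the `form_post` callback discussed above, taking identity (`sub`, `email`) only from the signature-verified `id_token` and treating the unsigned `user` field as display data. The key pair, the client ID `com.example.auth` and every sample value are constructed so the block runs offline in Node.js; in production the verification key would be Apple's public key.

```javascript
const crypto = require("node:crypto");

// Verify an RS256 id_token and its iss/aud/exp claims; returns the signed claims.
function verifyIdToken(idToken, publicKey, clientId, now = Date.now() / 1000) {
  const [h, p, s] = String(idToken).split(".");
  if (!h || !p || !s) throw new Error("malformed id_token");
  if (JSON.parse(Buffer.from(h, "base64url").toString()).alg !== "RS256")
    throw new Error("unexpected alg");
  const sig = Buffer.from(s, "base64url");
  if (!crypto.verify("sha256", Buffer.from(`${h}.${p}`), publicKey, sig))
    throw new Error("bad signature");
  const claims = JSON.parse(Buffer.from(p, "base64url").toString());
  if (claims.iss !== "https://appleid.apple.com") throw new Error("bad iss");
  if (claims.aud !== clientId) throw new Error("bad aud");
  if (!(claims.exp > now)) throw new Error("expired");
  return claims;
}

// Handle the raw application/x-www-form-urlencoded body of a form_post callback.
function handleCallback(rawBody, publicKey, clientId, now) {
  const form = new URLSearchParams(rawBody);
  const claims = verifyIdToken(form.get("id_token"), publicKey, clientId, now);
  let unverifiedName = null;
  if (form.has("user")) { // posters above report it only on the first authorization
    try {
      const n = JSON.parse(form.get("user")).name || {};
      unverifiedName = { firstName: String(n.firstName || ""), lastName: String(n.lastName || "") };
    } catch { /* malformed user JSON: ignore it, the signed login is still valid */ }
  }
  // Identity decisions use signed claims only; the name is unsigned display data.
  return { sub: claims.sub, email: claims.email ?? null, unverifiedName };
}

// Constructed sample: a locally generated key pair stands in for Apple's signing key.
const sample = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
function signSample(claims) {
  const input = `${b64u({ alg: "RS256", kid: "sample" })}.${b64u(claims)}`;
  const sig = crypto.sign("sha256", Buffer.from(input), sample.privateKey);
  return `${input}.${sig.toString("base64url")}`;
}
function sampleBody(withUser) {
  const idToken = signSample({ iss: "https://appleid.apple.com", aud: "com.example.auth",
    sub: "000000.sample.0000", email: "signed@example.com", exp: 2000000000 });
  const form = new URLSearchParams({ state: "local", code: "sample-code", id_token: idToken });
  if (withUser) form.set("user", JSON.stringify({
    name: { firstName: "Ada", lastName: "Example" }, email: "unsigned@example.com" }));
  return form.toString();
}
```

Because the name arrives unsigned and only once, store it against `sub` when it first appears and never use it, or the `email` inside `user`, for account linking.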
