Sign In With Apple - Updated Scope Not Reflected in JWT Claims

I'm currently testing SWIA implementations, and found some interesting behavior related to scope in the authorization flow.

Situation that I'm facing right now is:
  1. User signs in with their Apple ID through the mobile app's or website's SWIA feature for the very first time without the email scope.

  2. User will be granted JWT without email claim as expected.

  3. Later, we change the authorization process to add the email scope.

  4. User (from #1) signs in again and goes through SWIA with the email scope.

  5. User will be granted a JWT without the email claim.

  6. Unless the user manually de-authorizes the app from their Apple ID portal (or in the mobile app), the updated scope will not be reflected.

It also happens the opposite way (i.e. having the email scope for the very first request, and then later removing the email scope: this will still grant a JWT with the email claim).

Is this something expected from Apple's OIDC server? Or am I doing something wrong? I've tested it with both native iOS SWIA and on the web client as well, and both produce the same result.

Not quite sure if this is as per OIDC specification.

Any insight or help would be greatly appreciated.

Replies

Hi James G,

> Is this something expected from Apple's OIDC server? Or am I doing something wrong? I've tested it with both native iOS SWIA and on the web client as well, and both produce the same result.

Sign in with Apple does not provide incremental changes to the user scope. If the application initially omitted, and later included, the email scope, only newly authorized users would include the email claim in their identity token (and in the initial user body of the authorization response).

If a user were to revoke access to your app via the steps outlined here, they would be treated as a newly authorized user and would also respect the requested email scope.

If you have any further questions about Sign in with Apple, please [submit a Technical Support Incident](https://developer.apple.com/support/technical/) and I'll be happy to help.
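One way a relying party can handle this behaviour defensively, as an added example that is not code from the thread or from Apple: after the identity token's RS256 signature has been verified against Apple's published keys, compare the scopes you requested with the claims actually present, and treat an absent `email` claim as "not obtained" rather than assuming the consent screen granted it. The helper names, the `com.example.app` client ID and the sample claims are assumptions; the constructed token carries a placeholder signature and exists only to exercise the checker offline.

```python
import base64
import json
import time

APPLE_ISSUER = "https://appleid.apple.com"

# Claims Apple places in the identity token for each requested scope.
# "name" is only returned in the first-authorization user payload, never
# as a token claim, so it is deliberately not mapped here.
SCOPE_TO_CLAIMS = {"email": ("email",)}


def _b64url_decode(segment: str) -> bytes:
    # Compact JWS segments are base64url without '=' padding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(id_token: str) -> dict:
    """Return the payload of a compact JWS. Does NOT verify the signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_identity_token(id_token: str, client_id: str, requested_scopes, now=None):
    """Validate iss/aud/exp, then report requested scopes whose claims are absent.

    Precondition: the caller has already verified the signature against
    Apple's JWKS (https://appleid.apple.com/auth/keys). Returns (claims, missing).
    """
    claims = decode_claims(id_token)
    if claims.get("iss") != APPLE_ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    # A scope is "missing" when any claim it should yield is not in the token,
    # which is exactly the previously-authorized-user case described above.
    missing = [s for s in requested_scopes
               if any(c not in claims for c in SCOPE_TO_CLAIMS.get(s, ()))]
    return claims, missing


def constructed_token(claims: dict) -> str:
    """Constructed test fixture only: placeholder signature, never accept in production."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "placeholder"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.placeholder-sig"
```

When `missing` contains `"email"` for a returning user, the app knows the consent was recorded without that scope and can collect the address through another channel or ask the user to revoke and re-authorize, instead of failing on an assumed claim.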