I'm currently testing SWIA implementations, and found some interesting behavior related to scope in the authorization flow.
Situation that I'm facing right now is:
1. User signs in with his/her Apple ID through the mobile app's or website's SWIA feature for the very first time without the email scope.
2. User will be granted a JWT without the email claim, as expected.
3. Later, we changed to add the email scope to the authorization process.
4. User (from #1) signs in again and goes through SWIA with the email scope.
5. User will be granted a JWT without the email claim.
6. Unless the user manually de-authorizes the app from their Apple ID portal (or in the mobile app), the updated scope will not be reflected.
Is this expected behavior from Apple's OIDC server, or am I doing something wrong? I've tested it with both the native iOS SWIA and the web client, and both produce the same result.
Not quite sure if this is as per the OIDC specification.
Any insight or help would be greatly appreciated.
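As an added example (not code from the poster), a server-side check that decodes the SWIA id_token, validates issuer and audience, and reports which requested scopes have no matching claim, so the app can detect the stale-consent case described above and tell the user to remove the app from their Apple ID settings and sign in again. The scope-to-claim mapping, the audience value and the sample token are assumptions constructed for the demo; signature verification against Apple's JWKS is deliberately left out and must be done before any claim is trusted.

```python
import base64
import json

APPLE_ISSUER = "https://appleid.apple.com"

# Requested OIDC scope -> id_token claims it should produce. Only the
# email scope is mapped here, since that is the claim the post is about.
SCOPE_CLAIMS = {"email": ("email",)}


def _b64url(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token: str, expected_aud: str) -> dict:
    """Parse the id_token payload and check iss/aud.

    This does NOT verify the signature: a real service must validate the
    token against Apple's published JWKS before trusting any claim in it.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    claims = json.loads(_b64url(parts[1]))
    if claims.get("iss") != APPLE_ISSUER:
        raise ValueError("unexpected issuer: %r" % claims.get("iss"))
    if claims.get("aud") != expected_aud:
        raise ValueError("unexpected audience: %r" % claims.get("aud"))
    return claims


def missing_scope_claims(claims: dict, requested_scopes) -> set:
    """Return the requested scopes whose claims are absent from the token."""
    return {scope for scope in requested_scopes
            if any(c not in claims for c in SCOPE_CLAIMS.get(scope, ()))}


def make_unsigned_token(payload: dict) -> str:
    # Constructed sample token (alg "none", empty signature) for the demo only.
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(payload) + "."


# Constructed sample: the user consented before the email scope was added,
# so the token carries a sub but no email claim (the case from the post).
SAMPLE_AUD = "com.example.app"  # hypothetical client_id / bundle id
SAMPLE_TOKEN = make_unsigned_token({"iss": APPLE_ISSUER, "aud": SAMPLE_AUD, "sub": "001234.abc"})
```

Calling `missing_scope_claims(decode_claims(SAMPLE_TOKEN, SAMPLE_AUD), ["email"])` returns `{"email"}`, which is the signal to prompt the user to re-authorize rather than silently continuing without an email.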