Hello,
We've stumbled upon an issue with the "Sign in with Apple" functionality today. It worked absolutely fine for quite a long time on our dev instances, but today, when we deployed it to production, it stopped working on both dev and prod.
The issue is that the idToken doesn't have an email field for any request except those for 1 specific email, for some unknown reason. Because of this, we cannot identify the user in our database.
We've tried to test with multiple Apple accounts, including the ones we've already used, the ones that were never used for this app and even the absolutely new accounts with no luck (except 1 specific account).
What we do:
- Redirect the user to the authorization page like this:
    https://appleid.apple.com/auth/authorize?client_id={SERVICE_ID}&redirect_uri={REDIRECT_URI}&response_type=code
- After authorization, the user is redirected to the redirect_uri, where we get state and code.
- On the server side of the web app we create a signed client_secret JWT (as required by the documentation) and send a POST https://appleid.apple.com/auth/token request with the following data:
    {
      code,
      client_id: result.Item.clientId,
      client_secret,
      grant_type: "authorization_code",
    }
- In response we get JSON with "access_token", "token_type", "expires_in", "refresh_token" and "id_token"
- We parse "id_token" to get the email. The code we use to parse:
    // body is the raw token response; endUserEmail is declared in the enclosing scope.
    const idToken = JSON.parse(body).id_token || "";
    // A JWT is header.payload.signature; the payload is base64url-encoded JSON.
    const [, infoPart = ""] = idToken.split(".");
    const buff = Buffer.from(infoPart, "base64url");
    // Decode as UTF-8 so non-ASCII claim values survive.
    const text = buff.toString("utf8");
    // This only decodes the payload; it does not verify the token signature.
    const json = infoPart ? JSON.parse(text) : {};
    if (Object.prototype.hasOwnProperty.call(json, "email")) {
      endUserEmail = json.email;
    }
The issue is that for all accounts we've tested except 1, there's no "email" field.
We've also tried to use AWS Cognito to verify if this is the issue with our implementation. They specify scope=email%20name&response_mode=form_post in their request. Unfortunately, the result is the same - Cognito returns an error saying that there's no email.
Is it some kind of misconfiguration on our side? What should we do to allow users to sign in with Apple ID?
Thank you,
Dmitrii Khizhniakov
Web developer
Graebert GmbH
https://graebert.com
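
An added example, not part of the original post: handling the id_token claims from the flow above so that a token without `email` still resolves to an account, by checking `iss`, `aud` and `exp` and keying the user on the `sub` claim. `SERVICE_ID`, the in-memory `users` store, the helper names and the sample tokens are constructed for illustration; signature verification against Apple's published keys is not shown.

```javascript
// Added example (not from the original post); all names below are hypothetical.
const APPLE_ISSUER = "https://appleid.apple.com";

// Decode the payload segment of a JWT. Segments are unpadded base64url and
// claim values may contain non-ASCII text, so decode as UTF-8.
function decodeClaims(idToken) {
  const parts = String(idToken || "").split(".");
  if (parts.length !== 3) throw new Error("id_token is not a three-part JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Claim checks for a token received from the token endpoint.
// Signature verification is deliberately out of scope for this block.
function checkClaims(claims, clientId, nowSeconds) {
  if (claims.iss !== APPLE_ISSUER) throw new Error("unexpected iss");
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(clientId)) throw new Error("aud does not match client_id");
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) throw new Error("token expired");
  if (typeof claims.sub !== "string" || claims.sub === "") throw new Error("missing sub");
  return claims;
}

// Key the account on sub; email is optional and only recorded when present.
function resolveUser(users, idToken, clientId, nowSeconds) {
  const claims = checkClaims(decodeClaims(idToken), clientId, nowSeconds);
  const user = users.get(claims.sub) || { sub: claims.sub, email: null };
  if (typeof claims.email === "string") user.email = claims.email;
  users.set(claims.sub, user);
  return user;
}

// Constructed sample tokens; the signature segment is a dummy value.
function makeToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o), "utf8").toString("base64url");
  return `${enc({ alg: "RS256", kid: "constructed" })}.${enc(claims)}.c2ln`;
}

const SERVICE_ID = "com.example.web"; // constructed service ID
const NOW = 1700000000; // constructed clock value, seconds since epoch
const base = { iss: APPLE_ISSUER, aud: SERVICE_ID, exp: 2000000000, sub: "000123.constructed.0001" };
const users = new Map();
const first = resolveUser(users, makeToken({ ...base, email: "user@example.com" }), SERVICE_ID, NOW);
const later = resolveUser(users, makeToken(base), SERVICE_ID, NOW); // token without email
console.log(first.sub === later.sub, later.email, users.size);
```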