Validating information sent by “Sign in With Apple”

So I’m (extremely) new to developing for iOS, and I’m looking to implement the “Sign in With Apple“ feature for an application that interacts with a server I’ve built. Following the guide I’m able to get a user’s email and name. When I send that information to my server to create a user account, do I need to do anything else (like validating that the email is actually associated with an Apple account or that the user actually owns it, etc)? I looked at the Sign in With Apple from the web article and it doesn’t seem like it’s relevant to my use case. Is it standard practice to just trust the client in the iOS world?

Answered by DTS Engineer in 812017022

Hi @hamhab,

There are two scenarios for native apps implementing Sign in with Apple:

  • a native app without a server infrastructure to manage user sessions
  • a native app with a server infrastructure to manage user sessions

For the former, Apple determines whether a user is a real person by combining on-device machine learning, account history, and hardware attestation using privacy-preserving mechanisms. Because the device can only be authenticated with a single Apple ID account, no more validation is needed.

For the latter (your use case), the recommendation is to verify the user by having your server validate either the authorization grant code or identity token received in your native app. Please read the following documentation for more information:

Verifying a user https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/verifying_a_user

Note: When validating tokens and generating client secrets, be sure to use the bundle ID of your native app as the client ID, since that was the client that was authorized by the user.

If you receive errors with these REST API requests, please see the technote below:

TN3107: Resolving Sign in with Apple response errors https://developer.apple.com/documentation/technotes/tn3107-resolving-sign-in-with-apple-response-errors

Cheers,

Paris X Pinkney | WWDR | DTS Engineer
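The identity-token half of that recommendation, as a server-side check in Go. This is an added example, not code from the DTS answer or from Apple. It assumes a hypothetical bundle ID (com.example.myapp), and it replaces Apple's signing key and the key set published at https://appleid.apple.com/auth/keys with a locally generated RSA key so that it runs offline; a real server fetches and caches that key set over HTTPS and passes in the nonce the app generated for the sign-in request. The checks are the ones that make the client-supplied data trustworthy: an RS256 signature against a published key, issuer https://appleid.apple.com, audience equal to the native app's bundle ID (the point of the note above), expiry, and nonce. The fixtures at the bottom (NewTestKeySet, MintToken) exist only so the verifier can be exercised.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// JWK/JWKS mirror the key set at https://appleid.apple.com/auth/keys; encoding/json matches keys case-insensitively.
type JWK struct{ Kty, Kid, N, E string }
type JWKS struct{ Keys []JWK }

// Claims are the identity-token fields the server checks before trusting sub or email.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce,omitempty"`
	Email string `json:"email,omitempty"`
}

const appleIssuer = "https://appleid.apple.com"
var b64 = base64.RawURLEncoding

func sha(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }

// VerifyIdentityToken checks the RS256 signature against the key set, then issuer, audience
// (which must be the native app's bundle ID), expiry and nonce. Claims come back only if all pass.
func VerifyIdentityToken(token string, keys JWKS, bundleID, expectedNonce string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, e1 := b64.DecodeString(parts[0])
	payload, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("bad base64url segment")
	}
	// Pin the algorithm: the token's own "alg" header never gets to choose the verifier.
	var hdr struct{ Alg, Kid string }
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	var pub *rsa.PublicKey
	for _, k := range keys.Keys {
		n, en := b64.DecodeString(k.N)
		e, ee := b64.DecodeString(k.E)
		if k.Kid == hdr.Kid && k.Kty == "RSA" && en == nil && ee == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, errors.New("no RSA key matches kid " + hdr.Kid)
	}
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, sha(parts[0]+"."+parts[1]), sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	// Only a payload under a valid signature is worth parsing.
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != appleIssuer:
		return nil, errors.New("unexpected issuer " + c.Iss)
	case c.Aud != bundleID:
		return nil, errors.New("audience " + c.Aud + " is not this app's bundle ID")
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	case expectedNonce != "" && c.Nonce != expectedNonce:
		return nil, errors.New("nonce mismatch")
	}
	return &c, nil
}

// Constructed fixtures (not Apple's): a throwaway local key stands in for Apple's signer so this runs offline.
func NewTestKeySet() (*rsa.PrivateKey, JWKS) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // key generation with a good reader does not fail
	jwk := JWK{Kty: "RSA", Kid: "test-kid-1",
		N: b64.EncodeToString(priv.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
	return priv, JWKS{Keys: []JWK{jwk}}
}

// MintToken signs claims as RS256 under the given kid, the way the real issuer would.
func MintToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sha(input)) // signing with a valid key does not fail
	return input + "." + b64.EncodeToString(sig)
}
```

Once VerifyIdentityToken returns claims, key the account on `sub` (the stable per-app user identifier) and take the email from the verified token rather than from the request body; the name is not carried in the token at all, so it remains app-supplied data. The authorization-code route the answer also mentions (exchanging the code with Apple's token endpoint using a client secret whose client ID is the bundle ID) is not shown here.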

