Can't retrieve name and email from Sign In flow

Hi,


We've just implemented Apple Sign In according to the documentation (https://developer.apple.com/documentation/signinwithapplerestapi), the login is working fine, but there is no way to get the email from the token. We tried a lot of different scopes, and while only a few seem to be valid (name, email, openid), they don't seem to change anything to the response of the token. The only field that's in there is "id_token", and the only useful field in the "id_token" is "sub", which seems to be a unique identifier. Is there a way to retrieve the email address?


Thanks!

Accepted Reply

To request user information in the `id_token` (assuming you are requesting via the `/auth/authorize` REST API), you'll need to include the `scope` query parameter, which supports the values—`name` and `email`. You can request one, both, or none.


Note: Use space separation and percent-encoding for multiple scopes; for example, `"scope=name%20email"`.


For additional information about preparing the authorization request, please see the following documentation—


https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/incorporating_sign_in_with_apple_into_other_platforms

Replies

Thanks! My only concern is that the way things are changing it doesn't feel safe to code against a GET flow until it is documented as supported.


@Apple can we please document and support the GET redirect-flow to help with Android clients and others who don't handle POSTs well?

Do you plan on adding the name to the id token? It makes it easier to grab it alongside everything else here.

Could you please add the name to the id_token? It's also really annoying that you only get this information the first time someone goes through the flow. Is it possible to always add this information?

According to @Natthakorn123 using form_post will be required later on. I also don't feel quite convinced that the way we are developing our flow now will work when it's finally released. We can't implement form_post with a major overhaul in our authentication implementation and with some middleware API endpoint that handles redirecting between Apple and our Angular app.

I'm also having issues with exchanging the code from the mobile SDK serverside.

When I try to do an oAuth2 exchange with the authorizationCode from the mobile SDK, the server returns the HTTP 400 error "{"error":"invalid_grant"}"

What are your request details? grant_type='authorization_code' should be - is it?

@tdh42 how did you get the user json in response? I implemented both "Sign in with Apple REST API" and "Sign in with Apple JS" and in both cases I didn't get the user json in response. I am sure I have implemented them correctly as I am getting a response from Apple but no user info in both cases. In both cases I am getting the following response:


Sign in with Apple JS ==> { "code" : "...." , "state" : ".... ", "id_token" : "...." }

Sign in with Apple REST API ==> { "access_token" : "...." , "token_type" : "....", "bearer" : "......", "expires_in" : "......", "refresh_token" : ".....", "id_token" : "......." }


NOTE:

1) I have also decoded and checked id_token there is no user info in there

2) "......" means some data

@aks_64

You'll only get the email address once from the token validation: https://appleid.apple.com/auth/token in the id_token


You should save the email with the sub (identifier).
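The advice in the reply above, as an added example that is not part of the original thread or Apple's code: decode the `id_token` claims, check `iss`, `aud` and `exp`, then key the account on `sub` and keep a stored email when a later token carries none. It assumes the token's signature has already been verified against Apple's public keys (not shown); the function names, the in-memory `store` and the sample values are constructed for illustration.

```python
import base64
import json
import time

APPLE_ISSUER = "https://appleid.apple.com"


def decode_claims(id_token):
    """Return the payload claims of a JWT. This does NOT verify the signature."""
    try:
        _header, payload, _signature = id_token.split(".")
        padded = payload + "=" * (-len(payload) % 4)  # restore stripped base64url padding
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        raise ValueError("malformed id_token") from exc
    if not isinstance(claims, dict):
        raise ValueError("malformed id_token")
    return claims


def check_claims(claims, client_id, now=None):
    """Reject tokens from another issuer, for another client, or already expired."""
    now = time.time() if now is None else now
    if claims.get("iss") != APPLE_ISSUER:
        raise ValueError("unexpected iss")
    if claims.get("aud") != client_id:
        raise ValueError("unexpected aud")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def remember_user(store, claims):
    """Key the account on sub; never overwrite a stored email with nothing."""
    record = store.setdefault(claims["sub"], {"email": None})
    if claims.get("email"):
        record["email"] = claims["email"]
    return record


def make_sample_token(claims):
    """Constructed test input only: a JWT-shaped string with a dummy signature."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256'})}.{seg(claims)}.constructed-signature"
```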

All I get now is {"iss":"https://appleid.apple.com","aud":"*****","exp":1566915927,"iat":1566915327,"sub":"*****","at_hash":"LO4e93EaBSHzBZ3RajVYcA","auth_time":1566915325}, no email info, though my authUrl looks like https://appleid.apple.com/auth/authorize?response_type=code&client_id=****&redirect_uri=****&state=****&scope=name%20email&response_mode=form_post


Where can I get the email address?

This is still not the case today. Any planning to include those?

Hi Natthakorn123,


Is it possible that there will be support also with a response_mode with a standard get? I've created a subroutine with response_mode=form_post but I want to have less maintenance and to keep this in line with the oauth providers (linkedin, google+, facebook etc).

Yes, this is what we do. We have it working using our web application, we get a proper code and can exchange it for a token.

However, when we try to exchange a code that was received by the app using the mobile SDK, we get the error message "invalid_grant".

This issue is still not completely resolved given the following scenario in this post:


https://forums.developer.apple.com/message/383083#383083

How about the name? Is it included in "id_token"? I am using the web API and I can retrieve the email but not the name. Tried removing as well my site in apple https://appleid.apple.com/account/manage but just keep getting the email and not the name.