Sign in with Apple - "Exclusively"?

The guidelines state:


Apps that exclusively use a third-party or social login service (such as Facebook Login, Google Sign-In,
Sign in with Twitter, Sign In with LinkedIn, Login with Amazon, or WeChat Login) to set up or
authenticate the user’s primary account with the app must also offer Sign in with Apple as an equivalent option.


However just a bit further down:


Sign in with Apple is not required if:
Your app exclusively uses your company’s own account setup and sign-in systems.


So, if my app were to offer both third-party SSO and our own account setup, it would fit under neither of these cases. What gives?

Replies

Is your company a major player such as FB, Google, Twitter, LinkedIn, Amazon, or WeChat? No? Then what's the question? See the first quote.

I believe your question is whether you need to use Apple sign in if you do not ‘exclusively’ use 3rd party and social log ins. You are literally correct that the first requirement to use Apple sign in does not apply if you offer your own, 1st party, sign in (and you are not a social website). Therefore these two statements, by themselves, do not explicitly require you to add Apple sign in.

I am in the same situation. The review guidelines are ambiguous as there is a "You are required if" statement that says only if you offer third party sign in exclusively. They then go on to define a "You are not required if" statement that says you are not required if you only use your own authentication exclusively. This leaves all apps that offer both their own authentication and third party authentication to fall into neither category and is therefore ambiguous as to what the rule is. My whole team has read it and we have no idea if we have to implement this. When Apple Sign in was announced, they stated that it would be required for all developers that use a third party sign in.

Actually, as stated in these guidelines, there is no ambiguity; you are not required to use Apple sign in because neither of the statements applies if you use both third-party and your own system for log-in.


But.....it is not unreasonable to assume that the statement "Apps that exclusively use a third-party or social login service..." is incorrect and the correct statement is "Apps that use a third-party or social login service...". If so, you will be rejected. Tell us what happens.

> They then go on to define a "You are not required if" statement that says you are not required if you only use your own authentication exclusively.


Correct, in which case where you use both you are exempt. Seems clear enough.

I'm actually not sure how some don't see this as ambiguous. My internal team have all read it and agree that it has conflicting criteria. As the original poster stated, Apple gives two conflicting statements.


1. "You must if you offer exclusively third party sign on" - I don't fall in this category, because I offer my own authentication and third party sign on. Okay I don't have to offer this.


2. "You don't have to if you offer exclusively your own authentication" - Hmmm, I also don't fall into this exception since I don't offer exclusively my own sign on. Since I don't qualify for any exemptions listed, I would assume I do have to implement Apple Sign On.


So I don't have to implement sign in, although I don't meet any of the exemptions that would allow me to not have to offer Apple sign in.


If the wording is incorrect as suggested by PBK, then it would be clear that we have to implement this if the word "exclusively" were removed.


My apps were existing and have been through 2 reviews each since iOS13 without Apple Sign On, though the enforcement for existing apps won't happen until April 2020. The dev work is done, we just have it sitting in a branch in case we need to pull it over. I'll keep checking to see if they update the guidelines and update here if so.

Ambiguous means two (or more) different possible meanings, not two conflicting meanings. No ambiguity here. Just a possible error by Apple.


You correctly interpret both statements as not applying to your situation ("I don't fall in this category" and "I also don't fall into this exception"). But then you go on to conclude "Since I don't qualify for any exemptions listed, I would assume I do have to implement Apple Sign On." Why do you do that? You need to fall into a 'listed exemption' only if you fall into the original "must also offer" category. So unless Apple incorrectly included the word "exclusively" in the guideline you, unambiguously, do not need to use Apple Sign In.


But.....IMHO they incorrectly included the word "exclusively" in that "(a)pps that exclusively use" statement and, if so, and again unambiguously, you must use Apple Sign In if you use a third-party or social login system. (Note - they use a singular 'a third-party' in the first 'exclusivity' so that's another error - do you escape the requirement by using both Google and Facebook?) This interpretation is driven by that 'exclusively' in the first exemption which doesn't seem to make any sense otherwise.


But... I may be wrong. The first exemption, in fact, does make sense, and is required when read by Facebook, Google and other social login services. Therefore, perhaps that first exemption is meant to apply only to a social login company that only uses its own login system and would otherwise be required to use Apple Login. All others would not fall into the original 'must also offer' since they do not 'exclusively use a ..social login'.


It's not a question of ambiguity. It's a question of whether or not there is an error in the guideline as written. Albeit, your choice is ambiguous; don't use Apple Sign In and quote the Guidelines back to Apple if you get rejected (I'm not suggesting that will work) or use Apple Login. We shall see whether or not Apple edits their guidelines to actually include your use case in the future.

The wording is inconclusive, period. It simply doesn't address the case of offering your own sign in system as well as a 3rd party system. Anyone that claims otherwise is speculating unless they've gotten an official response from Apple. We've had a team review the language and they all agree it's inconclusive. Hopefully we'll get clarification before April of 2020 but if you need to know today I'd reach out to support requesting clarification: https://developer.apple.com/contact/


func isSignInWithAppleRequired() -> Bool {
    switch (supportsCompanySignIn, supportsThirdPartySignIn) {
    case (true, true):
        // TODO
    case (false, true):
        return true
    case (true, false):
        return false
    case (false, false):
        return false
    }
}

Just to update here as well, Apple did end up updating their criteria in 4.8 as shown here appstorereviewguidelineshistory.com/ and they have removed the word "exclusively" on March 4th. This now makes all apps that offer any third party logins along with their own authentication to be required to implement Apple Sign In. I did not catch this and was just rejected for not having it. Luckily we implemented this just in case, though it will still take some time to get it merged back in and go through QA.