Can't retrieve name and email from Sign In flow

Hi,


We've just implemented Apple Sign In according to the documentation (https://developer.apple.com/documentation/signinwithapplerestapi), the login is working fine, but there is no way to get the email from the token. We tried a lot of different scopes, and while only a few seem to be valid (name, email, openid), they don't seem to change anything in the response of the token. The only field that's in there is "id_token", and the only useful field in the "id_token" is "sub", which seems to be a unique identifier. Is there a way to retrieve the email address?


Thanks!

Answered by DTS Engineer in 413866022

To request user information in the `id_token` (assuming you are requesting via the `/auth/authorize` REST API), you'll need to include the `scope` query parameter, which supports the values—`name` and `email`. You can request one, both, or none.


Note: Use space separation and percent-encoding for multiple scopes; for example, `"scope=name%20email"`.


For additional information about preparing the authorization request, please see the following documentation—


https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/incorporating_sign_in_with_apple_into_other_platforms

This will be enhanced soon, and the email or anonymous email will be in the id_token.

The change to include the email address in the ID token is currently being worked on and will be available soon.


Currently the email address is provided to the application front-end through the post to the redirect uri.

"Currently the email address is provided to the application front-end through the post to the redirect uri"

but in the post response to the redirect uri we are getting only state, id_token and code. How can I get the email address?

This. We only get state and code in the redirect uri, no email address.

We only support response_mode "form_post". We will make form_post the default and remove redirect. In the meantime, please add `&response_mode=form_post` to the request.


ex.


https://appleid.apple.com/auth/authorize?response_mode=form_post&....

But... Why? form_post is not really common. It also makes handling authentication hard when using JavaScript apps like Angular. This will just be another hassle for us to implement this; now we have to implement a method server-side to transform the form_post into a redirect again.

Saw this for the first time today, there are now four items in the posted form data on successful login: state, code, id_token, and *user*. User has firstName, lastName, and email in a JSON blob.


Should we be concerned about replay attacks, since the user info is unsigned? In other words, if a nefarious actor replays a previous post but changes the "user" to something else, is that detectable?

I think the idea of including user name/email in the JWT as Aniwat mentioned above would get us out of the woods.

The email should be included in the ID token now. Please try.

@tdh42 where do you see that form_post is not required?
