Apple Connection User Sub Claim Contains Dot (.) Characters

Knowledge Articles
1

Overview

This article will explain why a returned token’s sub-claim returns as a dot (.) while using an Apple Social connection.

Applies To

  • Apple Connection
  • Tokens

Cause

The user_id is based on the returned value from the Identity Provider (IdP), with a strategy prefix:

  • <strategy>|<user ID from IdP>
  • E.g., for an Apple Social connection, the user ID would look something like:
  • apple|abc123.def456.ghi789
  • As Apple passes a user ID with dot (.) characters, these are seen in the sub-claim of tokens.

Enterprise connections have an additional connection name prefix, as a tenant may have multiple enterprise connections using the same protocol/connection type:

  • <strategy>|<connection name>|<user ID from IdP>
  • e.g., for an SAML Enterprise connection called “Customer1”, a user with the ID “123xyz” on the SAML IdP would be stored in Auth0 as:
  • samlp|Customer1|123xyz

Solution

It is not possible to change the user_id format that Auth0 stores from external IdPs. It will always follow the above syntax.

If it is essential to alter the format of the user ID, the following workaround can be used:

  1. Use Actions to store a secondary identifier based on the original user ID.
  2. Strip out unwanted characters from the secondary identifier, for example.
  3. Add this modified identifier to tokens for the application’s or API’s consumption:
exports.onExecutePostLogin = async (event, api) => {
  if (event.connection.name === "apple") {
    console.log("Triggering user id modification for token")
  var modifiedUserId = "";
  //check for previously generated user ID
  if (event.user.app_metadata?.modifiedUserId) {
    modifiedUserId = event.user.app_metadata.modifiedUserId;
  } else {
    //strip '.' characters and save modified ID to app metadata
    modifiedUserId = event.user.user_id.replace('.','');
    api.user.setAppMetadata("modifiedUserId",modifiedUserId);
  }
//add edited user ID as a custom claim to access and/or ID tokens
  api.accessToken.setCustomClaim("https://<your namespace here>/modifiedUserId",modifiedUserId);
  api.idToken.setCustomClaim("https://<your namespace here>/modifiedUserId",modifiedUserId);
  };
};

See Create Custom Claims for more details on this process.

NOTE: For the purposes of user searches using the Auth0 Management API, searching metadata for identifiers, particularly nested metadata, is not performant and should not be used for time-sensitive or critical operations. See User Search Best Practices for more information.