Problem statement
Users associated with an Apple social connection received the following email after being deleted using the DELETE /api/v2/users/{id} Management API endpoint. This has not been seen with other social connections (e.g., Google). Is this expected?
Title:
{Service ID} has revoked your Sign in with Apple account.
Message Body:
{Service ID} has revoked your Sign in with Apple account.
Next time you use Sign in with Apple to sign in to your {Service ID} account, you'll have to share your name and email again. Learn more...
Apple Support
Steps to reproduce
Steps that can be taken to recreate the problem.
- Create an Apple Social Connection
- Create a user and associate the user to the Apple Social Connection
- Delete the user using the DELETE /api/v2/users/{id} Management API endpoint
- The user receives an email titled {Service ID} has revoked your Sign in with Apple account.
Cause
This is expected:
- When a user on an Apple connection is deleted, Auth0 checks whether any refresh tokens are stored on that user. These refresh tokens must be revoked when the user is deleted to prevent ongoing access to the account.
- When the relationship between the user’s application and Apple ID connection is revoked, Apple sends this email to the user. Auth0 does not send this email.
Solution
This is expected behaviour and the email generated is from Apple, not Auth0.
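The following is an added example, not Auth0's code: a pre-deletion check that sorts a batch of exported user profiles by whether Apple's revocation email should be expected, following the cause described above. The profile field names (`identities`, `provider`, `refresh_token`) are assumptions about the profile shape, and all sample values are constructed.

```python
"""Pre-deletion triage for users on an Apple connection (added example)."""
import json

# Constructed sample shaped like Management API user profiles.
# Field names are assumptions; every id, email and token is made up.
SAMPLE_USERS = json.loads("""
[
  {"user_id": "apple|000001.constructed", "email": "a@example.com",
   "identities": [{"provider": "apple", "connection": "apple",
                   "refresh_token": "constructed-token-1"}]},
  {"user_id": "google-oauth2|1111", "email": "b@example.com",
   "identities": [{"provider": "google-oauth2",
                   "connection": "google-oauth2"}]},
  {"user_id": "auth0|2222", "email": "c@example.com",
   "identities": [{"provider": "auth0",
                   "connection": "Username-Password-Authentication"},
                  {"provider": "apple", "connection": "apple",
                   "refresh_token": "constructed-token-2"}]},
  {"user_id": "apple|000003.constructed", "email": "d@example.com",
   "identities": [{"provider": "apple", "connection": "apple"}]}
]
""")


def classify(user):
    """Label one profile by what deleting it is expected to trigger."""
    identities = user.get("identities") or []
    # Linked accounts: the Apple identity may be secondary, so scan them all.
    apple = [i for i in identities if i.get("provider") == "apple"]
    if not apple:
        return "no-apple-identity"
    if any(i.get("refresh_token") for i in apple):
        # A stored Apple refresh token is revoked on deletion, and Apple
        # then emails the user.
        return "apple-email-expected"
    # Either no token is stored, or the export could not read it
    # (assumption: token fields are only present with sufficient scope).
    return "apple-token-not-visible"


def triage(users):
    """Group user_ids by label so support can anticipate user reports."""
    report = {}
    for user in users:
        report.setdefault(classify(user), []).append(user.get("user_id"))
    return report


if __name__ == "__main__":
    for label, ids in triage(SAMPLE_USERS).items():
        print(f"{label}: {', '.join(ids)}")
```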