We are implementing Sign In With Apple in our React Native app. I’m trying to understand how to handle this flow:
- User creates an account using Sign In With Apple
- User deletes their account
- User returns to the app and tries to login/create a new account using Sign In With Apple
Even though the tokens have been revoked via a request sent to Apple (I receive the email from Apple so I know that’s working), our app is still linked to the Apple ID in my device settings.
So when the user tries to create a new account, Apple does not provide an email address in the login flow, only the tokens and user id. Since we have deleted their account on Auth0, and have no email provided (even a masked one), we can’t create a new account.
This means the user would have to manually go in to settings and delete our app from the list of apps associated with their Apple ID if they wanted to create a new account after deleting their old one.
Is there a way around this?
Hi @joshreed
I believe that the issue is caused by the fact that Apple only sends the user’s email and name payload exactly once, during the very first authorization. If you delete the user in Auth0, Auth0’s cache of that email is wiped. The reason your revocation request isn’t completely unlinking the app from the iOS device settings is that you are likely revoking the Apple Access Token instead of the Apple Refresh Token. To force Apple to “forget” the app and send the email payload again on the next signup, you must explicitly revoke the SIWA Refresh Token.
To completely sever the connection and force Apple to send the email again, you must configure Auth0 to capture the Apple Refresh Token, and then pass that token to Apple during your deletion flow.
To fix this, you will need to:
- Go to your Auth0 Dashboard > Authentication > Social > Apple.
- Scroll down and ensure Fetch Refresh Token is enabled.
- When a user initiates an account deletion in your React Native app, your backend must intercept the request before deleting the Auth0 user.
- Use the Auth0 Management API (`GET /api/v2/users/{id}`) to fetch the user’s profile.
- Look inside the `identities` array for the Apple connection.
- Extract the `refresh_token` string from that specific identity object.
- Send your POST request to Apple’s `/auth/revoke` endpoint using the extracted token. Ensure you set the hint parameter: `token_type_hint=refresh_token`
- Once Apple processes the refresh token revocation, the app will instantly vanish from the user’s iOS Settings.
- Now, you should be able to safely call `DELETE /api/v2/users/{id}` to remove the user from Auth0. The next time they tap Sign In with Apple, the OS will treat it as a brand new authorization and provide the email.
Let me know if this does the trick for you or if you have any other questions!
Kind Regards,
Nik
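The backend side of the deletion flow described in the reply above (fetch the Auth0 profile, pull the Apple refresh token from `identities`, revoke it at Apple with `token_type_hint=refresh_token`, and only then delete the Auth0 user), written as an added Node.js example that is not code from the thread or from Auth0. The Auth0 domain, Management API token, Apple `client_id` and the ES256-signed `client_secret` JWT that Apple requires are assumed inputs, and the sample profile is constructed.

```javascript
// Added example, not from the thread. Requires Node 18+ for the global fetch.

// Pull the Apple refresh token out of an Auth0 user profile as returned by
// GET /api/v2/users/{id}. The identities entries only carry IdP tokens when
// "Fetch Refresh Token" is enabled and the Management API token was issued
// with the read:user_idp_tokens scope.
function extractAppleRefreshToken(profile) {
  const apple = (profile.identities || []).find((id) => id.provider === "apple");
  if (!apple) throw new Error("user has no Apple identity");
  if (!apple.refresh_token) {
    // Without this, revoking only the access token leaves the app listed in
    // the device's Apple ID settings, which is the behaviour asked about above.
    throw new Error("Apple identity has no refresh_token; enable Fetch Refresh Token");
  }
  return apple.refresh_token;
}

// Form body for POST https://appleid.apple.com/auth/revoke. clientSecret is the
// ES256-signed JWT Apple requires; producing it is assumed to happen elsewhere.
function buildRevokeBody(clientId, clientSecret, refreshToken) {
  return new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    token: refreshToken,
    token_type_hint: "refresh_token",
  });
}

// Full flow. fetchImpl is injectable so the ordering can be tested offline.
async function deleteUserWithAppleRevocation(cfg, userId, fetchImpl = fetch) {
  const mgmtHeaders = { Authorization: `Bearer ${cfg.mgmtToken}` };
  const userUrl = `https://${cfg.auth0Domain}/api/v2/users/${encodeURIComponent(userId)}`;
  const profile = await (await fetchImpl(userUrl, { headers: mgmtHeaders })).json();
  const refreshToken = extractAppleRefreshToken(profile);
  const revoke = await fetchImpl("https://appleid.apple.com/auth/revoke", {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: buildRevokeBody(cfg.appleClientId, cfg.appleClientSecret, refreshToken).toString(),
  });
  // Delete the Auth0 user only after Apple confirmed the revocation; once the
  // profile is gone the refresh token is lost and the link can no longer be severed.
  if (!revoke.ok) throw new Error(`Apple revoke failed: ${revoke.status}`);
  const del = await fetchImpl(userUrl, { method: "DELETE", headers: mgmtHeaders });
  if (!del.ok) throw new Error(`Auth0 delete failed: ${del.status}`);
  return { revoked: true, deleted: true };
}

// Constructed sample profile (shape of a Management API user with an Apple identity).
const SAMPLE_PROFILE = { user_id: "apple|001234.abcd", identities: [{ provider: "apple",
  user_id: "001234.abcd", connection: "apple", isSocial: true, refresh_token: "r0.constructed-sample" }] };
```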
Thanks so much Nik! This sounds like exactly what we need.
One quick question as I start investigating what you’ve suggested: We have a web site also set up to use Apple Sign in. When creating an account there it also adds an entry to the device settings, but when deleting from the web it successfully deletes the entry. Our backend team is indicating they’re not doing anything custom to handle Apple deletion/revocation, and that Auth0 is handling it out of the box.
Is this custom work with the refresh token only necessary for native apps? Or would the process be the same for a website and I just need to figure out some configuration difference we may have between the two?
Hi again!
Sorry for the delayed reply.
Yes, this solution would require you to use refresh tokens for your native application. If a refresh token is not available, it will resort to only the access token causing the issue that you were experiencing.
Also, yes, the process is similar to both your native and web browser authentication.
Let me know if you have any other questions!
Kind Regards,
Nik