We’re trying to set up Sign in with Apple. We’ve set up everything on the iOS side and it’s sending all the necessary information to Auth0. We can see the email in the Auth0 log when a successful login is made.
The problem is that when the server tries to call /userinfo the user’s email is not included in the resulting payload (see sample payload below):

    {
      "sub": "apple|000109.6b2727499ac54f708cadbb624XXXXXXXXXX",
      "nickname": "kayttXXXXX",
      "name": "kayttXXXXX@privaterelay.appleid.com",
      "picture": "https:\/\/s.gravatar.com\/avatar\/81a508397c4fb8b60ef200d993609aee?s=480&r=pg&d=https://cdn.auth0.com/avatars/ka.png",
      "updated_at": "2020-07-02T19:23:14.995Z",
      "http:\/\/har.com\/claims\/groups": [],
      "given_name": "kayttXXXXX@privaterelay.appleid.com",
      "family_name": ""
    }

Is there something else that we have to configure?
We followed these steps, but in Objective-C, should be the same. https://auth0.com/docs/quickstart/native/ios-swift-siwa
Another weird thing we noticed was that the Authorized Applications tab of the user that’s created doesn’t have any applications. Not sure if that’s why it’s happening.
We are using the native flow, not the web flow.
Gotchya thanks for providing that context. Can we work together with the quickstart maintainer in order to solve that hurdle by creating a GitHub issue in the quickstart repo?
Create the issue copy-pasting the context you shared here and share with us the link to the issue so we can proceed. Thanks!
I would love to do that, but it will probably be a while. I have a couple of other apps to work on. I’m surprised no one else has gotten this issue before, so I’m assuming something is wrong in our configuration or something, although it’s so weird that it’s half working.
Sorry I was on vacation last week. The profile does include the email. We ended up creating a rule that returns this email. We had to change the backend to look for this new key with the email. Ideally we would want it to work just like all the other social logins we use.
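The workaround described in the post above, sketched as an added example (not the poster's code and not from Auth0's quickstart): a legacy Auth0 Rule copies the profile email into a namespaced claim, and the backend reads that claim when the standard `email` field is absent. The claim key `https://example.com/claims/email` and the function names are assumptions; the thread does not say which key was used.

```javascript
// Hypothetical claim key; the thread does not name the key the poster chose.
const EMAIL_CLAIM = "https://example.com/claims/email";

// Auth0 Rule (legacy Rules signature: user, context, callback).
// Copies the profile email into a namespaced ID-token claim. When pasting
// into the dashboard, inline EMAIL_CLAIM and make the function anonymous.
function addEmailClaim(user, context, callback) {
  if (typeof user.email === "string" && user.email.length > 0) {
    context.idToken = context.idToken || {};
    context.idToken[EMAIL_CLAIM] = user.email;
    // Carry the verification flag so the backend does not have to assume it.
    context.idToken[EMAIL_CLAIM + "_verified"] = user.email_verified === true;
  }
  callback(null, user, context);
}

// Backend side: prefer the standard OIDC `email` claim, then the custom one.
// `name` and `given_name` are display fields and are deliberately not used,
// even though they hold an address in the payload shown in this thread.
function resolveEmail(userinfo) {
  const candidates = [
    { email: userinfo.email, verified: userinfo.email_verified },
    { email: userinfo[EMAIL_CLAIM], verified: userinfo[EMAIL_CLAIM + "_verified"] },
  ];
  for (const c of candidates) {
    if (typeof c.email === "string" && c.email.includes("@")) {
      return { email: c.email, verified: c.verified === true };
    }
  }
  return null; // caller decides how to handle a login without an email
}

// Constructed sample data, modelled on the payload shape in the question.
function demo() {
  const payload = { sub: "apple|CONSTRUCTED", name: "someone@privaterelay.appleid.com" };
  const user = { email: "someone@privaterelay.appleid.com", email_verified: true };
  const context = {};
  addEmailClaim(user, context, () => {});
  return {
    before: resolveEmail(payload),
    after: resolveEmail({ ...payload, ...context.idToken }),
  };
}
```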
So seems like an issue with the Apple Account I used when setting up Sign In With Apple. Other Apple Accounts are working fine. I did do things like ‘Try Connection’ and made other changes to Apple and Auth0 settings and was repeatedly using an Apple account which seems to have gotten in a bad state even though the Profile information looked correct. Also note we tested on both Lock.js v11.26.1 and v11.22.5.
Note that we came across a weird issue which may be related when trying to delete a User account created via Apple Sign In from our Auth0 tenant. Once it was discovered other Apple accounts seem to work as expected, I tried to delete my Auth0 user from the tenant and try again. On signing-up again with my Apple ID, I became a “ghost” user in Auth0 with (empty) name and limited profile information. I then went into my Apple ID settings to remove the apps as approved Sign With Apple apps and went and deleted the “empty” user in Auth0 and then everything started working as I had a new Apple User ID provided to Auth0.
Definitely weirdness around scopes or permissions so maybe the trick is to either use a new Apple Account when you encounter trouble or make sure to delete auth entries in both Auth0 Tenant and Apple ID Settings when trying to start from scratch.
We haven’t tried the web yet, we’re using a native app. Although the tests we did through the Auth0 dashboard seem to return all the necessary information, but I’m not sure how a web implementation would differ.
One thing we started checking was if we had correct scopes requested to get email which may be helpful to double-check.
In Auth0 Tenant Users & Roles → Users, select a particular User that used Apple, and check the Authorized Applications lists your application with openid profile email perms.
Authorized Applications is empty for anyone logging in through native Sign in with Apple for us. Also because it’s not web the scope is set in Swift code in Apple’s Sign in SDK.
We can see in the log that the email is set in the profile. I’m guessing that somehow because the Authorized Applications are empty /userinfo doesn’t return the email since there’s no authorized application, but I’m not sure.
We are running into the same issue. Any updates here? After signing in with Apple, the user doesn’t even have the “email” field at all. The option to allow users to hide their email (an Apple feature) is turned off. @konrad.sopala do you have any more information on how to resolve the issue?
If you look at @konrad.sopala’s answers above he wanted to debug the issue by creating an issue in the quickstart repo. Since we used a workaround I never got around to continuing to debug the issue, feel free to follow up with them since you’re having the same issue.