Sign In with Apple: Learn About the New Identity Provider

See what Sign In with Apple, announced at Apple WWDC 2019, is and how to add it to applications. Apple has stated this identity provider will be mandatory for iOS App Store apps.

Brought to you by @bruno.krebs :man_technologist:t5:

Read on :apple:

5 Likes

Apple is mandating that “Sign in with Apple” be listed above other identity provider login options in mobile apps.

1 Like

So what is the implications for iOS apps that provide

  1. an Passwordless SMS Auth0 sign in flow?
  2. a social media Auth0 sign in flow?
  3. a user name and password Auth0 sign in flow?

Thanks for any advice, even if it’s a link to official documentation from Apple. We’re eager to know what the ramifications will be for us.

Hi @dschnare,

There is still a lot we don’t know about the implications of Sign In with Apple, but from what we’ve seen, the only one of those scenarios that will fall under the mandate for supporting Sign In with Apple to be in the App Store would be those that use social logins. In that case, it seems Apple will require you also support Sign In with Apple. If you’re using Auth0 already, Sign In with Apple can be turned on like any other social connection (you can try our beta to get an idea of what it looks like).

There are some broader implications that we’re taking a look at as well. For example, if someone has an existing account and wants to start using Sign In with Apple, how do you link their Apple account with information in existing accounts if they choose to hide their email? There may be some setups that allow the user to easily connect existing accounts when they first sign in with an Apple - we should have more about this soon on the blog.

1 Like

I’m trying to do REST-API authentication using Apple sign-in. I’m struggling with the brief expiry duration on their id token and the seeming inability of the iOS app to refresh the id token without user interaction. Any thoughts on that? See also:


Howdy. Thank you for joining the Auth0 Community. I consulted with our architecture team to get you an answer :slight_smile:

Are you currently using Auth0 as part of your authentication strategy?

When just using Sign in with Apple, you are only issued ID Tokens that are short lived without a good way to refresh them.

When using SIWA with Auth0, you would get an Access Token and a Refresh Token. You can then use the Refresh token to refresh the other tokens.

Hi Dan. Thanks for your reply.

No, I’m not using Auth0. At this point I think that’s not possible in my system. My server-side relies on having credentials for a users cloud storage system (e.g., Dropbox, Google Drive) in order to access that cloud storage. It would be insufficient to just have Auth0 credentials.

It sounds like Auth0 uses Apple Sign In only for initially establishing an account, and from then on relies other credentials (SIWA?). I’m curious about what happens if a user revokes access for the application for Apple Sign In. Is that detected by Auth0? If so, how and when is that detected?

This detection of revocation is one of my concerns about Apple Sign In for my use case. It seems there are only limited opportunities to programmatically learn about when such a revocation occurs. More specifically, it seems this can typically only occur server-side and once every 24 hours. (See https://developer.apple.com/documentation/signinwithapplerestapi/verifying_a_user).

I’d appreciate any more insights you can provide.

Thanks,
Chris.