Transferring app in AppStore, Sign in with Apple and Auth0

Hi all,

I’m planning the process of the app transfer in Apple’s AppStore.

Our app utilizes SIWA (Sign in with Apple) feature.

The authorization in the app is implemented with Auth0 React Native SDK (Apple is set up as a Social Connection / Identity Provider).

The process of the app transfer is really tricky, to say the least. We need to keep our users’ accounts created with SIWA after the app transfer. The issue is that after updating Apple’s Identity Provider settings in Auth0 (after the app transfer this information will change), Apple will give Auth0 different IDs for the same users.

Apple provides a way to correlate “old” user IDs with “new” ones via the “transfer IDs” which will be available during the process of app transfer. For example, during the transfer, Apple will provide a transfer_sub claim in the ID token. The recipient team can then use these transfer identifiers to correlate “new” user ID with the existing entry in the database.

That was a long intro to the actual question, but I guess it may help people with similar setups, as there is not much information on the internet about this specific case (SIWA + Auth0 + app transfer).

The issue is when users authenticate using Auth0, the client app does not receive an ID token issued by Apple (which contains transfer_sub). This process happens under the hood on the Auth0 side. The client app receives only access/ID/refresh tokens issued by Auth0.

I tried to add a custom claim containing the transfer_sub from Apple to the Auth0’s token using Actions (Login flow). However, according to the documentation Actions do not have access to the original ID token of the Identity Provider (Apple in my case).

Also, I tried to obtain the original IdP’s token via the Auth0 Management API, but I got only refresh_token, and not access_token / ID token in the identities section of the user object.

Am I missing something? From what I discovered to the moment, obtaining the transfer_sub claim from the Apple’s ID token and passing it down to the Auth0 token can only be implemented in the logic of Apple’s social connection in Auth0, and it seems to be proprietary and not customizable.

All of this is even more complicated because I cannot test the e2e app transfer process before the actual transfer of the production app starts.

Please, give me some ideas on how to handle this. Any help will be greatly appreciated.


Hi @burivuh,

Thanks for the detailed write-up. I am going to confer with the team and I’ll update here.

I’m in the same position, @burivuh!

How did you end up solving the problem, @burivuh?

Was there any update to this, @dan.woda?

Hi!

I managed to transfer the app.

In short, the process was the following (my memory almost wiped out this traumatic experience):

  1. Generate transfer IDs and register them in our database
  2. Migration: add columns apple_migration_id and apple_migration_transfer_id to our users’ profiles table
  3. Write and run the script:
     1. Obtain access token via /auth/token (old team)
     2. For each user with id = ‘apple|…’
        1. Obtain transfer ID via /auth/usermigrationinfo
        2. Save it to the transfer_sub column in DB
  4. Make changes to the backend code, so that it can work with both “old” and “new” user IDs – this was the most tedious part
  5. Initiate the app transfer from a current (“old”) account in AppStore Connect
  6. Accept the transfer in the new account in AppStore Connect – 60 days period starts
  7. Run the script to obtain new team-scoped user IDs:
     1. Obtain access token via /auth/token (new team)
     2. For each user with transfer_id
        1. Obtain a new team-scoped user ID
        2. Save it to the apple_migration_id column in DB
  8. Change client ID/secret/etc. in Apple IdP settings in Auth0 to the new one
  9. TBD: at some point, I guess we will be able to finally remove old IDs and transfer IDs from the users’ table and remove the logic added in step 2

@timbo I can share more details if it’s still relevant, ping me at burivuhgmail.com
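The two scripts in the steps above (old team: sub to transfer_sub; new team: transfer_sub to new sub) call Apple's user migration API, which is outside Auth0 and so unaffected by the Auth0 Action limitation from the first post. The block below is an added example, not the poster's script; it uses Apple's documented endpoints (`/auth/token` with the `user.migration` scope, `/auth/usermigrationinfo` with `sub`+`target` before the transfer and `transfer_sub` after it), assumes `client_secret` is the short-lived ES256 JWT you already sign with the team key, and takes an injectable `http` transport so the mapping logic can be exercised offline with constructed responses.

```python
import json
import urllib.parse
import urllib.request

# Apple's documented endpoints for the Sign in with Apple user migration API.
APPLE_TOKEN_URL = "https://appleid.apple.com/auth/token"
APPLE_MIGRATION_URL = "https://appleid.apple.com/auth/usermigrationinfo"


def _default_http(url, fields, bearer=None):
    """Real transport: POST form-encoded fields to Apple, return the parsed JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    if bearer:
        req.add_header("Authorization", f"Bearer {bearer}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def migration_access_token(client_id, client_secret, http=_default_http):
    """Step 1 of each script: client-credentials token limited to the user.migration scope.
    client_secret is assumed to be the short-lived ES256 JWT signed with the team's key."""
    body = {"grant_type": "client_credentials", "scope": "user.migration",
            "client_id": client_id, "client_secret": client_secret}
    return http(APPLE_TOKEN_URL, body)["access_token"]


def transfer_sub_for_user(token, client_id, client_secret, sub, target_team_id, http=_default_http):
    """Sending team, before the transfer: old team-scoped sub -> transfer_sub for target team."""
    body = {"sub": sub, "target": target_team_id,
            "client_id": client_id, "client_secret": client_secret}
    return http(APPLE_MIGRATION_URL, body, bearer=token)["transfer_sub"]


def new_sub_for_transfer_id(token, client_id, client_secret, transfer_sub, http=_default_http):
    """Recipient team, within the 60-day window: transfer_sub -> new team-scoped sub."""
    body = {"transfer_sub": transfer_sub,
            "client_id": client_id, "client_secret": client_secret}
    return http(APPLE_MIGRATION_URL, body, bearer=token)["sub"]


def migrate_users(users, token, client_id, client_secret, http=_default_http):
    """Recipient-side pass over rows {"auth0_id": "apple|<old sub>", "transfer_sub": ...}.
    Returns {auth0_id: new_sub}; rows without a stored transfer_sub are skipped, never guessed."""
    out = {}
    for row in users:
        if row.get("transfer_sub"):
            out[row["auth0_id"]] = new_sub_for_transfer_id(
                token, client_id, client_secret, row["transfer_sub"], http)
    return out
```

Once the new Apple IdP settings are active in Auth0, the new subs returned here are what Auth0 will put after `apple|` in user IDs, so the backend can match a login against `apple_migration_id` while the old `sub` is still kept for rollback.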
