I’m planning the process of the app transfer in Apple’s AppStore.
Our app utilizes SIWA (Sign in with Apple) feature.
The authorization in the app is implemented with Auth0 React Native SDK (Apple is set up as a Social Connection / Identity Provider).
The process of the app transfer is really tricky to say at least. We need to keep our user’s accounts created with SIWA after the app transfer. The issue is that after updating Apple’s Identity Provider settings in Auth0 (after the app transfer this information will change), Apple will give Auth0 different IDs for the same users.
Apple provides a way to correlate “old” user IDs with “new” ones via the “transfer IDs” which will be available during the process of app transfer. For example, during the transfer, Apple will provide a transfer_sub claim in the ID token. The recipient team can then use these transfer identifiers to correlate “new” user ID with the existing entry in the database.
That was a long intro to the actual question, but I guess it may help people with similar setups, as there is not much information on the internet about this specific case (SIWA + Auth0 + app transfer).
The issue is when users authenticate using Auth0, the client app does not receive an ID token issued by Apple (which contains transfer_sub). This process happens under the hood on the Auth0 side. The client app receives only access/ID/refresh tokens issued by Auth0.
I tried to add a custom claim containing the transfer_sub from Apple to the Auth0’s token using Actions (Login flow). However, according to the documentation Actions do not have access to the original ID token of the Identity Provider (Apple in my case).
Also, I tried to obtain the original IdP’s token via the Auth0 Management API, but I got only refresh_token, and not access_token / ID token in the identities section of the user object.
Am I missing something? From what I discovered to the moment, obtaining the transfer_sub claim from the Apple’s ID token and passing it down to the Auth0 token can only be implemented in the logic of Apple’s social connection in Auth0, and it seems to be proprietary and not customizable.
All of this is even more complicated because I can not test the e2e app transfer process before the actual transfer of the production app starts.
Please, give me some ideas on how to handle this. Any help will be greatly appreciated.