Hello there, we have implemented Sign in with Apple on our site, and everything is working well except for two edge cases in which the JWT returned by Sign in with Apple does not contain the user's email. These cases are:
- When users choose Hide My Email when creating their account and later manually change their settings to turn off email forwarding (Tested).
- For Apple at Work & School users, i.e. younger students who may not have an email address. According to Apple's docs, the email could be empty for Sign in with Apple at Work & School users (Not tested).
The problem is that we use the email to confirm the user's authentication, but when the email is not present in the JWT, our system won't be able to find the registered user.
We're currently working on a workaround for this, but we would like to confirm that these edge cases are known to Apple, and also ask some questions:
- Is it correct to say that turning off email forwarding will cause Apple's identity token (JWT) not to include the user's email address?
- Apple at Work & School users: is there a way to identify that someone is using this type of account?
- Is there any other known edge case in which the email could be empty in the JWT?
Thanks in advance!
Hi @carloscarcamo,
You wrote:
Is it correct to say that turning off email forwarding will cause Apple's identity token (JWT) not to include the user's email address?
No, this is not correct. The email claim is included in the ID token regardless of the user's email forwarding status.
Next, you wrote:
Apple at Work & School users: is there a way to identify that someone is using this type of account?
No, there is no way to distinguish between Sign in with Apple and Apple at Work & School users.
Then, you wrote:
Is there any other known edge case in which the email could be empty in the JWT?
Not all Apple IDs have an email address. In some regions, only a phone number is required to create an account. No email will be provided for these users. To learn more about these accounts, please see below:
Create and manage an Apple Account using a phone number instead of an email address
https://support.apple.com/en-in/105034
In addition, if a user who does have an email address for their account has already authorized with a developer once without the requested email scope, then the email will not be provided within the ID token unless the user revokes access and authorizes again.
Cheers,
Paris X Pinkney | WWDR | DTS Engineer
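As an added example (not part of this thread and not Apple's own code), the snippet below shows the relying-party logic the answer implies: validate the ID token's `iss`, `aud` and `exp` claims, key the account lookup on the stable `sub` claim, and treat `email` as optional, using it only (when present and `email_verified`) to link a legacy email-keyed account to its `sub`. The client_id `com.example.web`, the `sub` values, the user store and the tokens are all constructed for the example; the tokens carry dummy signatures, and verification of the real RS256 signature against Apple's JWKS (https://appleid.apple.com/auth/keys) is assumed to have been done beforehand with a JOSE library and is not shown.

```python
"""Claim validation and sub-based account resolution for a Sign in with Apple ID token.

Added example, not from the forum thread. The token's RS256 signature must already
have been verified against Apple's JWKS before these functions are called; only the
claim checks and the account lookup are shown.
"""
import base64
import json
import time

APPLE_ISSUER = "https://appleid.apple.com"
CLIENT_ID = "com.example.web"   # assumption: the Services ID used as client_id


class InvalidIDToken(Exception):
    pass


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_payload(token):
    """Return the claims of a compact JWS whose signature has already been verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidIDToken("token is not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims, client_id=CLIENT_ID, now=None):
    """Check issuer, audience, expiry and presence of sub; return the claims."""
    now = time.time() if now is None else now
    if claims.get("iss") != APPLE_ISSUER:
        raise InvalidIDToken("unexpected issuer")
    aud = claims.get("aud")   # RFC 7519 allows a string or a list here
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise InvalidIDToken("token not issued for this client_id")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise InvalidIDToken("token expired")
    if not claims.get("sub"):
        raise InvalidIDToken("missing sub")
    return claims


def resolve_user(claims, users_by_sub, users_by_email):
    """Find the local account for validated claims.

    sub is always present and stable per user and team; email may be absent
    (phone-number-only Apple ID, scope not granted on first authorization),
    so it is used only to link a legacy email-keyed account to its sub.
    """
    user = users_by_sub.get(claims["sub"])
    if user is not None:
        return user
    email = claims.get("email")
    verified = claims.get("email_verified") in (True, "true")   # Apple sends bool or string
    if email and verified:
        legacy = users_by_email.get(email.lower())   # store keys emails lowercased
        if legacy is not None:
            legacy["apple_sub"] = claims["sub"]
            users_by_sub[claims["sub"]] = legacy
            return legacy
    return None   # unknown user: caller starts account creation, not an email error


def login(token, users_by_sub, users_by_email, now=None):
    """Signature-verified token -> local user, or None when no account matches."""
    return resolve_user(validate_claims(decode_payload(token), now=now), users_by_sub, users_by_email)


def is_valid(token, now=None):
    try:
        validate_claims(decode_payload(token), now=now)
        return True
    except InvalidIDToken:
        return False


def make_unsigned_test_token(claims):
    """Compact JWS with a dummy signature, for the constructed examples only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "test"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.c2ln"   # not a real signature


NOW = 1_700_000_000   # fixed clock so the constructed tokens stay valid
_BASE = {"iss": APPLE_ISSUER, "aud": CLIENT_ID, "iat": NOW, "exp": NOW + 600}
# Constructed tokens (not captured from Apple); sub values are made up.
TOKEN_KNOWN_NO_EMAIL = make_unsigned_test_token({**_BASE, "sub": "001234.abcd.5678"})
TOKEN_UNKNOWN_NO_EMAIL = make_unsigned_test_token({**_BASE, "sub": "001234.zzzz.0000"})
TOKEN_LEGACY_WITH_EMAIL = make_unsigned_test_token(
    {**_BASE, "sub": "001234.efgh.9999", "email": "Student@example.edu", "email_verified": "true"})
TOKEN_EXPIRED = make_unsigned_test_token({**_BASE, "sub": "001234.abcd.5678", "exp": NOW - 1})
TOKEN_WRONG_AUD = make_unsigned_test_token({**_BASE, "sub": "001234.abcd.5678", "aud": "com.example.other"})


def fresh_store():
    """Constructed user store: one account already linked to a sub, one legacy email-only account."""
    users_by_sub = {"001234.abcd.5678": {"id": 1, "apple_sub": "001234.abcd.5678"}}
    users_by_email = {"student@example.edu": {"id": 2, "apple_sub": None}}
    return users_by_sub, users_by_email
```

The point of the split between `validate_claims` and `resolve_user` is that a missing `email` never reaches the failure path: the known user in `TOKEN_KNOWN_NO_EMAIL` logs in by `sub` alone, the legacy account is linked once via a verified email and from then on also resolves by `sub`, and an unknown `sub` with no email returns `None` so the site can offer account creation rather than rejecting the login.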