Tags: ios, openid-connect, sign-in-with-apple

Sign In With Apple - Updated Scope Not Reflected in JWT claims


I'm currently testing SWIA implementations, and found some interesting behavior related to scope in the authorization flow.

Situation that I'm facing right now is:

  1. User signs in with their Apple ID through the mobile app's or website's SWIA feature for the very first time, without the email scope.
  2. User is granted a JWT without the email claim, as expected.
  3. Later, we change the authorization process to add the email scope.
  4. User (from #1) signs in again and goes through SWIA with the email scope.
  5. User is granted a JWT without the email claim.
  6. Unless the user manually de-authorizes the app from their Apple ID portal (or in the mobile app), the updated scope will not be reflected.

It also happens the opposite way (i.e. having the email scope for the very first request and then later removing the email scope: this will still grant a JWT with the email claim).

Is this something expected from Apple's OIDC server, or am I doing something wrong? I've tested it with both native iOS SWIA and the web client, and both produce the same result.

Not quite sure if this is as per the OIDC specification.

Any insight or help would be greatly appreciated.


Solution

  • I know it's a late reply. Sign in with Apple does not provide incremental changes to the user scopes. A user who authorized with the initial scope won't get the new one until they revoke our application, as described here: https://support.apple.com/en-us/HT210426. That means the newly added scope only affects newly authorized users, and would include the email claim in their identity token (and in the initial user body of the authorization response).

    Additionally, the above steps don't show the option to revoke the app until at least one app login has happened, and the app should be in production, not sandbox or testing.

    [Image: apps not showing as there is no app that requested email/name]

    [Image: it will appear after a successful login from the production app]
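Added example, not part of the question or the answer above: the behaviour described in this thread means a returning user can present a perfectly valid identity token that still lacks the `email` claim even though the app now requests the `email` scope. The relying party therefore cannot assume a requested scope yields a claim; it has to check the token and treat a missing claim as stale consent (the user authorized under the old scope and has not revoked the app). The Python below, written here for illustration and using only the standard library, decodes the token payload, checks `iss`, `aud` and `exp`, and reports which requested scopes did not produce their claim. The hypothetical `make_demo_token` builds an unsigned token so the code runs offline; in a real deployment the RS256 signature must first be verified against Apple's JWKS at https://appleid.apple.com/auth/keys, which this example deliberately does not do. The client ID, subject and email values are constructed sample data.

```python
import base64
import json
import time

APPLE_ISSUER = "https://appleid.apple.com"

# Scope -> claim expected in the identity token when that scope was consented to.
# The "name" scope never yields a JWT claim: Apple returns the name only once, in
# the user object of the first authorization response, so it is not checked here.
SCOPE_TO_CLAIM = {"email": "email"}


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)  # restore stripped padding
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(id_token):
    """Return the JWT payload as a dict. This does NOT verify the signature:
    only call it on a token whose RS256 signature was already verified
    against Apple's published keys."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims, audience, now=None):
    """Standard OIDC checks on an already signature-verified token."""
    now = time.time() if now is None else now
    if claims.get("iss") != APPLE_ISSUER:
        raise ValueError("unexpected issuer: %r" % claims.get("iss"))
    if claims.get("aud") != audience:
        raise ValueError("token not issued for this client: %r" % claims.get("aud"))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if "sub" not in claims:
        raise ValueError("missing subject claim")


def missing_scope_claims(claims, requested_scopes):
    """Requested scopes whose claim is absent: the sign the user consented
    under an older, narrower scope and has not revoked the app."""
    return [s for s in requested_scopes
            if s in SCOPE_TO_CLAIM and SCOPE_TO_CLAIM[s] not in claims]


def classify_login(id_token, requested_scopes, audience, now=None):
    """Decide how to treat a Sign in with Apple login. Link accounts by the
    stable `sub`, never by email, since email may legitimately be absent."""
    claims = decode_claims(id_token)
    validate_claims(claims, audience, now)
    missing = missing_scope_claims(claims, requested_scopes)
    result = {"sub": claims["sub"], "missing": missing}
    if missing:
        # Stale consent: ask the user to revoke the app in their Apple ID
        # settings and sign in again, or collect the data another way.
        result["status"] = "stale_consent"
    else:
        result["status"] = "ok"
        result["email"] = claims.get("email")
        result["is_private_email"] = claims.get("is_private_email")
    return result


def make_demo_token(claims):
    """Constructed, UNSIGNED token for offline demonstration only (hypothetical)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "demo-kid"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return "%s.%s.%s" % (header, payload, _b64url_encode(b"not-a-real-signature"))


if __name__ == "__main__":
    client_id = "com.example.app"  # constructed sample client ID
    base = {"iss": APPLE_ISSUER, "aud": client_id, "sub": "001234.abcdef", "exp": 2000000000}
    # Returning user who consented before the email scope was added: no email claim.
    print(classify_login(make_demo_token(base), ["name", "email"], client_id, now=1700000000))
    # Newly authorized user: the email claim is present.
    fresh = dict(base, email="user@example.com", email_verified="true")
    print(classify_login(make_demo_token(fresh), ["name", "email"], client_id, now=1700000000))
```

The `stale_consent` branch is where the thread's finding bites: the token is valid, the login succeeded, and the only way to get the claim is the revocation step the answer links to, so the app needs a path that does not depend on `email` being there.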