ios, apple-sign-in, sign-in-with-apple

Apple's JWT Identity token during the Sign In With Apple transfer period


I carefully checked the documentation and searched the net - but I didn't find the definitive answer. :(

After the transfer of the app from the old dev team to the new dev team is started, Apple's user auth response (JWT Identity token) will contain both the sub and transfer_sub properties.

But what value will the sub property contain? Is it the old sub which was relevant for the old team, or will it contain the new sub relevant for the new team?

I came across these 2 theories:

  1. For the specific user, on the first call right after the migration started, the sub will contain old sub (related to old team), but on following calls it will contain the new sub (related to the new team) - or -
  2. From the start of the migration the sub will contain the new sub (related to new team) - or -
  3. Something else?

(Of course - it is clear to me - that response will contain transfer_sub so we can match the user with user data in our db, also it is clear how to generate new sub based on transfer_sub.)

Thank you!


Solution

  • I have just received the answer from Apple support:

    The sub (or user ID) is team-scoped.

    So, before the app transfer is complete, the user ID returned will be associated with the app owner—the transferring team.

    Upon completion of the app transfer, the user ID returned will still be associated with the app owner—the recipient team.

    This unique value will be different for each team, but the transfer_sub (or transfer ID) will remain the same across the developer team pairs.

    UPDATE: Please note that "Upon completion of the app transfer" doesn't refer to the end of the 60-day transition period, but to the period of a few minutes to a few days which is needed for the app to appear on the target team account.
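
A server-side sketch of the account matching this answer implies, added here as an example (it is not code from the post or from Apple). It assumes the identity token's signature, iss, aud and exp were already verified; the Account schema, the helper names and the "one relink per account" policy are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

class IdentityConflict(Exception):
    """Verified claims disagree with the stored account; refuse the sign-in."""

@dataclass
class Account:  # hypothetical user-table row
    user_id: int
    apple_sub: str                       # team-scoped, changes with the owning team
    transfer_sub: Optional[str] = None   # stays the same across the team pair
    previous_subs: list = field(default_factory=list)  # audit trail

def _find(accounts, attr, value):
    # Stand-in for an indexed database lookup.
    return next((a for a in accounts if getattr(a, attr) == value), None)

def resolve_account(accounts, claims):
    """Map verified identity-token claims to an account.

    Returns (account, outcome). Assumption: the caller has already verified
    the token; nothing here is safe to run on unverified claims.
    """
    sub, tsub = claims["sub"], claims.get("transfer_sub")
    account = _find(accounts, "apple_sub", sub)
    if account is not None:
        if tsub and account.transfer_sub not in (None, tsub):
            raise IdentityConflict("transfer_sub differs for a known sub")
        # Before the transfer completes, sub is still the old team's value:
        # record transfer_sub now so the account can be found afterwards.
        account.transfer_sub = account.transfer_sub or tsub
        return account, "matched_by_sub"
    account = _find(accounts, "transfer_sub", tsub) if tsub else None
    if account is None:
        return None, "unknown_user"
    if account.previous_subs:
        # Assumed policy: one team change is expected, a second is anomalous.
        raise IdentityConflict("account was already relinked once")
    account.previous_subs.append(account.apple_sub)
    account.apple_sub = sub  # recipient team's sub replaces the old one
    return account, "relinked_by_transfer_sub"

def demo():
    # Constructed sample values, not real Apple identifiers.
    accounts = [Account(1, "old-team-sub-001")]
    during = {"sub": "old-team-sub-001", "transfer_sub": "t-001"}
    after = {"sub": "new-team-sub-001", "transfer_sub": "t-001"}
    return [resolve_account(accounts, c)[1] for c in (during, after, after)]
```

Logging the relink outcome together with the previous sub gives an audit trail for any account whose Apple identifier changed during the transfer.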