ASAuthorizationAppleIDRequest with name and mail scope returns nil values

Question

I'm implementing Sign in with Apple and noticed that the email and fullName properties of the returned ASAuthorizationAppleIDCredential are only filled on the very first Sign-In for this Apple ID. On all subsequent Sign-Ins those properties are nil.

Is this a bug on iOS 13 or expected behaviour?

Here is the code I'm using to start the request:

@available(iOS 13.0, *)
dynamic private func signInWithAppleClicked() {
    let request = ASAuthorizationAppleIDProvider().createRequest()
    request.requestedScopes = [.fullName, .email]

    let controller = ASAuthorizationController(authorizationRequests: [request])
    controller.delegate = self
    controller.presentationContextProvider = self
    controller.performRequests()
}

I'm receiving the credential in this delegate method:

public func authorizationController(controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) {
    guard let credential = authorization.credential as? ASAuthorizationAppleIDCredential else { return }

    let userIdentifier = credential.user
    let token = credential.identityToken
    let authCode = credential.authorizationCode
    let realUserStatus = credential.realUserStatus
    let mail = credential.email // nil
    let name = credential.fullName // nil
}

Answer 1

Seems like a bug but after reading different posts on apple forums it looks like this seems to be the expected behaviour.

So some takeaways.

1. On the first time sign in with apple (signup) make sure to create user account on your backend.

2. In case of any connection error with your servers, make sure you save the user details locally (because you are not getting this next time) and keep retrying to create account on your backend.

3. For testing on device you can revoke your apple ID login for your app. After revoking it will work like a signup next time and you will get the details like (email, name, etc).

To revoke access on your device with IOS 13.

iPhone Settings > Apple Id > Password & Security > Apple ID logins > {YOUR APP} > Stop using Apple ID

Answer 2

In case you're wondering how to retrieve email second and subsequent times, here's a hint: use identityToken which contains encoded in JWT user authorisation data including email.

1. Import this library to decode JWT: https://github.com/auth0/JWTDecode.swift
2. try this code

    import JWTDecode
    // ...
    if let identityTokenData = appleIDCredential.identityToken,
    let identityTokenString = String(data: identityTokenData, encoding: .utf8) {
    print("Identity Token \(identityTokenString)")
    do {
       let jwt = try decode(jwt: identityTokenString)
       let decodedBody = jwt.body as Dictionary<String, Any>
       print(decodedBody)
       print("Decoded email: "+(decodedBody["email"] as? String ?? "n/a")   )
    } catch {
       print("decoding failed")
    }

Or decode it at PHP backend like this:

    print_r(json_decode(base64_decode(str_replace('_', '/', str_replace('-','+',explode('.', $identityTokenString)[1])))));

Answer 3

It is a correct behavior when implementing SignIn with Apple.

This behaves correctly, user info is only sent in the ASAuthorizationAppleIDCredential upon initial user sign up. Subsequent logins to your app using Sign In with Apple with the same account do not share any user info and will only return a user identifier in the ASAuthorizationAppleIDCredential. It is recommended that you securely cache the initial ASAuthorizationAppleIDCredential containing the user info until you can validate that an account has successfully been created on your server.

To overcome this issue we can store all the required information in Keychain. I have created Singleton class for SignIn With Apple. I am sure it will help you.

Git source: https://github.com/IMHitesh/HSAppleSignIn

You need to follow below steps:

Step:1

Add the AppleSignIn folder into your project.

Step:2

Enable SignIn with Apple in Capabilities.

Step:3 -> IMPORTANT

Goto your UIViewController and Add Container view for SignIn with apple.

if #available(iOS 13.0, *) {
    appleSignIn.loginWithApple(view:viewAppleButton, completionBlock: { (userInfo, message) in
        if let userInfo = userInfo{
            print(userInfo.email)
            print(userInfo.userid)
            print(userInfo.firstName)
            print(userInfo.lastName)
            print(userInfo.fullName)
        }else if let message = message{
            print("Error Message: \(message)")
        }else{
            print("Unexpected error!")
        }
    })
}else{
    viewAppleButton.isHidden = true
}

Answer 4

This seems to be the expected behaviour:

This behaves correctly, user info is only sent in the ASAuthorizationAppleIDCredential upon initial user sign up. Subsequent logins to your app using Sign In with Apple with the same account do not share any user info and will only return a user identifier in the ASAuthorizationAppleIDCredential. It is recommened that you securely cache the initial ASAuthorizationAppleIDCredential containing the user info until you can validate that an account has succesfully been created on your server.

Source https://forums.developer.apple.com/thread/121496#379297

Answer 5

This is not bug but it will indicate that your authentication successfully store to your device setting.

if you want to that all information again then you need to following this states.

1. go to your device -> Settings -> Apple ID -> Password & Security -> Apps Using your Apple ID -> you get list of apps used sign in with apple {find your app} -> swift left of your apps row {show Delete option} -> click on Delete

2. restart your app or repress sign in with apple button

Now you can get all information

Answer 6

In https://developer.apple.com/documentation/signinwithapplerestapi/authenticating_users_with_sign_in_with_apple it says:

Because the user’s information isn’t shared with your app in any subsequent API calls, your app should store it locally, immediately after you receive it from the API response. In case of subsequent failures in your process or network, you can read the information from local storage and try processing it again.

Answer 7

The email would be given on the first time sign in. If the user do not "revoke" the apple sign in of your app (which is in the user's Apple ID of system setting page) the callback for signing in would be returned with a nil email value. You could save the user id and email info of the first time sign-in successful result, and when the next time sign in to judge the difference between the return and the saved info.

A better practice is to judge the the value of ASAuthorizationAppleIDProvider.getCredentialState while your app is being "active" for syncing the sign-in state with back-end server in time.

Please refer to: How to Sign Out of Apple After Being Authenticated

Answer 8

I wrote a Helper class specific for this issue. This Helper class can help to save and retrieve the user info securely to and from keyChain. I am using SwiftKeychainWrapper library to do the heavy task for me. Feel free to copy paste the helper class in your code.You might need to add any other extra information depending on your need.

import Foundation
import SwiftKeychainWrapper

/// A Helper class which abstract Keychain API related calls.
final class KeyChainService {
    // MARK: - Properties
    static let shared = KeyChainService()
    
    /// Returns previous saved user name if available.
    var appleUserName: String? {
        return KeychainWrapper
            .standard
            .string(forKey: .appAppleUserName)
    }
    
    /// Returns previous saved user appleId/email  if available.
    var appleUserEmail: String? {
        return KeychainWrapper
            .standard
            .string(forKey: .appAppleEmailId)
    }
    
    
    /// Saves the apple user name into keychain.
    /// - Parameter name: Apple user name retrieved form AppleLogin.
    /// - Returns: true if succeed otherwise false.
    @discardableResult
    func saveAppleUserName(name: String?) -> Bool {
        guard let name = name else {return false}
        return KeychainWrapper.standard.set(
            name,
            forKey: KeychainWrapper.Key.appAppleUserName.rawValue
        )
    }
    
    /// Saves the apple user email into keychain.
    /// - Parameter email: Apple userId/email  retrieved form AppleLogin.
    /// - Returns: true if succeed otherwise false.
    @discardableResult
    func saveAppleEmail(email: String?) -> Bool {
        guard let email = email else {return false}
        return KeychainWrapper.standard.set(
            email,
            forKey: KeychainWrapper.Key.appAppleEmailId.rawValue
        )
    }
    

    /// Deletes both apple user name and saved Id from keyChain.
    func deleteSavedAppleUserInfo(){
        KeychainWrapper.standard.remove(forKey: .appAppleUserName)
        KeychainWrapper.standard.remove(forKey: .appAppleEmailId)
    }
}

// MARK: - KeychainWrapper + Extensions
extension KeychainWrapper.Key {
    /// A random string used to identify saved user apple name from keychain.
    static let appAppleUserName: KeychainWrapper.Key = "appAppleUserName"
    
    /// A random string used to identify saved user apple email /Id from keychain.
    static let appAppleEmailId:KeychainWrapper.Key = "appAppleEmailId"
}

Answer 9

Aug 2023 update: This is still happening. As mentioned here before, this is expected behavior. When decoding the JWT on subsequent calls, the JWT body (section) is missing.

The only consistent way I've been able to get the name/email again, is by signing out in Settings, removing the app and restarting the device.

The correct way to handle this is by caching the credentials, either on the device or server side (the recommended way, doing S2S updates).