BenjaminFavre / keycloak-apple-social-identity-provider

Apple Social Identity Provider for Keycloak
Apache License 2.0

Import email, first & last name upon sign-in #2

Closed odm-mma closed 3 years ago

odm-mma commented 3 years ago

Thank you for this project Benjamin, we've integrated it on our Keycloak server and it basically works really well. One thing we are struggling with is that it does not seem to provide any user attributes to Keycloak when signing in.

After signing in for the first time, Keycloak redirects to a form asking the user to fill out any attributes that are required but missing, which is email, first name and last name. I can see in your code that you are requesting the email and name scopes, and that you are also setting those in the context, so I would expect it to work.

Is this a known limitation of your provider, or are we missing something? Please advise.

BenjaminFavre commented 3 years ago

Thank you for your feedback. Sadly, I think what you are experiencing is rather a limitation of Apple.

Apple shares user info with Keycloak (or any other client) only the very first time a user signs in with Apple: if you delete the user from Keycloak and then they register again with Apple, it won't be the first time from Apple's point of view (and Keycloak won't receive any attributes). The only way to reset this for a specific user (if you have their credentials) is to log in to https://appleid.apple.com/, navigate to "Security" > "Apps & websites using Apple ID" > "Manage..." and then delete the corresponding client.

The API collects this information and shares it with your app the first time the user logs in to the app using Sign in with Apple.

source

Last time I tested it, my provider handled user attributes correctly when received from Apple, i.e. for a first login from Apple's point of view. That being said, Apple sometimes makes changes in its protocol that require changes in my provider too, and I might not have noticed. Could you please ensure you are testing in the context of a first sign-in from Apple's point of view?

odm-mma commented 3 years ago

Thanks for your detailed explanation. I tested it again clearing all information on Apple's as well as Keycloak's side as you said. Here is what I did:

  1. I removed our App from the "Apps using Apple ID" for the account I am trying to sign in with
  2. I removed the corresponding Keycloak user entirely
  3. I signed in using Sign-In With Apple for the first time after performing the steps above

Still, Keycloak will ask for email, first name and last name. When you find the time, could you run through this yourself to see if your provider still picks up all the information correctly?

ebiscardi commented 3 years ago

@EMC-MMA Try to set 'Trust Email' switch to 'ON' in the configuration page of the Apple identity provider in Keycloak

BenjaminFavre commented 3 years ago

I've just made a test and it works as expected: my account is created in Keycloak with first name, last name and email received from Apple, and without Keycloak prompting any form. My configuration of the Apple identity provider is all defaults (except of course for client, team and key IDs as well as the client secret). "Trust email" is OFF for me. I have tested with Keycloak 11.0.2 and version 1.0.1 of my provider. Can you tell me what your Keycloak version is?

odm-mma commented 3 years ago

That is very strange. We too have version 11.0.2 of Keycloak. I've tested with both versions 1.0.0 and 1.0.1 of your provider, also with "Trust Email" on and off. Keycloak always redirects to a form. Before each sign-in attempt, I am removing our application from the "Apps using Apple ID".

I am starting to believe that it may be some other setting on Keycloak, maybe regarding the registration flow or something similar. Are you testing on a clean install of Keycloak with all settings on default?

Thank you for your help so far.

Here are our settings for your provider:

[Screenshot: Screen Shot 2020-10-13 at 08 32 27]

doublechecker commented 3 years ago

Hey there,

I just had the same issue. The fact that we can only retrieve the personal data on the first sign-in, and that Apple's protocol is not what every other provider is doing, is a shame. But as always, that's just Apple...

Anyways. For me it started to work when putting the scopes explicitly. Try to put the following in "Default Scopes": openid name email

And of course don't forget to remove your app on the Apple account page to have your account be handled as a "new" login (already mentioned above).

In addition, if you want to have it working on Safari for Mac as well, you need to put those "Default Scopes" not with a space " " but with an already URL-encoded value, because for some reason Safari on Mac cannot handle this.... In my case it would be openid%20name%20email

Hope it helps.

odm-mma commented 3 years ago

@doublechecker You are right, your fix indeed does work. Thank you for sharing!

BenjaminFavre commented 3 years ago

Hey, I finally could reproduce the bug!

Apple now sends a new user info field, middleName, but only when it is set in your Apple profile. I had no middle name set in my Apple profile, so everything was OK when I tested. As soon as I added a middleName to my profile, my extension crashed (in the logs) and the Keycloak form popped up. I was not ignoring unknown fields during JSON deserialization from Apple (which supported only firstName and lastName), hence the crashes... I corrected the deserialization process to ignore future new fields added by Apple so there will be no crash anymore.

I read your comments and I'm surprised you fixed it by setting the scopes. In my extension, I already set the default scopes so there should be no need to override them during config. Are you sure it is necessary? Are you sure the problem was not you have a middle name set in your profile? If it is necessary, I would like to edit default scopes in the code to make it work for everyone. Or at least to add a note in the readme.

Anyway, thank you for your help!
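The deserialization problem described above, as an added illustration that is not the provider's own code: it assumes Jackson as the JSON library and a constructed sample of the "user" form parameter Apple posts on a first sign-in, and contrasts the strict mapping that rejects the unexpected middleName with the tolerant mapping that ignores unknown fields.

```java
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;

public class AppleUserInfoParsing {
    // Constructed sample (not captured from Apple) of the "user" parameter sent on a
    // first sign-in; middleName is the field that broke the original strict mapping.
    static final String SAMPLE_USER_JSON =
        "{\"name\":{\"firstName\":\"Jane\",\"middleName\":\"Q\",\"lastName\":\"Doe\"},"
        + "\"email\":\"jane@example.com\"}";

    // Strict mapping: Jackson's FAIL_ON_UNKNOWN_PROPERTIES is true by default, so any
    // property not declared here throws UnrecognizedPropertyException during readValue.
    public static class StrictName { public String firstName; public String lastName; }
    public static class StrictUser { public StrictName name; public String email; }

    // Tolerant mapping: unknown properties are skipped, so fields Apple adds later
    // (middleName today, anything else tomorrow) cannot abort the sign-in.
    @JsonIgnoreProperties(ignoreUnknown = true)
    public static class Name { public String firstName; public String lastName; }

    @JsonIgnoreProperties(ignoreUnknown = true)
    public static class User { public Name name; public String email; }

    // Hypothetical helper name; returns the attributes the identity provider would
    // hand to Keycloak (first name, last name, email).
    public static User parseAppleUser(String json) throws Exception {
        return new ObjectMapper().readValue(json, User.class);
    }

    public static void main(String[] args) throws Exception {
        try {
            new ObjectMapper().readValue(SAMPLE_USER_JSON, StrictUser.class);
            System.out.println("strict mapping unexpectedly accepted the payload");
        } catch (UnrecognizedPropertyException e) {
            // This is the failure path the thread observed in the Keycloak logs.
            System.out.println("strict mapping rejected field: " + e.getPropertyName());
        }
        User u = parseAppleUser(SAMPLE_USER_JSON);
        System.out.println(u.name.firstName + " " + u.name.lastName + " <" + u.email + ">");
    }
}
```

Because Apple only sends this payload on the very first authorization, a deserialization failure here is not retryable without the user removing the app from their Apple ID, which is why tolerating unknown fields matters more than usual.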

doublechecker commented 3 years ago

@BenjaminFavre yes, you are right. When I put my middle name in, I land at the Keycloak form. So I guess it was related to some other problem. We will update our Keycloak with your fix, and if I have some time I will try to reproduce the other problem that I had regarding the scopes.

But what I already can say is that this "openid%20name%20email" stuff solved my problems on Safari Mac, but I guess the creation of the URL is not part of this plugin but of Keycloak itself?