Amplify Gen2 SignInWithApple not adding email attribute to userpool that requires email

[JustinHaut]

Before opening, please confirm:

• [X] I have searched for duplicate or closed issues and discussions.
• [X] I have read the guide for submitting bug reports.
• [X] I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.

JavaScript Framework

React Native

Amplify APIs

Authentication

Amplify Version

v6

Amplify Categories

auth

Backend

Amplify Gen 2

Environment information

``` System: OS: macOS 14.6.1 CPU: (10) arm64 Apple M1 Pro Memory: 69.11 MB / 16.00 GB Shell: 5.9 - /bin/zsh Binaries: Node: 20.12.2 - /opt/homebrew/opt/node@20/bin/node Yarn: 1.22.22 - ~/.npm-global/bin/yarn npm: 10.8.2 - ~/.npm-global/bin/npm Watchman: 2024.04.15.00 - /opt/homebrew/bin/watchman Browsers: Chrome: 130.0.6723.119 Safari: 17.6 npmPackages: %name%: 0.1.0 @aws-amplify/backend: ^1.3.1 => 1.6.2 @aws-amplify/backend-cli: ^1.2.9 => 1.4.1 @aws-amplify/core: ^6.5.3 => 6.5.3 @aws-amplify/core/internals/adapter-core: undefined () @aws-amplify/core/internals/aws-client-utils: undefined () @aws-amplify/core/internals/aws-client-utils/composers: undefined () @aws-amplify/core/internals/aws-clients/cognitoIdentity: undefined () @aws-amplify/core/internals/aws-clients/pinpoint: undefined () @aws-amplify/core/internals/providers/pinpoint: undefined () @aws-amplify/core/internals/utils: undefined () @aws-amplify/core/server: undefined () @aws-amplify/react-native: ^1.1.6 => 1.1.6 @aws-amplify/rtn-web-browser: ^1.1.1 => 1.1.1 @aws-amplify/ui-react-native: ^2.2.13 => 2.2.16 @babel/core: ^7.20.0 => 7.26.0 @react-native-async-storage/async-storage: 1.23.1 => 1.23.1 @react-navigation/bottom-tabs: ^6.5.9 => 6.6.1 @react-navigation/native: ^6.1.18 => 6.1.18 @react-navigation/native-stack: ^6.11.0 => 6.11.0 @react-navigation/stack: ^6.4.1 => 6.4.1 @types/react: ~18.2.45 => 18.2.79 @types/react-dom: ~18.2.25 => 18.2.25 @types/react-navigation: ^3.0.8 => 3.0.8 HelloWorld: 0.0.1 aws-amplify: ^6.8.2 => 6.8.2 aws-amplify/adapter-core: undefined () aws-amplify/analytics: undefined () aws-amplify/analytics/kinesis: undefined () aws-amplify/analytics/kinesis-firehose: undefined () aws-amplify/analytics/personalize: undefined () aws-amplify/analytics/pinpoint: undefined () aws-amplify/api: undefined () aws-amplify/api/server: undefined () aws-amplify/auth: undefined () aws-amplify/auth/cognito: undefined () aws-amplify/auth/cognito/server: undefined () aws-amplify/auth/enable-oauth-listener: undefined () aws-amplify/auth/server: undefined () aws-amplify/data: undefined () aws-amplify/data/server: undefined () aws-amplify/datastore: undefined () aws-amplify/in-app-messaging: undefined () aws-amplify/in-app-messaging/pinpoint: undefined () aws-amplify/push-notifications: undefined () aws-amplify/push-notifications/pinpoint: undefined () aws-amplify/storage: undefined () aws-amplify/storage/s3: undefined () aws-amplify/storage/s3/server: undefined () aws-amplify/storage/server: undefined () aws-amplify/utils: undefined () aws-cdk: ^2.161.0 => 2.166.0 aws-cdk-lib: ^2.161.0 => 2.166.0 axios: ^1.7.7 => 1.7.7 axios-retry: ^4.5.0 => 4.5.0 constructs: ^10.3.0 => 10.4.2 esbuild: ^0.24.0 => 0.24.0 (0.23.1) expo: ~51.0.39 => 51.0.39 expo-build-properties: ~0.12.5 => 0.12.5 expo-file-system: ^17.0.1 => 17.0.1 expo-local-authentication: ~14.0.1 => 14.0.1 expo-secure-store: ~13.0.2 => 13.0.2 expo-splash-screen: ~0.27.7 => 0.27.7 expo-status-bar: ~1.12.1 => 1.12.1 expo-store-review: ^7.0.2 => 7.0.2 expo-system-ui: ~3.0.7 => 3.0.7 expo-updates: ~0.25.27 => 0.25.27 jwt-decode: ^4.0.0 => 4.0.0 nanoid: ^5.0.7 => 5.0.8 (3.3.7) react: 18.2.0 => 18.2.0 (18.3.1) react-dom: 18.2.0 => 18.2.0 (18.3.1) react-native: 0.74.5 => 0.74.5 react-native-device-info: ^13.0.0 => 13.2.0 react-native-gesture-handler: ~2.16.1 => 2.16.2 react-native-get-random-values: ^1.11.0 => 1.11.0 react-native-paper: 4.12.8 => 4.12.8 react-native-progress: ^5.0.1 => 5.0.1 react-native-reanimated: ~3.10.1 => 3.10.1 react-native-safe-area-context: 4.10.5 => 4.10.5 react-native-screens: 3.31.1 => 3.31.1 react-native-url-polyfill: ^2.0.0 => 2.0.0 react-native-worklets-core: ^1.5.0 => 1.5.0 tsx: ^4.19.1 => 4.19.2 typescript: ~5.3.3 => 5.3.3 (4.4.4, 4.9.5) uuid: ^9.0.0 => 9.0.1 (8.3.2, 7.0.3) npmGlobalPackages: @aws-amplify/cli: 12.13.0 aws-cdk: 2.167.1 eas-cli: 13.2.3 expo-cli: 6.3.10 n: 9.2.0 npm: 10.8.2 sharp-cli: 4.1.1 ts-node: 10.9.1 typescript: 4.7.4 yarn: 1.22.22 ```

Describe the bug

My userpool is setup to have users login with their email. When I add apple as an external provider, scope email, map email, I can login fine the first time; however, the email does not get stored in cognito userpool so when I log out I cannot log back in.

Google as an external provider works as expected. Regular sign up and login with email works as expected.

In summary, sub gets created and Apple adds identities attribute to the userpool, but no email.

export const auth = defineAuth({
  loginWith: {
    email: true,
    externalProviders: {
      google: {
        clientId: secret('GOOGLE_CLIENT_ID'),
        clientSecret: secret('GOOGLE_CLIENT_SECRET'),
        scopes: ['email'],
        attributeMapping: {
          email: 'email'
        }
      },
      signInWithApple: {
        clientId: secret('SIWA_CLIENT_ID'),
        keyId: secret('SIWA_KEY_ID'),
        privateKey: secret('SIWA_PRIVATE_KEY'),
        teamId: secret('SIWA_TEAM_ID'),
        scopes: ['email'],
        attributeMapping: {
          email: 'email'
        }
      },
...
}
)

Expected behavior

Expected signInWithApple to add the scoped email or at least a placeholder to cognito email attribute -or, to have the initial signup/login fail if email truly isn't available.

Reproduction steps

1. Create an expo project add latest amplify Gen2,
2. Add auth with external providers and make email required,
3. Create respective apple identifier and key,
4. Add button to mobile app "Continue with Apple" that executes the signInWithRedirect("Apple")
5. Check your userpool. The user gets created, but with no email.
6. Log out
7. Try logging back in.

Code Snippet

Log output

``` {"code": undefined, "fullError": [OAuthSignInException: attributes required: [email]], "message": "attributes required: [email]", "name": "OAuthSignInException"} ```

aws-exports.js

{
  "auth": {
    "user_pool_id": "us-east-2_XXXXXXXXX",
    "aws_region": "us-east-2",
    "user_pool_client_id": "XXXXXXXXXXXXXX",
    "identity_pool_id": "us-east-2:XXXXXXXXX",
    "mfa_methods": [],
    "standard_required_attributes": [
      "email"
    ],
    "username_attributes": [
      "email"
    ],
    "user_verification_types": [
      "email"
    ],
    "groups": [],
    "mfa_configuration": "NONE",
    "password_policy": {
      "min_length": 8,
      "require_lowercase": true,
      "require_numbers": true,
      "require_symbols": true,
      "require_uppercase": true
    },
    "oauth": {
      "identity_providers": [
        "GOOGLE",
        "SIGN_IN_WITH_APPLE"
      ],
      "redirect_sign_in_uri": [
        "myapp://profile"
      ],
      "redirect_sign_out_uri": [
        "myapp://"
      ],
      "response_type": "code",
      "scopes": [
        "phone",
        "email",
        "openid",
        "profile",
        "aws.cognito.signin.user.admin"
      ],
      "domain": "mydomain.auth.us-east-2.amazoncognito.com"
    },
    "unauthenticated_identities_enabled": true
  },
  "version": "1.3"
}

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

[cwomack]

Hello, @JustinHaut 👋 and thanks for opening this issue. It looks like this might be the result of making the email attribute required within the user pool for your authentication flow (see here). This can cause an error to be thrown when attempting to sign in with an external provider like Apple. There's more context on some of these differences between social providers here.

Unfortunately, this also means that you may need to create a new user pool that does NOT have the email attribute set to be required (since required attributes cannot be updated in Cognito at this time). Was this a new app that had a small amount of users or (if you had to start over) would you need to migrate the existing users?

[JustinHaut]

Hi @cwomack! 👋 thanks for the quick response! Small amount of users but if I create a new userpool and switch to username then there would be no verify email which is a nice filter. 😕 On the flip side I could eliminate email entirely, but that would exclude non gmail, apple, amazon, facebook users. What would you suggest here? Easiest option would be eliminate apple as an external provider.