klausbetz / apple-identity-provider-keycloak

An extension for Keycloak, that enables web-based sign in with Apple and token exchange
Apache License 2.0

Created user has no email and username is sub of idToken #27

Closed Jozott00 closed 1 year ago

Jozott00 commented 1 year ago

First of all, thanks for the great extension!

I have implemented a native Apple login button so I use the token exchange endpoint /realms/packme/protocol/openid-connect/token. The problem is that even if I provide the user_profile on the first token exchange, the user created has no email field and the username is the sub of the idToken.

I think it would be more common if the username was the email address and the email address was set like the first and last name.

Is there a reason why the current implementation was chosen? Is it because the user could hide their email address, so it is not a valid identifier?

klausbetz commented 1 year ago

Hi @Jozott00,

Thank you!
This one seems a bit odd to me.
I dove into the depths of the Keycloak source code and noticed that the behavior you describe is exactly the same as what's implemented in OIDCIdentityProvider (the base on which this extension is built).

However, it seems that your ID-Token is missing the email claim. Therefore Keycloak defaults to the sub claim.
You can easily change this by also requesting the email scope from Apple. Then the email is included in the ID-Token and it should work just fine.

This extension technically accepts an email inside the userJson param, but it is ignored in favor of the ID-Token.
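The behaviour the maintainer describes (username taken from the email claim when the ID token carries one, otherwise from sub) can be checked against a concrete Apple ID token before it reaches Keycloak. The script below is an added example and is not code from this extension or from Keycloak: it decodes the ID token payload, applies that username rule, flags Hide My Email relay addresses, and builds the Apple web authorization URL with the email scope the maintainer recommends. The client id, sub value, redirect URI and identity-provider alias are assumptions made up for the example; the tokens are constructed and unsigned, so this does no signature verification, which Keycloak performs against Apple's JWKS when it accepts the token.

```python
"""Predict which username Keycloak derives from an Apple ID token.

Added example, not part of the extension. It mirrors the rule from the
thread: email claim if present, otherwise sub. Signatures are NOT verified;
Keycloak does that against Apple's JWKS.
"""
import base64
import json
import time
from typing import Optional
from urllib.parse import urlencode

APPLE_ISSUER = "https://appleid.apple.com"
APPLE_AUTHORIZE_URL = "https://appleid.apple.com/auth/authorize"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED token (alg none, empty signature).

    Only for offline demonstration; a real Apple ID token is RS256-signed.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT without checking the signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_basic_claims(claims: dict, client_id: str, now: Optional[float] = None) -> None:
    """Reject tokens not issued by Apple, not meant for our client, or expired."""
    now = time.time() if now is None else now
    if claims.get("iss") != APPLE_ISSUER:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("aud") != client_id:
        raise ValueError(f"unexpected audience {claims.get('aud')!r}")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if "sub" not in claims:
        raise ValueError("missing sub claim")


def derive_username(claims: dict) -> str:
    """Username rule described in the thread: email if present, else sub."""
    email = claims.get("email")
    return email if email else claims["sub"]


def is_private_relay(email: str) -> bool:
    """True when the user chose Hide My Email (Apple relay address)."""
    return email.lower().endswith("@privaterelay.appleid.com")


def apple_authorize_url(client_id: str, redirect_uri: str, state: str, nonce: str) -> str:
    """Web-flow authorization URL that requests the email scope.

    Without 'email' in scope Apple issues an ID token with no email claim,
    which is the situation reported in the issue.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code id_token",
        "response_mode": "form_post",
        "scope": "name email",
        "state": state,
        "nonce": nonce,
    }
    return f"{APPLE_AUTHORIZE_URL}?{urlencode(params)}"


# Constructed sample tokens; client id and sub are hypothetical values.
CLIENT_ID = "com.example.packme.web"
_BASE = {"iss": APPLE_ISSUER, "aud": CLIENT_ID, "exp": 4102444800,
         "sub": "001234.abcdef0123456789.0987"}
TOKEN_WITHOUT_EMAIL = make_unsigned_token(_BASE)
TOKEN_WITH_EMAIL = make_unsigned_token({**_BASE, "email": "jane@example.com",
                                        "email_verified": "true"})

if __name__ == "__main__":
    for label, tok in (("no email scope", TOKEN_WITHOUT_EMAIL),
                       ("email scope", TOKEN_WITH_EMAIL)):
        claims = decode_claims(tok)
        check_basic_claims(claims, CLIENT_ID)
        print(f"{label}: username -> {derive_username(claims)}")
    # Hypothetical Keycloak broker callback for an IdP alias of "apple".
    print(apple_authorize_url(CLIENT_ID,
                              "https://kc.example.com/realms/packme/broker/apple/endpoint",
                              "state-123", "nonce-456"))
```

Running it prints the sub-based username for the first token and the email-based one for the second, which is exactly the difference between requesting and omitting the email scope. A relay address from Hide My Email is still a usable, stable username, but it is not the user's real mailbox, so treat it accordingly if you rely on email for anything beyond login.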