After a successful authentication with Apple, `code` is returned.
In the authorize URL we can request additional information through the scope param.
Doing so will result in a `user` object being returned as well.
When users log in through Safari, though, a native window modal (keychain) takes control and does the authorize request for us.
The first problem with that approach is that `nonce` is not passed through from our original authorize URL, so we cannot use it to verify the front- & back-channel token.
The second problem is that when using multiple scopes, e.g. `[:email, :name]`, they are encoded like this: `email+code`.
The HTML RFC spec states that in query params (stuff after `?`) spaces can be encoded as '+' signs, and everything before with '%20'.
Apple's native popup is not aware of '+' as an encoding method and tries to interpret multiple scopes as a single value, which is of course incorrect, and ends up ignoring it altogether.
For this reason, when using the plain Apple sign-in button in your example project through Safari and the native popup appears (and intercepts the call), email & name are never returned.
When using the JS SDK provided by Apple, the scope is URL-encoded (`email%20code`) and we get the information as expected. We also get the option to choose which name and email to share.
PS. The above examples were taken after revoking access to the Heroku app from the Apple ID console, because Apple gives the email & name only the first time for a new client.
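The encoding difference described above, as an added Ruby example that is not code from the project or the comment: it builds the same authorize query once with form-encoding (`+` for spaces) and once with percent-encoding (`%20`), then runs both through a parser that models a `+`-unaware consumer and through a form-aware one. The client id, redirect URI and nonce are constructed placeholders, and the `+`-unaware parser is a model of the behaviour reported, not Apple's code.

```ruby
require "uri"
require "erb"

# Constructed placeholders, not real Apple client values.
CLIENT_ID    = "com.example.service"
REDIRECT_URI = "https://example.com/auth/apple/callback"

def authorize_params(scopes, nonce:)
  { client_id: CLIENT_ID, redirect_uri: REDIRECT_URI, response_type: "code",
    scope: scopes.join(" "), nonce: nonce }
end

# Form-encoding (what many server-side libraries do): a space becomes '+',
# so the query carries scope=email+name.
def authorize_query_plus(scopes, nonce:)
  URI.encode_www_form(authorize_params(scopes, nonce: nonce))
end

# Percent-encoding every value, as the Apple JS SDK does: a space becomes %20.
def authorize_query_percent(scopes, nonce:)
  authorize_params(scopes, nonce: nonce)
    .map { |k, v| "#{k}=#{ERB::Util.url_encode(v)}" }.join("&")
end

# Model of a parser that only understands percent-escapes and treats '+' as a
# literal character: "email+name" stays one unknown scope and is dropped.
def scopes_seen_by_plus_unaware_parser(query)
  raw = query.split("&").map { |kv| kv.split("=", 2) }.to_h.fetch("scope")
  raw.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }.split(" ")
end

# A form-aware parser (Ruby's own) decodes both '+' and %20 to a space.
def scopes_seen_by_form_parser(query)
  URI.decode_www_form(query).to_h.fetch("scope").split(" ")
end

# The nonce has to survive the round trip so the id_token's nonce claim can be
# compared against it; a flow that drops it leaves nothing to verify.
def nonce_from_query(query)
  URI.decode_www_form(query).to_h["nonce"]
end

if __FILE__ == $PROGRAM_NAME
  plus    = authorize_query_plus(%w[email name], nonce: "n-constructed-1")
  percent = authorize_query_percent(%w[email name], nonce: "n-constructed-1")
  puts plus, percent
  p scopes_seen_by_plus_unaware_parser(plus)     # ["email+name"]
  p scopes_seen_by_plus_unaware_parser(percent)  # ["email", "name"]
end
```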