When I use sign in with apple in amplify, it jumps to safari, so it is rejected by the App Store review.

Open shinpeiyamagiwa opened this issue 5 years ago • 14 comments

Auth.federatedSignIn({provider: 'SignInWithApple'});

When I use this code, it jumps to Safari, so it will be rejected by the app review. Is there a way to use Sign in with Apple without jumping to Safari?

[Screenshot 2020-12-10 0 52 55]

shinpeiyamagiwa avatar Dec 09 '20 15:12 shinpeiyamagiwa

@shinpeiyamagiwa Yes! We have a section in the docs about setting up an in app browser so that the OAuth flow happens within your app instead of jumping over to Safari: https://docs.amplify.aws/lib/auth/social/q/platform/js#full-samples

amhinson avatar Dec 09 '20 20:12 amhinson

Hello, I use the in-app browser but still got rejected. :(

Anyone have the same problem and know how to fix it?

Response from Apple:

[Screenshot 2020-12-10 at 11 20 09]

mcarlstein avatar Dec 10 '20 10:12 mcarlstein

@mcarlstein Could you share a code snippet of your Amplify configuration and Auth.federatedSignIn() usage?

amhinson avatar Dec 10 '20 16:12 amhinson

Auth.federatedSignIn({ provider: 'SignInWithApple' })

Then config:

[Screenshot 2020-12-10 at 20 45 31]

urlOpener

I use react-native-inappbrowser-reborn.

[Screenshot 2020-12-10 at 20 45 07]

I guess they complain about this popup.

[Simulator Screen Shot - iPhone 8 - 2020-12-10 at 20 39 36]

Do you need more info?

mcarlstein avatar Dec 10 '20 19:12 mcarlstein

Thanks for all the info @mcarlstein! 🙏

This is the first I've heard of Apple rejecting this behavior. We will look further into alternative solutions for this, but unfortunately it is not likely to be simple due to how Cognito currently handles the OAuth2 flow. For the time being if you are in a bind, you could call Auth.federatedSignIn() without the provider to show the Cognito Hosted UI, in which the user can then select "Sign In With Apple" to continue the flow. This might require the UI to be reworked a bit, however.

amhinson avatar Dec 10 '20 20:12 amhinson

Yes, okay, thanks!

Maybe Apple is just having a bad day. I will try to contact them to get more information about this.

Will post here when I have more.

mcarlstein avatar Dec 10 '20 20:12 mcarlstein

@amhinson

Just talked to an Apple representative: when you log in with Apple, you must not go through any external steps, but you must enter directly into the app. However, it is okay to go through extra steps when logging in with Google or Facebook. So now I do not really know how to solve this. Is it possible to use https://github.com/invertase/react-native-apple-authentication instead in any way?

mcarlstein avatar Dec 15 '20 13:12 mcarlstein

@mcarlstein Have you stumbled on any workaround yet?

nubpro avatar Feb 16 '21 03:02 nubpro

Hi @nubpro @mcarlstein @amhinson

In my project, I would like to share that Apple has accepted "Sign in with Apple" with a little change.

In urlOpener, I changed ephemeralWebSession to true, so that iOS doesn't show the dialog before opening the in-app browser. At least, around January, 2 React Native apps I was involved in have been accepted with this change.

async function urlOpener(url, redirectUrl) {
  await InAppBrowser.isAvailable();
  const { type, url: newUrl } = await InAppBrowser.openAuth(url, redirectUrl, {
    showTitle: false,
    enableUrlBarHiding: true,
    enableDefaultShare: false,
    ephemeralWebSession: true, // update
  });

  if (type === 'success') {
    Linking.openURL(newUrl);
  }
}

Detail

In iOS, ephemeralWebSession has these pros/cons.

ephemeralWebSession === true

  • No confirmation dialog.
  • User MUST provide authentication info like ID/PW, Touch ID or Face ID etc, EVERY TIME.

ephemeralWebSession === false

  • iOS shows the confirmation dialog. (EVERY TIME, Even if for logout!!!!)
  • iOS will reuse auth info if it exists. That means the user only needs to provide authentication info the first time.

So I recommend checking the URL before calling InAppBrowser.openAuth() and setting ephemeralWebSession dynamically depending on the URL.

gki avatar Feb 16 '21 12:02 gki
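
One way to implement the per-URL choice gki recommends, as an added example that is not code from the thread. The hosted UI domain is a placeholder and `createSessionPolicy` is a hypothetical helper; it also refuses URLs that are not the expected hosted UI and opens `/logout` the same way as the preceding sign-in, because an ephemeral session does not share cookies with the normal browser session.

```javascript
// Added example, not code from the thread. HOSTED_UI_HOST is a placeholder and
// createSessionPolicy is a hypothetical helper. Assumes a spec-compliant URL
// class (Node has one; React Native may need a URL polyfill).
const HOSTED_UI_HOST = 'example-app.auth.us-east-1.amazoncognito.com';

function createSessionPolicy(expectedHost = HOSTED_UI_HOST) {
  // How the last sign-in was opened. Kept in memory only; persist it if the
  // hosted UI session can outlive the app process.
  let lastSignInEphemeral = true;

  return function optionsFor(rawUrl) {
    const u = new URL(rawUrl);
    // Only pass our own hosted UI, over HTTPS, to the system auth session.
    if (u.protocol !== 'https:' || u.hostname !== expectedHost) {
      throw new Error(`unexpected auth URL: ${u.protocol}//${u.hostname}`);
    }

    let ephemeral;
    if (u.pathname === '/logout') {
      // An ephemeral session cannot clear a cookie stored by a shared one,
      // so logout is opened the same way as the sign-in it ends.
      ephemeral = lastSignInEphemeral;
    } else {
      // Apple sign-in: no confirmation dialog. Other providers (and the bare
      // hosted UI, which has no identity_provider) keep the shared session.
      ephemeral = u.searchParams.get('identity_provider') === 'SignInWithApple';
      lastSignInEphemeral = ephemeral;
    }
    return {
      showTitle: false,
      enableUrlBarHiding: true,
      enableDefaultShare: false,
      ephemeralWebSession: ephemeral,
    };
  };
}

// Constructed sample URL for the placeholder domain above.
const base = `https://${HOSTED_UI_HOST}`;
const optionsFor = createSessionPolicy();
const appleOpts = optionsFor(
  `${base}/oauth2/authorize?identity_provider=SignInWithApple&client_id=abc`);
console.log(appleOpts.ephemeralWebSession);
```

Inside `urlOpener`, the returned object would be passed as the third argument to `InAppBrowser.openAuth(url, redirectUrl, options)`.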

> @mcarlstein Have you stumbled on any workaround yet?

No, sorry, I have not.

mcarlstein avatar Feb 16 '21 15:02 mcarlstein

I'm trying to get a similar behaviour with the native library for Facebook, Google and Apple and using federatedSignIn with legacy provider like so:

Facebook example:

  const facebookLogin = async () => {
    const result = await Facebook.logInWithReadPermissionsAsync({
      permissions: ['public_profile', 'email'],
    });

    console.log(result);

    if (result.type === 'success') {
      const {data} = await facebookMe({
        accessToken: result.token,
        fields: ['name', 'email', 'picture', 'first_name', 'last_name'],
      });

      await Auth.federatedSignIn(
        'facebook',
        {token: result.token, expires_at: result.expirationDate.getTime()},
        {name: data.name ?? '', email: data.email ?? ''},
      );
    }

    return result;
  };

But for now it's not really working for me: on Facebook I got an error saying Token is not from a supported provider of this identity pool, even with everything set up properly... On Google it seems to work, but federatedSignIn just returns the same token as the idToken provided by Google, without any accessToken or refreshToken.

magrinj avatar Sep 03 '21 22:09 magrinj

For anyone looking to use a native Sign In with Apple (SIWA), here's the work-around:

  • Use this package, or native SIWA code with Swift and decode the idToken from Apple, to get the email and name of your user.
  • Sign in with Amplify with authenticationFlowType: "CUSTOM_AUTH"
  • You'll have to implement 3 lambdas to define auth challenge, create auth challenge, and verify auth challenge response
  • Add them as hooks to your Cognito user pool
  • If your sign-in errors out with UserNotFoundException, then sign up with a randomized password
  • If your sign-in receives challengeName CUSTOM_CHALLENGE, respond with the idToken you've got from Apple
  • In your verify challenge response hook, use the verifyAppleToken npm package to validate the token
  • In your define auth hook, issue the tokens, voila = you're signed in with your Cognito user! You might have to verify nonce for extra security

Unfortunately, it's NOT possible to use native SIWA with federatedSignIn (it must use hosted UI, for Cognito auth backend to generate cognito users linked to identities). I've tried many workarounds, with no luck.

mkrn avatar Jul 13 '22 14:07 mkrn
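
Two pieces of the CUSTOM_AUTH workaround listed above, as an added example that is not mkrn's code: the claim checks a verify hook should apply once the token's signature has been verified, and a define-auth hook that issues tokens only after one passed challenge. The bundle ID and function names are assumptions, as is the Cognito user's email attribute being the Apple email.

```javascript
// Added example, not mkrn's code. APPLE_CLIENT_ID is a placeholder; both
// function names are hypothetical. checkAppleClaims expects claims from a
// token whose signature was already verified against Apple's public keys.
const APPLE_ISSUER = 'https://appleid.apple.com';
const APPLE_CLIENT_ID = 'com.example.app'; // placeholder bundle ID

// Claim checks for the Verify Auth Challenge Response hook.
// Returns null when the token is acceptable, otherwise the reason it is not.
function checkAppleClaims(claims, { userEmail, nonce, nowSec }) {
  if (claims.iss !== APPLE_ISSUER) return 'wrong issuer';
  if (claims.aud !== APPLE_CLIENT_ID) return 'issued for another app';
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return 'expired';
  if (nonce !== undefined && claims.nonce !== nonce) return 'nonce mismatch';
  // Bind the token to the Cognito user being signed in (assumes the user's
  // email attribute is the Apple email); a valid token for someone else
  // must not answer this user's challenge.
  const email = String(claims.email || '').toLowerCase();
  if (!email || email !== String(userEmail || '').toLowerCase()) {
    return 'token is for a different user';
  }
  return null;
}

// Define Auth Challenge hook: ask for one CUSTOM_CHALLENGE, issue tokens only
// after that challenge was answered correctly, fail everything else.
function defineAuthChallenge(event) {
  const session = event.request.session || [];
  const last = session[session.length - 1];
  const res = event.response;
  if (session.length === 0) {
    res.challengeName = 'CUSTOM_CHALLENGE';
    res.issueTokens = false;
    res.failAuthentication = false;
  } else if (session.length === 1 && last.challengeName === 'CUSTOM_CHALLENGE'
             && last.challengeResult === true) {
    res.issueTokens = true;
    res.failAuthentication = false;
  } else {
    res.issueTokens = false;
    res.failAuthentication = true;
  }
  return event;
}
```

In the verify hook, `event.response.answerCorrectness` would be set to true only when the signature check passes and `checkAppleClaims` returns null.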

I am actually SUPER disappointed by this conclusion. Even though I am very thankful for @mkrn and his thoughts, I really don't get why Amplify makes it so incredibly hard to provide a custom authentication flow, because Firebase already showed us how easy it can be done and I am quite shocked at how bad of a job Amplify is doing at this, especially as I do not want to settle for the mediocre UX that the HostedUI would provide my users.

Nevertheless, thanks to everybody contributing

DatMoser avatar Aug 31 '22 22:08 DatMoser

Hi @DatMoser - we share your frustration about how complex it is to set up CUSTOM_AUTH currently with Amplify. We have multiple conversations happening internally now to find ways to streamline this experience for our customers.

abdallahshaban557 avatar Sep 01 '22 07:09 abdallahshaban557

Has there been any movement on this? I'm confused as to why there is documentation describing how to implement Apple Sign In with Amplify while every preliminary discussion I've looked at prior to attempting implementation seems to have its own issues. I'm personally interested in why this doesn't work.

A better question is: If I follow the Expo CLI full sample code, will this work? I'm assuming not, or this issue would be closed.

For anyone looking at a variety of attempted solutions, here are some related issues: #4689, #6637, #4580, #6547

Considering Apple is now going to enforce all apps submitted to App Store to have Apple Sign In as an authentication option, I'd expect this to be a high priority item, however it seems like this is now entering its third year of issues... Hope there's some progress soon.

pjsandwich avatar Nov 22 '22 22:11 pjsandwich

@abdallahshaban557 have there been any updates internally regarding this? It still doesn't appear possible to log in without having to go through Safari on iOS.

jadechip avatar Jan 05 '23 03:01 jadechip

@jadechip I was able to implement it following the docs; however, if you have an existing iOS project you will need to generate new provisioning certificates. It may be a different process if you're doing bare RN vs Expo.

pjsandwich avatar Jan 05 '23 18:01 pjsandwich

@pjsandwich any specific docs you followed for this?

kewur avatar Jan 11 '23 14:01 kewur

> @pjsandwich any specific docs you followed for this?

https://docs.amplify.aws/lib/auth/social/q/platform/react-native/#oauth-and-federation-overview and select Sign in with Apple. If you have an existing app, you won't need to create some of the Apple resources or keys, but you will need to generate new provisioning certificates.

pjsandwich avatar Jan 11 '23 14:01 pjsandwich

Have there been any solutions to not show an external/in-app browser?

itsramiel avatar Jan 16 '23 07:01 itsramiel

Hi @itsramiel currently tracking this issue, are you implementing InAppBrowser.openAuth() from react-native-inappbrowser-reborn as shown in the docs?

[1] https://docs.amplify.aws/lib/auth/social/q/platform/react-native/#full-samples

nadetastic avatar Jan 20 '23 23:01 nadetastic

@nadetastic yes I am.

Just to make it clear for you: when I use InAppBrowser.openAuth(), it will open the in-app browser and then show the native iOS login, not the web-based login, which is nice.

https://user-images.githubusercontent.com/80689446/215415748-81b139b3-eac2-4413-bba2-f72fd08cbd67.MP4

What I am wondering and looking for is to never have the InAppBrowser open at all. Can't it make the auth call without opening a browser? It is not nice UX.

itsramiel avatar Jan 30 '23 07:01 itsramiel

I have an Expo app with SIWA using Amplify Authentication. Took quite some time but I was able to set it up to a workable state 😅.

By using preferEphemeralSession: true option in WebBrowser.openAuthSessionAsync I'm able to prevent the dialog window (which is very frustrating UX, especially during signout) from showing BUT when I call Auth.signOut() the in-app browser still automatically opens and closes (see video). This is bad UX. Can this be solved (i.e. by a web call without the in-app browser opening)?

async function urlOpener(url, redirectUrl) {
  const { type, url: newUrl } = await WebBrowser.openAuthSessionAsync(url, redirectUrl, {
    preferEphemeralSession: true, // private session, so doesn't show dialog BUT asks apple verification code every time
  });

  if (type === 'success' && Platform.OS === 'ios') {
    WebBrowser.dismissBrowser();
    return Linking.openURL(newUrl);
  }
}

https://user-images.githubusercontent.com/58375689/226905968-b817939c-d477-440a-ae56-96c991ab4cff.mp4

ervibern avatar Mar 22 '23 12:03 ervibern

Classic Amplify, 3 years later and we still cannot have a standard Sign in with Apple method. The browser popup approach looks awful, there should be the native Apple bottom modal that prompts you to double tap to sign in, no redirecting to the browser. This is why I switched to Firebase, which just works in about 10 minutes. This should absolutely be a priority and it's very telling that it isn't.

aldensully avatar Sep 05 '23 15:09 aldensully

Hello everyone, we are working closely with the Amazon Cognito team to resolve this pain point. We understand that the Sign In With Apple experience through hosted UI is a sub-optimal experience, and we are working on enabling a mechanism for helping you use it natively in your apps. We will provide updates on this issue as we make progress.

abdallahshaban557 avatar Sep 05 '23 15:09 abdallahshaban557

With the release of the latest major version of Amplify (aws-amplify@>6), this issue should now be resolved! The Auth.federatedSignIn() method has been renamed to signInWithRedirect which displays the sign-in UI inside a platform-dependent webview. On iOS devices, an ASWebAuthenticationSession will be launched and, on Android, a Custom Tab.

Please refer to our release announcement, migration guide, and documentation for more information.

nadetastic avatar Dec 12 '23 20:12 nadetastic

Is it really not possible to provide a way for us to pass an identity token from Sign in with Apple to the Amplify SDK?

DarrKing avatar Jul 10 '24 16:07 DarrKing