next-auth

Missing name information in Apple profile

Open boredland opened this issue 2 years ago • 1 comments

Provider type

Apple

Environment

System:
  OS: Linux 5.15 Manjaro Linux
  CPU: (8) x64 Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz
  Memory: 17.43 GB / 23.21 GB
  Container: Yes
  Shell: 5.9 - /usr/bin/zsh
Binaries:
  Node: 16.17.0 - ~/.nvm/versions/node/v16.17.0/bin/node
  Yarn: 1.22.19 - ~/.nvm/versions/node/v16.17.0/bin/yarn
  npm: 8.19.1 - ~/.nvm/versions/node/v16.17.0/bin/npm
Browsers:
  Chromium: 104.0.5112.79
  Firefox: 103.0.2

Reproduction URL

https://github.com/boredland/apple-profile

Describe the issue

I am using the default configuration of the Apple provider:

AppleProvider({
  clientId: process.env.APPLE_ID,
  clientSecret: process.env.APPLE_SECRET,
}),

Sadly, the name info (even though the provider looks right) is not part of the profile object. I get this instead:

{
  iss: 'https://appleid.apple.com',
  aud: 'xxx.web',
  exp: xxx,
  iat: xxx,
  sub: 'xxx.2008',
  at_hash: 'xxx',
  email: '[email protected]',
  email_verified: 'true',
  auth_time: 1662204877,
  nonce_supported: true
}

How to reproduce

set up apple auth and log the profile:

AppleProvider({
  clientId: process.env.APPLE_ID,
  clientSecret: process.env.APPLE_SECRET,
  profile(profile) {
    console.log(profile)
    return {
      id: profile.sub,
      name: profile.name,
      email: profile.email,
      image: null,
    }
  },
}),

Expected behavior

I expected to find the name { firstName, lastName } object inside the profile.

boredland avatar Sep 03 '22 11:09 boredland

This is likely because Apple is not conforming to the OAuth spec...

Related PR here: https://github.com/nextauthjs/next-auth/pull/4579

You can try to work around this as described here: https://github.com/nextauthjs/next-auth/pull/4579#issuecomment-1236028225

balazsorban44 avatar Sep 07 '22 18:09 balazsorban44

It looks like this issue did not receive any activity for 60 days. It will be closed in 7 days if no further activity occurs. If you think your issue is still relevant, commenting will keep it open. Thanks!

stale[bot] avatar Nov 12 '22 01:11 stale[bot]

Still relevant i think

sakulstra avatar Nov 13 '22 15:11 sakulstra

anyone bring this up with apple?

dlazares avatar Nov 18 '22 00:11 dlazares

The first time, in the Apple callback, it sends us the name with a one-time code (5-minute expiry).

first time:

{
  "state": "secret",
  "code": "cbb6c577637e74....",
  "id_token": "eyJraWQiOiJXNldjT0tCIiwiYWxnIjoiUlMyNTYifQ....",
  "user": "{\"name\":{\"firstName\":\"Ryan\",\"lastName\":\"Yang\"},\"email\":\"[email protected]\"}"
}

second time and after:

{
  "state": "secret",
  "code": "ce4e8e95545624268ab785....",
  "id_token": "eyJraWQiOiJXNldjT0tCIiwiYWxnIjoiUlMyNTYifQ...."
}

https://stackoverflow.com/questions/63500926/apple-sign-in-authorize-method-returns-name-only-first-time

wickedev avatar Dec 02 '22 05:12 wickedev

It looks like this issue did not receive any activity for 60 days. It will be closed in 7 days if no further activity occurs. If you think your issue is still relevant, commenting will keep it open. Thanks!

stale[bot] avatar Feb 02 '23 00:02 stale[bot]

To keep things tidy, we are closing this issue for now. If you think your issue is still relevant, leave a comment and we might reopen it. Thanks!

stale[bot] avatar Feb 17 '23 23:02 stale[bot]

Still having that issue. According to Apple's Guideline 4.0 - Design, if the user name is not used in authentication information when signing up, it will be rejected. As a result, I am unable to release my service on the App Store.

Is this an issue on Apple's side as mentioned above? How can I solve this problem?

kohj1018 avatar Mar 08 '23 03:03 kohj1018

A second security problem is that the user POST field cannot be trusted. After redirection to redirect_uri you can trust the email only from the id_token field, but you must verify the id_token integrity (developer.apple.com/documentation/sign_in_with_apple/…), OR you can request appleid.apple.com/auth/token and the id_token from this server-to-server request can be directly trusted without additional verification. But as said, the problem is the user field, which can be faked by the user/attacker.

nolimitdev avatar Mar 18 '23 08:03 nolimitdev
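The two comments above describe the same callback from two angles: wickedev shows that Apple's form_post body carries the user field (with the name) only on the first authorization, and nolimitdev points out that this field is client-supplied and not covered by the id_token signature. The following is an added example, not next-auth's or Apple's code, of a callback handler that takes these two facts into account: it reads the name from the user field when present, bounds it as untrusted input, takes identity and email only from id_token claims that are assumed to have been verified beforehand (signature against Apple's JWKS, issuer, audience, expiry and nonce; that verification step is not shown), and persists the name on first sight so that later callbacks, which carry no name, do not erase it. The sample bodies, the state value, the client ID and the MAX_NAME_LEN limit are constructed for the example.

```javascript
// Added example (not next-auth's or Apple's code). Handles Apple's
// form_post callback as described in the thread: the `user` field arrives
// only on the first authorization, as a JSON string, and is not covered by
// the id_token signature, so it is treated as untrusted display data.

// Constructed sample bodies modelled on the two shapes shown in the thread.
const FIRST_CALLBACK = {
  state: "secret",
  code: "cbb6c577637e74",
  id_token: "<verified separately; see buildProfile>",
  user: JSON.stringify({
    name: { firstName: "Ryan", lastName: "Yang" },
    email: "ryan@example.com",
  }),
};
const LATER_CALLBACK = {
  state: "secret",
  code: "ce4e8e95545624268ab785",
  id_token: "<verified separately; see buildProfile>",
};

const APPLE_ISSUER = "https://appleid.apple.com";
const MAX_NAME_LEN = 100; // assumed limit: bound attacker-controlled input

// Parse the optional `user` field. Returns null when absent or malformed.
function parseUserField(body) {
  if (typeof body.user !== "string") return null;
  let parsed;
  try {
    parsed = JSON.parse(body.user);
  } catch {
    return null;
  }
  const name =
    parsed && typeof parsed.name === "object" && parsed.name !== null ? parsed.name : {};
  const clean = (v) => (typeof v === "string" ? v.trim().slice(0, MAX_NAME_LEN) : "");
  const firstName = clean(name.firstName);
  const lastName = clean(name.lastName);
  if (!firstName && !lastName) return null;
  return { firstName, lastName };
}

// `claims` must be the id_token payload AFTER signature, issuer, audience,
// expiry and nonce verification (for example jose's jwtVerify against
// Apple's JWKS at https://appleid.apple.com/auth/keys). That verification is
// assumed to have happened before this function is called; it is not shown.
function buildProfile(body, claims, expectedState, clientId) {
  if (typeof body.state !== "string" || body.state !== expectedState) {
    throw new Error("state mismatch");
  }
  if (claims.iss !== APPLE_ISSUER) throw new Error("unexpected issuer");
  if (claims.aud !== clientId) throw new Error("unexpected audience"); // Apple sends aud as a string
  const name = parseUserField(body);
  return {
    id: claims.sub,
    // Email comes from the verified token, never from the `user` field.
    email: claims.email ?? null,
    // The profile in the thread shows email_verified as the string 'true'.
    emailVerified: claims.email_verified === true || claims.email_verified === "true",
    // Present only on first authorization and unsigned, so display-only.
    name: name ? `${name.firstName} ${name.lastName}`.trim() : null,
  };
}

// The name is sent once, so persist it on first sight and never let a later
// callback (which carries no name) overwrite what was stored.
function upsertUser(store, profile) {
  const existing = store.get(profile.id);
  const merged = {
    id: profile.id,
    email: profile.email,
    emailVerified: profile.emailVerified,
    name: profile.name ?? existing?.name ?? null,
  };
  store.set(profile.id, merged);
  return merged;
}

// Demo: the first login stores the name, the second login keeps it.
function demo() {
  const claims = {
    iss: APPLE_ISSUER,
    aud: "xxx.web",
    sub: "xxx.2008",
    email: "ryan@example.com",
    email_verified: "true",
  };
  const store = new Map();
  upsertUser(store, buildProfile(FIRST_CALLBACK, claims, "secret", "xxx.web"));
  return upsertUser(store, buildProfile(LATER_CALLBACK, claims, "secret", "xxx.web"));
}
```

The name is treated the same way a name typed into a sign-up form would be: stored for display, never used as an identity attribute. Identity is the sub claim and, where needed, the email claim from the verified token; if the email inside the user field disagrees with the token, the token wins.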

Still not sure this is working properly. I have familiarity with SIWA and am aware that the name only appears on the first login, and then should be null afterwards, but I am seeing this even after disassociating my Apple ID from my app by clicking "Stop using Sign in with Apple" from the Sign in with Apple settings. I've also tried it with a different Apple ID that has never been authenticated with my app, and I still see name: undefined.

bradpurchase avatar Jul 07 '23 13:07 bradpurchase