That is all. Thanks for listening.
Now I would just love to have a quick guide for using Apple Sign In as an Okta generic OIDC inbound provider. Is this possible already?
I actually just got this working last night!
Do you know where you can find the .well-known/openid-configuration on the apple url? Do they even use it?
I haven't found it yet. I wouldn't be surprised if they just don't have that endpoint.
So talked with the Apple engineers here at WWDC: They don't have that endpoint, they also will not expose user_info or a revocation endpoint. The user_info will only be sent once and only once, then you will only get a unique ID again. Only scopes available now are name and email.
Just verified again, and I don't get back name or email address when I request "name email" scope. I did find a bug where apparently Apple is ignoring the "scope" parameter after the very first time you authorize an app though, so could be related.
That is not a bug, that is a feature. They told me they will only give you the info once. Probably why scope won’t matter after your first invoke.
Interesting. Well, the bug is that I have *never* gotten it, because I didn't request it the first time, and now I can't request it ever again.
Yep. That seems like a bug. If you forget it, well, you are left without it. You should be able to request new scopes...
Progress! I now get the screen which lets me edit my name and choose the email to share. I only see that the first time, all subsequent requests show a confirmation only. Still no luck actually getting the email address back in the ID token though.

Jun 6, 2019 · 11:07 PM UTC
