I have a Flutter app with an authentication flow using Firebase Authentication and I want to create an entry in Cloud Firestore with the email retrieved from the user field of the UserCredential object returned by the firebase_auth library on sign-in.
This works perfectly for Google and Email+password authentication providers, however for Apple that email is . I was expecting to get a private email of the type "@privaterelay.appleid.com" but I am not. How can I get the email of Apple users on sign-up?
In addition, on the Firebase console, in the Authentication view, almost all the users are being registered with an empty "identifier" (where the email should be), however some are also registered with their "@privaterelay.appleid.com" emails. Why is that?
2 Answers
That is the way Apple sign-in works. Users can choose not to share their e-mail.
The behavior you’re observing with Firebase Authentication and Apple sign-in is expected, and it’s due to how Apple handles user privacy and data protection.
Email Privacy Protection:
Apple’s Sign In with Apple feature prioritizes user privacy by providing users with the option to hide their email addresses when signing in to third-party apps. When users choose to hide their email addresses, Apple generates a unique and random email address (e.g., "@privaterelay.appleid.com") that forwards emails to the user’s real email address. This feature is known as "Email Privacy Protection."
When a user signs in with Apple and chooses to hide their email address, Firebase Authentication will indeed return a random email address like "@privaterelay.appleid.com" in the UserCredential object, instead of the user’s actual email address.
Firebase Authentication Identifier:
The "identifier" field you see in Firebase Authentication’s user list is where Firebase stores the user’s email or other identifier. However, when a user signs in with Apple and hides their email address, Firebase will indeed store the "@privaterelay.appleid.com" address as the identifier, as that’s the information provided by Apple.
The reason some users are registered with empty identifiers in Firebase Authentication could be due to various reasons, including issues with token exchange between your app and Firebase during the authentication process or errors during user creation.
To address these challenges and to ensure you have the user’s actual email address (if available), you can follow these steps:
Check the Apple identityToken:
When a user signs in with Apple, the UserCredential object contains an identityToken field. You can decode this token to extract the user’s real email address if it’s available. Note that the email address will only be included if the user did not choose to hide it during the sign-in process. You can use a library like jwt_decode to decode the token and extract the email.
Request Email Scopes:
When integrating Sign In with Apple in your app, ensure that you request the necessary email-related scopes when initiating the sign-in process. This might increase the chances of obtaining the user’s actual email address.
Handle Missing Emails Gracefully:
Be prepared for cases where the user’s email is not available (e.g., they chose to hide it). In such cases, you can inform the user that their email is not accessible due to privacy settings.
Remember to keep your app’s user experience respectful of privacy choices made by users, and always handle sensitive user data with care in accordance with relevant privacy laws and regulations.
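The token-decoding step described in the answer above, as an added Dart example that is not part of the original post or of the firebase_auth library. It assumes the raw identity token string is already in hand and has already been accepted by Firebase sign-in (the payload is read here without signature verification); `AppleIdClaims` and `readAppleClaims` are hypothetical names, and the sample token is constructed.

```dart
import 'dart:convert';

/// Claims of interest from an Apple identity token (hypothetical helper type).
class AppleIdClaims {
  final String sub; // stable user identifier, present even without an email
  final String? email; // null when the token carries no email claim
  final bool isPrivateRelay;
  final bool emailVerified;
  AppleIdClaims(this.sub, this.email, this.isPrivateRelay, this.emailVerified);
}

// Boolean claims may arrive as true or as the string "true".
bool _asBool(Object? v) => v == true || v == 'true';

/// Reads claims from the JWT payload WITHOUT verifying the signature.
/// Assumption: the token was already validated by the auth backend.
AppleIdClaims readAppleClaims(String identityToken) {
  final parts = identityToken.split('.');
  if (parts.length != 3) {
    throw const FormatException('not a compact JWT');
  }
  // JWT segments are unpadded base64url; normalize() restores the padding.
  final payload = jsonDecode(
      utf8.decode(base64Url.decode(base64Url.normalize(parts[1]))));
  if (payload is! Map<String, dynamic> || payload['sub'] is! String) {
    throw const FormatException('payload has no "sub" claim');
  }
  final email = payload['email'];
  return AppleIdClaims(
    payload['sub'] as String,
    email is String && email.isNotEmpty ? email : null,
    _asBool(payload['is_private_email']),
    _asBool(payload['email_verified']),
  );
}

void main() {
  // Constructed sample token: unsigned, with a placeholder signature segment.
  String seg(Map<String, Object?> m) =>
      base64Url.encode(utf8.encode(jsonEncode(m))).replaceAll('=', '');
  final token = [
    seg({'alg': 'RS256'}),
    seg({'sub': '000000.constructed.0000', 'is_private_email': 'true'}),
    'sig',
  ].join('.');

  final c = readAppleClaims(token);
  // Key the Firestore record on sub; store the email only when present.
  final doc = {'appleSub': c.sub, if (c.email != null) 'email': c.email};
  print(doc);
}
```

Keying the stored record on the `sub` claim keeps the account identifiable when no email is supplied, and the `is_private_email` flag distinguishes relay addresses from real ones.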