May 14, 2025

🧑‍💻 Why Apple SSO Doesn't Return First and Last Name After First Login (and How to Handle It)

Single Sign-On (SSO) has become the gold standard for seamless user authentication. With providers like Google, Facebook, and Apple, integrating social login has never been easier. But when using Apple SSO, many developers face a confusing issue:

After the first login, Apple no longer returns the user's first and last name.

This behavior isn't a bug — it's by design. In this blog, we’ll dive into:

  • Why Apple behaves this way

  • How it's different from Google and Facebook

  • How to fix it in your app

  • Whether you can use Apple’s private relay email for OTP/communication


🍏 Why Apple Doesn’t Return Name After First Login — By Design

Apple is known for putting user privacy first, and its SSO implementation reflects that.

When a user signs in using Apple for the first time, Apple returns the given_name, family_name, and optionally the email. However, subsequent logins will not return the name again, regardless of scopes.

📜 Apple Developer Docs:
“Apple only shares user information such as name and email once, during the initial authorization.”

This is intentional to:

  • Minimize personal data shared with third-party apps

  • Give users complete control over their identity

  • Ensure developers store data responsibly


🔍 Why This Is Not an Issue with Google or Facebook

Both Google and Facebook take a more traditional OAuth 2.0 approach. When requested via appropriate scopes (profile, email), they consistently return:

  • First name

  • Last name

  • Profile picture

  • Email

| Feature | Apple | Google / Facebook |
|---|---|---|
| Name returned always | ❌ Only on first login | ✅ On every login |
| Email always returned | ✅ Yes (if allowed) | ✅ Yes |
| Can hide real email | ✅ Yes (private relay option) | ❌ No |
| Privacy-first approach | ✅ Very strict | ❌ Less strict |

🛠️ How to Fix the Missing Name Issue

To build a robust Apple SSO integration, here’s what you should do:

✅ 1. Store the Name at First Login

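On the first login, extract the name and persist it in your backend.

// decodeJwt must verify the token's signature, issuer, audience and expiry
// before any claim is trusted.
Map<String, Object> claims = decodeJwt(appleIdToken);
String firstName = (String) claims.get("given_name");
String lastName = (String) claims.get("family_name");

// Apple sends the name only once, so persist it as soon as it is present.
if (firstName != null && lastName != null) {
    userService.saveUserName(userId, firstName, lastName);
}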

🔁 2. Fetch Name From Your DB for Later Logins

Since Apple won’t send it again, use the stored name for future user sessions:

// appleSub is the "sub" claim from the verified ID token.
User user = userRepository.findByAppleSub(appleSub);
String name = user.getFirstName() + " " + user.getLastName();

✏️ 3. Prompt User If Name Was Never Captured

If the name wasn’t captured during the first login (e.g., due to a bug or user canceling), prompt the user to enter it manually.
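The three steps above combined into one login handler keyed on the ID token's sub claim. This is an added example, not code from the original post: AppleNameCapture, Profile, onLogin and the in-memory map are hypothetical names, and the caller is assumed to have validated the ID token and extracted the name fields already.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class AppleNameCapture {

    // Stored profile keyed by the ID token's "sub" claim; either name may be null.
    record Profile(String sub, String firstName, String lastName) {
        boolean needsNamePrompt() { return firstName == null || lastName == null; }
    }

    // In-memory stand-in for the user table (hypothetical).
    private final Map<String, Profile> bySub = new ConcurrentHashMap<>();

    // The name is display text supplied once at first login: trim it, drop
    // control characters and cap the length before it is stored.
    static String clean(String raw) {
        if (raw == null) return null;
        String s = raw.replaceAll("\\p{Cntrl}", "").trim();
        if (s.isEmpty()) return null;
        return s.length() > 100 ? s.substring(0, 100) : s;
    }

    // verifiedSub: "sub" from an ID token the caller has already validated.
    // firstName/lastName: values from this login, null on a returning login.
    Profile onLogin(String verifiedSub, String firstName, String lastName) {
        Profile incoming = new Profile(verifiedSub, clean(firstName), clean(lastName));
        // Steps 1 and 2: store on first sight; afterwards the stored value wins,
        // so a returning login with no name never blanks the record.
        return bySub.merge(verifiedSub, incoming, (stored, fresh) -> new Profile(verifiedSub,
            stored.firstName() != null ? stored.firstName() : fresh.firstName(),
            stored.lastName() != null ? stored.lastName() : fresh.lastName()));
    }

    public static void main(String[] args) {
        AppleNameCapture svc = new AppleNameCapture();
        String sub = "000000.constructed-sub.0000"; // constructed sample value
        System.out.println(svc.onLogin(sub, " Ada\r\n", "Lovelace")); // first login
        System.out.println(svc.onLogin(sub, null, null));             // returning login
        // Step 3: a user whose name was never captured is flagged for a prompt.
        Profile p = svc.onLogin("000001.constructed-sub.0000", null, null);
        System.out.println("prompt for name: " + p.needsNamePrompt());
    }
}
```

Because the stored value always wins in onLogin, a name change has to go through your own authenticated profile-edit path, not through a repeated login request.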


📧 Can You Use Apple’s Private Relay Email for OTP and Communication?

Yes! If a user chooses “Hide My Email” during Apple SSO, Apple generates a relay address like:

randomstring@privaterelay.appleid.com

✅ You Can Send OTPs and Emails to It

Apple forwards emails sent to this relay address to the user’s actual Apple ID inbox. You can use it for:

  • OTPs

  • Welcome emails

  • Password reset links

  • Transactional notifications

Apple guarantees delivery as long as your domain is registered and emails are compliant.

🔒 Key Considerations

| Aspect | Details |
|---|---|
| Relay Validity | Relay remains active while the user uses your app |
| SPF/DKIM Required | Set up email authentication to avoid spam filtering |
| No Marketing Emails | Stick to transactional emails; avoid promotional content |
| Reply-to Address | Set it up if you expect users to reply |

📥 Can Users Access It?

Absolutely. Users receive emails sent to @privaterelay.appleid.com in their actual inbox, just like any other email. They typically don’t see or interact with the relay address directly.


🧩 Bonus: How to Detect First-Time Apple Login

You can determine if it's a first-time login based on whether given_name and family_name are present in the ID token or the user JSON payload. If they're missing, it's a returning login.


🧭 Final Thoughts

Apple's approach to SSO is driven by a strong privacy philosophy. While it may introduce some extra work for developers, it's a positive step for user data protection.

To ensure a smooth experience:

  • Store user name on first login

  • Use Apple’s private relay email confidently for OTPs and communication

  • Respect user privacy — and be ready to ask for missing info if needed


Need Help With Apple, Google, or Facebook SSO in Spring Boot or WebFlux?
I help teams build secure and privacy-conscious SSO integrations. Reach out if you’d like a tailored solution!

