user_profile email parameter not saved during token exchange in v1.16.0

[saurajthapa]

When using token exchange with the user_profile parameter, the firstName and lastName are correctly saved to Keycloak, but the email field is not being stored.
Environment:

Extension version: 1.16.0
Keycloak version: 26.3.0
Token exchange method: ID token

Steps to Reproduce:

Configure Apple Identity Provider in Keycloak
Make a token exchange request with user_profile parameter:

POST /realms/{realm}/protocol/openid-connect/token
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:token-exchange
&client_id=my-client
&subject_token={apple_id_token}
&subject_issuer=apple
&subject_token_type=urn:ietf:params:oauth:token-type:id_token
&user_profile={"name":{"firstName":"John","lastName":"Doe"},"email":"john@example.com"}

Check the created user in Keycloak database

Expected Behavior:
User should be created with:

first_name: "John"
last_name: "Doe"
email: "john@example.com"

Actual Behavior:
User is created with:

first_name: "John" ✅
last_name: "Doe" ✅
email: NULL ❌

Database Verification:
sqlSELECT username, email, first_name, last_name
FROM user_entity
WHERE username = '{apple_user_id}';

Result:

username	email	first_name	last_name
001251.874d1792f37642918f6400e98fa3b8aa.1010		John	Doe
Additional Notes:

The token exchange succeeds and returns a valid access token
The returned access token contains given_name and family_name but does NOT contain the email claim
According to the documentation, the user_profile parameter should include email: {"name":{"firstName":string,"lastName":string},"email":string}
This appears to be a bug where the extension processes firstName/lastName from user_profile but ignores the email field

[klausbetz]

Thank you, @saurajthapa!

The level of detail is a great help!

I have tow more questions. What scopes do you use to request the ID token? Is the email address part of your ID token? (you can debug your ID token using https://www.jwt.io/)

There could be an edge case where the ID token does not contain the email of the user so that Keycloak cannot extract the email automatically. If that's the case then I'll try to provide a fix for that.

[saurajthapa]

Hi @klausbetz, thanks for the prompt response!
Scopes Used:
I'm using token exchange with an Apple ID token, so no explicit scopes are requested in my token exchange call. The ID token is generated by Apple's native sign-in flow on iOS.
ID Token Contents:
Here's the decoded ID token I'm sending in the subject_token parameter (decoded via jwt.io):
{
"iss": "https://appleid.apple.com",
"aud": "com.pelc.beldl****",
"exp": 1768362836,
"iat": 1768276436,
"sub": "001251.874d1792f376429**************.1010",
"c_hash": "B4rk71uYE49Td*************",
"auth_time": 1768276436,
"nonce_supported": true
}

**Key Issue: Email is NOT in the ID token** 

You're absolutely right - the email is **not present in the ID token** from Apple. This is expected behavior from Apple since they only provide user data (email, firstName, lastName) on the **first authentication**, not in subsequent ID tokens.

**That's why I'm using the `user_profile` parameter:**

According to your documentation, the `user_profile` parameter is specifically designed to handle this case:

POST /realms/{realm}/protocol/openid-connect/token

user_profile={"name":{"firstName":"Kear","lastName":"bro"},"email":"kear@example.com"}
The documentation states:

"optional. The JSON string that Apple sends on the first login (only required for the first login if you want to store the user's name)"

What's Working:

firstName and lastName from user_profile are correctly saved to Keycloak

What's NOT Working:

email from user_profile is not being saved to Keycloak

My Request:
Since the ID token doesn't contain the email , could you add support to extract the email field from the user_profile parameter during token exchange, similar to how firstName and lastName are currently being extracted?
This would allow mobile apps to properly set the user's email on first login via token exchange.
Thanks for looking into this!

[klausbetz]

Thanks for your insights!

I prepared a test version for you that contains the fix to also consider the email address from the userJson and is compatible to your Keycloak version 26.3.0.
If the test version works for you I'll create a new release.

apple-identity-provider-1.16.1.jar.zip

[saurajthapa]

Tested the apple-identity-provider-1.16.1 version; it works.

Observation:

On the first login, the first name, last name, and email are updated correctly.
Once the user is created and linked to the Apple ID, subsequent logins do not update these fields.
Is this expected behavior, or should user details update on every login?

[txshiro]

@saurajthapa
In my case, setting the Sync mode to Force in the Apple identity provider configuration resolved an issue where user attributes were not updating after revoking and reauthorizing Sign in with Apple.

Previously, if a user initially chose “Hide My Email,” then later revoked Sign in with Apple from their Apple ID settings and signed in again without hiding their email, the email address in Keycloak was not updated. After switching Sync mode to Force, the subsequent login correctly updates the user’s email to their real email address.

The same behavior applies to first and last names: they are updated after the user revokes access and signs in again. However since Apple only provides first and last name on the initial authorization, I don't think you can update these on every login.