feat: support transfer_sub in apple id tokens (#2162)

hf · web-flow · commit 8a7100648602 · 2025-09-15T10:42:14.000+02:00
Gain access to the [`transfer_sub` claim present in Apple ID tokens](https://developer.apple.com/documentation/signinwithapple/bringing-new-apps-and-users-into-your-team) when an app is being transferred from one owner to another (e.g. when an app is purchased by another company).
diff --git a/internal/api/provider/oidc.go b/internal/api/provider/oidc.go
@@ -170,6 +170,8 @@ type AppleIDTokenClaims struct {
 
 	AuthTime       *float64        `json:"auth_time"`
 	IsPrivateEmail *IsPrivateEmail `json:"is_private_email"`
+
+	TransferSub string `json:"transfer_sub"`
 }
 
 func parseAppleIDToken(token *oidc.IDToken) (*oidc.IDToken, *UserProvidedData, error) {
@@ -201,6 +203,10 @@ func parseAppleIDToken(token *oidc.IDToken) (*oidc.IDToken, *UserProvidedData, e
 		data.Metadata.CustomClaims["auth_time"] = *claims.AuthTime
 	}
 
+	if claims.TransferSub != "" {
+		data.Metadata.CustomClaims["transfer_sub"] = claims.TransferSub
+	}
+
 	if len(data.Metadata.CustomClaims) < 1 {
 		data.Metadata.CustomClaims = nil
 	}

Original file line number	Diff line number	Diff line change
`@@ -170,6 +170,8 @@ type AppleIDTokenClaims struct {`
`170`	`170`
`171`	`171`	AuthTime *float64 `json:"auth_time"`
`172`	`172`	IsPrivateEmail *IsPrivateEmail `json:"is_private_email"`
	`173`	`+`
	`174`	+ TransferSub string `json:"transfer_sub"`
`173`	`175`	`}`
`174`	`176`
`175`	`177`	`func parseAppleIDToken(token oidc.IDToken) (oidc.IDToken, *UserProvidedData, error) {`
`@@ -201,6 +203,10 @@ func parseAppleIDToken(token oidc.IDToken) (oidc.IDToken, *UserProvidedData, e`
`201`	`203`	`data.Metadata.CustomClaims["auth_time"] = *claims.AuthTime`
`202`	`204`	`}`
`203`	`205`
	`206`	`+ if claims.TransferSub != "" {`
	`207`	`+ data.Metadata.CustomClaims["transfer_sub"] = claims.TransferSub`
	`208`	`+ }`
	`209`	`+`
`204`	`210`	`if len(data.Metadata.CustomClaims) < 1 {`
`205`	`211`	`data.Metadata.CustomClaims = nil`
`206`	`212`	`}`