# ory-copilot
@chilly-king-10285 I have a phone app using Login with Apple. The client_id is the bundle identifier. I want to incorporate a web site, but Apple said I need to create a Service ID and set this identifier as the client_id, so my configuration in Kratos has two providers. If a user is registered in the app it is ok, but if the user tries to log in on the web, Kratos says:

> An account with the same identifier (email, phone, username, ...) exists already. Please sign in to your existing account and link your social profile in the settings page

Is it possible to rec
A message from kapa.ai
I understand your issue with Apple Sign-In across different platforms. This is a common challenge when implementing social sign-in across both mobile apps and web applications. Based on the knowledge sources, when you have different client IDs for the same provider (Apple in this case - one for your mobile app using the bundle identifier and another for your web app using the service ID), Ory Kratos treats them as separate providers. This is why you're getting the error message when a user tries to log in on the web after registering through the mobile app. The error message you're seeing indicates that Ory has detected that the email address from the Apple Sign-In on web is already associated with an existing account (the one created through your mobile app).

There are a few approaches to handle this:

1. Use `additional_id_token_audiences`: According to the documentation, you don't necessarily need to define separate providers for different platforms. You can specify the identifier of your app in the `additional_id_token_audiences` config option of the provider. [Using the Google SDK on native apps](https://www.ory.sh/docs/kratos/social-signin/google#using-the-google-sdk-on-native-apps) mentions this approach (though for Google, the concept is similar for Apple).
2. Account Linking: Users can manually link their accounts through the settings page, but this requires them to first log in with their existing credentials, which might not be ideal for your use case.
3. Automatic Account Linking: Ory supports automatic account linking when the same identifier is used across different authentication methods, but the user would need to verify an additional credential (like a password) before the accounts can be linked. This is a security measure to prevent unauthorized account takeovers.

Unfortunately, the knowledge sources indicate that email addresses must be unique across all providers in Ory Kratos. As mentioned in a GitHub discussion:

> "No its not possible to circumvent this because the email address must be unique. You could potentially circumvent this with multiple Ory Network projects / multiple Ory Kratos instances, but it is not documented."

[kratos, login with different oidc providers, with same email address](https://github.com/ory/kratos/discussions/4162)

For your specific case with Apple Sign-In, I recommend exploring the first approach - using a single provider configuration with appropriate audience settings to support both platforms, rather than creating separate provider configurations for web and mobile.
@chilly-king-10285 can you tell me more about `additional_id_token_audiences`
A message from kapa.ai
I'd be happy to explain more about `additional_id_token_audiences` in the context of Ory's social sign-in functionality. Based on the knowledge sources, `additional_id_token_audiences` is a configuration option that helps solve the exact problem you're facing with Apple Sign-In across different platforms (mobile app and web).

When you're using native SDKs for social sign-in (like Apple's Sign In with Apple SDK on iOS or Google's SDK on Android), these SDKs generate ID tokens that are specifically intended for your mobile application. The audience (`aud` claim) in these tokens is typically set to your mobile app's client ID or bundle identifier. The `additional_id_token_audiences` configuration allows Ory to recognize and accept ID tokens that have a different audience value than the primary client ID configured for the provider. This means you can:

1. Configure a single provider (e.g., "apple") in Ory
2. Set the main client ID to your web service ID
3. Add your mobile app's bundle identifier to the `additional_id_token_audiences` list

This way, when a user signs in through either your mobile app or website, Ory will recognize that the authentication is coming from the same provider and will associate it with the same user account, rather than treating them as separate providers requiring account linking. As mentioned in the GitHub discussion about a similar issue with Google Sign-In across platforms:

> "If you're using the native OIDC sign in using `id_token`s, you can specify the identifier of your app in the `additional_id_token_audiences` config option of the provider."

[Automatically link identities same provider](https://github.com/ory/kratos/discussions/4223)

This approach should allow you to maintain a single user identity across both your mobile app and web application when using Apple Sign-In, eliminating the need for manual account linking or creating multiple provider configurations. Unfortunately, the knowledge sources don't provide a specific code example for the `additional_id_token_audiences` configuration with Apple Sign-In, but the concept should be applicable across different OAuth2/OIDC providers including Apple.
@chilly-king-10285 can this property be used with generic providers?
A message from kapa.ai
Yes, the `additional_id_token_audiences` property can be used with generic OIDC providers in Ory. Based on the knowledge sources, Ory supports configuring generic OpenID Connect providers through its social sign-in functionality. While the specific documentation about `additional_id_token_audiences` was mentioned in the context of Google sign-in, this property is part of the general OIDC configuration options that should be applicable to any OIDC-compliant provider, including those configured as generic providers.

The separation of `id` and `provider` in the OIDC configuration makes it possible to have several OIDC providers of the same type. As explained in a GitHub discussion:

> "The separation of `id` and `provider` makes it possible to have several OIDC providers of the same `provider` type, e.g. several 'generic' providers."

[What is the difference between `provider` and `id` in the OIDC provider configuration?](https://github.com/ory/kratos/discussions/4261)

For your specific case with Apple Sign-In across platforms, you should be able to configure a single generic OIDC provider with Apple as the identity provider, and use the `additional_id_token_audiences` property to handle both your web service ID and mobile app bundle identifier. This approach should help you solve the issue where users registered through your mobile app cannot sign in on the web without encountering the "account already exists" error.