The format of Apple OIDC (OpenID Connect) claims, as used in Ory, is a JSON object typically containing fields such as email and email_verified. When integrating Apple as an OIDC provider, the claims are made available to your Jsonnet mapping as an object, for example:

jsonnet local claims = {     email_verified: false,   } + std.extVar('claims');  {   identity: {     traits: {       // Only return the email if it exists and is marked verified by Apple       [if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,     },   }, }

The key claims you can expect from Apple include: - email: The user's email address (if available) - email_verified: Boolean indicating if the email is verified Apple's ID token, which is the source of these claims, typically only contains the user's email address and its verification status. Additional claims may be present depending on the user's Apple account and the scopes requested, but the above are the primary ones used in Ory's integration. If you need to map these claims to Ory identity traits, you do so via a Jsonnet snippet as shown above, and you can make the mapping conditional based on the presence and verification of the email claim [Webbrowser Apple OIDC mapping](https://www.ory.sh/docs/kratos/social-signin/apple#webbrowser). If you use the Apple SDK on native apps, you may also receive the user's full name as part of the credential, which you can submit as additional traits during registration or login [Apple SDK on native apps](https://www.ory.sh/docs/kratos/social-signin/apple#using-the-apple-sdk-on-native-apps). In summary, the Apple OIDC claims format is a JSON object with at least email and email_verified fields, and optionally name fields if available.

To get the user name from Apple OIDC claims in Ory, you need to consider the following: - Web Browser Flow: The ID token issued by Apple for web flows typically only contains the user's email address and its verification status. The knowledge sources do not indicate that the user's name is included in the claims for web-based OIDC flows. Therefore, you generally cannot get the user's name from Apple in the web flow—only the email is reliably available [Apple OIDC mapping for web](https://www.ory.sh/docs/kratos/social-signin/apple#webbrowser). - Native App Flow (using Apple SDK): When using the Apple SDK in a native app, you can request the user's full name as part of the authentication process. The SDK provides the name in the credential object, which you can then submit to Ory as part of the

traits

field in the registration or login flow. Here’s an example from the documentation:

typescript   traits: {     name: {       first: credential.fullName?.givenName || "given name",       last: credential.fullName?.familyName || "last name",     },   }

You include this in your call to

updateRegistrationFlow

or

updateLoginFlow

along with the

id_token

and

id_token_nonce

 [Apple SDK on native apps](https://www.ory.sh/docs/kratos/social-signin/apple#using-the-apple-sdk-on-native-apps). Summary: - For web flows, you generally cannot get the user's name from Apple OIDC claims—only the email is available. - For native app flows using the Apple SDK, you can obtain the user's name and submit it as part of the identity traits to Ory. If you need the user's name in a web flow, Apple does not provide it via OIDC, and there is no workaround documented in the knowledge sources.