From 25897e913e59414f197dba73d59ee77c98015433 Mon Sep 17 00:00:00 2001
From: Trey t
Date: Wed, 3 Jun 2026 22:30:33 -0500
Subject: [PATCH] Auto-verify Sign in with Apple emails
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Apple OIDC mapper now marks the email verified unconditionally via
verified_addresses. SIWA cryptographically proves control of the Apple ID
and Apple owns/verifies the (relay) email, so a code is redundant.

Gating on Apple's `email_verified` claim was unreliable — Apple omits it
on many authorizations, which made verification random (sometimes a
surprise code prompt). Password sign-ups still verify via the honeyDue
API flow.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 deploy-k3s/manifests/kratos/configmap.yaml | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/deploy-k3s/manifests/kratos/configmap.yaml b/deploy-k3s/manifests/kratos/configmap.yaml
index 3a2bb80..313e185 100644
--- a/deploy-k3s/manifests/kratos/configmap.yaml
+++ b/deploy-k3s/manifests/kratos/configmap.yaml
@@ -207,14 +207,26 @@ data: // returns the name on the very first authorization and not in the ID // token claims, so only email is mapped here. // - // NOTE: we intentionally do NOT carry Apple's email_verified across via - // verified_addresses. Product decision: every account-creation flow — - // including Sign in with Apple — must complete an email verification step. + // Sign in with Apple emails are marked verified UNCONDITIONALLY: completing + // SIWA cryptographically proves the user controls that Apple ID, and Apple + // owns/verifies the (relay or real) email, so a 6-digit code would be + // redundant. We deliberately do NOT gate this on Apple's `email_verified` + // claim — Apple omits that claim on many authorizations (only sends it on + // the first grant), which made auto-verification random: sometimes verified, + // sometimes a surprise code prompt (observed 2026-06-03). Marking it + // verified on every SIWA makes the behaviour consistent: Apple users never + // see a code; password sign-ups still verify via the honeyDue API flow. local claims = std.extVar('claims'); { identity: { traits: { email: claims.email, }, + verified_addresses: std.prune([ + if 'email' in claims then { + via: 'email', + value: claims.email, + }, + ]), }, }
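Review bot: the new `verified_addresses` entry asserts verification even when Apple sends `email_verified` explicitly as false, because the comment says the claim is ignored entirely rather than only tolerated when absent. The comment's own observation (Apple omits the claim on repeat authorizations) argues for treating "claim absent" as "already verified on first grant", but it does not justify overriding a present, negative claim; consider adding the entry only when the claim is absent or truthy, so the consistent no-code behaviour is kept without marking an address verified that Apple has declined to vouch for. Two smaller points in the same hunk: `email: claims.email` in `traits` is unconditional while the `verified_addresses` entry is guarded by `if 'email' in claims`, so if `email` were ever missing the unguarded field access fails first and the guard never takes effect (guard both or drop the guard); and since the removed NOTE recorded a product decision that every account-creation flow must complete email verification, its reversal should be recorded somewhere reviewers of the signup flow will see it, not only in this Jsonnet comment.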