auth0
diff --git a/‎articles/api/authentication/api-authz/_get-token.md
+103-7 b/‎articles/api/authentication/api-authz/_get-token.md
+103-7
diff --git a/‎articles/connections/apple-setup.md
-114 b/‎articles/connections/apple-setup.md
-114
diff --git a/‎articles/connections/apple-siwa/add-siwa-to-native-app.md
+93 b/‎articles/connections/apple-siwa/add-siwa-to-native-app.md
+93
@@ -1,14 +1,17 @@
 # Get Token
 
 Use this endpoint to:
-- Get an <dfn data-key="access-token">Access Token</dfn> in order to call an API. You can, optionally, retrieve an ID Token and a <dfn data-key="refresh-token">Refresh Token</dfn> as well.
-- Refresh your Access Token, using a Refresh Token you got during authorization.
+- Get an <dfn data-key="access-token">Access Token</dfn> in order to call an API. Optionally, you can also retrieve an ID Token and a <dfn data-key="refresh-token">Refresh Token</dfn>.
+- Refresh your Access Token using a Refresh Token you got during authorization.
 
 Note that the only OAuth 2.0 flows that can retrieve a Refresh Token are:
 - [Authorization Code Flow (Authorization Code)](/flows/concepts/auth-code)
 - [Authorization Code Flow with PKCE (Authorization Code with PKCE)](/flows/concepts/auth-code-pkce)
 - [Resource Owner Password](/api-auth/grant/password)
 - [Device Authorization Flow](/flows/concepts/device-auth)
+- Token Exchange\*
+
+\* Only for certain native social profiles
 
 ## Authorization Code Flow
 
@@ -75,7 +78,7 @@ This is the flow that regular web apps use to access an API. Use this endpoint t
 
 | Parameter        | Description |
 |:-----------------|:------------|
-| `grant_type` <br/><span class="label label-danger">Required</span> | Denotes the flow you are using. For Authorization Code use  `authorization_code`. |
+| `grant_type` <br/><span class="label label-danger">Required</span> | Denotes the flow you are using. For Authorization Code, use `authorization_code`. |
 | `client_id` <br/><span class="label label-danger">Required</span> | Your application's Client ID. |
 | `client_secret` <br/><span class="label label-danger">Required</span> | Your application's Client Secret. |
 | `code` <br/><span class="label label-danger">Required</span> | The Authorization Code received from the initial `/authorize` call. |
@@ -91,13 +94,13 @@ This is the flow that regular web apps use to access an API. Use this endpoint t
 
 <%= include('../../../_includes/_test-this-endpoint') %>
 
-If you have just executed the [Authorization Code Grant](#authorization-code-grant) you should already have a code set at the **Authorization Code** field of the *OAuth2 / OIDC* tab. If so, click **OAuth2 Code Exchange**, otherwise follow the instructions.
+If you have just executed the [Authorization Code Grant](#authorization-code-grant), you should already have a code set at the **Authorization Code** field of the *OAuth2 / OIDC* tab. If so, click **OAuth2 Code Exchange**; otherwise, follow the instructions.
 
 1. At the *Configuration* tab, set the **Application** field to the application you want to use for the test.
 
 1. Copy the <dfn data-key="callback">**Callback URL**</dfn> and set it as part of the **Allowed Callback URLs** of your [Application Settings](${manage_url}/#/applications).
 
-1. At the *OAuth2 / OIDC* tab, set the field **Authorization Code** to the code you retrieved from [Authorization Code Grant](#authorization-code-grant). Click **OAuth2 Code Exchange**.
+1. At the *OAuth2 / OIDC* tab, set the field **Authorization Code** to the code you retrieved from the [Authorization Code Grant](#authorization-code-grant). Click **OAuth2 Code Exchange**.
 
 
 ### More Information
@@ -166,7 +169,6 @@ Content-Type: application/json
 This is the flow that mobile apps use to access an API. Use this endpoint to exchange an Authorization Code for a Token.
 
 
-
 ### Request Parameters
 
 | Parameter        | Description |
@@ -577,7 +579,101 @@ Use this endpoint to refresh an <dfn data-key="access-token">Access Token</dfn>
 
 1. At the *OAuth2 / OIDC* tab, set the field **Refresh Token** to the Refresh Token you have. Click **OAuth2 Refresh Token Exchange**.
 
-
 ### More Information
 
 - [Refresh Token](/tokens/refresh-token)
+
+## Token Exchange for Native Social
+
+```http
+POST https://${account.namespace}/oauth/token
+Content-Type: application/x-www-form-urlencoded
+
+grant_type=urn:ietf:params:oauth:grant-type:token-exchange&subject_token=SUBJECT_TOKEN&subject_token_type=SUBJECT_TOKEN_TYPE&client_id=${account.clientId}&audience=API_IDENTIFIER&scope=SCOPE
+```
+
+```shell
+curl --request POST \
+  --url 'https://${account.namespace}/oauth/token' \
+  --header 'content-type: application/x-www-form-urlencoded' \
+  --data 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange&subject_token=SUBJECT_TOKEN&subject_token_type=SUBJECT_TOKEN_TYPE&client_id=${account.clientId}&audience=API_IDENTIFIER&scope=SCOPE'
+ }'
+```
+
+```javascript
+var request = require("request");
+
+var options = { method: 'POST',
+  url: 'https://${account.namespace}/oauth/token',
+  headers: { 'content-type': 'application/x-www-form-urlencoded' },
+  form:
+   { grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
+     subject_token: 'SUBJECT_TOKEN',
+     subject_token_type: 'SUBJECT_TOKEN_TYPE',
+     client_id: '${account.clientId}',
+     audience: 'API_IDENTIFIER',
+     scope: 'SCOPE',
+   };
+
+request(options, function (error, response, body) {
+  if (error) throw new Error(error);
+
+  console.log(body);
+});
+```
+
+> RESPONSE SAMPLE:
+
+```JSON
+HTTP/1.1 200 OK
+Content-Type: application/json
+{ 
+  "access_token": "eyJz93a...k4laUWw",
+  "id_token": "eyJ...0NE",
+  "refresh_token": "eyJ...MoQ",
+  "expires_in":86400,
+  "token_type":"Bearer"
+}
+```
+
+<%= include('../../../_includes/_http-method', {
+  "http_badge": "badge-success",
+  "http_method": "POST",
+  "path": "/oauth/token",
+  "link": "#token-exchange-native-social"
+}) %>
+
+:::warning
+This flow is intended for use with native social interactions **only**. Use of this flow outside of a native social setting is highly discouraged.
+:::
+
+When a non-browser-based solution (such as a mobile platform's SDK) authenticates the user, the authentication will commonly result in artifacts being returned to application code. In such situations, this grant type allows for the Auth0 platform to accept artifacts from trusted sources and issue tokens in response. In this way, apps making use of non-browser-based authentication mechanisms (as are common in native apps) can still retrieve Auth0 tokens without asking for further user interaction.
+
+Artifacts returned by this flow (and the contents thereof) will be determined by the `subject_token_type` and configuration settings of the tenant.
+
+### Request Parameters
+
+| Parameter        | Description |
+|:-----------------|:------------|
+| `grant_type` <br/><span class="label label-danger">Required</span> | Denotes the flow you are using. For Token Exchange for Native Social, use `urn:ietf:params:oauth:grant-type:token-exchange`. |
+| `subject_token` <br/><span class="label label-danger">Required</span> | Externally-issued identity artifact, representing the user. |
+| `subject_token_type` <br/><span class="label label-danger">Required</span> | Identifier that indicates the type of `subject_token`. Currently supported native social values are: `http://auth0.com/oauth/token-type/apple-authz-code`. |
+| `client_id` <br/><span class="label label-danger">Required</span> | Your application's Client ID. |
+| `audience` | The unique identifier of the target API you want to access. |
+| `scope` | String value of the different <dfn data-key="scope">scopes</dfn> the application is requesting. Multiple scopes are separated with whitespace. |
+
+### Request headers
+
+| Parameter        | Description |
+|:-----------------|:------------|
+| `auth0-forwarded-for` | End-user IP as a string value. Set this if you want brute-force protection to work in server-side scenarios. For more information on how and when to use this header, refer to [Using resource owner password from server-side](/api-auth/tutorials/using-resource-owner-password-from-server-side). |
+
+### Remarks
+
+- The <dfn data-key="scope">scopes</dfn> issued to the application may differ from the scopes requested. In this case, a `scope` parameter will be included in the response JSON.
+- If you don't request specific scopes, all scopes defined for the audience will be returned due to the implied trust to the application in this grant. You can customize the scopes returned in a rule. For more information, refer to [Calling APIs from Highly Trusted Applications](/api-auth/grant/password).
+
+### More Information
+- [Add Sign In with Apple to Native iOS Apps](/connections/apple-siwa/add-siwa-to-native-app)
+- [iOS Swift - Sign In with Apple Quickstart](/quickstart/native/ios-swift-siwa)
+
@@ -0,0 +1,93 @@
+---
+title: Add Sign In with Apple to Native iOS Apps
+description: Learn how to add native login functionality to your native app with Apple. 
+topics:
+  - authentication
+  - connections
+  - social
+  - apple
+contentType: how-to
+useCase:
+  - add-login
+  - customize-connections
+  - add-idp
+---
+# Add Sign In with Apple to Native iOS Apps
+
+You can add functionality to your native iOS application to allow your users to authenticate using Sign In with Apple. For more implementation details, you can try the Auth0 [iOS Swift - Sign In with Apple Quickstart](/quickstart/native/ios-swift-siwa).
+
+## How it works
+
+For a native app, the Sign in with Apple login flow works as follows:
+
+![Sign In with Apple Authentication Flow](/media/articles/connections/social/apple/apple-siwa-authn-flow.png)
+
+* **Steps 1 & 2**: User authenticates via Apple's SDK on their iOS device, and receive an authorization code in the response. The user does not have to leave the app and use a browser to log in.
+* **Step 3**: The application calls Auth0's `/oauth/token` endpoint to exchange the Apple authorization code for Auth0 tokens.
+* **Step 4 & 5**: The Auth0 platform exchanges the Authorization code with Apple for tokens.  Auth0 validates the tokens, and uses the claims in the tokens to construct the identity of the user.
+* **Step 6**: Auth0 saves the user profile, executes rules and authorization, then issues Auth0 access tokens (refresh tokens and ID tokens) as requested. These tokens are used to protect your APIs and users managed by Auth0.
+
+## Prerequisites
+
+Before you configure Sign In with Apple for your native app in Auth0, you must:
+
+* Have an [Apple Developer](https://developer.apple.com/programs/) account, which is a paid account with Apple. (There is no free trial available unless you are part of their [iOS Developer University Program](https://developer.apple.com/support/compare-memberships/).)
+
+* Have set up a [custom domain](/custom-domains) on your Auth0 tenant (because you must be able to do domain verification with Apple).
+
+* [Register Apps in the Apple Developer Portal](/connections/apple-siwa/set-up-apple). Make a note of the following IDs and key for the application connection settings in the Auth0 Dashboard:
+
+  * App ID
+  * Apple Team ID
+  * Client Secret Signing Key
+  * Client Signing Key ID (optional)
+
+::: note
+If you are using the Classic Universal Login flow or embedding `Lock.js` in your application, make sure you are using `Lock.js` version 11.16 or later.
+:::
+
+## Configure and enable the connection in Auth0
+
+Once you have the credentials you need from your Apple Developer account, you need to configure the application client and the connection settings in Auth0.
+
+1. On the Dashboard, go to [Applications](${manage_url}/#/applications), choose your application, and click the gear icon to view the settings page.  
+
+2. At the bottom of the page, click **Show Advanced Settings** and go to the **Device Settings** tab. Under **Native Social Login**, enable the **Enable Sign In with Apple** toggle. 
+
+    ![Application Client Settings: Advanced Device Settings](/media/articles/connections/social/apple/apple-app-mobile-settings.png)
+
+3. Under **iOS**, fill in the **App ID** field with the native app's App ID/Bundle Identifier.
+
+4. Go to [Connections > Social](${manage_url}/#/connections/social) and click on the **Apple** connection. 
+
+5. On the **Settings** tab, fill in the following fields:
+
+    * **Apple Team ID**
+    * **Client Secret Signing Key**
+    * **Key ID** (Apple will accept the key without the ID)(optional)
+
+    ![Application Connection Settings](/media/articles/connections/social/apple/apple-connection.png)
+
+6. Click **Save**.
+
+::: note
+Native apps cannot be tested from the browser. This means that the **TRY** button on the Apple connection is used exclusively for testing web-based flows.
+:::
+
+## Logout
+Since the Native iOS login implementation does not make use of standard browser-based flows, application owners must also take care to perform logout appropriately. When an application needs to perform a logout, it must take the following actions:
+
+ * [Revoke the Auth0 Refresh Token](/api/authentication#revoke-refresh-token)
+ * Delete the Auth0 refresh token stored in the iCloud Keychain
+ * Delete the Apple user identifier stored in the iCloud keychain
+
+Also, keep in mind that logout can result from user actions (i.e., clicking a "log out" button) or from a user revoking access to the given app. The latter will be indicated through the native [ASAuthorizationAppleIDProvider.getCredentialState](https://developer.apple.com/documentation/authenticationservices/asauthorizationappleidprovider/3175423-getcredentialstate) method.
+
+:::note
+One nuance of Apple's IdP is that it only returns requested scopes (such as email, first name, and last name) in the ID token on the **first** response. More destructive approaches to logout (such as deleting the user) could result in loss of profile information, which would require end users to unauthorize and reauthorize an app.
+:::
+
+## Keep reading
+
+* [Rate Limits on Native Social Logins](/policies/rate-limits#limits-on-native-social-logins)
+* [Test Sign In with Apple Configuration](/connections/apple-siwa/test-siwa-connection)