How to configure Sign In with Apple

Janak Amarasena
Identity Beyond Borders
5 min read · Jun 10, 2019
Image from https://www.macobserver.com

One of the interesting things Apple rolled out at their WWDC19 conference was “Sign In with Apple”, an authentication service provided by Apple that lets developers allow users to sign in to their applications with an Apple ID.

Going through the official Apple docs and configuring this seems to be a tedious task at the moment. So here I will quickly guide you through the basic setup :)

Log in to your Apple developer account.

We will need to obtain an App ID with the “Sign In with Apple” capability.

  1. Go to Certificates, Identifiers & Profiles > Identifiers and click on the + sign in the upper left next to “Identifiers”.
  2. Select App IDs and hit Continue.
  3. Enter any Description and a Bundle ID (Apple recommends a reverse-domain-name style string, e.g. com.domainname.appname). Scroll down to Capabilities and make sure to tick Sign In with Apple. Finally, click Continue, verify the details on the next page and click Register.
  4. Now we need to obtain a Services ID. This will also serve as the client_id when you make API calls to authenticate the user.
  5. Again go to Certificates, Identifiers & Profiles > Identifiers and click on the + sign in the upper left next to “Identifiers”.
  6. This time select Services IDs and hit Continue.
  7. Enter any Description and an Identifier (Apple recommends a reverse-domain-name style string, e.g. com.domainname.appname). Make sure to tick Sign In with Apple, then click the Configure button next to it.
  8. Clicking Configure in the previous step displays the Web Authentication Configuration screen. Make sure the App ID we obtained previously is selected as the Primary App ID. Next, add the Web Domain you will be using this service on (I did not have to verify the domain to try out Sign In with Apple, but it's best if you can get this done). I used example-app.com. Finally, add the Return URLs (you can add multiple); these are the only URLs the user may be redirected to after authenticating with Sign In with Apple (for quick testing purposes I used https://example-app.com/redirect). Click Save.
  9. Click Continue, verify the details on the next page and click Register.

Now we need to create a private key that will be used to generate our client_secret, which is also needed to make the token request to Apple.

  1. Go to Certificates, Identifiers & Profiles > Keys and click on the + sign in the upper left next to “Keys”.
  2. Give a Key Name and make sure to tick Sign In with Apple. Here too we will have to click Configure. On the screen that appears next (Configure Key), select the same App ID we used previously under Choose a Primary App ID and click Save.
  3. Click on Continue and in the next page verify the details and click Register.
  4. Download the key and keep it in a safe place as you will never be able to download it again. Click on Done after downloading the key.

Well, that's pretty much it with configurations.

We already have our client_id; now we need one more thing to call the API: the client_secret, which we will create using the private key we just downloaded.

The client secret has to be a JWT and, according to the Apple docs, we need to sign the token using the Elliptic Curve Digital Signature Algorithm (ECDSA) with the P-256 curve and the SHA-256 hash algorithm (ES256). One of the easy ways to get this done is using ruby-jwt. First check whether you already have Ruby set up; if not, install it first.

Below are the details we will need to include in the JWT.

--Header--
alg - The algorithm used to sign the token. This will be ES256.
kid - The 10-character Key ID of the private key you created. You can get it from Certificates, Identifiers & Profiles > Keys > (click on the key you created).
--Payload--
iss - The 10-character Team ID given to you. You can find it here: https://developer.apple.com/account/#/membership
iat - The time at which the token was generated, as the number of seconds since the Unix epoch, in UTC.
exp - The expiry time of the token, as the number of seconds since the Unix epoch, in UTC. According to the docs the value must not be more than 15777000 (6 months in seconds) after the current Unix time on the server.
aud - Identifies the recipient the JWT is intended for. Since this token is meant for Apple, use https://appleid.apple.com.
sub - Identifies the principal that is the subject of the JWT. Use the same value as client_id, as this token is issued on behalf of your application.

Let's get the client_secret.

After setting up Ruby, run the command sudo gem install jwt; this will install ruby-jwt.

Add the necessary details and save the following as secret_gen.rb

You can run the secret_gen.rb file using the command ruby secret_gen.rb from the terminal, and it will print the client_secret.
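The author's secret_gen.rb gist is not reproduced here. Below is an added example, not the author's script, that builds the same client_secret using only Ruby's standard library (openssl and json) instead of ruby-jwt, so the ES256 signing described above is visible step by step: the JSON header and payload, the base64url encoding, and the conversion of OpenSSL's DER-encoded ECDSA signature into the raw 64-byte form a JWS requires (the step ruby-jwt otherwise hides). It also verifies the finished token, which is a handy sanity check before you send it to Apple. The key, Key ID, Team ID and Services ID are constructed placeholders: a throwaway P-256 key is generated on the fly, and the IDs are made-up strings.

```ruby
# Added example, not the article's secret_gen.rb: builds the Sign In with Apple
# client_secret JWT with only Ruby's standard library (no ruby-jwt needed).
require 'openssl'
require 'json'

APPLE_AUDIENCE = 'https://appleid.apple.com'.freeze
APPLE_MAX_LIFETIME = 15_777_000 # 6 months in seconds, the largest exp - now Apple accepts

# Base64url without padding, as JWS requires.
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0') # strict decode: raises ArgumentError on bad input
end

# OpenSSL returns ECDSA signatures as DER SEQUENCE { r INTEGER, s INTEGER };
# JWS ES256 wants the raw 64-byte big-endian r||s instead.
def der_to_raw(der)
  r, s = OpenSSL::ASN1.decode(der).value.map { |int| int.value.to_s(2) }
  r.rjust(32, "\x00") + s.rjust(32, "\x00")
end

def raw_to_der(raw)
  r = OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(raw[0, 32], 2))
  s = OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(raw[32, 32], 2))
  OpenSSL::ASN1::Sequence.new([r, s]).to_der
end

# key_pem is the contents of the .p8 file downloaded from the developer portal;
# key_id, team_id and client_id are the values listed in the article. lifetime
# defaults to one day: the secret is cheap to regenerate, so there is no need
# to issue one that stays valid for the full 6 months.
def apple_client_secret(key_pem:, key_id:, team_id:, client_id:, now: Time.now.to_i, lifetime: 86_400)
  raise ArgumentError, 'exp exceeds the 6-month limit' if lifetime > APPLE_MAX_LIFETIME

  header  = { alg: 'ES256', kid: key_id }
  payload = { iss: team_id, iat: now, exp: now + lifetime, aud: APPLE_AUDIENCE, sub: client_id }
  signing_input = "#{b64url(header.to_json)}.#{b64url(payload.to_json)}"

  key = OpenSSL::PKey.read(key_pem)
  der = key.sign(OpenSSL::Digest.new('SHA256'), signing_input) # ECDSA P-256 / SHA-256
  "#{signing_input}.#{b64url(der_to_raw(der))}"
end

# Verifies an ES256 JWT against a key PEM (the private key works too, since it
# carries the public point). Returns true or false, never raises.
def verify_client_secret(jwt, key_pem)
  h, p, sig = jwt.split('.')
  return false if sig.nil?
  raw = b64url_decode(sig)
  return false unless raw.bytesize == 64
  key = OpenSSL::PKey.read(key_pem)
  key.verify(OpenSSL::Digest.new('SHA256'), raw_to_der(raw), "#{h}.#{p}")
rescue OpenSSL::PKey::PKeyError, ArgumentError
  false
end

# Constructed sample inputs (placeholders, not real Apple identifiers).
SAMPLE_KEY_PEM   = OpenSSL::PKey::EC.generate('prime256v1').to_pem
SAMPLE_KEY_ID    = 'ABC123DEFG'          # placeholder 10-character Key ID
SAMPLE_TEAM_ID   = 'TEAM123456'          # placeholder 10-character Team ID
SAMPLE_CLIENT_ID = 'com.example-app.web' # placeholder Services ID

# Fixed iat (2019-06-10T00:00:00Z) so the payload is reproducible.
def sample_secret(now: 1_560_124_800)
  apple_client_secret(key_pem: SAMPLE_KEY_PEM, key_id: SAMPLE_KEY_ID,
                      team_id: SAMPLE_TEAM_ID, client_id: SAMPLE_CLIENT_ID, now: now)
end

if __FILE__ == $PROGRAM_NAME
  secret = sample_secret(now: Time.now.to_i)
  puts secret
  puts "verifies: #{verify_client_secret(secret, SAMPLE_KEY_PEM)}"
end
```

To use it for real, replace SAMPLE_KEY_PEM with File.read of the downloaded .p8 file and the three placeholder IDs with your own, and treat the .p8 like any other credential (it never leaves the server that mints secrets). With ruby-jwt the signing line collapses to JWT.encode(payload, OpenSSL::PKey.read(key_pem), 'ES256', { kid: key_id }), which produces the same token.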

Okay… Now we are ready to test Sign In with Apple :)

Fill in your redirect_uri (it must be one of the Return URLs we configured previously) and the client_id, paste the URL below into your browser and hit Enter.

https://appleid.apple.com/auth/authorize?response_type=code&redirect_uri=<redirect_uri>&client_id=<client_id>

You will be prompted to authenticate (I had to enable two-factor authentication for my Apple Id to continue). And in the end, you will be redirected to the redirect_uri and end up with a code.

Run the following cURL command in the terminal, replacing the code with the one you got from the step above, the redirect_uri and client_id with the values used previously, and the client_secret with the one printed by secret_gen.rb.

curl -X POST https://appleid.apple.com/auth/token -d 'grant_type=authorization_code&code=<code>&redirect_uri=<redirect_uri>&client_id=<client_id>&client_secret=<client_secret>'

After running the above you should end up with an access token and an id token.

Some useful info, such as request details when using “Sign In with Apple”, can be found in this document provided by Apple.

If you're wondering about the Sign In with Apple flow, it's based on the OIDC Authorization Code flow.

Also, did you know that using WSO2 Identity Server you can add Sign In with Apple to your app in under 5 minutes with ZERO code? You can find how it's done over here.

If you're interested in learning more about “Sign In with Apple”, join this free webinar on Apple Sign In: A Zero-Code Integration Approach Using WSO2 Identity Server.
