Integrating Sign in with Apple into Your Asgardeo Applications
Do you ever find yourself hesitating to sign up for a new website or application because you have to create yet another username and password? Well, you’re not alone. Many people feel overwhelmed by the number of accounts they need to manage. Fortunately, social login offers a solution. Social login is a sign-on method that allows users to log in to websites and applications using an existing account from a social network such as Google, Facebook, Apple, etc. The rich user experience social login offers, especially the faster and easier single-click login, has driven its wide adoption in end-user-facing business applications.
Similar to popular social login options like Google and Facebook, Apple offers a “Sign in with Apple” option which allows users to log in to third-party applications using their Apple IDs. Sign in with Apple works on iOS, macOS, tvOS or in any browser on any device. One key highlight of Apple login is that it shares as little information as possible. Apple only shares the user’s name and email address, and only when the relevant claims are requested. It even lets the user hide their real email address from the third-party site by creating a proxy email address that forwards incoming mail to the real address. The name that is shared can be edited too, providing a great level of privacy.
Asgardeo is an IDaaS (Identity as a Service) that offers cloud based identity and access management which developers can use to implement secure authentication flows in their applications. Asgardeo has recently launched the Apple connection which allows developers to integrate Sign in with Apple into their applications. In this blog, I’ll guide you through the steps necessary to seamlessly incorporate this popular authentication option, allowing your users to quickly and easily access your applications with their Apple credentials.
How it Works
Sign in with Apple has adopted its terminology from the popular OAuth 2.0 and OIDC standards. However, Apple doesn’t explicitly call out these terms in its documentation.
To begin with, the IDP needs to have a connection with the Apple server and an application registered to perform the user authentication. In Asgardeo, this connection is established by creating a connection from the Apple connector template. After that, the Apple connection can be added as a sign-in method to the business application registered in Asgardeo.
Now let’s dive into how you can configure and integrate Sign in with Apple into your Asgardeo applications.
Prerequisites
You need an Apple developer account and an Asgardeo account. If you don’t already have an account in Asgardeo, sign up for a free account by visiting the Asgardeo signup page.
Register Asgardeo on Apple
Configuring the Apple side of things is not that straightforward, and you are required to perform a set of actions to create a few components. If you’re familiar with configuring other social login options like Google and Facebook, you may remember that those services provide you with a Client ID and a Client Secret to configure the connection with external IDPs. Apple, however, uses a public/private key client authentication method where the client secret is a JWT (JSON Web Token) signed with your private key. Apple expects developers to generate this client secret themselves. But don’t worry! Asgardeo has taken on this responsibility and is capable of generating the client secret whenever required.
Step 1: Create an App ID
First of all, we need to create an App ID. An App ID is the identifier that groups together the settings and capabilities that belong to your app.
Log in to the Apple Developer portal and click on Identifiers in the “Certificates, Identifiers and Profiles” section under Program resources. If you don’t see Program resources on the page you are redirected to, click on the Account tab.
Click on the + (plus) button and select App IDs. Click on Continue.
Select App as the type and click on Continue again. Enter the required details and select “Sign in with Apple” under the Capabilities tab.
Click on Continue and then click on Register.
Step 2: Register a Services ID
Now that we have created an App ID, the next step is to register a Services ID for the application. The Services ID is the identifier that we use as the client ID in traditional OAuth applications. It identifies this particular instance of the app.
Head back to the Identifiers section and click on the + (plus) button. This time select Services IDs and click on Continue. Enter the required details and click on Continue and then click on Register.
Note: The identifier you entered here will be required later on when configuring the Asgardeo connection.
Go back to the Identifiers section and click on the Services ID you just created. You can show only the Services IDs by selecting Services IDs from the drop-down on the right. Enable “Sign in with Apple” and click on Configure.
Select the App ID that you created in the previous step as the Primary App ID and provide the following values as the Domain and Return URL.
Domain: api.asgardeo.io
Return URL: https://api.asgardeo.io/t/{organization_name}/commonauth
Click on Continue and then click on Save.
Step 3: Register a new Key
As I have already mentioned, Apple follows a public/private key client authentication method. Hence we need to register a new private key with Apple.
Go back to the “Certificates, Identifiers & Profiles” section and click on Keys. Click on the + (plus) button. Provide a name for the key and enable “Sign in with Apple”. Then click on Configure.
Select the App ID that you created previously and click on Save. Then click on Continue. Click on Register.
The private key for your app will then be ready to download. Download it and save it in a secure place, as you will not be able to download it again. Also take note of the Key ID that is displayed on this page.
Note: The private key and Key ID will be required later on when configuring the Asgardeo connection.
Click on Done.
Also take note of the 10-character Team ID that is displayed in the top right corner under your name. It can also be viewed by clicking on the Account tab on the home page and then clicking on Membership details.
Configure the Asgardeo Apple Connection
Now that we have completed configuring the Apple side of things, we need to create an Apple connection in Asgardeo and enable it for an application.
Start by logging in to the Asgardeo console and heading over to the Develop section. Go to Connections and click on + Create Connection.
Select Apple as the template. Enter the required details and click on Finish.
+---------------+---------------------------------------------------------+
| Parameter | Description |
+---------------+---------------------------------------------------------+
| Name | A unique name for this Apple identity provider |
| Services ID | The services ID created at Apple |
| Team ID | Apple developer team ID |
| Key ID | Key identifier of the private key generated for the app |
| Private Key | Private key generated for the app |
+---------------+---------------------------------------------------------+
Enable Apple Login in your Application
The final step is to enable Apple login in your application. If you haven’t already created an application in Asgardeo, follow the documentation to create one.
On the Asgardeo console, navigate to Develop -> Applications. Select the application to which you want to add Apple login and head over to the Sign-in Method tab. If you haven’t configured a sign-in flow for the application previously, click on Add Apple login and then click on Update.
If a sign in flow is already configured, click on Add Authentication on the step, select your Apple identity provider, and click Add. Then click on Update.
Now that all the configurations are done, access your application URL and click Login. On the Asgardeo login page, the Sign In With Apple option will be displayed.
After authenticating successfully on the Apple login page, Apple will prompt you to create an account for the Apple IDP application. Here you have the option to edit the user’s name fields and to share or hide the email. Choosing Hide My Email will share a private relay address with Asgardeo instead of your personal email.
Important Points
Now that you have tried out the default flow, there are a few more important points to note about the Asgardeo Apple connection.
💠 By default, the generated client secret is valid for 6 months. Upon expiry, a new client secret is generated and stored on the Asgardeo server. If you wish to configure the validity period of the client secret, head over to the created Apple connection and visit the Settings tab.
💠 Apple provides two different scopes through which the IDP obtains user information. The Asgardeo connection is configured to request both of these scopes from the Apple server.
- email: Allows to view the user’s email address.
- name: Allows to view the user’s name fields. In particular, first name and last name.
💠 Apple requires response_mode to be sent as form_post whenever scopes are requested. This is handled automatically by the Asgardeo server.
💠 By default, JIT user provisioning is enabled for the Apple connection. If required, you can disable it by heading over to the created Apple connection and visiting the Advanced tab. However, this is not recommended, for the following reason.
The user information is shared by the Apple server only the first time the user uses Sign in with Apple. Subsequent login responses don’t contain the user’s first and last names. Hence, if you have disabled JIT provisioning, the application will only receive the user’s email address. If you decide to enable JIT provisioning later on, the provisioned user profiles of previously logged-in users will not contain their first and last names.
💠 If you have removed a provisioned user from Asgardeo and need to re-provision the profile, that user needs to log in to their Apple ID and remove the created Sign in with Apple profile before logging in again. Otherwise the user details will not be provisioned correctly.
💠 If a provisioned user needs to update their details (un-share the email, change the shared user details, etc.), they have to follow the same steps as in the previous point.