Sign in with Apple using WSO2 Identity Server

Farasath Ahamed
Identity Beyond Borders
8 min read · Jun 11, 2019

In my previous post, I briefly explained an approach to support “Sign in with Apple” using an IAM provider instead of modifying our app.

In this post, I will be using WSO2 Identity Server as my IAM provider and explaining how we can support “Sign in with Apple” without going through the hassle of modifying our apps.

In order to try this with me, you need:

  1. Access to an Apple Developer Account. Unfortunately, you need to pay Apple to get access to a developer account. If you already have access to one with sufficient permissions to create App IDs, we are good to go.
  2. The latest WSO2 Identity Server binary. You can download this from here. Unzip the .zip file and we are ready.
  3. Java 8 installed and the JAVA_HOME variable set. If you are familiar with Java you would already have these set up. We need Java to run the WSO2 Identity Server.
  4. A browser and curl. We will be using curl to send HTTP requests to simulate an app.

So this is what we finally want to set up,

Step 1: Setup WSO2 Identity Server for Sign in with Apple

The first step would be to create an application at the Apple Developer portal. Basically, we need three things for WSO2 Identity Server to be able to talk to Apple for the sign-in flow:

  1. A client_id to identify that the request is sent from WSO2 Identity Server
  2. A client_secret to authenticate requests sent from WSO2 Identity Server
  3. A registered callback URI, which Apple will use to send the response back to after authenticating the user.

So let’s do this.

  • Head over to your Apple developer account, and click on “Certificates, Identifiers & Profiles” section
  • Select Identifiers and click on add (+)
  • Register an App ID
  • Fill in the details to create the App ID
  • Select the “Sign in with Apple” option under capabilities.
  • Once again come back to the Identifiers page. Click on (+) to add a new Identifier. This time we will be creating a Services ID.
  • Fill in an identifier for the Services ID. This would be the client_id that we will require later for configuration on the WSO2 Identity Server side.
  • Enable “Sign In with Apple” and select the App ID you created in our previous step as the Primary App ID. Next, it’s time to configure the Callback URI. This is where Apple would redirect back after the user completes authentication. This URL should be in the form <IDENTITY_SERVER_HOST>:<PORT>/commonauth. In our example, this would be https://idp.demologin.com:9443/commonauth

Ideally, we should verify the domain “idp.demologin.com” to show that we own the domain. But for the moment you can skip and proceed. Add “idp.demologin.com” as the web domain.

  • Finally, we need to generate the client_secret. Usually, the federated IDP such as Google generates the client_secret for us. But Apple wants the application to create its own client_secret. Check the Apple Developer docs for more details.

In short, we need to build a small JSON payload (a JWT) and sign it with a private key. So let’s first generate a key for our app.

Head over to “Keys” section and click on (+)

  • Give the key a name and select “Sign in with Apple”. Click on the Configure button.
  • Select the App ID we created at the beginning.
  • The Private key for your app will be ready to be downloaded. You can download it only once :). So download it and we are one step away from generating the secret.
  • Generating the client secret

In order to generate the client_secret, you need the below information

> Your team ID (10 character Apple team ID)

> Your Services ID (this was the client_id that we generated above)

> Key ID value of the private key

  • We are going to use a Ruby script to generate the client secret. The script is borrowed from Aaron Parecki’s repo.

Copy the script and change the ‘kid’, ‘iss’, and ‘sub’ values to match your actual ones. Copy the private key we generated and save it as “key.txt”.

Make sure you have Ruby installed, install the ‘jwt’ gem (library :)), and then run the script to generate the secret.

sudo gem install jwt 
ruby client_secret.rb

This should generate the client secret in the form

eyJraWQiOiJKUTI0Wk5ZWVFMIiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJRSDhEVlI0NDQzIiwiaWF0IjoxNTYwMTgzNTMxLCJleHAiOjE1NjI3NzU1MzEsImF1ZCI6Imh0dHBzOi8vYXBwbGVpZC5hcHBsZS5jb20iLCJzdWIiOiJpZHAuZGVtb2dsb2dpbi5jb20ifQ.eX9z………uUw8–7285sA

(Of course, I have redacted the signature ;))
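As an added example (not part of the original post and not Aaron Parecki’s script), here is the same client_secret minted with only Ruby’s standard library, so you can see exactly what the ‘jwt’ gem does for you: the header carries the Key ID as ‘kid’, the payload carries the Team ID as ‘iss’, the Services ID as ‘sub’ and https://appleid.apple.com as ‘aud’, and the ECDSA signature has to be converted from the DER form OpenSSL produces to the raw r||s form JWS ES256 expects. The Team ID, Services ID and Key ID used in the stand-alone run are constructed placeholders, and a throw-away P-256 key stands in for the downloaded key file; the function and helper names are my own.

```ruby
# Added example: mint the Sign in with Apple client_secret JWT with Ruby's
# standard library only (openssl, json, base64). Not the script from the post.
require "openssl"
require "json"
require "base64"

APPLE_AUD = "https://appleid.apple.com"

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
end

# OpenSSL returns ECDSA signatures as a DER SEQUENCE of two INTEGERs, while JWS
# ES256 wants the raw 64-byte r||s form. Skipping this conversion is a common
# reason a hand-rolled client secret fails to validate.
def der_to_raw(der)
  r, s = OpenSSL::ASN1.decode(der).value.map { |int| int.value.to_s(2) }
  r.rjust(32, "\x00") + s.rjust(32, "\x00")
end

def raw_to_der(raw)
  r = OpenSSL::BN.new(raw[0, 32], 2)
  s = OpenSSL::BN.new(raw[32, 32], 2)
  OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(r),
                               OpenSSL::ASN1::Integer.new(s)]).to_der
end

# team_id   : the 10-character Apple Team ID        -> "iss" claim
# client_id : the Services ID registered with Apple -> "sub" claim
# key_id    : Key ID of the downloaded private key  -> "kid" header
# Apple caps the lifetime at six months; a shorter ttl (30 days here) limits the
# window in which a leaked secret stays usable.
def apple_client_secret(private_key_pem:, team_id:, client_id:, key_id:,
                        now: Time.now.to_i, ttl: 30 * 24 * 3600)
  key = OpenSSL::PKey::EC.new(private_key_pem)
  header  = { kid: key_id, alg: "ES256" }
  payload = { iss: team_id, iat: now, exp: now + ttl, aud: APPLE_AUD, sub: client_id }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  der_sig = key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{b64url(der_to_raw(der_sig))}"
end

# Check a minted secret the way the receiving side will: split it, convert the raw
# signature back to DER, verify it with the key, then return header and claims.
def verify_client_secret(token, key_pem)
  h, p, s = token.split(".")
  key = OpenSSL::PKey::EC.new(key_pem)
  der = raw_to_der(b64url_decode(s))
  raise "bad signature" unless key.verify(OpenSSL::Digest.new("SHA256"), der, "#{h}.#{p}")
  [JSON.parse(b64url_decode(h)), JSON.parse(b64url_decode(p))]
end

# Stand-alone run with constructed values: a fresh P-256 key stands in for the
# real key file, and the IDs are placeholders for the ones from the Apple portal.
if __FILE__ == $PROGRAM_NAME
  pem = OpenSSL::PKey::EC.generate("prime256v1").to_pem
  secret = apple_client_secret(private_key_pem: pem, team_id: "TEAMID1234",
                               client_id: "idp.demologin.com", key_id: "KEYID12345")
  puts secret
  p verify_client_secret(secret, pem)
end
```

To use it with the real key, pass File.read("key.txt") as private_key_pem: the file Apple gives you is a PKCS#8 PEM, which OpenSSL::PKey::EC.new reads as-is. Treat that file as a credential, since anyone holding it can mint valid client secrets for your Services ID, and keep the ttl short so that the secret in the identity provider configuration is rotated regularly.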

Phew! Now we have,

  1. client_id (which is also the service id “idp.demologin.com”)
  2. client_secret which we generated above
  3. registered callback URI (https://idp.demologin.com:9443/commonauth)

Step 2: Setup Apple as an Identity Provider in WSO2 Identity Server

Now we need to configure the WSO2 Identity Server to talk to Apple for authentication. To do this,

  • We need to run the identity server under the “idp.demologin.com” domain.

Since I do not have a domain with the name “demologin.com”, I will be using an /etc/hosts entry to point that hostname at my locally running server. Add the below entry to /etc/hosts:

127.0.0.1 idp.demologin.com
  • Assuming you have the WSO2 Identity Server unzipped, edit the WSO2_HOME/repository/conf/carbon.xml file and change the hostnames using the tags below:
<HostName>idp.demologin.com</HostName>
<MgtHostName>idp.demologin.com</MgtHostName>
  • Start up the identity server. Head over to the bin directory and run from a terminal (command line):
sh wso2server.sh
  • Once the server is up you should see logs like the ones below, which means you are ready to go. Click on the Management Console URL “https://idp.demologin.com:9443/carbon”. You can log in using the default credentials username=admin, password=admin.
  • Go to “Identity Providers” and click on Add
  • Next, we fill in the details we obtained from Apple.
  1. Client ID
  2. Client Secret
  3. Authorization Endpoint — https://appleid.apple.com/auth/authorize
  4. Token Endpoint — https://appleid.apple.com/auth/token
  5. Additional Query Params — “scope=openid email&response_mode=form_post”

Click on “Update” and you have successfully added Apple as a trusted Identity Provider in WSO2 Identity Server.

Testing Apple Sign In

Now we have Apple added as a trusted identity provider. In order to test, we need an application. Instead of a real application, we can use the browser + curl combination to simulate an application that logs in using OpenID Connect.

  • To register an OAuth application, click on “Add” under Service Providers.
  • You can download the file (an app that was created and exported) and import it to create the app.
  • The app created will have

> client_id = pAlTjf4hEdBsxtIjaeZBnoBQRzoa

> client_secret = PAb_jH_efJNcL6XNOz0rkcgcUAoa

> redirect_uri = https://localhost/callback

  • Now let’s hook “Sign in With Apple” into the application’s login flow. To do this, edit the app and head over to the “Local & Outbound Authentication Configuration” section. Select the “Federated Authentication” option. Since we have only the “AppleSignIn” identity provider we created, you don’t have to do anything else. Otherwise, you might have to pick the correct identity provider from the drop-down.
  • Click on update.

Let’s start the login flow.

Typically an OpenID Connect app would send a request like the one below to start the login flow. Open the below URL in the browser.

https://idp.demologin.com:9443/oauth2/authorize?response_type=code&client_id=pAlTjf4hEdBsxtIjaeZBnoBQRzoa&redirect_uri=https://localhost/callback&scope=openid

If you have followed the steps above carefully, we should end up at the login page of Apple.

Step 1: Authenticate with username, password

Now we have to complete the authentication at Apple. It is important to note that you need to have two-factor authentication enabled for your Apple ID. Otherwise, you will not be able to complete your login.

Step 2: Authenticate with OTP sent to a trusted device
Step 3: Provide consent to share personal information
  • Once you complete the authentication steps you will be prompted for consent at the WSO2 Identity Server. You need to approve the consent and continue.
  • Copy the authorization code from the redirect to the callback URL and send a token request:
curl -k -X POST --user <client_id>:<client_secret> https://idp.demologin.com:9443/oauth2/token -d 'grant_type=authorization_code&code=<code>&redirect_uri=<redirect_uri>' -v

Sample Request.

curl -k -X POST --user pAlTjf4hEdBsxtIjaeZBnoBQRzoa:PAb_jH_efJNcL6XNOz0rkcgcUAoa https://idp.demologin.com:9443/oauth2/token -d 'grant_type=authorization_code&code=a392fd72-226d-391f-a37c-4c61df2deb74&redirect_uri=https://localhost/callback' -v
  • You will get an id_token in the response containing the user information. Decoding the token you should be able to see the user information.
{
  "at_hash": "EEC0TCIvfNoQnXEZ-ufHqQ",
  "http://wso2.org/claims/username": "001126.d3c6971f4faa4ccd80027e3654fa404a.1616",
  "aud": "pAlTjf4hEdBsxtIjaeZBnoBQRzoa",
  "c_hash": "26sWPxvGrWJKsL5e5a8W5g",
  "sub": "001126.d3c6971f4faa4ccd80027e3654fa404a.1616",
  "nbf": 1560246904,
  "azp": "pAlTjf4hEdBsxtIjaeZBnoBQRzoa",
  "amr": [
    "OpenIDConnectAuthenticator"
  ],
  "iss": "https://idp.demologin.com:9443/oauth2/token",
  "exp": 1560250504,
  "iat": 1560246904,
  "sid": "9ebb0ad5-a380-4da0-99b3-f4ae247c98c5"
}

The “sub” claim carries the identifier that Apple sent for the user.
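Decoding the id_token is enough to look at the claims, but an app should not trust the “sub” value until it has verified the token. As an added example (not part of the original post and not WSO2 code), here is the check a relying party would run before using the claims above: pin the signing algorithm instead of trusting the header, verify the signature, then check issuer, audience, authorized party and the exp/nbf window. It assumes the id_token is signed with RS256 (an assumption; confirm it against your server’s configuration) and that the public key was fetched from the Identity Server’s JWKS endpoint. The sample token is constructed by copying the claims from the decoded token above and signing them with a throw-away RSA key, so the example runs offline; the function names are my own.

```ruby
# Added example: verify an OIDC id_token before trusting its claims. Not WSO2
# code; RS256 and a JWKS-sourced public key are assumptions for this demo.
require "openssl"
require "json"
require "base64"

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
end

class IdTokenError < StandardError; end

# Returns the claims only if signature, issuer, audience and time checks all pass.
# `now` is a Unix timestamp so the check can be replayed against old tokens.
def verify_id_token(token, public_key, expected_iss:, expected_aud:,
                    now: Time.now.to_i, leeway: 60)
  parts = token.split(".")
  raise IdTokenError, "malformed token" unless parts.size == 3
  header = JSON.parse(b64url_decode(parts[0]))
  # Pin the algorithm rather than trusting the header: this rejects alg=none and
  # HMAC/RSA key-confusion tokens before any signature check runs.
  raise IdTokenError, "unexpected alg #{header['alg'].inspect}" unless header["alg"] == "RS256"
  signing_input = "#{parts[0]}.#{parts[1]}"
  signature = b64url_decode(parts[2])
  unless public_key.verify(OpenSSL::Digest.new("SHA256"), signature, signing_input)
    raise IdTokenError, "bad signature"
  end
  claims = JSON.parse(b64url_decode(parts[1]))
  raise IdTokenError, "wrong issuer" unless claims["iss"] == expected_iss
  raise IdTokenError, "wrong audience" unless Array(claims["aud"]).include?(expected_aud)
  raise IdTokenError, "azp mismatch" if claims.key?("azp") && claims["azp"] != expected_aud
  unless claims["exp"].is_a?(Integer) && now < claims["exp"] + leeway
    raise IdTokenError, "token expired"
  end
  raise IdTokenError, "token not yet valid" if claims["nbf"] && now + leeway < claims["nbf"]
  claims
end

# Constructed sample: claims copied from the decoded id_token in the post.
SAMPLE_CLAIMS = {
  "sub" => "001126.d3c6971f4faa4ccd80027e3654fa404a.1616",
  "aud" => "pAlTjf4hEdBsxtIjaeZBnoBQRzoa",
  "azp" => "pAlTjf4hEdBsxtIjaeZBnoBQRzoa",
  "iss" => "https://idp.demologin.com:9443/oauth2/token",
  "nbf" => 1560246904, "iat" => 1560246904, "exp" => 1560250504,
  "amr" => ["OpenIDConnectAuthenticator"]
}.freeze

# Signs the sample claims with a throw-away key so the verifier has something to
# check offline; `alg` is a parameter only so the test can forge an alg=none header.
def sign_rs256(claims, private_key, alg: "RS256")
  header = b64url(JSON.generate({ "alg" => alg, "typ" => "JWT" }))
  signing_input = "#{header}.#{b64url(JSON.generate(claims))}"
  "#{signing_input}.#{b64url(private_key.sign(OpenSSL::Digest.new("SHA256"), signing_input))}"
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)
  token = sign_rs256(SAMPLE_CLAIMS, key)
  claims = verify_id_token(token, key.public_key,
                           expected_iss: "https://idp.demologin.com:9443/oauth2/token",
                           expected_aud: "pAlTjf4hEdBsxtIjaeZBnoBQRzoa", now: 1560247000)
  puts "Apple user identifier: #{claims['sub']}"
end
```

In the real flow the expected_iss is the issuer shown in the token above and expected_aud is your app’s client_id; a token that fails any of these checks should be discarded rather than “decoded anyway”, because the sub value is what your app will map to a local account.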
