Create an Apple client

Sign up for an Apple developer account

You must enroll in the Apple Developer program.

Apple Developer Enterprise Program accounts do not support Sign in with Apple.

Set up application redirection

After Apple processes the initial authorization request (GET https://appleid.apple.com/auth/authorize), and the user is successfully authenticated, Sign in with Apple requires handling an HTTP POST request that contains the authorization results.

For a web application (SPA) or an Android device, the POST request requires use of a special Identity Cloud endpoint. The endpoint is the redirect URL. You must add the endpoint to your Apple Sign In configuration.

The redirect URL

To complete Apple client set up, you need the full redirect URL. This URL is not available until you fully set up the provider in AM. If you have already set up your Apple provider, the redirect URL should look like:

https://<forgerock-id-cloud>/am/oauth2/<realm>/client/form_post/<provider-config>

Set up Apple sign in

Create an app ID

Log in to your developer account.
In the left navigation panel, click Certificates, IDs & Profiles.
In the left navigation panel, click Identifiers.
Click the plus button () next to the Identifier header.
Select App IDs, and click Continue.
Select App type, and click Continue.
Type a description of your app, and provide a Bundle ID using reverse-domain name style.
Enable Sign in with Apple, and click Continue.
Review your entry, and click Register.

Create a service ID

On the Identifiers page, click the plus button () next to the Identifier header.
Select Service IDs, and click Continue.
Enter a description of your service.
Enter an Identifier that is similar to your app ID.

For example, <app-id>.service.
Click Continue.
Review your entry, and click Register.

Configure the Apple sign in service

On the Identifiers page, click the dropdown next to the magnifying glass icon.
Select the service ID you created.
Next to Sign in with Apple, click Configure.
Click the plus button next to the Website URLs header.
Enter the domains (subdomains) for Apple sign in support.
Enter the return URLs that Apple redirects to after successful sign in.

If you use the special ForgeRock endpoint for the POST redirect, enter the endpoint URL.
Click Next.
Review, and click Done.

Create a key

Store your key in a safe location. You cannot download keys twice.

On the developer account page, in the left navigation panel, click Keys.
Click the plus button next to the Keys header.
Enter your key name, and select Sign in with Apple.
Click Configure, select your primary app ID, and click Save.
Click Continue.
Review, and click Register.

Generate a client secret

The client secret for Apple sign is a JSON Web token (JWT). The JWT is more complex than a simple string. A common way of generating the JWT is to use the jwt/ruby-jwt library.

Before you create the JWT, you need to understand certain requirements. To learn about these requirements, see Apple’s documentation about generating and validating tokens.

Configure the client ID

For Native iOS: The client_id should be the AppID (bundle identifier) from the Apple Development portal.
For Web or Android: The client_id should be the ServiceID from the Apple Development portal.

Example signing script:

require "jwt"

key_file = [Key file name]
team_id = [Team ID]
client_id = [AppID or Service ID]
key_id = [Key ID]
validity_period = 180 # In days. Max 180 (6 months) according to Apple docs.

private_key = OpenSSL::PKey::EC.new IO.read key_file

token = JWT.encode(
    {
        iss: team_id,
        iat: Time.now.to_i,
        exp: Time.now.to_i + 86400 * validity_period,
        aud: "https://appleid.apple.com",
        sub: client_id
    },
    private_key,
    "ES256",
    header_fields=
    {
        kid: key_id
    }
)
puts token

ForgeRock SDKs