Create an Apple client
Sign up for an Apple developer account
You must enroll in the Apple Developer program.
Apple Developer Enterprise Program accounts do not support Sign in with Apple.
Set up application redirection
After Apple processes the initial authorization request (GET https://appleid.apple.com/auth/authorize) and the user is successfully authenticated, Sign in with Apple requires handling an HTTP POST request that contains the authorization results.
For a web application (SPA) or an Android device, the POST request must go to a special Identity Cloud endpoint. This endpoint is the redirect URL, and you must add it to your Sign in with Apple configuration.
The redirect URL
To complete the Apple client setup, you need the full redirect URL. This URL is not available until you have fully set up the provider in AM. If you have already set up your Apple provider, the redirect URL looks like:
https://<forgerock-id-cloud>/am/oauth2/<realm>/client/form_post/<provider-config>
Set up Apple sign in
Create an app ID
- Log in to your developer account.
- In the left navigation panel, click Certificates, IDs & Profiles.
- In the left navigation panel, click Identifiers.
- Click the plus button (+) next to the Identifier header.
- Select App IDs, and click Continue.
- Select App type, and click Continue.
- Type a description of your app, and provide a Bundle ID using reverse-domain name style.
- Enable Sign in with Apple, and click Continue.
- Review your entry, and click Register.
Create a service ID
- On the Identifiers page, click the plus button (+) next to the Identifier header.
- Select Service IDs, and click Continue.
- Enter a description of your service.
- Enter an Identifier that is similar to your app ID. For example, <app-id>.service.
- Click Continue.
- Review your entry, and click Register.
Configure the Apple sign in service
- On the Identifiers page, click the dropdown next to the magnifying glass icon.
- Select the service ID you created.
- Next to Sign in with Apple, click Configure.
- Click the plus button next to the Website URLs header.
- Enter the domains (subdomains) for Apple sign in support.
- Enter the return URLs that Apple redirects to after successful sign in. If you use the special ForgeRock endpoint for the POST redirect, enter the endpoint URL.
- Click Next.
- Review, and click Done.
Create a key
Store your key in a safe location. You cannot download keys twice.
- On the developer account page, in the left navigation panel, click Keys.
- Click the plus button next to the Keys header.
- Enter your key name, and select Sign in with Apple.
- Click Configure, select your primary app ID, and click Save.
- Click Continue.
- Review, and click Register.
Generate a client secret
The client secret for Apple sign in is a JSON Web Token (JWT), not a simple string: it is signed with the private key you created above. A common way of generating the JWT is to use the jwt/ruby-jwt library.
Before you create the JWT, you need to understand Apple's requirements for its claims and lifetime. To learn about these requirements, see Apple's documentation about generating and validating tokens.
Configure the client ID
- For native iOS: the client_id should be the App ID (bundle identifier) from the Apple Developer portal.
- For web or Android: the client_id should be the Service ID from the Apple Developer portal.
Example signing script:
require "jwt"
require "openssl"

key_file        = "AuthKey_<KEY-ID>.p8"    # path to the .p8 key file downloaded from Apple
team_id         = "<TEAM-ID>"              # Team ID from the developer account
client_id       = "<APP-ID-OR-SERVICE-ID>" # App ID (native iOS) or Service ID (web/Android)
key_id          = "<KEY-ID>"               # ID of the Sign in with Apple key
validity_period = 180 # In days. Max 180 (6 months) according to Apple docs.

# The .p8 file holds a PEM-encoded EC (P-256) private key.
private_key = OpenSSL::PKey::EC.new(File.read(key_file))

token = JWT.encode(
  {
    iss: team_id,
    iat: Time.now.to_i,
    exp: Time.now.to_i + 86400 * validity_period,
    aud: "https://appleid.apple.com",
    sub: client_id
  },
  private_key,
  "ES256",
  { kid: key_id } # JWT header fields: Apple looks up the signing key by this ID
)
puts token
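As an added example (not ForgeRock's or Apple's code), the following Ruby script builds the same kind of client secret using only the standard library, so you can see what the jwt gem does for you, and then checks the result against the requirements listed above before you paste it into the AM provider configuration: ES256 with the key ID in the kid header, an aud of https://appleid.apple.com, iss and sub present, and a lifetime of at most six months (15777000 seconds, the limit given in Apple's documentation). The key is generated in-process for the demonstration; with a real key you would load the downloaded .p8 file with OpenSSL::PKey::EC.new(File.read(path)). The names build_client_secret, check_client_secret and the sample IDs are this example's own.

```ruby
# Added example, not from the ForgeRock or Apple documentation.
# Builds a Sign in with Apple client-secret JWT with the Ruby standard library
# and checks the claims Apple requires. Function names and sample IDs are assumptions.
require "openssl"
require "json"
require "base64"

APPLE_AUD = "https://appleid.apple.com".freeze
MAX_LIFETIME = 15_777_000 # seconds: Apple's documented maximum (6 months)

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# JWS ES256 signatures are raw r||s (64 bytes), not the DER SEQUENCE OpenSSL emits.
def der_to_jose(der)
  r, s = OpenSSL::ASN1.decode(der).value.map { |int| int.value.to_s(2).rjust(32, "\x00") }
  r + s
end

def jose_to_der(raw)
  OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(raw[0, 32], 2)),
    OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(raw[32, 32], 2))
  ]).to_der
end

# Same claims as the jwt-gem script above: iss = Team ID, sub = App ID or Service ID.
def build_client_secret(private_key, team_id:, client_id:, key_id:, now: Time.now.to_i, days: 180)
  header  = { alg: "ES256", kid: key_id }
  payload = { iss: team_id, iat: now, exp: now + 86_400 * days, aud: APPLE_AUD, sub: client_id }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  der = private_key.dsa_sign_asn1(OpenSSL::Digest.digest("SHA256", signing_input))
  "#{signing_input}.#{b64url(der_to_jose(der))}"
end

# Decodes the token, verifies the signature with the matching public key and
# checks each requirement. Returns an array of problems; empty means the secret is usable.
def check_client_secret(token, public_key, expected_kid:, now: Time.now.to_i)
  h, p, sig = token.split(".")
  header  = JSON.parse(Base64.urlsafe_decode64(h))
  payload = JSON.parse(Base64.urlsafe_decode64(p))
  problems = []
  problems << "alg must be ES256" unless header["alg"] == "ES256"
  problems << "kid does not match key" unless header["kid"] == expected_kid
  problems << "aud must be #{APPLE_AUD}" unless payload["aud"] == APPLE_AUD
  problems << "exp exceeds 6 months" if payload["exp"].to_i - payload["iat"].to_i > MAX_LIFETIME
  problems << "token already expired" if payload["exp"].to_i <= now
  %w[iss sub].each { |claim| problems << "missing #{claim}" if payload[claim].to_s.empty? }
  raw = Base64.urlsafe_decode64(sig)
  digest = OpenSSL::Digest.digest("SHA256", "#{h}.#{p}")
  valid = raw.bytesize == 64 && public_key.dsa_verify_asn1(digest, jose_to_der(raw))
  problems << "bad signature" unless valid
  problems
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::EC.generate("prime256v1") # stand-in for the .p8 key from Apple
  token = build_client_secret(key, team_id: "TEAMID1234", client_id: "com.example.app.service", key_id: "KEYID12345")
  puts token
  puts check_client_secret(token, key, expected_kid: "KEYID12345").inspect
end
```

The check runs against the same key object because an EC private key carries its public half; Apple only ever sees the public key it stored when you created the key, so a "bad signature" result here means the .p8 file and the Key ID in the kid header do not belong together.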