ForgeRock SDKs

Create an Apple client

Sign up for an Apple developer account

You must enroll in the Apple Developer program.

Apple Developer Enterprise Program accounts are not able to configure Sign in with Apple.

Set up application redirection

After Apple processes the initial authorization request and the user is successfully authenticated, Sign in with Apple sends an HTTP POST request to Identity Cloud or AM containing the authorization results.

For a web application (SPA) or an Android device, the POST request is sent to a dynamically created endpoint, specified in the Apple Sign In configuration as the redirect URL.

The redirect URL

To complete Apple client set up, you need the full redirect URL. This URL is not made available until you fully set up the provider in AM. If you have already set up your Apple provider, the redirect URL resembles the following:

https://<tenant-env-fqdn>/am/oauth2/<realm>/client/form_post/<secondary-configuration-name>

Set up Apple sign in

Create an app ID

  1. Log in to your Apple developer account.

  2. In the Program resources category, under Certificates, Identifiers & Profiles, click Identifiers.

  3. Click the plus button () next to the Identifiers header.

  4. Select App IDs, and click Continue.

  5. Select App type, and click Continue.

  6. Type a description of your app, and provide a Bundle ID using reverse-domain name style.

    For example com.forgerock.ios.sdk.example.

  7. Select Sign in with Apple, and click Continue.

  8. Review your entry, and click Register.

Create a service ID

  1. On the Identifiers page, click the plus button () next to the Identifier header.

  2. Select Service IDs, and click Continue.

  3. Enter a description of your service.

  4. Enter an Identifier that is similar to your app ID.

    For example, <app-id>.service.

  5. Click Continue.

  6. Review your entry, and click Register.

Configure the Apple sign in service

  1. On the Identifiers page, click the dropdown next to the magnifying glass icon, and then select Services IDs.

  2. Select the service ID you created.

  3. Next to Sign in with Apple, click Configure.

  4. Click the plus button next to the Website URLs header.

  5. In Domains and Subdomains:

    • For JavaScript apps, enter the domains that host your app.

      For example, sdkapp.example.org

      During testing, do not use the example.com domain to host your application. Apple treats this domain differently than other domains, which can cause unexpected issues.

      Using example.org or any other domain does not present these same difficulties.

    • For native Android and iOS apps, enter the domain of your Identity Cloud or AM instance.

      For example, openam-forgerock-sdks.forgeblocks.com

  6. In Domains and Subdomains, enter the URL that Apple redirects users to after authentication.

    Users must be redirected back to Identity Cloud or AM to continue the authentication journey.

    The URL to use is dynamically created by Identity Cloud or AM when you configure identity providers, and uses the following syntax:

    Identity Cloud

    https://<tenant-env-fqdn>/am/oauth2/<realm>/client/form_post/<secondary-configuration-name>

    AM

    https://<am-fqdn>/openam/oauth2/client/form_post/<secondary-configuration-name>

  7. Click Next.

  8. Review, and click Done.

Create a key

Store your key in a safe location. You cannot download keys more than once.

  1. On the developer account page, in the left navigation panel, click Keys.

  2. Click the plus button next to the Keys header.

  3. Enter your key name, and select Sign in with Apple.

  4. Click Configure, select your primary app ID, and click Save.

  5. Click Continue.

  6. Review, and click Register.

Generate a client secret

The client secret for Apple sign is a JSON Web token (JWT). The JWT is more complex than a simple string. A common way of generating the JWT is to use the jwt/ruby-jwt library.

Before you create the JWT, you need to understand certain requirements. To learn about these requirements, see Apple’s documentation about generating and validating tokens.

Configure the client ID

  • For Native iOS: The client_id should be the AppID (bundle identifier) from the Apple Development portal.

  • For Web or Android: The client_id should be the ServiceID from the Apple Development portal.

Example signing script:

require "jwt"

key_file = [Key file name]
team_id = [Team ID]
client_id = [AppID or Service ID]
key_id = [Key ID]
validity_period = 180 # In days. Max 180 (6 months) according to Apple docs.

private_key = OpenSSL::PKey::EC.new IO.read key_file

token = JWT.encode(
    {
        iss: team_id,
        iat: Time.now.to_i,
        exp: Time.now.to_i + 86400 * validity_period,
        aud: "https://appleid.apple.com",
        sub: client_id
    },
    private_key,
    "ES256",
    header_fields=
    {
        kid: key_id
    }
)
puts token
Copyright © 2010-2023 ForgeRock, all rights reserved.