ForgeRock Developer Experience

Configure social login identity providers

Create an Apple client

Sign up for an Apple developer account

You must enroll in the Apple Developer program.

Apple Developer Enterprise Program accounts are not able to configure Sign in with Apple.

Set up application redirection

After Apple processes the initial authorization request and the user is successfully authenticated, Sign in with Apple sends an HTTP POST request to Identity Cloud or AM containing the authorization results.

For a web application (SPA) or an Android device, the POST request is sent to a dynamically created endpoint, specified in the Apple Sign In configuration as the redirect URL.

The redirect URL

To complete Apple client set up, you need the full redirect URL. This URL is not made available until you fully set up the provider in AM. If you have already set up your Apple provider, the redirect URL resembles the following:


Set up Apple sign in

Create an app ID

  1. Log in to your Apple developer account.

  2. In the Program resources category, under Certificates, Identifiers & Profiles, click Identifiers.

  3. Click the plus button () next to the Identifiers header.

  4. Select App IDs, and click Continue.

  5. Select App type, and click Continue.

  6. Type a description of your app, and provide a Bundle ID using reverse-domain name style.

    For example com.forgerock.ios.sdk.example.

  7. Select Sign in with Apple, and click Continue.

  8. Review your entry, and click Register.

Create a service ID

  1. On the Identifiers page, click the plus button () next to the Identifier header.

  2. Select Service IDs, and click Continue.

  3. Enter a description of your service.

  4. Enter an Identifier that is similar to your app ID.

    For example, <app-id>.service.

  5. Click Continue.

  6. Review your entry, and click Register.

Configure the Apple sign in service

  1. On the Identifiers page, click the dropdown next to the magnifying glass icon, and then select Services IDs.

  2. Select the service ID you created.

  3. Next to Sign in with Apple, click Configure.

  4. Click the plus button next to the Website URLs header.

  5. In Domains and Subdomains:

    • For JavaScript apps, enter the domains that host your app.

      For example,

      During testing, do not use the domain to host your application. Apple treats this domain differently than other domains, which can cause unexpected issues.

      Using or any other domain does not present these same difficulties.

    • For native Android and iOS apps, enter the domain of your Identity Cloud or AM instance.

      For example,

  6. In Return URLs, enter the URL that Apple redirects users to after authentication.

    Users must be redirected back to Identity Cloud or AM to continue their authentication journey.

    The URL to use is dynamically created by Identity Cloud or AM when you configure identity providers, and uses the following syntax:

    Identity Cloud




  7. Click Next.

  8. Review, and click Done.

Create a key

Store your key in a safe location. You cannot download keys more than once.

  1. On the developer account page, in the left navigation panel, click Keys.

  2. Click the plus button next to the Keys header.

  3. Enter your key name, and select Sign in with Apple.

  4. Click Configure, select your primary app ID, and click Save.

  5. Click Continue.

  6. Review, and click Register.

Generate a client secret

The client secret for Apple sign is a JSON Web token (JWT). The JWT is more complex than a simple string. A common way of generating the JWT is to use the jwt/ruby-jwt library.

Before you create the JWT, you need to understand certain requirements. To learn about these requirements, see Apple’s documentation about generating and validating tokens.

Configure the client ID

  • For Native iOS: The client_id should be the AppID (bundle identifier) from the Apple Development portal.

  • For Web or Android: The client_id should be the ServiceID from the Apple Development portal.

Example signing script:

require "jwt"

key_file = [Key file name]
team_id = [Team ID]
client_id = [AppID or Service ID]
key_id = [Key ID]
validity_period = 180 # In days. Max 180 (6 months) according to Apple docs.

private_key = key_file

token = JWT.encode(
        iss: team_id,
        exp: + 86400 * validity_period,
        aud: "",
        sub: client_id
        kid: key_id
puts token

Create a Facebook client

To use Facebook as an Identity Provider, visit the Facebook for Developers page, and follow these steps:

  1. Click the Create App button.

  2. Select Consumer for app type, and click Next.

  3. Enter your app’s display name and contact email.

  4. Click the Create app button.

  5. On the Add products to your app page, under Facebook Login, click Set up.

  6. In the left navigation panel, click Settings > Basic.

  7. Take note of the App ID and App secret values.

Generate a key hash

The default password for Android Studio is android.

  1. To generate a key hash value, in a terminal window, enter the following command:

    keytool -exportcert -alias androiddebugkey -keystore ~/.android/debug.keystore | openssl sha1 -binary | openssl base64
  2. Note the key hash value for later use.

Configure an Android app

  1. On the developer apps page, double-click an Android app.

  2. In the left navigation panel, select Settings > Basic.

  3. At the bottom of the page, click Add platform, select Android, and click Next.

  4. In the Select Android Store dialog, select a store.

    For example, Google Play.

  5. Click Next.

  6. Scroll down to the Android section.

  7. In the Key hashes field, enter the key hash value you generated earlier.

  8. In the Package Names field, enter your app’s Google Play Package Name.

    The name is often a reverse domain name, such as

  9. In the Class Name field, enter your app’s class name.

  10. Click Save changes.

Configure an iOS app

  1. On the developer apps page, select iOS.

  2. Click Next.

  3. Enter your Bundle ID.

    The name is often a reverse domain name, such as

  4. Click Save changes.

  5. In the left navigation panel, under Facebook Login, select Quickstart.

  6. Click iOS.

  7. Read the information, and select your package manager.

  8. Click Next.

  9. Enter your Bundle ID.

  10. Click Save.

  11. Click Continue.

  12. Select your single sign-on settings.

  13. When you get to Configure Your info.plist, configure your info.plist file with the XML snippet that contains data for your app.

Create a Google client

To use Google as an IdP, visit Google’s API Dashboard, and follow these steps:

  1. In the left navigation, click Credentials.

  2. Click CREATE CREDENTIALS > OAuth client ID.

    For an Android app
    1. Select Android as the value for Application Type.

    2. In the Name field, type a name for this application.

    3. Enter the package name from the AndroidManifest.xml file.

    4. Enter the SHA-1 certificate fingerprint.

      Use the following command to get the fingerprint:

      keytool -keystore path-to-debug-or-production-keystore -list -v
    5. Click Create.

    For an iOS app
    1. Select iOS as the value for Application Type.

    2. In the Name field, type a name for this application.

    3. Enter the bundle id as listed in the app’s Info.plist file.

    4. If the app is listed in the Apple App Store, enter the Apple ID of the app.

    5. Enter the Team ID that Apple assigned to your team.

    6. Click Create.

    For a JavaScript app
    1. Select Web application as the value for Application Type.

    2. In the Name field, type a name for this application.

    3. Under Authorized JavaScript Origins, add the origins of the apps that use Google as an IdP.

      Origins include scheme, domain, and port.

    4. Under Authorized redirect URIs, add the full redirect URLs of your apps that handle the redirection from Google after user login.

    5. Click Create.

Native Android social authentication

To enable native Android social authentication, you must create two OAuth 2.0 clients in the Google API console:

  1. Create an OAuth 2.0 client for the Android application.

  2. Create an OAuth 2.0 client for AM to communicate with the Google APIs.

Copyright © 2010-2024 ForgeRock, all rights reserved.