AppleID Social Login

This section describes how to configure AppleID application to login in OpenIAM.

1 Configuring authentication using an AppleID

1.1 Create Identifier

Sign in to the Apple Developer Portal and click Certificates, Identifiers and Profiles line in menu. From the sidebar, choose Identifiers then click the blue plus icon. Select App IDs, then App, click Continue. In the next screen, populate fields description and Bundle ID. Down below there is a the list of capabilities. Find and check the box next to Sign In with Apple. Confirm this step by clicking Continue and then Register. apple-Identifier

1.2 Create a Services ID

The Services ID is identifier for the instance of your app, and is used as the OAuth client_id. Description defines the name of the app that the user will see during the login flow, as well as define the identifier which becomes the OAuth client_id. Check the Sign In with Apple checkbox. Enter Services ID information Click the Configure button next to 'Sign In with Apple'. This is where you’ll define the domain your app is running on, as well as define the redirect URLs used during the OAuth flow. example: domain: redirect: Server must have SSL connection. apple-redirect

Make sure your associated App ID is chosen as the Primary App ID. Click Save and then Continue and Register until this step is completed. Now we have an App ID container to hold everything, and a Services ID which you’ll use as OAuth client_id. apple-Services

1.3 Create a Private Key for Client Authentication

Apple has decided to use a public/private key pair, where the client secret is actually a signed JWT. Next step involves registering a new private key with Apple.

Back in the main Certificates, Identifiers & Profiles screen, choose Keys from the side navigation. Click the blue plus icon to register a new key. Give your key a name, and check the Sign In with Apple checkbox. Click the Configure button and select your primary App ID you created earlier. Select the primary App ID Apple will generate a new private key for you and let you download it only once. You will need to upload this file later in OpenIAM configuration. apple-keys

2 Configure OpenIAM

Create new authentication provider - AppleID provider. Fill TeamID, KeyId, ClientID and other required fields (managed system, login module and password policy). Other fields has default values, do not change them, these are standard Apple values. Save configuration, in reloaded page you will find field to upload key, go ahead and do it. Key is stored in Vault, you can be sure it is secured as other sensitive data in Vault. After few minutes you will be able to see the 'Sing in with Apple' button. End user, who tries to sign in with Apple, must have an same identity as their Apple email address.

3 Test feature

Now on login page you can see red button 'Sign in with Apple', if you click it Apple will ask you to share your info with the app and if Apple credentials are valid and your email matches the IAM identity, it is not locked or disabled you will be logged in.

The example of correct redirection after hitting 'Sign in with Apple' button can be found here.