Author | Janak Amarasena

Translation | Knowledge Set

Source | Medium

At WWDC19, Apple introduced an interesting feature called “Sign In with Apple.” This authentication service, provided by Apple, lets developers allow users to log in to their apps using their Apple ID.

Configuring this feature by browsing the Official Apple documentation [1] seems like a tedious task. So here I’ll quickly guide you through some basic setup 🙂

Log in to the Apple Developer account.

First we need an App ID with the Sign In with Apple capability enabled.

• Go to Certificates, Identifiers & Profiles > Identifiers, then click the + sign in the top left corner next to Identifiers;

• Select App IDs and click Continue;

• Enter any Description and Bundle ID here (Apple recommends using a reverse domain name style string, such as com.domainname.appname). Scroll down the Capabilities tab and make sure you check Sign In with Apple. Finally, click Continue, verify the details on the next page, and then click Register.

Now we need a Services ID. This value will also act as the client_id when you call the API to authenticate the user.

• Go to Certificates, Identifiers & Profiles > Identifiers again, then click the + sign in the top left corner next to Identifiers.

• Select Services IDs this time and click Continue.

• Enter any Description and Bundle ID here (Apple recommends using a reverse domain name style string, such as com.domainname.appname). Be sure to check Sign In with Apple. Here, you must also click the Configure button next to “Sign In with Apple.”

• Clicking the Configure button in the previous step displays a Web Authentication Configuration panel. Make sure that the App ID we obtained earlier is selected as the Primary App ID. Next, you have to add the Web Domain that will use this service (although I didn’t verify my domain for Sign In with Apple; it’s better if you can). I used example-app.com. Finally, add Return URLs (you can add more than one); these are the valid URLs the user is redirected to after authenticating with Sign In with Apple (I used example-app.com/redirect for quick testing purposes). Single…

• Click Continue, then verify the details on the next page and click Register.

Now we need to create a key to get our client_secret, which is also required to make token requests from Apple.

• Go to Certificates, Identifiers & Profiles > Keys, then click the + sign in the top left corner next to Keys.

• Provide the key name and be sure to check Sign In with Apple. Here, we must also click Configure. In the Configure Key panel that appears next, select the App ID we used earlier under Choose a Primary App ID, and click Save.

• Click Continue, then verify the details on the next page and click Register.

• Download the key and store it in a secure place, as you can never download the key again. Click Done after downloading the key.

Well, that’s pretty much all the configuration.

Now that we have the client_id, we also need the client_secret to call the API. We will create the client_secret using the private key we just downloaded.

The client_secret must be a JWT. According to the Apple documentation [2], we need to sign the token using the Elliptic Curve Digital Signature Algorithm (ECDSA) with the P-256 curve and the SHA-256 hash algorithm. An easy way to do this is to use ruby-jwt [3]. First check whether you already have Ruby set up; if not, you can get it here [4].

Here are the details we need to include in JWT.

--Header--
alg - The algorithm used to sign the token. This will be ES256.
kid - The 10-character Key ID of the private key you created. You can get it from Certificates, Identifiers & Profiles > Keys > (click on the key you created).
--Payload--
iss - The 10-character Team ID given to you. You can find it at https://developer.apple.com/account/#/membership
iat - Indicates the time at which the token was generated, as the number of seconds since the Epoch, in UTC.
exp - Indicates the expiry time of the token, as the number of seconds since the Epoch, in UTC. According to the docs the value must not be greater than 15777000 (6 months in seconds) from the current Unix time on the server.
aud - Identifies the recipient the JWT is intended for. Since this token is meant for Apple, use https://appleid.apple.com.
sub - Identifies the principal that is the subject of the JWT. Use the same value as client_id, as this token is meant for your application.

Let’s get client_secret.

After setting up Ruby, run sudo gem install jwt to install ruby-jwt.

Add the necessary details and save the following as secret_gen.rb

require "openssl"
require "jwt"

key_file = "Path to the private key"                    # the .p8 file downloaded above
team_id = "Your Team ID"                                # 10-character Team ID
client_id = "The Service ID of the service you created" # the Services ID, used as client_id
key_id = "The Key ID of the private key"                # 10-character Key ID
validity_period = 180 # In days. Max 180 (6 months) according to Apple docs.

private_key = OpenSSL::PKey::EC.new(IO.read(key_file))

token = JWT.encode(
  {
    iss: team_id,
    iat: Time.now.to_i,
    exp: Time.now.to_i + 86400 * validity_period,
    aud: "https://appleid.apple.com",
    sub: client_id
  },
  private_key,
  "ES256",
  { kid: key_id } # extra header fields
)
puts token

You can run the secret_gen.rb file from a terminal using the command ruby secret_gen.rb, which will provide you with client_secret.
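The claim list above and secret_gen.rb together describe what the client_secret is, but they leave the reader trusting ruby-jwt to do the right thing. The following example, added here and not part of the original post or of ruby-jwt, builds the same JWT with nothing but Ruby’s standard OpenSSL library and then runs a pre-flight check on it: it verifies the ES256 signature and confirms that alg, kid, iss, sub, aud and the exp limit of 15777000 seconds are what Apple expects. The P-256 key is generated in memory as a stand-in for the downloaded .p8 file, and the Team ID, Services ID and Key ID are placeholder values.

```ruby
require "openssl"
require "json"
require "base64"

APPLE_AUD      = "https://appleid.apple.com"
MAX_LIFETIME_S = 15_777_000 # Apple's ceiling on exp minus the current time (6 months)

def b64url(bin)
  Base64.urlsafe_encode64(bin, padding: false)
end

# OpenSSL produces ECDSA signatures as DER SEQUENCE { r, s }; JWS ES256
# requires the raw 64-byte r || s form, so convert in both directions.
def der_to_raw(der)
  OpenSSL::ASN1.decode(der).value.map { |int| int.value.to_s(2).rjust(32, "\x00") }.join
end

def raw_to_der(raw)
  ints = [raw[0, 32], raw[32, 32]].map { |b| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(b, 2)) }
  OpenSSL::ASN1::Sequence.new(ints).to_der
end

# Build the client_secret JWT with the header and payload fields listed above.
def build_client_secret(private_key, team_id:, client_id:, key_id:, validity_days: 180, now: Time.now.to_i)
  header  = { alg: "ES256", kid: key_id }
  payload = { iss: team_id, iat: now, exp: now + 86_400 * validity_days, aud: APPLE_AUD, sub: client_id }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  der_sig = private_key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{b64url(der_to_raw(der_sig))}"
end

# Pre-flight check of a client_secret before sending it to Apple: verifies the
# ES256 signature with the key and checks every claim Apple will look at.
# Returns a list of problems; an empty list means the token is well-formed.
def check_client_secret(token, key, team_id:, client_id:, key_id:, now: Time.now.to_i)
  h, p, sig = token.split(".")
  header  = JSON.parse(Base64.urlsafe_decode64(h))
  payload = JSON.parse(Base64.urlsafe_decode64(p))
  problems = []
  problems << "alg must be ES256" unless header["alg"] == "ES256"
  problems << "kid does not match the Key ID" unless header["kid"] == key_id
  signature_ok = begin
    key.verify(OpenSSL::Digest.new("SHA256"), raw_to_der(Base64.urlsafe_decode64(sig)), "#{h}.#{p}")
  rescue OpenSSL::PKey::PKeyError, OpenSSL::ASN1::ASN1Error, TypeError, ArgumentError
    false # malformed signature field counts as a failed verification
  end
  problems << "signature does not verify" unless signature_ok
  problems << "iss must be the Team ID" unless payload["iss"] == team_id
  problems << "sub must be the client_id" unless payload["sub"] == client_id
  problems << "aud must be #{APPLE_AUD}" unless payload["aud"] == APPLE_AUD
  problems << "token is already expired" unless payload["exp"].to_i > now
  problems << "exp exceeds #{MAX_LIFETIME_S} seconds from now" if payload["exp"].to_i - now > MAX_LIFETIME_S
  problems
end

if __FILE__ == $0
  # Constructed stand-in for the downloaded .p8 key; in practice load the file with
  # OpenSSL::PKey::EC.new(File.read(path)). All identifiers below are placeholders.
  demo_key = OpenSSL::PKey::EC.generate("prime256v1")
  ids = { team_id: "TEAMID1234", client_id: "com.example.app.service", key_id: "ABC1234567" }
  token = build_client_secret(demo_key, **ids)
  puts token
  p check_client_secret(token, demo_key, **ids)
end
```

Running check_client_secret against the real key before the first token request catches the usual mistakes (Services ID confused with Bundle ID, Key ID typed wrong, validity over six months) locally, rather than as an opaque invalid_client error from Apple.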

Good… Now we’re ready to test Sign In with Apple 🙂

Substitute your redirect_uri (which should be the Return URL we configured earlier) and client_id into the following URL, paste it into your browser and press Enter.

https://appleid.apple.com/auth/authorize?response_type=code&redirect_uri=<redirect_uri>&client_id=<client_id>

You will be prompted to authenticate (I had to enable two-factor authentication for my Apple ID to continue). You will then be redirected to the redirect_uri, with the code attached to it.

In the following cURL command, substitute the code obtained in the step above, the redirect_uri and client_id used earlier, and the client_secret obtained by running secret_gen.rb, then run it in your terminal.

curl -X POST https://appleid.apple.com/auth/token -d 'grant_type=authorization_code&code=<code>&redirect_uri=<redirect_uri>&client_id=<client_id>&client_secret=<client_secret>'

After running the above, you should finally get the access token and the ID token.
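The cURL command returns the tokens, but the post stops there; in practice the id_token must be verified before any claim in it (such as the user’s sub) is trusted. The example below, added here and not part of the original post, builds the same form body as the cURL request with proper URL encoding and then validates an id_token the way a relying party should: RS256 signature against the JWKS key named by the token’s kid, then issuer, audience and expiry. Because the example has to run offline, it generates its own RSA key and a matching JWKS document as a constructed stand-in for Apple’s keys and mints a sample id_token with it; with Apple, the JWKS is fetched from https://appleid.apple.com/auth/keys. The Services ID and redirect URL are placeholders.

```ruby
require "openssl"
require "json"
require "base64"
require "uri"

APPLE_TOKEN_URL = "https://appleid.apple.com/auth/token"
APPLE_ISSUER    = "https://appleid.apple.com"

def b64url(bin)
  Base64.urlsafe_encode64(bin, padding: false)
end

# Form body of the token request above; URI.encode_www_form escapes each value,
# so a code or secret containing '&' or '+' cannot corrupt the request.
def token_request_body(code:, redirect_uri:, client_id:, client_secret:)
  URI.encode_www_form(grant_type: "authorization_code", code: code,
                      redirect_uri: redirect_uri, client_id: client_id,
                      client_secret: client_secret)
end

# Turn an RSA JWK (n, e) into an OpenSSL public key via a SubjectPublicKeyInfo DER.
def jwk_to_rsa(jwk)
  n, e  = %w[n e].map { |k| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(Base64.urlsafe_decode64(jwk[k]), 2)) }
  pkcs1 = OpenSSL::ASN1::Sequence.new([n, e]).to_der
  alg   = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ObjectId.new("rsaEncryption"), OpenSSL::ASN1::Null.new(nil)])
  spki  = OpenSSL::ASN1::Sequence.new([alg, OpenSSL::ASN1::BitString.new(pkcs1)])
  OpenSSL::PKey::RSA.new(spki.to_der)
end

# Validate the id_token from the token response: RS256 signature against the
# JWKS key named by kid, then issuer, audience and expiry. Returns the claims
# or raises; claims from an unverified token must never be used.
def verify_id_token(id_token, jwks, client_id:, now: Time.now.to_i)
  h, p, s = id_token.split(".")
  header = JSON.parse(Base64.urlsafe_decode64(h))
  raise "unexpected alg #{header['alg']}" unless header["alg"] == "RS256"
  jwk = jwks["keys"].find { |k| k["kid"] == header["kid"] }
  raise "unknown kid #{header['kid']}" unless jwk
  pub = jwk_to_rsa(jwk)
  raise "bad signature" unless pub.verify(OpenSSL::Digest.new("SHA256"), Base64.urlsafe_decode64(s), "#{h}.#{p}")
  claims = JSON.parse(Base64.urlsafe_decode64(p))
  raise "wrong issuer" unless claims["iss"] == APPLE_ISSUER
  raise "wrong audience" unless claims["aud"] == client_id
  raise "token expired" unless claims["exp"].is_a?(Integer) && claims["exp"] > now
  claims
end

# Constructed stand-in for Apple's signing key and its JWKS document, so the
# example runs offline. In production, fetch https://appleid.apple.com/auth/keys.
DEMO_RSA  = OpenSSL::PKey::RSA.generate(2048)
DEMO_JWKS = { "keys" => [{ "kty" => "RSA", "kid" => "demo-kid", "use" => "sig", "alg" => "RS256",
                           "n" => b64url(DEMO_RSA.n.to_s(2)), "e" => b64url(DEMO_RSA.e.to_s(2)) }] }

# Mints an RS256 id_token with the demo key, playing Apple's role for the demo only.
def mint_demo_id_token(claims, kid: "demo-kid")
  input = "#{b64url(JSON.generate({ alg: 'RS256', kid: kid }))}.#{b64url(JSON.generate(claims))}"
  "#{input}.#{b64url(DEMO_RSA.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

if __FILE__ == $0
  client_id = "com.example.app.service" # placeholder Services ID
  puts token_request_body(code: "c1.demo", redirect_uri: "https://example-app.com/redirect",
                          client_id: client_id, client_secret: "eyJ.demo.secret")
  now = Time.now.to_i
  tok = mint_demo_id_token({ "iss" => APPLE_ISSUER, "aud" => client_id, "sub" => "000123.demo",
                             "iat" => now, "exp" => now + 600 })
  p verify_id_token(tok, DEMO_JWKS, client_id: client_id, now: now)
end
```

The audience check is the one most often skipped: an id_token issued for another client_id is a valid Apple token, just not one meant for this application, and accepting it would let a token from one app log a user into another.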

If you are confused about the Sign In with Apple process, check out the OIDC Authorization Code Flow [5].

If you are interested in learning more about Sign In with Apple, please join Apple Sign In: A Zero-code Integration Approach Using WSO2 Identity Server [6].

References

[1] https://developer.apple.com/sign-in-with-apple/

[2] https://developer.apple.com/documentation/signinwithapplerestapi/generate_and_validate_tokens

[3] https://github.com/jwt/ruby-jwt

[4] https://www.ruby-lang.org/en/downloads/

[5] https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth

[6] https://wso2.com/library/webinars/2019/07/apple-sign-in-a-zero-code-integration-approach-using-wso2-identity-server/
