Create an Apple client
Sign up for an Apple developer account
You must enroll in the Apple Developer program.
Apple Developer Enterprise Program accounts are not able to configure Sign in with Apple.
Set up application redirection
After Apple processes the initial authorization request and the user is successfully authenticated, Sign in with Apple sends an HTTP POST request to PingOne Advanced Identity Cloud or PingAM containing the authorization results.
For a web application (SPA) or an Android device, the POST request is sent to a dynamically created endpoint, specified in the Apple Sign In configuration as the redirect URL.
The redirect URL
To complete Apple client setup, you need the full redirect URL. This URL is not available until you have fully set up the provider in PingAM. If you have already set up your Apple provider, the redirect URL resembles the following:
https://<tenant-env-fqdn>/am/oauth2/<realm>/client/form_post/<secondary-configuration-name>
Set up Apple sign in
Create an app ID
- Log in to your Apple developer account.
- In the Program resources category, under Certificates, Identifiers & Profiles, click Identifiers.
- Click the plus button (+) next to the Identifiers header.
- Select App IDs, and click Continue.
- Select App type, and click Continue.
- Type a description of your app, and provide a Bundle ID using reverse-domain name style. For example, com.forgerock.ios.sdk.example.
- Select Sign in with Apple, and click Continue.
- Review your entry, and click Register.
Create a service ID
- On the Identifiers page, click the plus button (+) next to the Identifiers header.
- Select Service IDs, and click Continue.
- Enter a description of your service.
- Enter an Identifier that is similar to your app ID. For example, <app-id>.service.
- Click Continue.
- Review your entry, and click Register.
Configure the Apple sign in service
- On the Identifiers page, click the dropdown next to the magnifying glass icon, and then select Services IDs.
- Select the service ID you created.
- Next to Sign in with Apple, click Configure.
- Click the plus button next to the Website URLs header.
- In Domains and Subdomains:
  - For JavaScript apps, enter the domains that host your app. For example, sdkapp.example.org.
    During testing, do not use the example.com domain to host your application. Apple treats this domain differently than other domains, which can cause unexpected issues. Using example.org or any other domain does not present these same difficulties.
  - For native Android and iOS apps, enter the domain of your PingOne Advanced Identity Cloud or PingAM instance. For example, openam-forgerock-sdks.forgeblocks.com.
- In Return URLs, enter the URL that Apple redirects users to after authentication. Users must be redirected back to PingOne Advanced Identity Cloud or PingAM to continue their authentication journey. The URL is dynamically created by PingOne Advanced Identity Cloud or PingAM when you configure the identity provider, and uses the following syntax:
  - Advanced Identity Cloud: https://<tenant-env-fqdn>/am/oauth2/<realm>/client/form_post/<secondary-configuration-name>
  - PingAM: https://<am-fqdn>/openam/oauth2/client/form_post/<secondary-configuration-name>
- Click Next.
- Review, and click Done.
Create a key
Store your key in a safe location. You can download a key only once.
- On the developer account page, in the left navigation panel, click Keys.
- Click the plus button next to the Keys header.
- Enter your key name, and select Sign in with Apple.
- Click Configure, select your primary app ID, and click Save.
- Click Continue.
- Review, and click Register.
Generate a client secret
The client secret for Apple sign in is not a simple string but a JSON Web Token (JWT) that you sign with the private key downloaded in the previous step, using the ES256 algorithm and the key ID in the JWT header. A common way of generating the JWT is to use the jwt/ruby-jwt library.
Before you create the JWT, you need to understand the claims Apple requires (issuer, subject, audience, issued-at and expiry, with a maximum lifetime of six months). To learn about these requirements, see Apple's documentation about generating and validating tokens.
Configure the client ID
- For native iOS: the client_id should be the App ID (bundle identifier) from the Apple Developer portal.
- For web or Android: the client_id should be the Service ID from the Apple Developer portal.
Example signing script:
require "jwt"
require "openssl"

key_file = "<key-file-name>"         # The .p8 private key downloaded from the Apple Developer portal
team_id = "<team-id>"                # Your Apple Developer Team ID
client_id = "<app-id-or-service-id>" # App ID for native iOS; Service ID for web or Android
key_id = "<key-id>"                  # Key ID shown in the portal for the key above
validity_period = 180                # In days. Max 180 (6 months) according to Apple docs.

private_key = OpenSSL::PKey::EC.new(File.read(key_file))
now = Time.now.to_i
token = JWT.encode(
  {
    iss: team_id,
    iat: now,
    exp: now + 86400 * validity_period,
    aud: "https://appleid.apple.com",
    sub: client_id
  },
  private_key,
  "ES256",
  { kid: key_id } # Extra header fields; Apple matches kid against the registered key
)
puts token
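The following is an added example, not code from the original page or from the Ping/ForgeRock products. It builds the same client secret using only Ruby's standard library, so the parts the ruby-jwt gem hides are visible: the base64url encoding of header and payload, the conversion of OpenSSL's DER-encoded ECDSA signature into the raw r||s form JOSE requires, and the 180-day lifetime cap. It then checks the resulting token the way you would before pasting it into the provider configuration. The team ID, key ID and client ID are made-up placeholders, and the freshly generated P-256 key stands in for the .p8 key downloaded from the Apple Developer portal (load that with OpenSSL::PKey::EC.new(File.read(path)) instead).

```ruby
# Added example (not from the original page): build and check an Apple client
# secret JWT with Ruby's standard library only. The team ID, key ID and client
# ID are made-up placeholders; the generated P-256 key stands in for the .p8
# key downloaded from the Apple Developer portal.
require "openssl"
require "json"
require "base64"

APPLE_AUD = "https://appleid.apple.com".freeze
MAX_VALIDITY_DAYS = 180 # Apple caps the client secret lifetime at six months
COORD_BYTES = 32        # byte length of r and s for P-256

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
end

# OpenSSL emits ECDSA signatures as DER SEQUENCE { r, s }; JOSE wants raw r||s.
def der_to_raw(der)
  OpenSSL::ASN1.decode(der).value
        .map { |int| int.value.to_s(2).rjust(COORD_BYTES, "\x00") }
        .join
end

def raw_to_der(raw)
  r = OpenSSL::BN.new(raw[0, COORD_BYTES], 2)
  s = OpenSSL::BN.new(raw[COORD_BYTES, COORD_BYTES], 2)
  OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(r),
                               OpenSSL::ASN1::Integer.new(s)]).to_der
end

# Produces the client secret Apple expects: ES256-signed, kid in the header,
# iss = Team ID, sub = client ID, fixed aud, exp at most 180 days after iat.
def apple_client_secret(private_key, team_id:, client_id:, key_id:,
                        validity_days: MAX_VALIDITY_DAYS, now: Time.now.to_i)
  if validity_days > MAX_VALIDITY_DAYS
    raise ArgumentError, "validity exceeds Apple's #{MAX_VALIDITY_DAYS}-day maximum"
  end
  header  = { alg: "ES256", kid: key_id }
  payload = { iss: team_id, iat: now, exp: now + validity_days * 86_400,
              aud: APPLE_AUD, sub: client_id }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  der_sig = private_key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{b64url(der_to_raw(der_sig))}"
end

# Checks a secret before it is shipped: header, signature, audience, expiry
# and the 180-day cap. Returns [true, payload] or [false, reason]. Only the
# public half of the key is used for verification.
def verify_client_secret(token, key, now: Time.now.to_i)
  h, p, sig = token.split(".")
  return [false, "malformed token"] unless h && p && sig
  header  = JSON.parse(b64url_decode(h))
  payload = JSON.parse(b64url_decode(p))
  return [false, "alg must be ES256"] unless header["alg"] == "ES256"
  return [false, "kid missing"] if header["kid"].to_s.empty?
  raw = b64url_decode(sig)
  return [false, "bad signature"] unless raw.bytesize == 2 * COORD_BYTES &&
    key.verify(OpenSSL::Digest.new("SHA256"), raw_to_der(raw), "#{h}.#{p}")
  return [false, "wrong audience"] unless payload["aud"] == APPLE_AUD
  return [false, "expired"] unless payload["exp"].to_i > now
  if payload["exp"].to_i - payload["iat"].to_i > MAX_VALIDITY_DAYS * 86_400
    return [false, "lifetime exceeds #{MAX_VALIDITY_DAYS} days"]
  end
  [true, payload]
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::EC.generate("prime256v1") # stand-in for the downloaded .p8 key
  token = apple_client_secret(key, team_id: "TEAMID1234",
                              client_id: "com.example.sdkapp.service",
                              key_id: "ABC123DEFG")
  puts token
  p verify_client_secret(token, key)
end
```

Two details matter in practice. The client secret expires, so whichever process generates it (a CI job, a rotation script) must re-run before the 180-day mark and update the provider configuration, or Apple sign in stops working silently. And because the secret is signed with the key you can only download once, treat the .p8 file like any other signing key: keep it out of source control and rotate it through the Apple portal if it is ever exposed.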