The Sign in with Apple Authenticator uses an OpenID Connect like protocol to federate their user accounts and allow the user to select what information to share with the relying party. Some configuration in the Apple Developer portal is necessary.
This authenticator requires an Apple Developer account to be able to configure a Sign in with Apple service.
To be able to use the Sign in with Apple feature, an App ID and a Service need to be added to your Apple developer account. To configure this, go to Apple Developer Portal.
In the menu option Certificates, Identifiers & Profiles, select Identifiers, and create a new identifier of the type App ID. This app is only needed to be used as the primary App ID in the Service identifier, if you already have one this step is unneccessary. If not, proceed to configure an App Identifier.
Now, create a new identifier of the type Services ID. In the setttings popup, add a description, and a create a unique identifier. Description will be visible for the end user while authenticating, and the identifier will be used in Curity config as the Client ID.
Go into your newly created service, and enable Sign in with Apple.
Select to configure the service. In the popup, select your App ID, and add the domain curity is running on, and add the redirect URI of your authenticator as the Return URL.
Your authenticator redirect URI can be found in the Admin UI, in the info pane of the authenticator configuration page. Since the authenticator is not created yet, the url follow the form of <base-url><authentication-endpoint>/<authenticator-id>/callback. This can be edited at a later stage, if you wish to change the authenticator id.
Press next and confirm your settings, and then save your Services ID Configuration.
The Sign in with Apple service requires a private key that signs JWTs to be used as a client secret. The key to use is also generated in the developer portal.
While still in the Certificates, Identifiers & Profiles page, select Keys.
If the key is lost after downloading, it is lost. But the Key ID can be retrieved from the developer portal at any time.
Now we are finished in the developer portal!
First we need to upload the key to use for client authentication.
In the Admin UI, select Facilities -> Signing Keys -> +New
In the popup, select the type asymetric and Upload Existing.
Upload the downloaded key, without password and alias.
Facilities -> Signing Keys -> +New
Now we’re ready to setup the authenticator. Go to Profiles –> <Authentication Profile> -> Authenticators. Create a new authenticator of the type Sign in with Apple.
In the authenticator, the following parameters are available:
Issuer: Should always be https://appleid.apple.com, unless another service is used for testing purposes. Apple does not have a test environment.
Team ID: Your Apple Team ID, can be found in the Apple Developer Portal <https://developer.apple.com/account>
Client ID: The identifier of your created service. For example: com.mygood.curity.integration
JWT Signing Key: Select the key that was uploaded in the previous step.
JWT Signing Key ID: This is the Key ID from the portal that we took note of earlier.
Scope: The scope to ask the end user to grant. This will affect the returned data. Default is openid email name, which will ask the user to share both the name and email. The user will get the chance to decide if it wants to share the real email or a relay email, and has the chance to not share the name.
HTTP Client: The http client to use in communication with the service. Select a client that is using https, and accepts the certificate of https://appleid.apple.com.
The first time an end user chooses to sign in with apple, the user will get to select what data to share with the requesting application. Depending on what the user decides, the result will be a bit different. But the authentication attributes will contain an id for the subject, which will be persistent for this user but not readable. If the email scope was requested, the email attribute will be present, and if the name scope was asked for there will be a user attribute, which is a map that contain the name the user selected to share.
Note that the user object will only be sent the first time this user authenticates. Next time, the subject will be the same, and the email will be only in the top level.