Apple Login Setup
Configure Apple login via OpenID Connect
1. Log in to your Apple developer account.
We will need to obtain an App ID with the "Sign In with Apple" capability.
Go to Certificates, Identifiers & Profiles > Identifiers and click on the + sign in the upper left next to “Identifiers”.
Select App IDs and hit continue.
Here enter any Description and a Bundle ID (Apple recommends using a reverse-domain-name style string, e.g. com.domainname.appname). Scroll down to Capabilities and make sure to tick Sign In with Apple. Finally, click Continue and on the next page verify the details and click Register.
2. Now we need to obtain a Services ID.
This will also serve as the client_id when making API calls to authenticate the user.
Again go to Certificates, Identifiers & Profiles > Identifiers and click on the + sign in the upper left next to “Identifiers”.
This time select Services IDs and hit continue.
Here enter any Description and an Identifier (Apple recommends using a reverse-domain-name style string, e.g. com.domainname.appname). Make sure to tick Sign In with Apple. Here you will have to click on the Configure button next to "Sign In with Apple".
Clicking the Configure button from the previous step will display a screen with Web Authentication Configuration. Make sure the App ID we obtained previously is selected as the Primary App ID. Next, you will have to add the Web Domain you will be using this service in (however, I did not have to verify the domain to try out Sign In with Apple, but it's best if you can get this done). I used http://example-app.com. Finally, add the Return URLs (you can add multiple), which are the valid URLs to redirect the user to after the user authenticates with Sign In with Apple. The redirect URI will be constructed by SSO in the format https://<sso base url>/uas/return/<method name>/redirect; the <sso base url> must be accessible to the Sign In with Apple servers. Click Save.
Click on Continue and on the next page verify the details and click Register.
3. Now we need to create a secret key
This key will be used to create the client_secret, which is needed to make a token request to Apple.
Go to Certificates, Identifiers & Profiles > Keys and click on the + sign in the upper left next to “Keys”.
Give a Key Name and make sure to tick Sign In with Apple. Here also we will have to click on Configure. On the screen that appears next (Configure Key), select the same App ID we used previously under Choose a Primary App ID and click Save.
Click on Continue and on the next page verify the details and click Register.
Download the key and keep it in a safe place as you will never be able to download it again. Click on Done after downloading the key.
4. Let's get the client_secret.
The client secret has to be a JWT, and according to the Apple documentation you need to sign the token using the Elliptic Curve Digital Signature Algorithm (ECDSA) with the P-256 curve and the SHA-256 hash algorithm. One of the easy ways to get this done is using ruby-jwt. First, check whether you already have Ruby set up; if not, you can get it from here.
After setting up Ruby, run the command sudo gem install jwt, which installs ruby-jwt.
Add the necessary details and save the following as secret_gen.rb:
require "openssl"
require "jwt"

key_file = "Path to the private key"                    # the .p8 file downloaded in step 3
team_id = "Your Team ID"
client_id = "The Service ID of the service you created" # becomes the sub claim
key_id = "The Key ID of the private key"                # goes into the JWT header as kid
validity_period = 180 # In days. Max 180 (6 months) according to Apple docs.

private_key = OpenSSL::PKey::EC.new(File.read(key_file))

token = JWT.encode(
  {
    iss: team_id,
    iat: Time.now.to_i,
    exp: Time.now.to_i + 86400 * validity_period,
    aud: "https://appleid.apple.com",
    sub: client_id
  },
  private_key,
  "ES256",        # ECDSA with P-256 and SHA-256, as Apple requires
  { kid: key_id } # header fields
)

puts token
You can run the secret_gen.rb file from the terminal using the command ruby secret_gen.rb, and it will print the client_secret.
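As an added example (not the page's script and not ruby-jwt), the same client_secret built with only Ruby's standard library, plus a check that decodes the result and verifies the ES256 header, the signature, the iss/sub/aud claims and the 180-day lifetime limit before the secret is pasted into the SSO client metadata. The Team ID, Service ID and Key ID values in the test are constructed placeholders.

```ruby
require "openssl"
require "json"

APPLE_AUD = "https://appleid.apple.com"
MAX_VALIDITY = 180 * 86400 # Apple caps the client_secret lifetime at six months

# base64url without padding (RFC 7515), via Array#pack so no base64 gem is needed
def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str.tr("-_", "+/")
  (padded + "=" * ((4 - padded.length % 4) % 4)).unpack1("m0")
end

# OpenSSL emits DER-encoded ECDSA signatures; JWS ES256 wants the raw 64-byte r||s form
def der_to_raw(der)
  OpenSSL::ASN1.decode(der).value.map { |i| i.value.to_s(2).rjust(32, "\x00") }.join
end

def raw_to_der(raw)
  ints = [raw[0, 32], raw[32, 32]].map { |b| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(b, 2)) }
  OpenSSL::ASN1::Sequence.new(ints).to_der
end

# Build the client_secret JWT with the same claims as the page's script: iss=Team ID,
# sub=Service ID, aud=Apple, ES256 signature and the Key ID in the header.
def apple_client_secret(private_key, team_id, client_id, key_id, validity_days: 180, now: Time.now.to_i)
  raise ArgumentError, "validity exceeds Apple's 180-day limit" if validity_days * 86400 > MAX_VALIDITY
  header = { alg: "ES256", kid: key_id }
  payload = { iss: team_id, iat: now, exp: now + validity_days * 86400, aud: APPLE_AUD, sub: client_id }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  der = private_key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{b64url(der_to_raw(der))}"
end

# Sanity check before using the secret: header, signature, claims and lifetime must all be
# what Apple expects. Returns true only if every check passes.
def check_apple_client_secret(token, key, team_id, client_id, now: Time.now.to_i)
  h, p, sig = token.split(".")
  return false unless h && p && sig
  header = JSON.parse(b64url_decode(h))
  payload = JSON.parse(b64url_decode(p))
  return false unless header["alg"] == "ES256" && !header["kid"].to_s.empty?
  return false unless key.verify(OpenSSL::Digest.new("SHA256"), raw_to_der(b64url_decode(sig)), "#{h}.#{p}")
  payload["iss"] == team_id && payload["sub"] == client_id && payload["aud"] == APPLE_AUD &&
    payload["exp"].to_i > now && payload["exp"].to_i - payload["iat"].to_i <= MAX_VALIDITY
end
```

To use it with a real key, load the downloaded .p8 file with OpenSSL::PKey::EC.new(File.read(path)) and pass it as private_key.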
SSO Management console configurations
From Home, select the tab "Global Method Settings" and then click "New Method" at the bottom of the page. Choose OAuth 2.0 as the method type. The method class will auto-fill and you don't have to edit it.
Choose a method name, for instance apple.oauth2.1. Remember to give the method the same name as used in the redirect URI registered with Apple.
Press "OK" and the method will be created.
Go to the OpenID Connect tab and upload the Provider Metadata. Apple ID metadata can be found here: https://appleid.apple.com/.well-known/openid-configuration
Upload the Provider Keys, which can be found from the jwks_uri in the provider metadata.
Upload Client Metadata, where you specify your client ID and secret and define the scope based on the claims you want to receive from Apple ID (in the example below we have used the scope "openid email"; you can change it as per your requirements).
Edit the snippet below with the correct values (update redirect_uris, keys (obtained from the SSO server: https://login.portal.ubisecure.com/uas/oauth2/metadata.jwks), client_id and client_secret) and add it to the client metadata:
{
  "redirect_uris": [
    "https://<hostname>:<port>/uas/return/apple.oauth2.1/redirect"
  ],
  "grant_types": [
    "authorization_code"
  ],
  "response_types": [
    "code"
  ],
  "jwks": {
    "keys": [
      {
        "kid": "xxxxxx",
        "kty": "RSA",
        "n": "xxxxxxxxx",
        "e": "AQAB"
      }
    ]
  },
  "scope": "openid email",
  "id_token_signed_response_alg": "RS256",
  "id_token_max_lifetime": 86400,
  "request_object_signing_alg": "none",
  "token_endpoint_auth_method": "client_secret_post",
  "client_id": "<value of Client ID>",
  "client_secret": "<value of Client secret>",
  "ubisecure_request_parameters": {
    "response_mode": "form_post"
  },
  "ubisecure_request_object_query_parameters": [
    "client_id",
    "scope",
    "response_type"
  ]
}
Upload the file as Registration Response or Client Metadata.
You should see your client ID as Client identifier and a new field Client secret (already set).
Press Update.
Go to the Main tab, tick the Enabled box and add the configuration strings:
Compatibility=AppleId
OperationMode=private
and press Update.
The configuration of the method is now done. Next you need to add it to your application.
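Before uploading the client metadata, it is worth checking it against the method name and against what Apple's provider metadata advertises. The checker below is an added example, not part of the SSO product or this page; the client metadata and the provider metadata subset it embeds are constructed samples, with the hostname, client_id and client_secret as placeholders.

```ruby
require "json"

# Constructed sample of the client metadata from this page, with the method name apple.oauth2.1
CLIENT_METADATA = JSON.parse(<<~DOC)
  {
    "redirect_uris": ["https://sso.example.test:8443/uas/return/apple.oauth2.1/redirect"],
    "grant_types": ["authorization_code"],
    "response_types": ["code"],
    "scope": "openid email",
    "id_token_signed_response_alg": "RS256",
    "token_endpoint_auth_method": "client_secret_post",
    "client_id": "com.example.app.service",
    "client_secret": "eyJhbGciOiJFUzI1NiIsImtpZCI6IktFWSJ9.placeholder.placeholder",
    "ubisecure_request_parameters": { "response_mode": "form_post" }
  }
DOC

# Constructed subset of Apple's provider metadata (the real document is
# https://appleid.apple.com/.well-known/openid-configuration)
PROVIDER_METADATA = {
  "issuer" => "https://appleid.apple.com",
  "id_token_signing_alg_values_supported" => ["RS256"],
  "token_endpoint_auth_methods_supported" => ["client_secret_post"],
  "response_modes_supported" => ["query", "fragment", "form_post"]
}

# Returns the list of problems found; an empty list means the metadata is consistent with the
# SSO method name and with what the provider advertises.
def check_client_metadata(meta, method_name, provider)
  problems = []
  # The method name must appear in the redirect URI: https://<sso base url>/uas/return/<method name>/redirect
  uri_re = %r{\Ahttps://[^/]+/uas/return/#{Regexp.escape(method_name)}/redirect\z}
  bad = Array(meta["redirect_uris"]).reject { |u| u.match?(uri_re) }
  problems << "redirect_uris do not use method #{method_name}: #{bad.join(', ')}" unless bad.empty?
  scopes = meta["scope"].to_s.split
  problems << "scope must include openid" unless scopes.include?("openid")
  alg = meta["id_token_signed_response_alg"]
  problems << "id_token alg #{alg} not supported by provider" unless provider["id_token_signing_alg_values_supported"].include?(alg)
  auth = meta["token_endpoint_auth_method"]
  problems << "token endpoint auth #{auth} not supported by provider" unless provider["token_endpoint_auth_methods_supported"].include?(auth)
  # Apple requires form_post when the name or email scope is requested
  mode = meta.dig("ubisecure_request_parameters", "response_mode")
  problems << "response_mode must be form_post when scope includes email or name" if (scopes & %w[email name]).any? && mode != "form_post"
  problems << "response_mode #{mode} not supported by provider" unless provider["response_modes_supported"].include?(mode)
  %w[client_id client_secret].each do |k|
    problems << "#{k} is empty or still a placeholder" if meta[k].to_s.empty? || meta[k].to_s.start_with?("<")
  end
  problems
end
```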
User Driven Federation with Apple
1. Create LDIF and import to directory
Step 1: Create apple.ldif
# Modifying apple.oauth2.1 method to offer federation
dn: cn=apple.oauth2.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
changetype: modify
replace: ubiloginLDAPURLUserMappingTableDN
ubiloginLDAPURLUserMappingTableDN: cn=CustomerID User Mapping,cn=Server,ou=System,cn=Ubilogin,dc=localhost
-
changetype: modify
replace: ubiloginDirectoryServiceDN
ubiloginDirectoryServiceDN: cn=CustomerID Directory,cn=Services,ou=System,cn=Ubilogin,dc=localhost
-
Step 2: Import settings to directory
Then we'll use the import tool to read the settings in the apple.ldif file:
cd C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\ldap\adam
import.cmd ..\apple.ldif
2. Enable an external authentication method for CustomerID
Step 1: Enable Apple as authentication method in SSO Management Console
Open SSO Management Console with your administrator account.
Go to eIDM Services site.
On Site Methods, add apple.oauth2.1.
On Applications, you will see two applications: eidm2 and workflow.
For each of these two applications, go to Allowed Methods and add apple.oauth2.1. It's important that you add apple.oauth2.1 as an allowed method for both eidm2 and workflow.
Make sure to add the Apple authentication method in 'eIDM Users' --> 'Site Methods'.
Step 2: Enable Apple as authentication method in CustomerID
Open eidm2.properties with your text editor.
Find the line that starts with "methods.protected" and add apple.oauth2.1 as shown below:
methods.protected = methods.password, apple.oauth2.1
Restart Wildfly.
Open the CustomerID self-service login page https://localhost:7443/eidm2/wf/self-service
You will find the Login with Apple button under "Sign In Using a Provider".
Part 3: Link your accounts
Step 1: Link your accounts
Log in to self-service. Click the "Sign in with Apple" button and you will be redirected to the Apple account login page.
Log in using an Apple account and you will see the screen below. You are informed (in red letters) that user federation is not enabled, so in this step you must log in with your CustomerID account one last time.
After successful login, you're prompted to link your account. Tick the box "Remember this next time" and click "Continue".
You are now logged in and you can see the account linking settings at the bottom of the page under "Federated Accounts".
Now log out from CustomerID. Note: you must log out from your Apple account too.
Step 2: Verify that you can log in to CustomerID directly with an Apple account
Open the self-service login page again: https://localhost:7443/eidm2/wf/self-service
This time you will be able to log in directly using your Apple ID credentials.
Step 3: Unlink your account
In the future, any user can unlink their own account from the self-service interface.