Apple
The Apple factor requires a client ID and a client secret, which are specific to your Apple developer account and to the application registered in the Apple Developer Portal.

How to register the application with Apple, retrieve the client ID and create the client secret (a JWT) is documented here:
In order to set up Sign In With Apple for your users, you need to be a member of Apple's Developer Program. Once you have access to the platform:
Create an App ID Identifier: the identifier can be freely chosen; io.quasr.app (as visible in the screenshot) is only an example and cannot be used by anybody else anymore.

In the detail settings of this App ID identifier, make note of the "App ID Prefix" (Team ID), which you will need later.

In the list of Capabilities, enable Push Notifications and Sign In With Apple. Make "Sign in with Apple" the primary App ID.

Back in the Identifiers overview, select "Service IDs" in the drop-down in the top-right, then create a new one. The identifier can be freely chosen; io.quasr.login (as visible in the screenshot) is only an example and cannot be used by anybody else anymore.

Going into the detail settings of this identifier, make sure that "Sign In With Apple" is enabled. Then click "Configure".

In the dialog that opens, click the "+" icon to add a website URL (redirect URL) and enter the following, replacing {tenant_id} with your own tenant ID:

Domains and Subdomains: {tenant_id}.api.quasr.io
Return URLs: https://{tenant_id}.api.quasr.io/factors/oauth2/callback

Back in the Apple Developer main menu, go to the "Keys" section. Create a new key.

Provide a Key Name and make sure that both "APNs" and "Sign in With Apple" are enabled.

Once the key is created, make note of the Key ID (kid), and download the key.

The Apple Developer docs describe how to create the client secret, but the detailed instructions are cumbersome to find if you are new to this. The following Node.js script creates a client secret JWT from the previously downloaded key.
const fs = require('fs')
const jwt = require('jsonwebtoken')

function createClientSecret() {
  // the .p8 file downloaded from the Keys section; <kid> is the Key ID
  const privateKey = fs.readFileSync('./AuthKey_<kid>.p8').toString()
  const jwtToken = jwt.sign(
    {},
    privateKey,
    {
      algorithm: 'ES256',
      expiresIn: '180d', // 180d is maximum possible, otherwise token endpoint fails with 400 error
      issuer: '<your_team_id>', // your Team ID (App ID Prefix)
      audience: 'https://appleid.apple.com',
      subject: '<your_client_id>', // your Client ID (the Service ID)
      header: {
        alg: 'ES256',
        kid: '<kid>', // the Key ID (kid)
        typ: 'JWT',
      },
    }
  )
  console.log(jwtToken)
}

createClientSecret()
If you paste the JWT into jwt.io it will indicate "Invalid Signature". This is normal: the token is signed with your private key, and jwt.io has no matching public key to verify it against. The token still works as required.
Finally you can configure the client ID and secret for the Apple factor as follows:
Client ID = service ID (in our case io.quasr.login)
Client Secret = JWT as generated above
