Quasr
  • Introduction
    • Welcome to Quasr
    • Concepts
      • Flexible Authentication
      • User-Centric Privacy
      • Modern Development
    • Terminology
    • FAQs
  • Getting Started
    • Sign up with Quasr
    • Setup your tenant
      • Factor Configuration
      • Enrolling additional factors
      • Test with the Sample Client
      • Understanding Scopes & Scores
      • Setting up an API Client (M2M)
    • Connect your app
      • Hosted Login UI
      • Custom Login UI
      • Embedded Login UI
  • Account Administration
    • Introduction
    • Account & Billing
      • Metrics
    • Tenants
    • Usage & Statistics
    • Security
  • Tenant Administration
    • Introduction
    • Dashboard
    • Tenant Settings
    • Your Security
    • Accounts
      • Tenant Admins
    • Factors
      • Factors and Scoring
      • Username (ID)
      • Federation (OAuth2 / OIDC)
        • Apple
        • Facebook
        • GitHub
        • Google
        • LinkedIn
        • Slack
      • Time-based One-time Password (TOTP)
      • One-Time Password (OTP)
      • Password
      • Secret
    • Controls
      • Configuration
      • Permissions
      • Consents
      • Rules
    • Attributes
      • Capturing Claims
      • Sourcing Claims
      • Viewing Claims
      • Searching Claims / Users
      • Sharing Claims
    • Extensions
      • Synchronous
      • Asynchronous
    • Tokens
      • Session Token (OAuth 2.0)
      • Access Token (OAuth 2.0)
      • Refresh Token (OAuth 2.0)
      • ID Token (OIDC 1.0)
      • Consent Token
      • Authorization Code (OAuth 2.0)
    • Hosted Login Page
    • APIs
      • Authentication API
      • Management API (GraphQL)
  • Legal
    • Terms of Service
    • Acceptable Use Policy
    • DPA & Subprocessors
  • More Info
    • Standards
    • Security
      • Vulnerability Disclosure
      • Wall of Recognition
    • Support
    • Status
Powered by GitBook
On this page
  1. Tenant Administration
  2. Factors
  3. Federation (OAuth2 / OIDC)

Apple

PreviousFederation (OAuth2 / OIDC)NextFacebook

Last updated 1 year ago

The Apple factor requires a client ID and client secret, which is specific to your Apple developer account and application within the Apple Developer Portal.

How to register the application with Apple, retrieve client ID and create the client secret (JWT) is documented here:

In order to set up Sign In With Apple for your users, you need to be a member of Apple's Developer Program. Once you have access to the platform:

Create an App ID Identifier: the identifier can be freely chosen, the io.quasr.app (as visible in the screenshot) is only an example and actually cannot be used by anybody else anymore.

In the detail settings of this App ID identifier, make note of the "App ID Prefix" (Team ID), which you will need later.

In the list of Capabilities, enable Push Notifications and Sign In With Apple. Make "Sign in with Apple" the primary App ID.

Back in the Identifiers overview, select "Service IDs" in the drop down in the top-right, then create a new one. The identifier can be freely chosen, the io.quasr.login (as visible in the screenshot) is only an example and actually cannot be used by anybody else anymore.

This Identifier is the Client ID that you will use in the factor settings within the Quasr platform for the Apple factor.

Going into the detail settings of this identifier, make sure that "Sign In With Apple" is enabled. Then click "Configure".

In the upcoming dialog, click the "+" icon to add a website URL (redirect URL):

Enter the following (make sure to replace {tenant_id} with your own tenant ID):

  • Domains and Subdomains: {tenant_id}.api.quasr.io

  • Return URLs: https://{tenant_id}.api.quasr.io/factors/oauth2/callback

Back in the Apple Developer main menu, go to the "Keys" section. Create a new key.

Provide a Key Name, make sure that "APNs" and "Sign in With Apple" is enabled.

Once the key is created, make note of the Key ID (kid), and download the key.

The Apple Developer docs describe how to create the client secret, however it's a bit cumbersome to find the detailed instructions if you are new to this. The following Node.js script creates a client secret JWT based on the previously downloaded key.

const fs = require('fs')
const jwt = require('jsonwebtoken')

function createClientSecret() {
  const privateKey = fs.readFileSync('./AuthKey_<kid>.p8').toString()
  const jwtToken = jwt.sign(
    {},
    privateKey,
    {
      algorithm: 'ES256',
      expiresIn: '180d', // 180d is maximum possible, otherwise token endpoint fails with 400 error
      issuer: '<your_team_id>', // your Team ID
      audience: 'https://appleid.apple.com',
      subject: '<your_client_id>', // your Client ID
      header: {
        alg: 'ES256',
        kid: '<kid>', // the Key ID (kid)
        typ: 'JWT',
      },
    }
  )
  console.log(jwtToken)
}

createClientSecret()

Finally you can configure the client ID and secret for the Apple factor as follows:

  • Client ID = service ID (in our case it is io.quasr.login)

  • Client Secret = JWT as generated above

You will now need to create a Client Secret based off of this key. The Client Secret is a JSON Web Token (JWT) and will be used as the Client Secret for the Apple factor configuration within the Quasr platform. (section "Creating the Client Secret") describes the steps.

If you validate the JWT using it will indicate Invalid Signature. This is normal as the token is signed using a private certificate that isn't publicly available. No worries it should work as required.

https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens
jwt.io
https://developer.apple.com/sign-in-with-apple/get-started/
https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens
Appleconfiguration in the Quasr Tenant Admin UI
Final configuration of Apple factor in Quasr Tenant Admin UI.