Apple Sign In With Keycloak: How To Setup With Ease
“Sign In with Apple” is a feature that lets users sign in to apps and websites with their Apple ID. It improves the security and privacy of users’ accounts in those apps.

Since most iOS and macOS users already have an Apple ID, “Sign In with Apple” lets them use it to sign in to other websites and apps as well.
For now, Keycloak does not provide a ready-to-use identity provider for Apple the way it does for Google or Facebook. Apple requires Sign In with Apple in App Store apps that offer other third-party login options. Integrating this feature with Keycloak is not rocket science, but it has some non-obvious issues that are hard to get right on the first try, and Apple’s Sign In with Apple guidelines do not cover all of them in practice.
Our FreySoft team implemented Sign In with Apple for our recruitment app. In this post, we will provide you with a step-by-step plan for how to integrate Apple Sign In with Keycloak.
Configure Sign In with Apple in 4 Steps
Step 1
The first step is to sign in to your account on developers.apple.com. Then go to Identifiers, select App IDs in the upper right corner, and click the Plus icon next to Identifiers.
You will see a list of identifier types that looks like this:

Choose App IDs, press Continue, and select the type “App”.

After pressing Continue, enter a Description. Use something descriptive that is tied to your application. Also enter a Bundle ID (we used our reverse domain name). Make sure Explicit is selected here!

Tick Sign in with Apple and press Edit.

Then select Enable as a primary App ID. In “Server to Server Notification Endpoint”, enter the URL on your Keycloak server and press Save.

Step 2
Go to Identifiers again. In the upper right corner, select Services IDs instead of App IDs, and press the Plus icon.

Tick Services IDs and press Continue.

Type a description such as: Service for authorization through website. Also enter your Identifier (this Services ID is the client_id you will use later) and press Continue.

Here you can see the service you created. Press Configure.

Select the Primary App ID that you created previously.

Check the Website URLs and make sure the domain and subdomain are correct. Press Next if everything is ok.

You need to enter the Keycloak domain and the redirect URL (the Redirect URI that Keycloak displays in the identity provider configuration).

Step 3
Next, we need to create a key. Press the Plus icon next to Keys.

Select Sign in with Apple and press Configure.

Select the Primary App ID by name and press Save.

Choose your key name and press Continue.

Press Register.

After that, you have two options: Download and Done. The key file (.p8) can be downloaded only once, so if you choose Download, record the Key ID shown on this screen as well; you will need it in Step 4. If you choose Done, you can come back and download the key later.
Press Download.

Step 4
After you download the key, go to the Keycloak Admin Console. Under Identity providers, choose the Apple provider (stock Keycloak does not ship one, so this entry comes from whichever Apple identity-provider extension you have installed) and fill in all the following fields.

To do it the right way, you need to generate the Client Secret from your private key.
- 1. Apple does not use a static client secret: the secret is a JWT signed with your private key, so you need a JWT library. This example uses the Ruby jwt gem, so install Ruby and the gem by running this command
gem install jwt
Once the jwt gem is available, you can fill in the missing values in the Add Apple provider form.
- 2. Take the Client ID value (the Services ID) from the previous step.

- 3. Take your Apple Team ID from the top right corner of the screen, below your account name.

- 4. Use the Key ID you saved when you configured the key.
- 5. Then put those values into this script (client_secret.rb):
require 'openssl'
require 'jwt'

key_file  = '___PATH_TO_KEY_FILE___'   # the .p8 file downloaded in Step 3
team_id   = '___TEAM_ID___'
client_id = '___CLIENT_ID___'          # the Services ID from Step 2
key_id    = '___KEY_ID___'             # the Key ID shown when the key was registered

# The .p8 is a PEM-encoded EC (P-256) private key
ecdsa_key = OpenSSL::PKey::EC.new(File.read(key_file))

# kid tells Apple which of your keys signed this token
headers = { 'kid' => key_id }
claims = {
  'iss' => team_id,
  'iat' => Time.now.to_i,
  'exp' => Time.now.to_i + 86400 * 180,   # 180 days; Apple allows at most 6 months
  'aud' => 'https://appleid.apple.com',
  'sub' => client_id,
}

token = JWT.encode(claims, ecdsa_key, 'ES256', headers)
puts token
This code generates a JWT signed with the ES256 algorithm that carries a handful of claims: your Team ID as the issuer, your Services ID as the subject, and Apple as the audience.
Importantly, Apple rejects a client secret whose expiry is more than six months (15777000 seconds) after it was issued, so 180 days is close to the maximum. If you generate a new client secret on every authentication, use a much shorter lifetime instead; the long lifetime here is what lets us generate the secret once and paste it into Keycloak. Note the expiry date somewhere: once it passes, Apple’s token endpoint rejects the secret and the Keycloak login fails until you generate and paste a new one.
Now run the script from the command line; it prints the JWT as a single line of three base64url segments separated by dots.
ruby client_secret.rb
If you decode the first segment (the header), it should contain "alg":"ES256" and your Key ID as "kid". Apple accepts no other algorithm.
- 6. Copy the printed token and paste it into the Client Secret field in Keycloak. Treat it like any other credential: anyone holding it can exchange authorization codes with Apple on behalf of your Services ID.
Save the configuration and then test the login flow.
Before publishing your app to the App Store, keep in mind that the Sign in with Apple button in your Keycloak theme must follow Apple’s button style guidelines.
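The following is an added example and not code from the original post or from the jwt gem: a stdlib-only Ruby version of the same client-secret generation (it builds the ES256 signature by hand, including the DER-to-raw conversion the gem does for you), plus a checker that validates a secret against Apple’s rules before you paste it into Keycloak. The Team ID, Services ID and Key ID are placeholders, the demo signs with an ephemeral P-256 key instead of your .p8, and load_apple_key is a helper written for this example.

```ruby
require 'openssl'
require 'json'

APPLE_AUD    = 'https://appleid.apple.com'
MAX_LIFETIME = 15_777_000 # Apple's limit: exp may be at most 6 months after issue

# base64url without padding, as JWS requires (stdlib only, no jwt gem)
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0')
end

# OpenSSL emits ECDSA signatures as DER SEQUENCE { r, s }; JWS wants raw r||s (64 bytes for P-256)
def der_to_raw(der)
  r, s = OpenSSL::ASN1.decode(der).value.map { |int| int.value.to_s(2).rjust(32, "\0") }
  r + s
end

def raw_to_der(raw)
  ints = [raw[0, 32], raw[32, 32]].map { |b| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(b, 2)) }
  OpenSSL::ASN1::Sequence.new(ints).to_der
end

# Hypothetical helper: load the .p8 downloaded from Apple (PKCS#8 PEM)
def load_apple_key(path)
  OpenSSL::PKey.read(File.read(path))
end

# Build the client secret as Apple specifies: ES256 JWT, kid = Key ID,
# iss = Team ID, sub = Services ID, aud = Apple, exp at most 6 months out.
def apple_client_secret(key, team_id:, client_id:, key_id:, now: Time.now.to_i, lifetime: MAX_LIFETIME)
  raise ArgumentError, "lifetime #{lifetime}s exceeds Apple's 6-month limit" if lifetime > MAX_LIFETIME

  header = { 'alg' => 'ES256', 'kid' => key_id }
  claims = { 'iss' => team_id, 'iat' => now, 'exp' => now + lifetime, 'aud' => APPLE_AUD, 'sub' => client_id }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  signature = der_to_raw(key.sign(OpenSSL::Digest.new('SHA256'), signing_input))
  "#{signing_input}.#{b64url(signature)}"
end

# Check a client secret before pasting it into Keycloak. Returns a list of problems;
# an empty list means it satisfies Apple's rules and its signature verifies under +key+.
def check_client_secret(token, key, team_id:, client_id:, key_id:, now: Time.now.to_i)
  parts = token.split('.')
  return ['token is not three dot-separated segments'] unless parts.length == 3

  h, c, s = parts
  begin
    header = JSON.parse(b64url_decode(h))
    claims = JSON.parse(b64url_decode(c))
  rescue JSON::ParserError, ArgumentError
    return ['header or claims segment is not base64url-encoded JSON']
  end

  problems = []
  problems << "alg is #{header['alg'].inspect}; Apple requires ES256" unless header['alg'] == 'ES256'
  problems << 'kid does not match the Key ID' unless header['kid'] == key_id
  problems << 'iss must be the Team ID' unless claims['iss'] == team_id
  problems << 'sub must be the Services ID (client_id)' unless claims['sub'] == client_id
  problems << "aud must be #{APPLE_AUD}" unless claims['aud'] == APPLE_AUD
  problems << 'exp is in the past' if claims['exp'].to_i <= now
  problems << 'exp is more than 6 months after iat' if claims['exp'].to_i - claims['iat'].to_i > MAX_LIFETIME

  raw = (b64url_decode(s) rescue '')
  if raw.bytesize != 64
    problems << 'signature is not a 64-byte r||s pair'
  elsif !key.verify(OpenSSL::Digest.new('SHA256'), raw_to_der(raw), "#{h}.#{c}")
    problems << 'signature does not verify with the key'
  end
  problems
end

if $PROGRAM_NAME == __FILE__
  # Constructed stand-in for the real key; with Apple's file: key = load_apple_key('___PATH_TO_KEY_FILE___')
  key = OpenSSL::PKey::EC.generate('prime256v1')
  ids = { team_id: 'TEAMID0000', client_id: 'com.example.web', key_id: 'KEYID00000' } # placeholders

  secret = apple_client_secret(key, **ids)
  puts secret
  p check_client_secret(secret, key, **ids) # no problems for a freshly generated secret

  # Claims altered after signing: the sub check and the signature check both fail
  h, _c, s = secret.split('.')
  forged = [h, b64url(JSON.generate('iss' => ids[:team_id], 'sub' => 'someone-else')), s].join('.')
  p check_client_secret(forged, key, **ids)
end
```

Run the checker against the token you are about to paste into Keycloak (with the same Team ID, Services ID and Key ID you typed into the form): a mismatch between the form fields and the claims inside the JWT is the most common reason the Apple token exchange fails silently on the Keycloak side.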
That’s it. We hope these detailed instructions help you set up the Sign in with Apple feature for your app.
What’s next? To request additional scopes from Apple, open the provider’s Advanced settings.