
Apple Sign In With Keycloak: How To Setup With Ease

“Sign In with Apple” is a new feature that lets users sign in to apps with their Apple ID. It improves the security and privacy of users’ accounts in those apps.

Since most iOS and macOS users already have an Apple ID, “Sign In with Apple” lets them use it to sign in to third-party websites and apps as well.

For now, Keycloak does not ship a ready-to-use identity provider for Apple the way it does for Google or Facebook. Sign In with Apple is obligatory for publishing apps in the App Store. Integrating this feature with Keycloak is not rocket science, but it has some non-obvious pitfalls that are hard to get right on the first try, and the Sign In with Apple guidelines do not answer every question that comes up in practice.

Our FreySoft team implemented Sign In with Apple for our recruitment app. In this post we give you a step-by-step plan for integrating Apple Sign In with Keycloak.

Configure Sign In with Apple in 4 Steps

Step 1

First, sign in to your account on developer.apple.com. Then go to Identifiers, select App IDs in the upper right corner, and click the Plus icon next to Identifiers.

You will see a list of identifier types that looks like this:

Configure Sign In with Apple in 4 Steps: Choose App IDs
Image source: FreySoft

Choose App IDs, press Continue, and select the type “App”.

Apple Sign In: Step 1
Image source: FreySoft

After pressing Continue, enter a Description (something descriptive that relates to your application) and a Bundle ID (we entered our reverse domain name). Make sure Explicit is selected here!

Apple Sign In With Keycloak
Image source: FreySoft

Put a checkmark in front of Sign in with Apple and press Edit.

Sign In with Apple: A checkmark
Image source: FreySoft

Then select Enable as a primary App ID. In “Server to Server Notification Endpoint”, enter the URL of your Keycloak server and press Save.

Enable as a primary App ID
Image source: FreySoft

Step 2

Go to Identifiers again. In the upper right corner, select Services IDs instead of App IDs, and press the Plus icon.

Select Services IDs instead of App IDs
Image source: FreySoft

Select Services IDs and press Continue.

Services IDs
Image source: FreySoft

Enter a description such as “Service for authorization through website”, insert your Identifier, and press Continue.

Service for authorization through website
Image source: FreySoft

Your newly created service is now listed. Press Configure.

Integrate Apple Sign In with Keycloak
Image source: FreySoft

Select the Primary App ID you created earlier.

Primary App ID
Image source: FreySoft

Under Website URLs, make sure the domain and subdomain are correct, then press Next if everything is OK.

Check out Website URLs
Image source: FreySoft

Enter your Keycloak domain and the redirect URL.

Keycloak domain and URL redirect address
Image source: FreySoft

Step 3

Next we need to create a key. Press the Plus icon next to Keys.

Create Keys
Image source: FreySoft

Select Sign in with Apple and press Configure. 

Sign in with Apple
Image source: FreySoft

Select the name of Primary App ID and press Save.

The name of Primary App ID
Image source: FreySoft

Choose your key name and press Continue.

Choose your key name
Image source: FreySoft

Press Register.

Register A New Key
Image source: FreySoft

After that you have two options, Download and Done. If you choose Download, you can do it only once, so make sure you save the Key ID as well. If you choose Done, you will be able to download the key later.

Press Download.

To save Key ID
Image source: FreySoft

Step 4

After downloading the key, go to the Keycloak Admin Console. Under Identity providers, choose the Apple provider and fill in the following fields.

The Keycloak Admin Console
Image source: FreySoft

To do it the right way, you need to generate the Client Secret from your private key.

1. Use the Ruby JWT library, because Apple uses the JWT standard for the client secret. Install Ruby and the JWT gem by running this command:

gem install jwt

Once the jwt gem is available, you can fill in the missing values in the Add Apple provider form.

2. Take the Client ID value from the previous step.
Client ID
Image source: FreySoft
3. Take your Apple Team ID from the top right corner of the screen, below your account name.
Take your Apple Team ID
Image source: FreySoft
4. Use the Key ID you already saved when you configured Keys.
5. Then do some coding:
require 'jwt'
require 'openssl'

key_file  = '___PATH_TO_KEY_FILE___'   # the .p8 key file downloaded in Step 3
team_id   = '___TEAM_ID___'            # Apple Team ID from step 3 above
client_id = '___CLIENT_ID___'          # Client ID from step 2 above
key_id    = '___KEY_ID___'             # Key ID saved in Step 3

# Load the private key Apple issued for Sign in with Apple
ecdsa_key = OpenSSL::PKey::EC.new(IO.read(key_file))

# Apple looks up the matching public key by the Key ID in the JWT header
headers = { 'kid' => key_id }

claims = {
  'iss' => team_id,
  'iat' => Time.now.to_i,
  'exp' => Time.now.to_i + 86400 * 180,  # 6 months, the maximum lifetime
  'aud' => 'https://appleid.apple.com',
  'sub' => client_id,
}

token = JWT.encode(claims, ecdsa_key, 'ES256', headers)
puts token

This code generates a JWT using the ES256 algorithm which includes a handful of claims. 

Importantly, this JWT may be valid for 6 months at most. If you generate a new client secret every time a user authenticates, you should use a much shorter expiration instead of 6 months; the 6-month lifetime lets us generate the secret once and use it in our sample apps easily.

Now you can run this from the command line and it will output a JWT.

ruby client_secret.rb
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
6. Copy the generated token (the base64url-encoded JWT) and paste it as the Client Secret in Keycloak.
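As an added example (not FreySoft's code and not part of the original post), the script below builds the same client secret without the jwt gem, using only Ruby's bundled openssl and json libraries, so the three JWT segments and the ES256 signature format are visible, and then runs the sanity checks worth doing before pasting a secret into Keycloak: the header must say alg ES256 with your kid, aud must be https://appleid.apple.com, the lifetime must not exceed 6 months, and the signature must verify. It assumes a throwaway P-256 key generated in place of the downloaded .p8 file, and ___TEAM_ID___, ___CLIENT_ID___ and ___KEY_ID___ are placeholders; the 180-day constant is the article's own maximum.

```ruby
# Added example, not the article's code: Sign in with Apple client secret
# built with Ruby's bundled openssl/json only (no jwt gem), plus local checks.
require 'openssl'
require 'json'

APPLE_AUD  = 'https://appleid.apple.com'
SIX_MONTHS = 86_400 * 180   # maximum client-secret lifetime used in the article

# base64url without padding, as JWT segments require (RFC 7515)
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0')
end

# OpenSSL emits ECDSA signatures as DER; ES256 in JWS wants raw r||s (64 bytes)
def der_to_raw(der)
  OpenSSL::ASN1.decode(der).value.map { |i| i.value.to_s(2).rjust(32, "\x00") }.join
end

def raw_to_der(raw)
  ints = [raw[0, 32], raw[32, 32]].map { |v| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(v, 2)) }
  OpenSSL::ASN1::Sequence.new(ints).to_der
end

# Build the client secret. Pass a short lifetime (e.g. 300) if you mint a
# fresh secret per authentication instead of reusing one for months.
def apple_client_secret(ec_key, team_id:, client_id:, key_id:, now: Time.now.to_i, lifetime: SIX_MONTHS)
  header = { 'alg' => 'ES256', 'kid' => key_id }
  claims = { 'iss' => team_id, 'iat' => now, 'exp' => now + lifetime,
             'aud' => APPLE_AUD, 'sub' => client_id }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  der_sig = ec_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(der_to_raw(der_sig))}"
end

# Local sanity checks on a secret before it goes into Keycloak. Returns 'ok'
# or a short reason string describing the first failed check.
def check_client_secret(token, ec_key, key_id:, now: Time.now.to_i)
  h64, c64, s64 = token.split('.')
  return 'malformed' unless h64 && c64 && s64
  header = JSON.parse(b64url_decode(h64))
  claims = JSON.parse(b64url_decode(c64))
  return 'alg must be ES256' unless header['alg'] == 'ES256'
  return 'kid mismatch' unless header['kid'] == key_id
  return 'aud must be appleid.apple.com' unless claims['aud'] == APPLE_AUD
  return 'lifetime exceeds 6 months' if claims['exp'] - claims['iat'] > SIX_MONTHS
  return 'expired' if claims['exp'] <= now
  der_sig = raw_to_der(b64url_decode(s64))
  ec_key.verify(OpenSSL::Digest.new('SHA256'), der_sig, "#{h64}.#{c64}") ? 'ok' : 'bad signature'
end

if $PROGRAM_NAME == __FILE__
  # Ephemeral key standing in for the .p8 file downloaded in Step 3 (constructed)
  key = OpenSSL::PKey::EC.generate('prime256v1')
  token = apple_client_secret(key, team_id: '___TEAM_ID___',
                              client_id: '___CLIENT_ID___', key_id: '___KEY_ID___')
  puts token
  puts check_client_secret(token, key, key_id: '___KEY_ID___')
end
```

To run it against a real key, replace the generated key with OpenSSL::PKey::EC.new(File.read(path_to_your_p8_file)). Decoding the first segment of a real token should show {"alg":"ES256","kid":"..."}; a token whose header says HS256 is not an Apple client secret.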

Save the configuration and then test it.
Before publishing your app to the App Store, keep in mind that the Sign in with Apple button in your Keycloak theme should match Apple's button styles.

That’s it. Hope our detailed instructions will help you manage the Sign in with Apple feature for your app. 

What’s next? Need to specify the scope? Then go to Advanced settings.
