Prerequisites:
- Apple Developer Account with paid membership
- Access to Apple Developer Console
- Your application's domain information
- Basic understanding of OAuth2 and OpenID Connect protocols
- Valid SSL certificate for your domain
⚠️ Important Note:
Apple SSO only supports OAuth2/OpenID Connect protocol. SAML is not supported by Apple's Sign in with Apple service.
OAuth2 Configuration for Apple SSO
Apple's Sign in with Apple is an OAuth 2.0 / OpenID Connect identity service that lets users sign in to your application with their Apple ID. This guide walks through configuring that integration: registering the identifiers and key in the Apple Developer Console, entering the resulting values in your application, and generating the JWT client secret Apple requires.
Step 1: Access Apple Developer Console
1. Sign in to Apple Developer Console
Navigate to the Apple Developer Console and sign in with your Apple Developer account.
2. Navigate to Certificates, Identifiers & Profiles
In the Apple Developer Console, go to Certificates, Identifiers & Profiles from the main menu.
Step 2: Create App ID
3. Create New App ID
Click "Identifiers" → "+" to create a new App ID.
4. Configure App ID
Select "App IDs" and click "Continue". Then configure:
- Description: Your Application Name
- Bundle ID: an explicit, reverse-domain identifier such as com.yourcompany.yourapp. A web-only integration still needs an App ID, because the Service ID created in Step 3 must be attached to one as its Primary App ID.
5. Enable Sign in with Apple
Scroll down to "Capabilities" and check "Sign In with Apple". Click "Continue" and then "Register".
Step 3: Create Service ID
6. Create Service ID
Go back to "Identifiers" → "+" and select "Services IDs".
7. Configure Service ID
Enter the following details:
- Description: Your Application Web Service
- Identifier: com.yourcompany.yourapp.web (unique identifier; this becomes your OAuth client_id)
8. Configure Sign in with Apple
Check "Sign In with Apple" and click "Configure".
Step 4: Configure Web Domain
9. Add Primary App ID
Select your App ID from the dropdown and click "Save".
10. Configure Domains and Subdomains
Add your domain information:
- Domains and Subdomains: yourdomain.com
- Return URLs: https://yourdomain.com/oauth/callback
Return URLs must use HTTPS, cannot contain wildcards, and must match the redirect_uri your application sends byte for byte (scheme, host, path and any trailing slash included); Apple rejects an authorization request whose redirect_uri is not in this list.
Step 5: Create Private Key
11. Navigate to Keys
Go to "Keys" → "+" to create a new key.
12. Configure Key
Enter the following details:
- Key Name: Sign in with Apple Key
- Key ID: assigned by Apple when the key is registered
13. Enable Sign in with Apple
Check "Sign In with Apple" and click "Configure". Select your Primary App ID and click "Save".
14. Download Private Key
Click "Register" and then "Download" to download the private key file (.p8). Important: this file can only be downloaded once. It is the signing key for every client secret you will issue, so store it in a secrets manager rather than in source control, and restrict access to the service that mints client secrets.
Step 6: Note Configuration Values
15. Collect Required Information
Note the following values from your Apple Developer Console:
- Team ID: the 10-character identifier shown under Membership Details and next to your team name in the console header
- Service ID: The identifier you created (e.g., com.yourcompany.yourapp.web)
- Key ID: The key identifier from the private key you created
- Private Key: The contents of the downloaded .p8 file
Step 7: Configure Your Application
16. Enter Apple Configuration
In your application's SSO configuration, enter the following details:
OAuth2 Settings
Client ID: {your-service-id}
Client Secret: [Generated using your private key; see Step 8]
Authorization Endpoint: https://appleid.apple.com/auth/authorize
Token Endpoint: https://appleid.apple.com/auth/token
User Info Endpoint: none. Apple does not expose a userinfo endpoint; the user's stable identifier (sub), email and email_verified flag are claims in the id_token returned by the token endpoint, and the name is delivered only once, in the user form field of the first sign-in callback.
Redirect URI: https://yourdomain.com/oauth/callback
Scope: name email
Response Mode: form_post (required by Apple whenever the name or email scope is requested; the callback arrives as a POST to the Redirect URI, not as a GET with query parameters)
Team ID: {your-team-id}
Key ID: {your-key-id}
Private Key: [Contents of your .p8 file]
Step 8: Generate Client Secret
17. Create JWT Token
Apple does not issue a static client secret. Instead, the client secret is a JWT that you sign with the .p8 private key from Step 5 using ES256, with iss set to your Team ID, sub set to your Service ID, aud set to https://appleid.apple.com, and the Key ID in the kid header. Apple rejects secrets whose exp is more than six months after iat. Here's an example using Node.js and the jsonwebtoken package:
const jwt = require('jsonwebtoken');
const fs = require('fs');

// The .p8 file downloaded in Step 5 (PEM-encoded EC private key). In production load it
// from a secrets store rather than from a path checked into the repository.
const privateKey = fs.readFileSync('path/to/your/private-key.p8');
const teamId = 'YOUR_TEAM_ID';       // iss claim
const keyId = 'YOUR_KEY_ID';         // kid header, identifies the key at Apple
const clientId = 'YOUR_SERVICE_ID';  // sub claim: the Service ID, not the App ID

// Empty payload: jsonwebtoken fills in iat, exp, aud, iss and sub from the options.
const token = jwt.sign({}, privateKey, {
  algorithm: 'ES256',                    // Apple accepts only ES256 for client secrets
  expiresIn: '180d',                     // must stay under Apple's six-month maximum
  audience: 'https://appleid.apple.com',
  issuer: teamId,
  subject: clientId,
  keyid: keyId,                          // emitted as the kid header
});
console.log('Client Secret:', token);
Step 9: Test Configuration
18. Test Apple Sign In
Test the Apple Sign In configuration by attempting to sign in with an Apple ID. Confirm that the callback arrives as a POST to your Return URL, that the id_token validates against Apple's public keys (https://appleid.apple.com/auth/keys) with iss https://appleid.apple.com and aud equal to your Service ID, and that a user who chose "Hide My Email" is recorded with their @privaterelay.appleid.com address.
Important Notes:
- Apple Sign In requires HTTPS for all domains and Return URLs
- The private key (.p8 file) can only be downloaded once
- Client secrets (JWT tokens) expire at the exp you set, which Apple caps at six months; rotate the secret before the 180-day lifetime used above lapses, or the token endpoint will start answering invalid_client
- Apple may take up to 24 hours to activate new configurations
Apple SSO Benefits:
- Enhanced privacy with Apple's privacy-focused approach
- Seamless integration with iOS, macOS, and web applications
- User-friendly authentication experience
- Support for two-factor authentication
- Compliance with Apple's App Store guidelines
Troubleshooting
Common Apple SSO Issues
- invalid_client error: make sure client_id is the Service ID (not the App ID or Bundle ID), and that the client secret JWT is signed with the key named in its kid header, has not expired, and carries aud https://appleid.apple.com
- Invalid redirect URI: verify the redirect_uri matches a configured Return URL exactly, including scheme, host, path and any trailing slash
- JWT token errors: ensure the .p8 key, Team ID, Key ID and Service ID used to sign the secret all belong to the same team, and that the token is signed with ES256
- Domain verification issues: ensure your domain is served over HTTPS with a valid certificate
- Team ID mismatch: verify the iss claim is the Team ID that owns both the key and the Service ID
Apple-Specific Issues
- Configuration not active: Apple may take up to 24 hours to activate new configurations
- Private key lost: the .p8 cannot be downloaded again; create a new key, switch client-secret generation to it, then revoke the old key in the console
- App Store compliance: ensure your implementation follows Apple's guidelines
- User privacy: respect user privacy choices; users who choose "Hide My Email" appear with a @privaterelay.appleid.com relay address, and mail you send to that address is only delivered if your sending domain is registered for Sign in with Apple email communication in the console
Development vs Production
- Development: Sign in with Apple has no separate sandbox for the web flow, so register a second Service ID and Return URL for your staging domain (it must also be a public HTTPS host; Apple does not accept localhost or plain-HTTP Return URLs) and keep its key and client secret separate from production
- Production: use the production Service ID, key and Return URL, and sign in with real Apple IDs
- Testing: test thoroughly with both personal and Managed Apple IDs, including a user who picks "Hide My Email"
Support
If you encounter any issues during configuration, please contact our support team with the following information:
- Error messages or screenshots
- Apple Developer Team ID and Service ID
- Configuration details (without sensitive information)
- Steps taken before the issue occurred
- Apple Developer Console logs (if available)
© 2024 Your Company. All rights reserved. | This document is confidential and intended for authorized users only.