Notes on Sign In with Apple

Sign In with Apple is an authentication service by Apple similar to Facebook Login or Google Sign-In. Here are my notes on integrating it with website sign-in while working on a WordPress specific implementation.

Sign In with Apple is targeted at companies and services with existing iOS or macOS apps since the authentication flow uses the app icon from the primary App ID. While currently it appears to be working with new App IDs that don’t have a published app, that could change.

At core it uses standards such as OAuth and JWT which is awesome!

Requirements for Sign In with Apple

I didn’t have an Apple Developer membership until yesterday so I had to create and configure everything from scratch and it took a while. Here it is step by step:

Note that the authentication flow uses the app icon from your main App ID so I’m not sure how Apple intends this to work with sites that don’t have an associated app. Here is the authentication prompt:

Sign In with Apple login page after clicking on the Sign In button
Sign In with Apple authentication prompt with missing app icon.

Two-Factor Authentication

Apple users accounts must have two-factor authentication enabled to actually sign-in with their Apple ID. Visit your Apple ID account on your device or on the web to enable the Two-Factor authentication.

Sign In with Apple JS

Sign In with Apple JS is a simple integration for adding the actual Sign In with Apple button or link to the page. All it does is generates the authentication link based on the Service ID and the return URL specified in the <meta> tags in the page <head>.

The official JS library will also enable native Sign In experience on Safari (from 30 minute mark of this Apple video):

Native Sign In with Apple dialog in Safari on macOS.
Native Sign In with Apple dialog in Safari on macOS.

Your website or app will still have to include custom logic to capture the authentication responses from Apple and create users or sign-in users based on the response data.

Sign In with Apple REST API

Sign In with Apple REST API is used for fetching the Apple’s public key for validating the authentication responses.

How to Review and Delete Authenticated Websites

Websites using your Apple ID for sign-in can be reviewed and removed under the Security section of your Apple ID profile:

List of apps and websites using your Apple ID.

Related Research and Links

Open Questions

How to Access User Name and Email?

Currently the id_token in JWT response includes only subject or sub field with a unique user identifier. The JWT reponse doesn’t include user’s name or email even when they’re requested in scope.

{
  "iss": "https://appleid.apple.com",
  "aud": "net.kaspars.mycustomid",
  "exp": 1559646675,
  "iat": 1559646075,
  "sub": "001111.532aa1f2229d4b70985bdbf913bb1ca1.2222"
}

Normally the authenticated name and email would be included as separate fields in the decoded id_token.

Use Contact Form 7 to collect business leads and enquiries? I created Storage for Contact Form 7 plugin which stores them safely in WordPress database.

Get it now for only $19 →

Leave a Reply