---
title: Notes on Sign In with Apple
date: 2019-06-05T07:22:57+00:00
modified: 2019-06-10T05:18:19+00:00
image: https://kaspars.net/wp-content/uploads/2019/06/sign-in-with-apple.jpg
permalink: https://kaspars.net/blog/sign-in-with-apple
post_type: post
author:
  name: Kaspars
  avatar: https://reverse.kaspars.net/gravatar/avatar/92bfcd3a8c3a21a033a6484d32c25a40b113ec6891f674336081513d5c98ef76?s=96&d=mm&r=g
post_tag:
  - Apple
category:
  - Cryptography
  - Development
  - WordPress
---

# Notes on Sign In with Apple

[Sign In with Apple](https://developer.apple.com/sign-in-with-apple/) is an authentication service by Apple similar to [Facebook Login](https://developers.facebook.com/docs/facebook-login/) or [Google Sign-In](https://developers.google.com/identity/sign-in/web/). Here are my notes on integrating it with website sign-in while working on [a WordPress specific implementation](https://github.com/kasparsd/signin-with-apple).

Sign In with Apple is targeted at companies and services with existing iOS or macOS apps, since the authentication flow shows the app icon from the primary App ID. While it currently appears to work with new App IDs that don’t have a published app, that could change.

At its core it builds on open standards such as OAuth 2.0, OpenID Connect and JSON Web Tokens (JWT), which is awesome!

## Requirements for Sign In with Apple

I didn’t have an Apple Developer membership until yesterday, so I had to create and configure everything from scratch, and it took a while. Here is what you need, step by step:

- [Apple Developer membership](https://developer.apple.com/programs/enroll/) which costs $99 per year.
- [App ID identifier](https://developer.apple.com/account/resources/identifiers/list/bundleId) for an iOS or macOS app ([view documentation](https://help.apple.com/developer-account/#/dev04f3e1cfc)). All of the items below will be associated with this App ID.
- [Service ID](https://developer.apple.com/account/resources/identifiers/list/serviceId) for the App ID with “Sign In with Apple” enabled and configured for a specific domain name and “Return URL”. Used as the `client_id` during the authentication flow.
- [Authentication key](https://developer.apple.com/account/resources/authkeys/list) with “Sign In with Apple” service enabled ([view documentation](https://help.apple.com/developer-account/#/dev77c875b7e)). Its private key (a `.p8` file that can be downloaded only once, so keep it outside the web root) signs the JSON Web Token (JWT) that serves as the `client_secret` when exchanging the authorization code during [token validation](https://developer.apple.com/documentation/signinwithapplerestapi/generate_and_validate_tokens).
- [Configured domain names and email addresses](https://developer.apple.com/account/resources/services/configure) to enable Apple to respond to the authentication requests for your domain name (documentation [for domain](https://help.apple.com/developer-account/#/dev1c0e25352) and [email relay configuration](https://help.apple.com/developer-account/#/devf822fb8fc)).
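As an added example (not code from this post or from the WordPress plugin), here is how the authentication key from the list above is actually used: a `client_secret` JWT is built and signed with ES256 using the `.p8` private key, and then sent together with the authorization code to Apple’s token endpoint. The Team ID, Key ID and Service ID below are placeholders, and an ephemeral P-256 key stands in for the downloaded `.p8` file; the claim set (`iss` = Team ID, `sub` = Service ID, `aud` = `https://appleid.apple.com`, `exp` at most six months after `iat`) and the raw `r||s` signature encoding are what Apple’s token documentation specifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Placeholder identifiers standing in for the values from the developer account.
const (
	teamID   = "ABCDE12345"             // 10-character Team ID, used as the JWT issuer
	keyID    = "XYZ9876543"             // Key ID of the Sign In with Apple auth key
	clientID = "net.kaspars.mycustomid" // Service ID, used as client_id and as the JWT subject
	appleAud = "https://appleid.apple.com"
)

var b64 = base64.RawURLEncoding

// newSigningKey generates an ephemeral P-256 key that stands in for the .p8 key.
func newSigningKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// clientSecret builds the JWT sent as client_secret to /auth/token, signed with ES256
// using the private key from the .p8 file. Apple caps its lifetime at six months.
func clientSecret(priv *ecdsa.PrivateKey, now time.Time, ttl time.Duration) (string, error) {
	if ttl <= 0 || ttl > 180*24*time.Hour {
		return "", fmt.Errorf("client_secret lifetime must be positive and at most six months")
	}
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": keyID})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": teamID, "iat": now.Unix(), "exp": now.Add(ttl).Unix(),
		"aud": appleAud, "sub": clientID,
	})
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// A JWS ES256 signature is the raw r||s pair, each left-padded to 32 bytes,
	// not the DER SEQUENCE that most ECDSA APIs emit by default.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyClientSecret applies the checks Apple makes on the secret: ES256 signature
// under the public key registered for kid, then iss, aud, sub and exp.
func verifyClientSecret(token string, pub *ecdsa.PublicKey, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed JWT")
	}
	raw, e1 := b64.DecodeString(parts[1])
	sig, e2 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || len(sig) != 64 {
		return fmt.Errorf("malformed JWT encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return fmt.Errorf("signature does not verify")
	}
	var c struct{ Iss, Aud, Sub string; Exp int64 }
	if err := json.Unmarshal(raw, &c); err != nil {
		return err
	}
	if c.Iss != teamID || c.Aud != appleAud || c.Sub != clientID {
		return fmt.Errorf("unexpected iss, aud or sub")
	}
	if now.Unix() >= c.Exp {
		return fmt.Errorf("client_secret expired")
	}
	return nil
}

// tokenRequestBody is the form body POSTed to https://appleid.apple.com/auth/token.
func tokenRequestBody(code, secret, redirectURI string) string {
	return url.Values{"client_id": {clientID}, "client_secret": {secret}, "code": {code},
		"grant_type": {"authorization_code"}, "redirect_uri": {redirectURI}}.Encode()
}

func main() {
	priv := newSigningKey()
	secret, _ := clientSecret(priv, time.Now(), 24*time.Hour)
	fmt.Println(secret, verifyClientSecret(secret, &priv.PublicKey, time.Now()))
	fmt.Println(tokenRequestBody("c0de", secret, "https://example.com/apple-callback"))
}
```

There is no reason to mint a six-month secret and store it: a short-lived one generated per token request is just as valid, and it never has to be persisted anywhere the private key isn’t already.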

Note that the authentication flow uses the app icon from your main App ID, so I’m not sure how Apple intends this to work with sites that don’t have an associated app. Here is the authentication prompt:

![Sign In with Apple login page after clicking on the Sign In button](https://kaspars.net/wp-content/uploads/2019/06/sign-in-with-apple-prompt.png?strip=all&quality=90&resize=1007,704)

Sign In with Apple authentication prompt with missing app icon.

## Two-Factor Authentication

Apple user accounts must have two-factor authentication enabled to actually sign in with their Apple ID. Visit [your Apple ID account](https://support.apple.com/en-us/HT203993) on your device or [on the web](https://appleid.apple.com/account/manage) to enable two-factor authentication.

## Sign In with Apple JS

[Sign In with Apple JS](https://developer.apple.com/documentation/signinwithapplejs) is a simple integration for adding the actual Sign In with Apple button or link to the page. All it does is generate the authorization link from the Service ID and the return URL specified in the `<meta>` tags in the page `<head>`.

The official JS library also enables the native Sign In experience in Safari (from the 30-minute mark of [this Apple video](https://developer.apple.com/videos/play/wwdc2019/706/)):

[![Native Sign In with Apple dialog in Safari on macOS.](https://kaspars.net/wp-content/uploads/2019/06/safari-sign-in-with-apple-native-experience.png?strip=all&quality=90&resize=1024,576)](https://kaspars.net/wp-content/uploads/2019/06/safari-sign-in-with-apple-native-experience.png)

Native Sign In with Apple dialog in Safari on macOS.

Your website or app will still have to include custom logic to capture the authentication responses from Apple and create or sign in users based on the response data.
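What that custom logic looks like on the server side, as an added example written for this post rather than taken from the plugin: the same authorization link the JS library derives from the meta tags, with `state` and `nonce` added, and the handler for the form POST Apple sends to the Return URL. The Service ID and Return URL are placeholders, and the callback body in `main` is a constructed sample of what Apple posts back.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
)

// Placeholder values standing in for the Service ID and the Return URL registered for it.
const (
	clientID    = "net.kaspars.mycustomid"
	redirectURI = "https://example.com/apple-callback"
)

// randomToken returns 32 CSPRNG bytes as base64url; used for both state and nonce.
func randomToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// authorizeURL builds the same link that Sign In with Apple JS derives from the meta
// tags, plus state (anti-CSRF, kept in the session) and nonce (expected back inside
// the id_token). response_mode=form_post is mandatory whenever scope is requested,
// so the Return URL has to accept a POST rather than a GET with query parameters.
func authorizeURL(state, nonce string) string {
	q := url.Values{}
	q.Set("response_type", "code id_token")
	q.Set("response_mode", "form_post")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "name email")
	q.Set("state", state)
	q.Set("nonce", nonce)
	return "https://appleid.apple.com/auth/authorize?" + q.Encode()
}

// handleCallback parses the form body Apple POSTs to the Return URL. It refuses the
// response unless state equals the value stored in the session (compared in constant
// time, and never empty) and surfaces Apple's error parameter instead of a missing code.
func handleCallback(formBody, sessionState string) (code, idToken string, err error) {
	form, err := url.ParseQuery(formBody)
	if err != nil {
		return "", "", err
	}
	if sessionState == "" || subtle.ConstantTimeCompare([]byte(form.Get("state")), []byte(sessionState)) != 1 {
		return "", "", fmt.Errorf("state mismatch: response does not belong to this session")
	}
	if e := form.Get("error"); e != "" {
		return "", "", fmt.Errorf("apple returned error %q", e)
	}
	if form.Get("code") == "" || form.Get("id_token") == "" {
		return "", "", fmt.Errorf("callback is missing code or id_token")
	}
	return form.Get("code"), form.Get("id_token"), nil
}

func main() {
	state, _ := randomToken()
	nonce, _ := randomToken()
	// Store state and nonce in the session before redirecting the browser here.
	fmt.Println(authorizeURL(state, nonce))
	// Constructed sample of the body Apple would POST back to the Return URL.
	body := url.Values{"code": {"c0de"}, "id_token": {"eyJ.eyJ.sig"}, "state": {state}}.Encode()
	fmt.Println(handleCallback(body, state))
}
```

Because the callback is a cross-site POST, session cookies with `SameSite=Strict` will not be sent with it; `Lax` still works for a top-level POST only in some browsers, so test that the state stored before the redirect is actually readable when the callback arrives.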

## Sign In with Apple REST API

[Sign In with Apple REST API](https://developer.apple.com/documentation/signinwithapplerestapi) is used for exchanging the authorization code for tokens and for fetching Apple’s public keys to validate the `id_token` in the authentication responses.
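The validation those public keys enable, as an added example (not the plugin’s code): the key set fetched from `/auth/keys` is parsed, the key is chosen by the `kid` in the token header, the RS256 signature is checked, and only then are the claims compared against what this site expects. Apple’s real keys cannot be reached offline, so a constructed fixture generates an ephemeral RSA key, publishes it as a key set with the same JSON shape, and signs an `id_token` carrying the claims this post lists under Open Questions; `example-kid` and `example-nonce` are placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// One key of the set served at /auth/keys, and the id_token claims; encoding/json
// matches the lowercase JSON keys ("kty", "kid", "iss", ...) case-insensitively.
type jwk struct{ Kty, Kid, N, E string }
type idTokenClaims struct {
	Iss, Aud, Sub, Nonce string
	Exp, Iat             int64
}

// keyByKid parses the fetched key set and returns the RSA key whose kid matches, or nil.
func keyByKid(keysJSON []byte, kid string) *rsa.PublicKey {
	var set struct{ Keys []jwk }
	if err := json.Unmarshal(keysJSON, &set); err != nil {
		return nil
	}
	for _, k := range set.Keys {
		n, e1 := b64.DecodeString(k.N)
		e, e2 := b64.DecodeString(k.E)
		if k.Kid == kid && k.Kty == "RSA" && e1 == nil && e2 == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	return nil
}

// verifyIDToken does what the server side must do with the id_token: pin alg to RS256 (never
// let the token's own header choose), select Apple's key by kid, verify the signature, then
// check iss, aud (must equal the Service ID), exp and the nonce bound to this login attempt.
func verifyIDToken(token string, keysJSON []byte, clientID, nonce string, now time.Time) (*idTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	hdrRaw, e1 := b64.DecodeString(parts[0])
	claimsRaw, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, fmt.Errorf("malformed JWT encoding")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected header alg %q", hdr.Alg)
	}
	pub := keyByKid(keysJSON, hdr.Kid)
	if pub == nil {
		return nil, fmt.Errorf("no usable RSA key with kid %q in key set", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("id_token signature does not verify")
	}
	var c idTokenClaims
	if err := json.Unmarshal(claimsRaw, &c); err != nil {
		return nil, err
	}
	if c.Iss != "https://appleid.apple.com" || c.Aud != clientID {
		return nil, fmt.Errorf("unexpected iss %q or aud %q (aud must be our Service ID)", c.Iss, c.Aud)
	}
	if now.Unix() >= c.Exp || c.Nonce != nonce {
		return nil, fmt.Errorf("id_token expired or nonce does not match this login attempt")
	}
	return &c, nil
}

// makeFixture is constructed scaffolding, not part of a real integration: an ephemeral RSA
// key stands in for Apple's, is published as a key set shaped like /auth/keys, and signs an id_token.
func makeFixture(kid string, claims map[string]interface{}) (keysJSON []byte, token string, err error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	keysJSON, _ = json.Marshal(map[string]interface{}{"keys": []map[string]string{{
		"kty": "RSA", "kid": kid, "use": "sig", "alg": "RS256",
		"n": b64.EncodeToString(priv.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}})
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return keysJSON, input + "." + b64.EncodeToString(sig), err
}

func main() {
	claims := map[string]interface{}{"iss": "https://appleid.apple.com", "aud": "net.kaspars.mycustomid", "exp": 1559646675,
		"iat": 1559646075, "sub": "001111.532aa1f2229d4b70985bdbf913bb1ca1.2222", "nonce": "example-nonce"}
	keys, tok, _ := makeFixture("example-kid", claims)
	fmt.Println(verifyIDToken(tok, keys, "net.kaspars.mycustomid", "example-nonce", time.Unix(1559646100, 0)))
}
```

The key set can be cached, but an unknown `kid` should trigger a refetch rather than a rejection, because the set contains more than one key and Apple can rotate them. Nothing in the token, `sub` included, should be used to look up or create a WordPress user until `verifyIDToken` has returned without error.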

## How to Review and Delete Authenticated Websites

Websites using your Apple ID for sign-in can be reviewed and removed under the Security section of your [Apple ID profile](https://appleid.apple.com/account/manage):

![List of apps and websites using your Apple ID](https://kaspars.net/wp-content/uploads/2019/06/apps-using-apple-id-settings-account.png?strip=all&quality=90&resize=1024,414)

List of apps and websites using your Apple ID.

## Related Research and Links

- [Notes on IndieWeb](https://indieweb.org/Sign_In_with_Apple).
- [Simple integration example](https://github.com/aaronpk/sign-in-with-apple-example) with [documentation](https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple) by [Aaron Parecki](https://aaronparecki.com/).

## Open Questions

### How to Access User Name and Email?

Currently the `id_token` JWT in the response includes only the subject (`sub`) claim with a unique user identifier, alongside the standard `iss`, `aud`, `exp` and `iat` claims. It doesn’t include the user’s name or email even when they’re requested in `scope`.

```json
{
  "iss": "https://appleid.apple.com",
  "aud": "net.kaspars.mycustomid",
  "exp": 1559646675,
  "iat": 1559646075,
  "sub": "001111.532aa1f2229d4b70985bdbf913bb1ca1.2222"
}
```

In a typical OpenID Connect flow the user’s name and email would be included as separate claims in the decoded `id_token` when the corresponding scopes are granted.