Sign in with Apple

Posted May 25, 2020, 11 min read

1 Overview

This article summarises how Apple ID login (Sign in with Apple) was integrated; I hope it is helpful to others.

Apple introduced "Sign In with Apple" at its WWDC19 conference. It resembles WeChat one-click login, but there are some differences:

  • WeChat has the concepts of UnionID and OpenID. Apple has only one Apple user ID, and all applications under the same developer account receive the same ID for a given user
  • WeChat can fetch user information directly through its API. Apple's OAuth2 code-verification interface does not return user information; the client has to report it to the server
  • Apple's OAuth2 code-verification interface returns a JWT, and the user ID is embedded in that JWT, so the server has to decode it to get the ID
  • Apple provides two interfaces in total and supports both an OAuth2 and a JWT verification scheme. For generality we chose the OAuth2 scheme this time
2 Application Resources

Before initiating a request, you need to prepare three parameters and a private key (ask the person in charge of the iOS client for them):

  • Team ID, a 10-character string, shown in the upper right corner of the Apple developer account page
  • Key ID, a 10-character string, configured in the Apple developer account; see [Create Private Key](https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple#create-a-private-key-for-client-authentication)
  • Client ID, the bundle ID of the app
  • Private Key, a .p8 file that can be downloaded only once from Apple's developer site; see the same [Create Private Key](https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple#create-a-private-key-for-client-authentication) link

Example parameters:

```
apple_login_team_id = "89XXXX8FZF"
apple_login_key_id = "QPFXXXXW67"
apple_login_client_id = "com.gdinke.soulmatch"
```

Certificate example (the .p8 file is a PEM-encoded private key: a base64 body between the two delimiter lines):

```
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
```
3 Authentication process and sequence diagram

Authentication process:

  1. The client calls the iOS system API to start the authentication process, which sends a request to Apple
  2. Apple returns the user's OAuth2 authorization code and user information such as nickname and email
  3. The client sends the authorization code to the server, via the interface https://service.hnyapu.cn/user/account/apple_login
  4. The server reads the authorization code from the client request and asks Apple to verify that it is valid, via the interface [https://appleid.apple.com/auth/token](https://appleid.apple.com/auth/token)
  5. Apple verifies that the code is valid
  6. Apple returns the user's Apple ID
  7. The server returns the user's UID and session ID to the client

Sequence diagram (generated by Typora + markdown + mermaid):

```mermaid
sequenceDiagram
    APP client->>Apple: 1. Request auth code
    Apple->>APP client: 2. Return auth code
    APP client->>+APP server: 3. Send auth code
    APP server->>Apple: 4. Request verification of auth code
    Apple->>Apple: 5. Verify auth code
    Apple->>APP server: 6. Return user AppleID
    APP server->>-APP client: 7. Return uid and sid to the client
```

4 Documentation and code

For access to the project code, please contact Fang Chuwei, Lin Xuping or Yang Xiongjun.

5 Reference materials

5.1 Apple ID server acceleration proxy

During the testing phase we observed occasional high latency when reaching Apple's services from the mainland data centre, which we suspect is caused by GFW interference. SRE helped by providing a layer-4 proxy server (Tencent Beijing -> Tencent Cloud networking -> Tencent Hong Kong -> public Internet -> Apple servers).

The test report on the proxy's acceleration effect is on the wiki: Voice coil Apple server connection proxy test

Modify /etc/hosts and add the following line for it to take effect (verify in the test environment first and confirm that the proxy server is reachable at the network level). Because the proxy works at layer 4, the TLS connection still terminates at Apple, so certificate validation for appleid.apple.com is unaffected:

10.213.0.4 appleid.apple.com

5.2 Apple Developer portal configuration steps

In iOS 13, an app that offers third-party login must also offer Sign in with Apple, and all developers were required to update their existing apps by April 2020; otherwise the app does not pass review.

The iOS Sign in with Apple series:

  • Apple Developer configuration article
  • Native iOS article
  • uniapp article
  • Server-side article

The Apple Developer configuration article in the iOS Sign in with Apple series is written mainly for non-iOS developers (such as uniapp developers).

Log in to Apple Developer

  1. Open and log in to the Apple Developer website: https://developer.apple.com
  2. Click the Certificates, Identifiers & Profiles button

Configure Sign in with Apple

Enable Sign in with Apple for an existing app

  1. Select Identifiers in the left column, then on the right select the App ID for which you want to enable Sign in with Apple and click it to open.

[Screenshot](http://www.wangquanwei.com/wp-content/uploads/2019/12/1576749462-1F91EBA8-DC36-4E94-8FC8-BB6C02157FE6.jpeg)

  2. Scroll down and find Sign In with Apple

[Screenshot](http://www.wangquanwei.com/wp-content/uploads/2019/12/1576752807-CD80D3D4-8FE8-424D-A1EC-1CC13681FE58.jpg)

Clicking Edit on the right opens this prompt:

  1. If you're enabling an App ID for the first time or for a new app, enable the App ID as a primary. You can use primary App IDs on their own or to enable identifiers for related apps and websites through grouping. To enable an App ID for a related app,(for example, an App ID for the iOS version of your Mac app), group it with the existing primary. This will also ensure that users only need to provide consent to share their information with you once for each group of apps and websites.

Then click Save in the upper right corner; the Modify App Capabilities pop-up window appears. Click Confirm.

[Screenshot](http://www.wangquanwei.com/wp-content/uploads/2019/10/1571102938-E467EC71-3592-460C-9B9A-B99AA99E7731.jpeg)

  Modify App Capabilities: Adding or removing any capabilities will invalidate any provisioning profiles that include this App ID and they must be regenerated for future use.

Note: after enabling the capability, the existing provisioning profile becomes invalid, and you need to edit and regenerate the profile.

Create a new app and enable Sign in with Apple

  1. Create Identifiers
  2. Select App IDs and click Continue in the upper right corner
  3. In Register an App ID, fill in the fields in the order shown
  4. Scroll down and check Sign In with Apple under Capabilities
  5. After clicking Continue in the upper right corner, the button changes to Register; click it

Profiles

Enable Sign in with Apple for an existing app

After Sign in with Apple is turned on, existing apps show Invalid in the EXPIRATION column of Profiles.

Click that row, then on the Generate a Provisioning Profile page click Edit and then Save.

Then download the new profile.

Create a new app and enable Sign in with Apple

  1. Click the plus sign on the right side of the Profiles column
  2. Under Register a New Provisioning Profile, choose according to your actual situation; here, as a demonstration, iOS App Development is chosen. After selecting, click Continue
  3. Select the App ID you just created and click Continue
  4. Select the developer certificate. If there is one marked For use in Xcode 11 or later, select it. After selecting, click Continue
  5. Select the devices on which the app may be installed. Devices that are not checked cannot install the app (this does not apply to App Store distribution). After selecting, click Continue
  6. Fill in the name of the provisioning profile and click Generate
  7. Download the profile

Create a key

  1. Select the Keys column on the left to create a private key for client authentication, and click Create a Key

[Screenshot](http://www.wangquanwei.com/wp-content/uploads/2019/12/1576759358-2A7437FA-37BB-4B77-82FF-C4ED7F449EEE.jpeg)

  2. Follow the steps shown below

[Screenshot](http://www.wangquanwei.com/wp-content/uploads/2019/12/1576759666-B5F9BDFE-DCE1-4835-89FF-3B1FF81A0ED9.jpeg)

  3. Select the App ID and save

[Screenshot](http://www.wangquanwei.com/wp-content/uploads/2019/12/1576759819-EDC01C7B-A080-4DA8-9223-C4EC4125E867.jpeg)

  4. Click Continue on the Register a New Key page

That's right! No picture here

  5. Click Register

[Screenshot](http://www.wangquanwei.com/wp-content/uploads/2019/12/1576759986-2E328EE5-5BA5-4199-9651-84332B9133A9.jpeg)

  6. The key can be downloaded only once. The downloaded file ends in .p8; it is recommended to rename it to key.txt for easier use in the next steps

  Apple's prompt reads: After downloading your key, it cannot be re-downloaded as the server copy is removed. If you are not prepared to download your key at this time, click Done and download it at a later time. Be sure to save a backup of your key in a secure place.


[Screenshot](http://www.wangquanwei.com/wp-content/uploads/2019/12/1576760081-1DB749DD-666C-48F7-B32B-3E4ACAAF93A4.jpeg)

The Key ID is used in the authorization-code-based verification. For details, see the server-side article of the iOS Sign in with Apple series.

5.3 Sign in with Apple verification in PHP


The example is built on PHP's Laravel framework. Java developers can refer to https://blog.csdn.net/wpf199402076118/article/details/99677412

Apple provides two verification methods: one based on verifying the JWT, the other based on verifying the authorization code. A third "trick" is also shown here: the "no verification mode".

No verification mode

The backend only needs to receive the following parameters submitted by the app (user and email are the parameter names that Apple returns to the app):

user: the unique identifier of the authorized user. This value is the same in all apps under the same developer account, so developers can use it to bind the user to their own back-end account system

email: the email address. Apple returns it to the app only on the first authorization; on later logins it is not returned

fullName: user information. Apple returns it to the app only on the first authorization; on later logins it is not returned

The developer only has to check whether user (the authorized user's unique identifier) exists in the database: if it does, return the login-success information; if not, insert user, email, fullName and the other fields into the database (adjust the business logic to your own needs). Be aware that in this mode the server trusts whatever user value the client sends, so it cannot distinguish a genuine Apple login from a request that merely claims an existing user's identifier; only the verification modes below bind the reported user to a token signed by Apple.

This is the end of the tutorial for this mode; the rest does not need to be read.

Verification mode

Sign in with Apple backend verification
Verification based on JWT

Sign in with Apple backend JWT verification document:

https://developer.apple.com/documentation/signinwithapplerestapi/fetch_apple_s_public_key_for_verifying_token_signature

Usage guide

The backend only needs to receive the following parameters submitted by the app (user and email are the parameter names that Apple returns to the app):

userID: the unique identifier of the authorized user. This value is the same in all apps under the same developer account, so developers can use it to bind the user to their own back-end account system

email: the email address. Apple returns it to the app only on the first authorization; on later logins it is not returned

fullName: user information. Apple returns it to the app only on the first authorization; on later logins it is not returned

authorizationCode: the authorization code (not used in this method)

identityToken: the JWT credential of the authorized user

How to verify

  1. Install the php-apple-signin library:

```shell
composer require griffinledingham/php-apple-signin
```

  It requires PHP 7.2 or above; for older versions, modify the source, which is at https://github.com/GriffinLedingham/php-apple-signin

  2. Verify the JWT (Laravel controller action):

```php
<?php

namespace App\Http\Controllers;

use AppleSignIn\ASDecoder;
use Illuminate\Http\Request;

class AppleLoginController extends Controller
{
    public function jwtApple(Request $request)
    {
        // Unique identifier of the authorized user, as reported by the app
        $user = $request->input('user');
        // Email (only present on the first authorization)
        $email = $request->input('email');
        // User information (only present on the first authorization)
        $fullName = $request->input('fullName');
        // Authorization code; not used by this method
        $authorizationCode = $request->input('authorizationCode');
        // JWT credential (identityToken) of the authorized user
        $identityToken = $request->input('identityToken');

        // Decode the token and check its signature against Apple's public keys
        $appleSignInPayload = ASDecoder::getAppleSignInPayload($identityToken);
        // True only if the token is valid and its subject matches $user
        $isValid = $appleSignInPayload->verifyUser($user);

        // When $isValid is true the verification passed; add your own logic here
        dd($isValid);
    }
}
```
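As an added example (not from the original post or from the php-apple-signin library), the checks that separate the JWT "verification mode" above from the "no verification mode" are written out in Python: the token's alg/kid header, the signature, the iss, aud and exp claims, and finally that the token's sub equals the user the client reported. The RS256 signature check against Apple's published public key is delegated to a caller-supplied function; `sample_signature_ok`, `SAMPLE_KID`, `SAMPLE_SIG` and `make_sample_token` are hypothetical, constructed stand-ins so the block runs offline.

```python
import base64
import json

APPLE_ISSUER = "https://appleid.apple.com"

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def verified_login(identity_token, reported_user, client_id, signature_ok, now):
    """Return Apple's user ID (the token's sub) only if identityToken is a valid
    Apple token for this app (client_id) naming the user the client reported;
    raise ValueError otherwise. signature_ok(kid, signing_input, signature)
    must check the RS256 signature against Apple's public key for that kid."""
    parts = identity_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    # Apple signs identity tokens with RS256; refuse anything else, e.g. "none".
    if header.get("alg") != "RS256" or "kid" not in header:
        raise ValueError("unexpected alg or missing kid")
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    if not signature_ok(header["kid"], signing_input, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    if claims.get("iss") != APPLE_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:  # token minted for a different app
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("sub") != reported_user:  # the check "no verification mode" skips
        raise ValueError("token subject does not match reported user")
    return claims["sub"]

# Constructed sample material for an offline run; not real Apple keys or tokens.
SAMPLE_KID = "constructed-kid"
SAMPLE_SIG = b"constructed-signature"

def sample_signature_ok(kid, signing_input, signature):
    # Hypothetical stand-in for the real RS256 check against Apple's JWKS; it
    # accepts only the constructed sample signature so runs are deterministic.
    return kid == SAMPLE_KID and signature == SAMPLE_SIG

def make_sample_token(claims):
    header = {"alg": "RS256", "kid": SAMPLE_KID}
    segments = [json.dumps(header).encode(), json.dumps(claims).encode(), SAMPLE_SIG]
    return ".".join(b64url_encode(s) for s in segments)
```

In production, signature_ok would look up the kid in the JWKS document Apple publishes (linked in the verification document above) and verify RS256 with that key.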

Verification based on authorization code

Sign in with Apple backend authorization code verification document:

https://developer.apple.com/documentation/signinwithapplerestapi/generate_and_validate_tokens

Among them, this is how to obtain the iss and kid values:

[Screenshot](http://www.wangquanwei.com/wp-content/uploads/2019/12/1577189724-936E5DF2-1D57-4D45-A430-285FD33F1A5C.jpeg)

I can't get it to run and I don't know what is wrong; I will research it and update this later. The response is:

```json
{
  "error": "invalid_client"
}
```

Demo

https://github.com/quanweiwang/sign-in-with-apple-server