Configuration within Apple Developer portal

Klaus Betz edited this page Oct 1, 2024 · 2 revisions

The configuration within the Apple Developer portal can be cumbersome.
Using this guide you should be able to configure all necessary settings in the portal properly by sticking to three simple steps.

In the following sections, SIWA refers to Sign in with Apple.

Step 1 - App ID

Create a new App ID that has SIWA enabled.

👉 If you already have an App ID you want to re-use, make sure that SIWA is enabled on this App ID.

Step 2 - Service ID

Create a new Service ID with SIWA enabled and related to the App ID you just created/updated.

Make sure to enter the website URLs of your Keycloak realm, for example:
  • Domain: auth.example.com
  • Return URLs: https://auth.example.com/realms/test/broker/apple/endpoint

Step 3 - p8 Key

Create a new Key with SIWA enabled and related to the App ID you just created/updated.

Download the p8 key file and keep it in a safe place; Apple lets you download it only once.

Summary

Following the three steps above, you should have a Team ID, Service ID, Key ID and p8 key.
Go ahead and paste these values into the Keycloak configuration and try to log in using SIWA on your realm via Keycloak's built-in account console (https://auth.example.com/realms/test/account).

If you're interested, you can find a more detailed guide from Okta here.

Troubleshooting

  • invalid_client error from Apple: consult this guide to find out whether the configuration within your Apple Developer portal is valid. You likely need to repeat steps 1-3 of this guide.
  • Invalid redirect_uri: check the URLs in your Service ID in the Apple Developer portal. They need to match your Keycloak realm (domain and return URL as entered in step 2).
  • Confusing Bundle ID and Service ID: the ID that started the auth flow must be used throughout the whole login flow, otherwise Apple returns invalid_client errors.
    This is mostly relevant when testing the configuration manually using this guide.
    If the authorization_code/id_token was requested using the Bundle ID of your iOS/macOS app, you have to use the Bundle ID as the Service ID (when generating the client_secret).
    If you do not request the authorization_code/id_token yourself and therefore do not perform the token exchange, Keycloak does this for you and uses the Service ID.
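As an added example (not part of this wiki page or of the Keycloak extension's own code), the Go function below builds the client_secret JWT that Apple expects from the four values collected in the summary, using only the standard library. The sub claim is where the Service ID versus Bundle ID distinction from the troubleshooting section shows up; the Team ID, Key ID, client ID and the p8 key passed in are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"time"
)

// AppleClientSecret builds the ES256-signed JWT Apple requires as client_secret.
// teamID -> iss, keyID -> kid header, clientID -> sub: the Service ID when Keycloak
// runs the flow, or the app's Bundle ID if the native app requested the code.
// p8PEM is the content of the downloaded AuthKey_<KeyID>.p8 file (placeholder input).
// Apple rejects secrets with an exp more than six months after iat; keep ttl short.
func AppleClientSecret(p8PEM []byte, teamID, keyID, clientID string, now time.Time, ttl time.Duration) (string, error) {
	block, _ := pem.Decode(p8PEM)
	if block == nil {
		return "", errors.New("p8 file is not PEM encoded")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	key, ok := parsed.(*ecdsa.PrivateKey)
	if err != nil || !ok || key.Curve != elliptic.P256() {
		return "", errors.New("p8 key must be an EC P-256 private key (ES256)")
	}
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": keyID, "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": teamID, "sub": clientID, "aud": "https://appleid.apple.com",
		"iat": now.Unix(), "exp": now.Add(ttl).Unix(),
	})
	enc := base64.RawURLEncoding
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	// JWS wants the raw R||S encoding (32 bytes each for P-256), not ASN.1 DER.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + enc.EncodeToString(sig), nil
}
```

If Apple answers invalid_client although the portal configuration is correct, decode the JWT you sent and compare iss, sub and kid against the Team ID, the ID that started the flow, and the Key ID respectively.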