-
Notifications
You must be signed in to change notification settings - Fork 29
Configuration within Apple Developer portal
The configuration within the Apple Developer portal can be cumbersome.
Using this guide you should be able to configure all necessary settings in the portal properly by sticking to three simple steps.
In the following sections SIWA refers to Sign-In-With-Apple
Create a new App ID
that has SIWA enabled.
👉 If you already have an
App ID
you want to re-use, make sure that SIWA is enabled on thisApp ID
.
Create a new Service ID with SIWA enabled and related to the App ID you just created/updated.
Make sure to enter the website URLs for your Keycloak realm.
Domain: auth.example.com
Return Urls: https://auth.example.com/realms/test/broker/apple/endpoint
Create a new Key with SIWA enabled and related to the App ID you just created/updated.
Download the p8 Key file and keep it in a safe place.
Following the three steps above you should have Team ID, Service ID, Key ID and p8 Key.
Go ahead an paste these values in the Keycloak configuration and try to login using SIWA on your realm via Keycloak's built-in account-console (https://auth.example.com/realms/test/account
).
-
invalid_client
error from Apple: consult this guide to find out whether the configuration within your Apple Developer portal is valid. You likely need to repeat steps 1-3 of this guide. -
Invalid redirect_uri
: Check the URLs in your Service ID in the Apple Developer portal. These need to match your Keycloak realm. -
Confusing Bundle ID and Service ID
: The ID that started the auth-flow should be used throughout the whole login flow, otherwise you will receiveinvalid_client
errors from Apple.
This is mostly relevant when testing the configuration manually using this guide.
When the authorization_code/id_token was requested using the Bundle ID of your iOS/macOS app, then you have to use the Bundle ID as Service ID (to generate the client_secret).
On the other hand, not requesting authorization_code/id_token on your own and therefore not performing a token_exchange, Keycloak does the job for you and uses the Service ID.