Apple Social Provider

Sign In with Apple is Apple's authentication method, allowing users to sign in to LoginRadius-powered apps and websites using their Apple ID. This method enables users to opt for a randomly generated, unique email address instead of sharing their actual email address, enhancing privacy. Sign In with Apple leverages OAuth and OIDC protocols for authentication, returning an authorization code and an id_token to the configured LoginRadius callback URL.

To integrate Sign In with Apple with LoginRadius, you need to configure the Social Provider settings in the LoginRadius Console. This configuration allows LoginRadius to validate the id_token provided by Apple and grant access to the user within your applications.

To enable this feature, the following steps are required:

  • Configure your Apple Developer account to enable the Sign In with Apple functionality.

  • Set up the necessary provider configurations in the LoginRadius Console under Social Provider Settings.

Here are the detailed, step-by-step instructions for setting up Sign In with Apple in LoginRadius:

Implement Sign in with Apple

With Sign In with Apple, you can include LoginRadius Apple authentication for your native Apple applications, web applications, or applications that run on other platforms (such as Android).

Prerequisites

  • Apple Developer account (https://developer.apple.com/programs/), which is a paid account with Apple. (There is no free trial available unless you are part of their iOS Developer University Program.)
  • Configure LoginRadius Registration

Note: This document presumes that you have worked through the client-side implementation to set up the LoginRadius User Registration interfaces that serve the initial registration and login process. Details on this can be found in the getting started guide.

Apple Developer account configuration

  • Go to https://developer.apple.com/account.
  • Sign in with the Apple ID and password for your developer account.
  • After logging in, create the following:
    • Identifiers
    • Service ID (only for websites)
    • Keys

Create Identifiers

  • From the Apple developer dashboard, click the Certificates, Identifiers & Profiles section in the side panel, or open it via the quick link.
  • On the next screen, click Identifiers in the sidebar, then click the (+) button next to Identifiers to add an App.
  • Enter any value for Description and Bundle ID. The Bundle ID represents the app's unique identifier. Example Bundle ID: com.loginradius.AppleSignIn

Note: For native Apple Sign In (iOS), the bundle identifier in the Apple developer account configuration must be the same as the bundle identifier in your Xcode app project.

  • Scroll down to the Capabilities section and select the checkbox next to Sign In with Apple.
  • Click Continue, then click the Register button on the next screen.

Create a Service ID (Only for Websites)

If you also want to implement Sign In with Apple on a website, you need to complete the additional web configuration in your Apple account.

  • Click Identifiers in the sidebar, then click the (+) button next to Identifiers to add an App.
  • Select Services IDs under Register a New Identifier and click the Continue button.
  • Enter any value for the Description and the Identifier (see screenshot below). The customer will see the value of the Description as the name of the app during the login flow. The value of the Identifier is used as the client_id in the OAuth workflow.
  • Select the checkbox next to Sign In with Apple (as shown in the screenshot above) and click Configure. A pop-up box appears.
  • In the pop-up, select the App ID (which you created in the previous section) from the Primary App ID dropdown.
  • Enter your Web Domain value and enter https://<sitename>.hub.loginradius.com:443/socialauth/validate.sauth in the Return URLs. After a successful login, Apple will send the OIDC id_token to this URL.
  • Click the Save button and, once the details are saved, click Continue (see below).
  • In the next window, review your configuration and click the Register button.

Create Keys

  • In Certificates, Identifiers & Profiles, select Keys from the sidebar, then click the Add button (+) in the upper-left corner.
  • On the Register a New Key page, enter a unique name for the key in Key Name.
  • Under Capabilities, select the checkbox next to Sign In with Apple and click the Configure button.
  • Select the primary App ID you created earlier (Identifiers) in the Choose a Primary App ID dropdown and click the Save button.
  • Click the Register button.
  • Apple will generate a new private key for your app. Click Download to download the key. Save this file in a secure place because the key is not saved in your developer account and you won't be able to download it again. The downloaded key is saved as a text file with a .p8 file extension on your computer.

Configuration in LoginRadius Admin Console

After configuring an Apple developer account, to integrate Sign in with Apple on your site, you need to add all the required information in the social provider section for the Apple provider.

Step 1: Log in to your Admin Console account and navigate to the Social Provider section.

Step 2: Click on Apple Social ID Provider and follow the step-by-step guide for configuration.

Step 3: Add the following information to the Apple App configuration section in LoginRadius Admin Console, which you obtained while following Step 2.

  • Services ID Identifier (Client ID)
  • Bundle ID
  • Team ID
  • Key ID
  • Client Secret SignIn Key
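
How the fields above fit together, as an added example that is not LoginRadius code: Apple's developer documentation defines the OAuth client secret as an ES256-signed JWT built from the Team ID, Key ID, client ID and the .p8 key, and the checker below reports which field a given secret disagrees with. The function names and sample identifiers are constructed for illustration; how LoginRadius builds the secret internally is not stated on this page.

```javascript
// Added example, not LoginRadius code. Field names follow the console labels above.
const crypto = require('crypto');

const APPLE_AUD = 'https://appleid.apple.com';
const MAX_TTL = 15777000; // Apple's documented upper bound (about six months), in seconds
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Build the ES256 JWT from Team ID, Key ID, client ID and the .p8 (PKCS#8 PEM) key.
function buildClientSecret({ teamId, keyId, clientId, p8Pem }, now, ttl = 3600) {
  if (!(ttl > 0 && ttl <= MAX_TTL)) throw new RangeError('ttl must be 1..15777000 seconds');
  const input = enc({ alg: 'ES256', kid: keyId }) + '.' +
    enc({ iss: teamId, iat: now, exp: now + ttl, aud: APPLE_AUD, sub: clientId });
  // JWS needs the raw r||s signature (IEEE P1363), not OpenSSL's default DER encoding.
  const sig = crypto.sign('sha256', Buffer.from(input), { key: p8Pem, dsaEncoding: 'ieee-p1363' });
  return input + '.' + sig.toString('base64url');
}

// Return a list of mismatches between a secret and the expected configuration.
function checkClientSecret(jwt, { teamId, keyId, clientId, publicPem }, now) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return ['not a three-part JWT'];
  let header, claims;
  try { header = dec(parts[0]); claims = dec(parts[1]); } catch (e) { return ['segment is not valid JSON']; }
  const problems = [];
  if (header.alg !== 'ES256') problems.push('alg is not ES256');
  if (header.kid !== keyId) problems.push('kid does not match Key ID');
  if (claims.iss !== teamId) problems.push('iss does not match Team ID');
  if (claims.sub !== clientId) problems.push('sub does not match client ID');
  if (claims.aud !== APPLE_AUD) problems.push('aud is not ' + APPLE_AUD);
  if (!(claims.exp > now)) problems.push('secret has expired');
  if (claims.exp - claims.iat > MAX_TTL) problems.push('lifetime exceeds six months');
  const ok = crypto.verify('sha256', Buffer.from(parts[0] + '.' + parts[1]),
    { key: publicPem, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
  if (!ok) problems.push('signature does not verify with this key');
  return problems;
}

// Constructed sample values; the throwaway P-256 key stands in for the downloaded .p8 file.
function demo(now = 1700000000) {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const cfg = { teamId: 'TEAMID0000', keyId: 'KEYID00000', clientId: 'com.example.web',
    p8Pem: privateKey.export({ type: 'pkcs8', format: 'pem' }),
    publicPem: publicKey.export({ type: 'spki', format: 'pem' }) };
  const secret = buildClientSecret(cfg, now);
  return { ok: checkClientSecret(secret, cfg, now + 60),
    wrongKey: checkClientSecret(secret, { ...cfg, keyId: 'OTHERKEY00' }, now + 60),
    stale: checkClientSecret(secret, cfg, now + 7200) };
}
```
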

How to obtain the Configuration fields

As there are multiple required configuration fields from Apple Developer Account, we have explained the complete steps to obtain each of them below.

To obtain the Service ID, open https://developer.apple.com/account/resources/identifiers/list/serviceId and find the Service ID that you created for your web application. Then click the selected ID and copy the Identifier value.

Troubleshooting

If you encounter any of the following errors after completing the configuration in the Apple developer console and LoginRadius, they may have been returned by Apple. LoginRadius relays both status codes and error messages from Apple for any request that fails. Below are some general errors and their related troubleshooting steps.

  • invalid_client: Apple was unable to authenticate with the supplied credentials; this error is directly related to invalid credentials. Open all the related consoles and double-check that the provided credentials are correct.

  • invalid_grant: The authorization code presented to the Apple IdP is not valid. This error generally occurs when implementing Apple Sign In on native iOS devices. Before calling the LoginRadius token exchange API, make sure the "CODE" parameter value is correct.
    Note: For native Apple Sign In (iOS), the bundle identifier in the Apple developer account configuration must be the same as the bundle identifier in your Xcode app project.
    See the screenshots below for the bundle identifier in the Apple developer account and the Xcode project, respectively.
    Apple developer account
    Apple Xcode app project

  • invalid redirect_uri: For the website login process, this failure occurs if the "Return URL" was left blank or set incorrectly while configuring the Service ID. To resolve this, enter your Web Domain value and enter https://<sitename>.hub.loginradius.com:443/socialauth/validate.sauth in the Return URLs. After a successful login, Apple will send the OIDC id_token to this URL. Click the Save button.