Apple Sign In Configuration
1. Overview
This guide explains how to configure the Registration Portal to authenticate users via Apple Sign In. Apple uses OIDC but has several non-standard requirements, particularly around client secret generation.
2. Prerequisites
-
An Apple Developer account (requires annual fee)
-
Access to the Apple Developer Portal > Certificates, Identifiers & Profiles
3. Apple Developer Portal Setup
3.1. App ID Configuration
-
Navigate to Identifiers > App IDs
-
Create or select an App ID
-
Enable the Sign In with Apple capability
3.2. Services ID (OAuth2 Client)
-
Navigate to Identifiers > Services IDs
-
Click + to register a new Services ID
-
Configure:
| Field | Value |
|---|---|
Description |
e.g., "Registration Portal" |
Identifier |
e.g., |
-
Enable Sign In with Apple
-
Click Configure:
| Field | Value |
|---|---|
Primary App ID |
Select the App ID from the previous step |
Domains and Subdomains |
Each tenant domain (e.g., |
Return URLs |
3.3. Key for Client Secret Generation
Apple does not use a static client secret. Instead, the client secret is a JWT signed with a private key.
-
Navigate to Keys
-
Create a new key with Sign In with Apple enabled
-
Download the
.p8private key file -
Note the Key ID
-
Note your Team ID (from the top-right of the developer portal)
|
The private key can only be downloaded once. Store it securely. |
4. Client Secret Generation
Apple requires a JWT-based client secret that must be regenerated periodically (maximum validity: 6 months).
The client secret JWT must contain:
| Claim | Value |
|---|---|
|
Team ID |
|
Current timestamp |
|
Expiry (max 6 months from |
|
|
|
Services ID (the |
The JWT is signed with the ES256 algorithm using the private key from the .p8 file.
|
The Registration Portal should generate the client secret at runtime from the stored private key, key ID, and team ID. This avoids manual rotation every 6 months. |
5. Registration Portal Configuration
Create a TenantIdentityProvider record with the following values:
| Field | Value |
|---|---|
|
|
|
"Sign in with Apple" |
|
Services ID identifier (e.g., |
|
Generated JWT client secret (or private key material for runtime generation) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Apple supports OIDC Discovery at |
6. Apple-Specific Behaviour
| Characteristic | Detail |
|---|---|
OIDC Compliance |
Mostly OIDC-compliant with some deviations |
Client Secret |
JWT signed with ES256 private key (max 6-month validity) |
ID Token |
Only returned on first authorization; subsequent logins may return only the authorization code |
User Info |
Name and email returned in the POST body of the first authorization callback only (not via userInfo endpoint) |
Subject Identifier |
Opaque string, unique per developer team, stable |
Email Relay |
Users can choose "Hide My Email" — Apple provides a relay address |
Scopes |
|
PKCE |
Supported and recommended |
7. Important Caveats
-
First-login-only user data: Apple only sends the user’s name in the initial authorization. The application must capture and store it during the first login. Subsequent logins do not include the name.
-
Private Relay Email: When users select "Hide My Email", Apple generates a unique relay address (e.g.,
[email protected]). The relay address is stable per app per user. -
Client Secret Rotation: The JWT client secret expires. Implement automated generation from the stored private key rather than manual rotation.
-
Form POST Response Mode: Apple’s authorization endpoint uses
response_mode=form_postby default, returning the authorization code via POST. Spring Security handles this, but custom configurations should be aware.