Sign in with Apple

Hi everyone,

Let’s try to push this topic forward.

@sfitts: Regarding your 2 issues:

  1. Regarding the need to refresh JWTs at least once every 6 months. You have 2 options for auto-renewing the JWT:

    1. You can write a little Keycloak extension that reads a file containing your private key and generates the JWT regularly. I did this as a POC. I’m using Keycloak on Spring Boot though, so I wrote it as a scheduled task that reaches into Keycloak once a week and updates the client secret. Not beautiful, but it works.
    2. You could try using BenjaminFavre’s apple social identity provider linked above. I haven’t tried it yet, but looking at the code, it expects your private key as the client secret and generates fresh JWTs for every request. I think this is a much better solution than mine.
  2. Regarding the styling of the “Sign In with Apple” button: Have you tried creating a custom theme? Keycloak is pretty flexible in that regard and it isn’t too difficult. Inheriting from the default theme and adding a bit of CSS might be enough to meet Apple’s expectations. I’ll try to have a look and maybe put together an example gist if I find the time.

@ebiscardi: So it looks like as long as Keycloak doesn’t implement response_mode=form_post for identity providers, my “generic OIDC identity provider” solution above won’t be usable / accepted by Apple. That’s too bad. @BenjaminFavre’s apple social identity provider solution above might also be a solution here. Have you tried it?

@BenjaminFavre: Have you successfully submitted an app to Apple using your provider yet? If so (or once someone has), wouldn’t it be a good idea to submit your identity provider as a PR to Keycloak so it gets included by default?

Let’s try to make this work! :slight_smile:
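For readers following option 1 above (a scheduled task that regenerates the Apple client secret before it expires), here is an added example of what that secret is and how the renewal check works. It is not code from the original post, from Keycloak, or from BenjaminFavre’s provider. The client secret Apple expects is a JWT signed with ES256, with iss = your Team ID, sub = your Services ID, aud = https://appleid.apple.com and an exp at most six months after iat. The example uses only the Python standard library, so a small P-256 ECDSA is implemented inline for illustration; TEAM_ID, CLIENT_ID and KEY_ID are placeholders, and the signing key is generated in the script instead of being read from the .p8 file Apple issues. A production task would use a vetted JOSE library for the signing and only keep the claim construction and renewal logic shown here.

```python
import base64
import hashlib
import json
import secrets

# NIST P-256 domain parameters (the curve behind JWS alg "ES256").
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

# Apple rejects a client secret whose exp is more than six months (15777000 s) ahead.
APPLE_MAX_LIFETIME = 15_777_000
APPLE_AUDIENCE = "https://appleid.apple.com"


def _add(p1, p2):
    """Affine point addition on P-256; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, point):
    """Double-and-add scalar multiplication (illustrative, not side-channel hardened)."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def generate_keypair():
    """Return (private scalar, public point); a constructed stand-in for the .p8 key."""
    d = secrets.randbelow(N - 1) + 1
    return d, _mul(d, G)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def es256_sign(private_key: int, message: bytes) -> bytes:
    """ECDSA over SHA-256; JWS uses the raw r||s encoding, 32 bytes each."""
    z = int.from_bytes(hashlib.sha256(message).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * private_key) % N
        if r and s:
            return r.to_bytes(32, "big") + s.to_bytes(32, "big")


def es256_verify(public_key, message: bytes, signature: bytes) -> bool:
    r = int.from_bytes(signature[:32], "big")
    s = int.from_bytes(signature[32:], "big")
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(message).digest(), "big")
    w = pow(s, -1, N)
    point = _add(_mul(z * w % N, G), _mul(r * w % N, public_key))
    return point is not None and point[0] % N == r


def make_client_secret(private_key, team_id, client_id, key_id, now, lifetime):
    """Build the client secret JWT as Apple specifies it; refuse over-long lifetimes."""
    if not 0 < lifetime <= APPLE_MAX_LIFETIME:
        raise ValueError("exp must be at most six months after iat")
    header = {"alg": "ES256", "kid": key_id}
    claims = {"iss": team_id, "iat": now, "exp": now + lifetime,
              "aud": APPLE_AUDIENCE, "sub": client_id}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    return signing_input + "." + _b64url(es256_sign(private_key, signing_input.encode()))


def verify_client_secret(token, public_key):
    """Check the signature and return the claims, or None if it does not verify."""
    head, body, sig = token.split(".")
    if not es256_verify(public_key, f"{head}.{body}".encode(), _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


def needs_renewal(token, now, margin=30 * 86400):
    """The question a weekly scheduled task asks: does exp fall within `margin` seconds?"""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    return claims["exp"] - now <= margin
```

A weekly task built on this would call needs_renewal on the secret currently stored in the Keycloak client config and, when it returns True, call make_client_secret with the real Team ID, Services ID and Key ID and write the new token back as the client secret. Generating a fresh JWT per request, as the provider mentioned above does, removes the renewal step entirely, which is why it is the simpler design.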