Sign in with Apple

I’m glad to see things moving forward and I hope to see real soon the long awaited support of Apple by Keycloak. Special thanks to ebondu for that.

For those in need of a temporary solution until official support is released, I developed some time ago a little extension to Keycloak that enables a smooth integration with Apple. But beware, it’s just a quick dev I made for amusement during a rainy weekend: I haven’t tested anything but the main typical use cases. Yet, the approach I chose was to extend and override the generic OIDC provider as little as possible so as to make it work with Apple. Thus, if Apple does not depart too much from the OIDC standard except for the minor aspects addressed by my extension, then the extension should behave well in most situations. Feel free to use it and give some feedback.

https://github.com/BenjaminFavre/keycloak-apple-social-identity-provider


I see that the PR has been pending for a while with no recent updates; is there any estimate as to when this will be available? A bug fix release of our iOS application is currently being rejected due to the lack of support for “Sign in with Apple”.

BTW – we followed the steps in Sign in with Apple (thanks for those) on one of our installations, but that was insufficient for 2 reasons. The first is that we’ll have to deploy it on all of our installations (which is a fair amount of work given the need to renew the key every 6 months). In addition, it was also rejected due to styling – they have very strict guidelines regarding what the button must look like (which the default Keycloak styling does not match).


Apple rejected a release of mine for this reason:

Your app requires users to input their name and/or email address after using Sign in with Apple.

They are saying that this personal information is not relevant to the app’s core functionality.

Hi everyone,

Let’s try to push this topic forward.

@sfitts: Regarding your 2 issues:

  1. Regarding the need to refresh JWTs at least once every 6 months. You have 2 options for auto-renewing the JWT:

    1. You can write a little Keycloak extension that reads a file containing your private key and generates the JWT regularly. I did this as a POC. I’m using Keycloak on Spring Boot though, so I wrote it as a scheduled task that reaches into Keycloak once a week and updates the client secret. Not beautiful, but it works.
    2. You could try using BenjaminFavre’s Apple social identity provider linked above. I haven’t tried it yet, but looking at the code, it expects your private key as the client secret and generates fresh JWTs for every request. I think this is a much better solution than mine.
  2. Regarding the styling of the “Sign In with Apple” button: Have you tried creating a custom theme? Keycloak is pretty flexible in that regard and it isn’t too difficult. Inheriting from the default theme and adding a bit of CSS might be enough to meet Apple’s expectations. I’ll try to have a look and maybe put together an example gist if I find the time.

@ebiscardi: So it looks like as long as Keycloak doesn’t implement response_mode=form_post for identity providers, my “generic OIDC identity provider” solution above won’t be usable / accepted by Apple. That’s too bad. @BenjaminFavre’s Apple social identity provider solution above might also be a solution here. Have you tried it?

@BenjaminFavre : Have you successfully submitted an app to Apple using your provider yet? If so (or once someone has), wouldn’t it be a good idea to submit your identity provider as a PR to Keycloak so it gets included by default?

Let’s try to make this work! :slight_smile:
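The two renewal options above both come down to producing the JWT that Apple accepts as the OIDC client secret. The following is an added example (not code from this thread, from Keycloak or from either extension) that assembles that JWT and reads back its expiry so a scheduled task can decide when to renew. The Team ID, Services ID and Key ID values are constructed placeholders; the ES256 signing step is injected as a callable so the block runs without a private key (in production you would sign the header.payload input with the .p8 key downloaded from the Apple developer portal, e.g. via the cryptography library, and convert the DER signature to the raw 64-byte R||S form JWS requires).

```python
import base64
import json
import time
from typing import Callable, Optional

APPLE_AUDIENCE = "https://appleid.apple.com"
# Apple caps the client secret's lifetime at 6 months (15777000 seconds),
# which is why the secret has to be regenerated at least twice a year.
MAX_CLIENT_SECRET_LIFETIME = 15_777_000


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _decode_segment(segment: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def build_apple_client_secret(team_id: str, client_id: str, key_id: str,
                              sign_es256: Callable[[bytes], bytes],
                              now: Optional[int] = None,
                              lifetime: int = MAX_CLIENT_SECRET_LIFETIME) -> str:
    """Build the JWT Apple expects in the client_secret parameter.

    team_id   -> iss  (Apple Developer Team ID)
    client_id -> sub  (the Services ID configured as OIDC client_id)
    key_id    -> kid  (Key ID of the .p8 signing key, header only)
    sign_es256 receives the ASCII signing input "header.payload" and must
    return the raw 64-byte R||S ECDSA P-256 signature (assumed helper).
    """
    if lifetime <= 0 or lifetime > MAX_CLIENT_SECRET_LIFETIME:
        raise ValueError("Apple rejects client secrets valid for more than 6 months")
    iat = int(time.time()) if now is None else now
    header = {"alg": "ES256", "kid": key_id}
    payload = {"iss": team_id, "iat": iat, "exp": iat + lifetime,
               "aud": APPLE_AUDIENCE, "sub": client_id}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    signature = sign_es256(signing_input.encode("ascii"))
    if len(signature) != 64:
        # A DER-encoded ECDSA signature is NOT valid for ES256; Apple would reject it.
        raise ValueError("ES256 JWS signature must be the raw 64-byte R||S value")
    return signing_input + "." + b64url(signature)


def decode_header(jwt: str) -> dict:
    return _decode_segment(jwt.split(".")[0])


def decode_claims(jwt: str) -> dict:
    """Payload of a compact JWS, without any signature check (our own token)."""
    return _decode_segment(jwt.split(".")[1])


def days_until_expiry(jwt: str, now: Optional[int] = None) -> float:
    """Remaining validity of the current secret; a renewal job can act on this."""
    current = int(time.time()) if now is None else now
    return (decode_claims(jwt)["exp"] - current) / 86400


if __name__ == "__main__":
    # Constructed stand-in signer: 64 zero bytes instead of a real ES256 signature.
    dummy_signer = lambda signing_input: bytes(64)
    secret = build_apple_client_secret("TEAMID1234", "com.example.service",
                                       "KEYID12345", dummy_signer)
    print(secret)
    print(f"renew in about {days_until_expiry(secret):.0f} days")
```

A weekly job, like the Spring Boot scheduled task described above, only needs to compare days_until_expiry against its renewal margin and push a freshly built secret into the identity provider configuration when it gets low.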

I tried to use @BenjaminFavre’s Apple social identity provider solution, and it seems to work fine!
I had to add a dependency to make it work (here is the PR: https://github.com/BenjaminFavre/keycloak-apple-social-identity-provider/pull/1)

EDIT:
Sorry, I forgot a thing: I also had to manually copy the two html files from src/main/resources/theme-resources/resources/partials into the KEYCLOAK_DIR/themes/base/admin/resources/partials directory, and merge the file src/main/resources/theme-resources/messages/admin-messages_en.properties with the Keycloak file in src/main/resources/theme-resources/messages

@netmikey

Thanks for the info – I was more noting that if/when there is an “official” version from the Keycloak team (which I hope there will be), it needs to address these issues (IMO). For now we are using the instructions you sent (which work fine) and we’ve incorporated Apple’s required styling into our existing custom theme. As you say, it wasn’t that hard (just a bit of CSS attached to the “.zsocial-apple” class).
For our application, that appears to be sufficient, though Apple is more than a bit capricious about this stuff.

Moving forward, there is already a PR open against Keycloak for this issue which has been making slow progress. Not sure if there is anything we can do to push it along. I’m not sure submitting another one is the answer.

Anyway, thanks again and good luck to the others out there struggling with this.

@sfitts: My extension is mostly identical to the generic OIDC provider and can be used exactly as suggested by netmikey, but it saves you from the need to reset the secret every 6 months. Styling is another topic; you can easily override Keycloak themes as suggested by netmikey too.
And I agree, no need for two PRs. For now, I don’t have the time to work on the PR for Keycloak; it’s much more work. But anybody with enough interest can work on ebondu’s PR and use my work freely if it helps somehow.

@ebiscardi & netmikey: My extension works with the form_post method. But any user coming back from Apple Connect has the choice not to share their firstname and lastname: in this case, Keycloak will automatically prompt a form to get the info directly from the user. Also, Apple sends user info only the first time the user logs in to the application. So, for example, if after a first sign up the user deletes his account on Keycloak, and then does sign up again, Keycloak won’t receive the firstname and lastname anymore (even if the user accepted the first time), and Keycloak will prompt the form.

So, my extension prevents Keycloak from asking for firstname and lastname only during the first user sign up and only if the user accepted to share the info.

It’s the standard flow for all other identity providers. Is it enough to pass AppStore validation? I don’t know…

Also, I pushed a new release on Github built for Keycloak 11.0.2, with an improved readme for installation and configuration.

@BenjaminFavre: Your last modifications prevent having to add a dependency in the jboss-deployment-structure file. Unfortunately, Apple rejected the application again, with this motivation:

The Sign in with Apple says Apple but should use the following localized version: Sign in with Apple.

Linking these guidelines: Sign in with Apple | Apple Developer Documentation

As a quick workaround, I added a CSS rule to substitute the text in the Apple login button, and re-sent the application for Apple validation. If that’s enough to pass, we can think about modifying the extension to fix this.
I keep you updated.

Thank you

Hi everyone.
The CSS hack didn’t work because, due to cache, the tester still saw the previous version of the button. So I added this code in realm-identity-provider-apple-ext.html:

<div class="form-group clearfix">
    <label class="col-md-2 control-label" for="displayName">{{:: 'display-name' | translate}}</label>
    <div class="col-md-6">
        <input class="form-control" id="displayName" type="text" ng-model="identityProvider.displayName">
    </div>
    <kc-tooltip>{{:: 'identity-provider.display-name.tooltip' | translate}}</kc-tooltip>
</div>

In this way, we add a field in the Apple configuration page that allows setting a custom text for the button.
The underlying model already contains the field to store this value, so you don’t need to make changes to the Java code.

Hi @BenjaminFavre

In README you say that “Client secret” should be filled with content of “your private key”

What key is that? Should that key be stored somewhere on Keycloak server? Is that some key that is known to Apple?

Maybe it will help somebody else: I found out that this private key is a key generated by Apple and downloadable from the Apple developer portal.

Recently, Apple introduced a middleName field in the returned JSON, so the brilliant work of @BenjaminFavre had to get a fix on the User inner class.

Good to know regarding the middleName field. FYI, our app has finally been accepted by Apple by using the apple provider KEYCLOAK-13171.

@ivankovalenko fixed, thank you for the notice! New release: https://github.com/BenjaminFavre/keycloak-apple-social-identity-provider/releases/tag/v1.0.2

Hi! I am quite new to Keycloak. As an iOS dev I am struggling with configuring a Java based service.

I did add the jar file to standalone/deployments after adding the missing dependency. In the deployments folder a new file appeared with the extension jar.deployed. I guess it means the deployment was successful. (Server version 11.0.3)

But the admin does not list Apple as provider.

What did I miss? There was a link on Benjamin’s extension’s page, but it did not detail which steps are required in order to make it work.

Could someone please provide more detailed instructions? Thanks!

OK, this was caused by running an older Java version on our backend, so the class’s version was newer.

I think it is not that secure because Keycloak doesn’t check the JWT aud and I can use any tokens from other apps for any users
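The concern raised in the post above is about audience binding: an id_token is issued for one specific client, and a relying party that skips the aud check will accept a token minted for a different app. The following is an added example (not code from this thread, from Keycloak or from the extension) of the claim checks a relying party performs on Apple’s form_post callback after the ES256 signature has been verified against Apple’s JWKS (signature verification is assumed to be done by a JOSE library and is not shown). It also parses the optional user field that Apple only sends on the first authorization, including the middleName mentioned later in the thread. The id_tokens, Services ID and user JSON in the block are constructed test data.

```python
import base64
import json
import time
from typing import Optional

APPLE_ISSUER = "https://appleid.apple.com"


class IdTokenError(Exception):
    """Raised when a claim check fails; the login must be refused."""


def _decode_segment(segment: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def validate_apple_id_token_claims(id_token: str, expected_client_id: str,
                                   expected_nonce: Optional[str] = None,
                                   now: Optional[int] = None) -> dict:
    """Relying-party claim checks on an Apple id_token.

    Precondition (assumed, not shown): the JWS signature was already verified
    against Apple's published keys. expected_client_id is OUR Services ID.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise IdTokenError("not a compact JWS")
    claims = _decode_segment(parts[1])
    current = int(time.time()) if now is None else now
    if claims.get("iss") != APPLE_ISSUER:
        raise IdTokenError(f"unexpected issuer {claims.get('iss')!r}")
    # aud binds the token to our client. Without this check a token issued to
    # any other app for the same Apple user would be accepted here, which is
    # exactly the cross-app substitution described in the post above.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_client_id not in audiences:
        raise IdTokenError(f"audience {aud!r} is not our client {expected_client_id!r}")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= current:
        raise IdTokenError("token expired or missing exp")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch (possible replayed token)")
    if not claims.get("sub"):
        raise IdTokenError("missing sub")
    return claims


def parse_apple_user_param(user_json: Optional[str]) -> dict:
    """Parse the optional `user` form_post field.

    Apple sends it only on the user's FIRST authorization, and the user may
    decline to share the name, so every part may be absent.
    """
    empty = {"first_name": None, "middle_name": None, "last_name": None, "email": None}
    if not user_json:
        return empty
    data = json.loads(user_json)
    name = data.get("name") or {}
    return {"first_name": name.get("firstName"), "middle_name": name.get("middleName"),
            "last_name": name.get("lastName"), "email": data.get("email")}


def constructed_id_token(claims: dict) -> str:
    """Constructed test token: correct compact layout, signature is 64 zero bytes."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")
    return (enc(json.dumps({"alg": "ES256", "kid": "constructed"}).encode()) + "."
            + enc(json.dumps(claims).encode()) + "." + enc(bytes(64)))


if __name__ == "__main__":
    now = int(time.time())
    ours = "com.example.service"                 # constructed Services ID
    token_for_other_app = constructed_id_token({"iss": APPLE_ISSUER, "aud": "com.other.app",
                                                "sub": "001234.abcd", "exp": now + 600, "iat": now})
    try:
        validate_apple_id_token_claims(token_for_other_app, ours, now=now)
    except IdTokenError as e:
        print("refused:", e)
    first_login_user = '{"name":{"firstName":"Ada","middleName":"K","lastName":"Lovelace"},"email":"ada@example.com"}'
    print(parse_apple_user_param(first_login_user))
```

Because the user field never arrives again after the first authorization, a relying party that stores the name on first sign-in and keys its account on the stable sub claim avoids the repeated name prompt described earlier in the thread, while the aud and nonce checks keep a token obtained for another client from logging anyone in here.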

We are also in the same trouble.
We are building an insurance app which needs an account in our system. But we use login with Facebook and login with Google as additional features. For the first time, we create a new account in our system by collecting the missing information.
First name, Last name, Email, Phone number and Terms and conditions acceptance are mandatory.
If any are missing we prompt a form to fill in the missing details.

Does this come under the exclusion of Apple login?
Sign in with Apple is not required if:

  • Your app exclusively uses your company’s own account setup and sign-in systems.
  • Your app is an education, enterprise, or business app that requires the user to sign in with an existing education or enterprise account.directly to access their content.