Server-Side Sign in with Apple
Nov 15 2022 Swift 5.6, macOS 12, iOS 15, Xcode 13.3
Part 1: Add Sign in with Apple to an iOS Project
1. Learn About Sign in with Apple
You’ll need the Vapor toolbox and Docker installed. You’ll also need an Apple Developer account to run the iOS app on a real device as Sign in with Apple does not work in the simulator.
Sign in with Apple is a mechanism to use Apple to authenticate and validate your users. It follows a similar pattern to many other third party authentication methods, like signing in with GitHub or Google. It allows you to offload the users authentication and avoid storing their passwords. It also gives your users choice on how to create an account with your app.
Sign in with Apple is not identical to other third party authentication systems, however. Most use the OAuth flow which can be complicated to implement. Sign in with Apple uses JSON Web Tokens, or JWTs instead.
JWTs are crytographically signed tokens used to carry data. They are made up of three parts. The header contains information about the algorithm used to sign the token.
The payload is a base64 URL encoded JSON blob containing the data for that token. It has some standard fields like the subject, expiry date and custom fields like the name.
The final part of the token contains the signature. With a Sign in with Apple JWT you can get Apple’s public key and use it to verify the token. Because only Apple knows their private key, you can verify they signed it by using their public key. If anyone tries to change the data in the payload the signature won’t match and it will fail to verify. This allows you to be sure that Apple sent you the token and no one has tampered with it.
Vapor takes care of most of this for you. You pass it the JWT and your app identifier and call the Sign in with Apple verify function. Vapor verifies the token and extracts the data for you.
You then know the user is who they say they are and can create an account for them or sign them in. Typically you’ll provide the user an authentication token for future API requests, in the same way that standard authentication flows work. Sign in with Apple simply replaces the username and password and allows users to use their Apple existing account.
Setting up the clients is the other aspect of implementing Sign in with Apple. On iOS, the OS handles most of it for you once you’ve displayed the Sign in with Apple button. When a user taps the button, you send the JWT to your Vapor app and continue from there. The web is similar but you need to add a few more things as the browser can’t do everything the OS does.