Sign up with Apple utilizing Vapor 4


A whole tutorial for novices about easy methods to implement the Sign up with Apple authentication service on your web site.


Apple developer portal setup

To be able to make the Sign up with Apple work on your web site you will want a payed developer account. That’ll price you $99 / yr in case you are a person developer. You’ll be able to evaluate numerous membership choices or simply merely enroll utilizing this hyperlink, however you will want an present Apple ID.

I assume that you just made it up to now and you’ve got a working Apple developer account by now. A standard misbelief about Sign up with Apple (SiwA) is that you just want an present iOS software publised to the App Retailer to make it work, however that is not the case. It really works with no companion app, nonetheless you will want an software identifier registered within the dev portal.

App identifier

Choose the Identifiers menu merchandise from the listing on the left, press the plus (+) button, choose the App IDs choice and press the Proceed button. Fill out the outline subject and enter a customized bunde indentifier that you just’d like to make use of (e.g. Scroll down the Capabilities listing till you discover the Sign up With Apple choice, mark the checkbox (the Allow as main App ID ought to seem proper subsequent to an edit button) and press the Proceed button on the highest proper nook. Register the appliance identifier utilizing the highest proper button, after you discover every little thing all proper.

It is best to see the newly created AppID within the listing, if not there’s a search icon on the fitting aspect of the display. Decide the AppIDs choice and the appliance identifer merchandise ought to seem. ?

Service identifier

Subsequent we’d like a service identifier for SiwA. Press the add button once more and now choose the Companies IDs choice. Enter an outline and fill out the identifier utilizing the identical reverse-domain identify type. I desire to make use of my area identify with a suffix, that may be one thing like com.instance.siwa.service. Press the Proceed and the Register buttons, we’re nearly prepared with the configuration half.

Filter the listing of identifiers by Service IDs and click on on the newly created one. There’s a Configure button, that you must press. Now affiliate the Main App ID to this service identifier by choosing the appliance id that we made beforehand from the choice listing. Press the plus button subsequent to the Web site URLs textual content and enter the given area that you just’d like to make use of (e.g.

You will even have so as to add no less than one Return URL, which is principally a redirect URL that the service can use after an auth request. It is best to at all times use HTTPS, however aside from this constraint the redirect URL may be something (e.g. #notrailingslash

You’ll be able to add or take away URLs at any time utilizing this display, fortunately there’s a take away choice for each area and redirect URL. Press Subsequent to avoid wasting the URLs and Achieved when you find yourself prepared with the Sign up with Apple service configuration course of.


The very last thing that we have to create on the dev portal is a non-public key for shopper authentication. Choose the Keys menu merchandise on the left and press the add new button. Title the important thing as you need, choose the Sign up with Apple choice from the listing. Within the Configure menu choose the Main App ID, it must be related with the appliance identifier we made earlier. Click on Save to return to the earlier display and press Proceed. Evaluation the info and at last press the Register button.

Now that is your solely likelihood to get the registered non-public key, when you pressed the completed button with out downloading it, you’ll lose the important thing without end, it’s important to make a brand new one, however don’t fret an excessive amount of when you messed it up you may click on on the important thing, press the large pink Revoke button to delete it and begin the method once more. This comes useful if the important thing will get compromised, so do not share it with anyone else in any other case you will should make a brand new one. ?

Workforce & JWK identifier

I nearly overlook that you’re going to want your crew identifier and the JWK identifier for the sign up course of. The JWK id may be discovered underneath the beforehand generated key particulars web page. If you happen to click on on the identify of the important thing you may view the small print. The Key ID is on that web page alongside with the revoke button and the Sign up with Apple configuration part the place you may get the crew identifier too, because the service bundle identifier is prefixed with that. Alternatively you may copy the crew id from the very high proper nook of the dev portal, it is proper subsequent to your identify.

Implementing Sign up With Apple

Earlier than we write a single line of Swift code let me clarify a simplified model of all the course of.

Your entire login circulate has 3 predominant parts:

  • Provoke an online auth request utilizing the SiwA button (begin the OAuth circulate)
  • Validate the returned consumer id token utilizing Apple’s JWK service
  • Trade the consumer id token for an entry token

A few of the tutorials overcomplicate this, however you will see how straightforward is to jot down all the circulate utilizing Vapor 4. We do not even want further scripts that generate tokens we will do every little thing in pure Swift, which is nice. Lets begin a brand new Vapor undertaking. You will want the JWT bundle as properly.

import PackageDescription

let bundle = Bundle(
    identify: "binarybirds",
    platforms: [
    dependencies: [
        .package(url: "", from: "4.4.0"),
        .package(url: "", from: "4.0.0-rc"),
        .package(url: "", from: "4.0.0-rc"),
    targets: [
        .target(name: "App", dependencies: [
            .product(name: "Vapor", package: "vapor"),
            .product(name: "Leaf", package: "leaf"),
            .product(name: "JWT", package: "jwt"),
        .goal(identify: "Run", dependencies: ["App"]),

If you do not know easy methods to construct the undertaking you must learn my novices information about Vapor 4.

The Sign up with Apple button

We will use the Leaf template engine to render our views, it is fairly easy to make it work, I will present you the configuration file in a second. We will use only one easy template this time. We will name it index.leaf and save the file into the Sources/Views listing.

<!DOCTYPE html>
        <meta charset="utf-8">
        <meta identify="viewport" content material="width=device-width, initial-scale=1">
            .signin-button {
                width: 240px;
                peak: 40px;
            .signin-button > div > div > svg {
                width: 100%;
                peak: 100%;
                coloration: pink;
            .signin-button:hover {
                cursor: pointer;
            .signin-button > div {
                define: none;
        <script kind="textual content/javascript" src=""></script>
        <div id="appleid-signin" data-color="black" data-border="false" data-type="sign up" class="signin-button"></div>
        <script kind="textual content/javascript">
                clientId : '#(clientId)',
                scope : '#(scope)',
                redirectURI: '#(redirectUrl)',
                state : '#(state)',
                usePopup : #(popup),

The Sign up with Apple JS framework can be utilized to render the login button on the web site. There’s a comparable factor for iOS referred to as AuthenticationServices, however this time we’re solely going to focus on the net. Sadly the sign up button is sort of buggy so now we have so as to add some further CSS hack to repair the underlying points. Come on Apple, why do now we have to hack these items? ?

Beginning the AppleID auth course of is de facto easy you simply should configure just a few parameters. The shopper id is service the bundle identifier that we entered on the developer portal. The scope may be both identify or electronic mail, however you should use each in order for you. The redirect URI is the redirect URL that we registered on the dev portal, and the state must be one thing distinctive that you should use to establish the request. Apple will ship this state again to you within the response.

Noone talks in regards to the usePopup parameter, so we’ll go away it that means too… ?

Alternatively you should use meta tags to configure the authorization object, you may learn extra about this within the Configuring your webpage for Sign up with Apple documentation.

Vapor configuration

It is time to configure our Vapor software so we will render this Leaf template file and use the signing key that we aquired from Apple utilizing the dev portal. We’re coping with some secret information right here, so you must by no means retailer it within the repository, however you should use Vapor’s surroundings for this function. I desire to have an extension for the out there surroundings variables.

extension Surroundings {
    static var siwaId = Surroundings.get("SIWA_ID")!
    static let siwaRedirectUrl = Surroundings.get("SIWA_REDIRECT_URL")!
    static var siwaTeamId = Surroundings.get("SIWA_TEAM_ID")!
    static var siwaJWKId = Surroundings.get("SIWA_JWK_ID")!
    static var siwaKey = Surroundings.get("SIWA_KEY")!

In Vapor 4 you may setup a customized JWT signer that may signal the payload with the correct keys and different values based mostly on the configuration. This JWT signer can be utilized to confirm the token within the response. It really works like magic. JWT & JWTKit is an official Vapor bundle, there’s positively no have to implement your personal answer. On this first instance we’ll simply put together the signer for later use and render the index web page so we will initalize the OAuth request utilizing the web site.

import Vapor
import Leaf
import JWT

extension JWKIdentifier {
    static let apple = JWKIdentifier(string: Surroundings.siwaJWKId)

extension String {
    var bytes: [UInt8] {
        return .init(self.utf8)

public func configure(_ app: Utility) throws {

    app.middleware.use(SessionsMiddleware(session: app.classes.driver)) = Surroundings.siwaId
    let signer = strive JWTSigner.es256(key: .non-public(pem: Surroundings.siwaKey.bytes))
    app.jwt.signers.use(signer, child: .apple, isDefault: false)

    app.get { req -> EventLoopFuture<View> in
        struct ViewContext: Encodable {
            var clientId: String
            var scope: String = "identify electronic mail"
            var redirectUrl: String
            var state: String
            var popup: Bool = false

        let state = [UInt8].random(depend: 16).base64
        req.session.knowledge["state"] = state
        let context = ViewContext(clientId: Surroundings.siwaId,
                                  redirectUrl: Surroundings.siwaRedirectUrl,
                                  state: state)
        return req.view.render("index", context)

The session middleware is used to switch a random generated code between the index web page and the redirect handler. Now when you run the app and click on on the Sign up with Apple button you will see that the circulate begins, nevertheless it’ll fail after you recognized your self. That is okay, the first step is accomplished. ✅

The redirect handler

Apple will attempt to ship a POST request with an object that comprises the Apple ID token to the registered redirect URI after you have recognized your self utilizing their login field. We will mannequin this response object as an AppleAuthResponse struct within the following means:

import Basis

struct AppleAuthResponse: Decodable {

    enum CodingKeys: String, CodingKey {
        case code
        case state
        case idToken = "id_token"
        case consumer

    let code: String
    let state: String
    let idToken: String
    let consumer: String

The authorization code is the primary parameter, the state shuld be equal together with your state worth that you just ship as a parameter whenever you press the login button, if they do not match do not belief the response someone is making an attempt to hack you. The idToken is the Apple ID token, now we have to validate that utilizing the JWKS validation endpoint. The consumer string is the e-mail tackle of the consumer.

app.publish("siwa-redirect") { req in
    let state = req.session.knowledge["state"] ?? ""
    let auth = strive req.content material.decode(AppleAuthResponse.self)
    guard !state.isEmpty, state == auth.state else {
        return req.eventLoop.future("Invalid state")

    return, applicationIdentifier: Surroundings.siwaId)
    .flatMap { token in

The code above will deal with the incoming response. First it will attempt to decode the AppleAuthResponse object from the physique, subsequent it will name the Apple verification service utilizing your non-public key and the idToken worth from the response. This validation service returns an AppleIdentityToken object. That is a part of the JWTKit bundle. We have simply accomplished Step 2. ☺️

Exchanging the entry token

The AppleIdentityToken solely lives for a brief time frame so now we have to alternate it for an entry token that can be utilized for for much longer. We have now to assemble a request, we’re going to use the next request physique to alternate tokens:

struct AppleTokenRequestBody: Encodable {
    enum CodingKeys: String, CodingKey {
        case clientId = "client_id"
        case clientSecret = "client_secret"
        case code
        case grantType = "grant_type"
        case redirectUri = "redirect_uri"
    let clientId: String

    let clientSecret: String

    let code: String
    let redirectUri: String
    let grantType: String = "authorization_code"

We’ll additionally have to generate the shopper secret, based mostly on the response we’re going to make a brand new AppleAuthToken object for this that may be signed utilizing the already configured JWT service.

struct AppleAuthToken: JWTPayload {
    let iss: String
    let iat = Int(Date().timeIntervalSince1970)
    let exp: Int
    let aud = ""
    let sub: String

    init(clientId: String, teamId: String, expirationSeconds: Int = 86400 * 180) {
        sub = clientId
        iss = teamId
        exp = self.iat + expirationSeconds

    func confirm(utilizing signer: JWTSigner) throws {
        guard iss.depend == 10 else {
            throw JWTError.claimVerificationFailure(identify: "iss", motive: "TeamId have to be your 10-character Workforce ID from the developer portal")

        let lifetime = exp - iat
        guard 0...15777000 ~= lifetime else {
            throw JWTError.claimVerificationFailure(identify: "exp", motive: "Expiration have to be between 0 and 15777000")

Since now we have to make a brand new request we will use the built-in AysncHTTPClient service. I’ve made a bit extension across the HTTPClient object to simplify the request creation course of.

extension HTTPClient {
    static func appleAuthTokenRequest(_ physique: AppleTokenRequestBody) throws -> HTTPClient.Request {
        var request = strive HTTPClient.Request(url: "", methodology: .POST)
        request.headers.add(identify: "Consumer-Agent", worth: "Mozilla/5.0 (Home windows NT 6.2) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1090.0 Safari/536.6'")
        request.headers.add(identify: "Settle for", worth: "software/json")
        request.headers.add(identify: "Content material-Sort", worth: "software/x-www-form-urlencoded")
        request.physique = .string(strive URLEncodedFormEncoder().encode(physique))
        return request

The humorous factor right here is when you do not add the Consumer-Agent header the SiwA service will return with an error, the issue was talked about in this text additionally mentioned on the Apple Developer Fourms.

Anyway, let me present you the entire redirect handler. ?

app.publish("siwa-redirect") { req -> EventLoopFuture<String> in
    let state = req.session.knowledge["state"] ?? ""
    let auth = strive req.content material.decode(AppleAuthResponse.self)
    guard !state.isEmpty, state == auth.state else {
        return req.eventLoop.future("Invalid state")

    return, applicationIdentifier: Surroundings.siwaId)
    .flatMap { token -> EventLoopFuture<HTTPClient.Response> in
        do {
            let secret = AppleAuthToken(clientId: Surroundings.siwaId, teamId: Surroundings.siwaTeamId)
            let secretJwtToken = strive app.jwt.signers.signal(secret, child: .apple)

            let physique = AppleTokenRequestBody(clientId: Surroundings.siwaId,
                                             clientSecret: secretJwtToken,
                                             code: auth.code,
                                             redirectUri: Surroundings.siwaRedirectUrl)

            let request = strive HTTPClient.appleAuthTokenRequest(physique)
            return app.http.shopper.shared.execute(request: request)
        catch {
            return req.eventLoop.future(error: error)
    .map { response -> String in
        guard var physique = response.physique else {
            return "n/a"
        return physique.readString(size: physique.readableBytes) ?? "n/a"

As you may see I am simply sending the alternate request and map the ultimate response to a string. From this level it’s very easy to implement a decoder, the response is one thing like this:

struct AppleAccessToken: Decodable {

    enum CodingKeys: String, CodingKey {
        case accessToken = "access_token"
        case tokenType = "token_type"
        case expiresIn = "expires_in"
        case refreshToken = "refresh_token"
        case idToken = "id_token"

    let accessToken: String
    let tokenType: String
    let expiresIn: Int
    let refreshToken: String
    let idToken: String

You should use this response to authenticate your customers, however that is up-to-you based mostly by yourself enterprise logic & necessities. You should use the identical authTokenRequest methodology to refresh the token, you simply should set the grant kind to refresh_token as a substitute of authorization_code

I do know that there’s nonetheless room for enhancements, the code is way from excellent, nevertheless it’s a working proof of idea. The article is getting actually lengthy, so perhaps that is the fitting time cease. ?

In case you are in search of a great place to be taught extra about SiwA, you must verify this hyperlink.


You’ll be able to have a working Sign up with Apple implementation inside an hour in case you are utilizing Vapor 4. The toughest half right here is that it’s important to work out each single little element by your self, taking a look at different folks’s supply code. I am making an attempt to clarify issues as straightforward as attainable however hey, I am nonetheless placing collectively the items for myself too.

That is an especially enjoyable journey for me. Shifting again to the server aspect after nearly a decade of iOS growth is a refreshing expertise. I can solely hope you will get pleasure from my upcoming guide referred to as Sensible Server Facet Swift, as a lot as I get pleasure from studying and writing in regards to the Vapor. ❤️


Please enter your comment!
Please enter your name here