docs: add guide to configuration options (#54)
* docs: add guide to configuration options
klausbetz committed Sep 22, 2023
1 parent 4170bda commit 93516f9
Showing 1 changed file with 19 additions and 17 deletions.
36 changes: 19 additions & 17 deletions README.md
Expand Up @@ -52,17 +52,19 @@ paper [Keycloak 19.0.0 release](https://www.keycloak.org/2022/07/keycloak-1900-r

Log into your Keycloak admin console and add `Apple` as new `Identity Provider` and get comfortable with the configuration options:

| Option | Description |
|--------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Client ID (= Service ID) | For web-clients this is usually the corresponding Service ID from Apple. For native clients (like iOS Apps, which just perform a token-exchange) this should be the app-identifier of the consuming native app. |
| Client Secret | (Ignored) Just use a dummy value. |
| Team ID | Your Team ID obtained from your Apple developer account. |
| Key ID | A key identifier obtained from your Apple developer account. |
| p8 Key | Raw content of p8 key file you get from your Apple developer account. |
| Default Scopes | Scopes to request from Apple (for web-based logins). Defaults to `name%20email` |
| Option | Description |
|--------------------------|---------------------------------------------------------------------------------|
| Client ID (= Service ID) | Your Service ID from your Apple Developer Account. |
| Client Secret | (Ignored) Just use a dummy value. |
| Team ID | Your Team ID obtained from your Apple Developer Account. |
| Key ID | A key identifier obtained from your Apple Developer Account. |
| p8 Key | Raw content of p8 key file you get from your Apple Developer Account. |
| Default Scopes | Scopes to request from Apple (for web-based logins). Defaults to `name%20email` |

:raising_hand: If you are unsure where you get these values from your Apple Developer Account you may want to check out this [guide](https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple#how-sign-in-with-apple-works-hint-it-uses-oauth-and-oidc).

:warning: Make sure to add the keycloak broker-URL (`https://<keycloak-url>/realms/<realm>/broker/apple/endpoint`) to your valid redirect
URLs in your Apple developer account.
URLs in your Apple Developer Account.

## Token exchange

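Review bot: the rewritten `Client ID (= Service ID)` row drops the guidance for native clients. The old row said that for native apps doing a token exchange the value should be the app identifier of the consuming app, and the new row only says "Your Service ID from your Apple Developer Account." Since the token-exchange section of the same README still has an `app_identifier` parameter for exactly that Service ID / app identifier mismatch case, a reader setting up an iOS app now gets no pointer from the configuration table to it; keep a short sentence such as "For native apps that use token exchange, see the `app_identifier` parameter below" in this row. Unrelated wording nit: `p8 Key` is the private signing key for the provider, and the description "Raw content of p8 key file" should say so, so that operators know what they are pasting into the realm configuration.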
Expand Down Expand Up @@ -95,12 +97,12 @@ Keycloak tokens.
`<keycloak server url>/realms/<realm>/protocol/openid-connect/token`
`application/x-www-form-urlencoded`

| Parameter | Description |
|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `client_id` | the client id of your Keycloak client |
| `grant_type` | `urn:ietf:params:oauth:grant-type:token-exchange` |
| `subject_token` | `authorizationCode` from Apple |
| `subject_issuer` | `apple` (the name of the social provider in keycloak) |
| `user_profile` | `{ "name": { "firstName": string, "lastName": string }, "email": string }` optional. The JSON string that Apple sends on the first login (only required for the first login if you want to store the user's name) |
| `app_identifier` | In case the configured Service ID doesn't match the app identifier of the native iOS app, this parameter can be used, so that Service ID is ignored and app_identifier is used instead (Apple might throw a client_id mismatch exception if not provided) |
| Parameter | Description |
|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `client_id` | the client id of your Keycloak client |
| `grant_type` | `urn:ietf:params:oauth:grant-type:token-exchange` |
| `subject_token` | `authorizationCode` from Apple |
| `subject_issuer` | `apple` (the name of the social provider in keycloak) |
| `user_profile` | `{ "name": { "firstName": string, "lastName": string }, "email": string }` optional. The JSON string that Apple sends on the first login (only required for the first login if you want to store the user's name) |
| `app_identifier` | In case the configured Service ID doesn't match the bundle-identifier of the native iOS app, this parameter can be used, so that Service ID is ignored and `app_identifier` is used instead (Apple might throw a client_id mismatch exception if not provided).<br>If the Service ID already matches your bundle-identifier you can omit this parameter. |

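Review bot: the `app_identifier` row now says "bundle-identifier" while the configuration table in this same commit calls the corresponding value the Service ID with no mention of bundle identifiers, so the two sections no longer use matching terms; pick one term (bundle identifier is the Apple one) and use it in both places. The "Apple might throw a client_id mismatch exception if not provided" phrasing is also vague; state the condition directly: "If the Service ID differs from the app's bundle identifier and `app_identifier` is omitted, Apple rejects the exchange with a client_id mismatch error." For the `user_profile` row, which was not changed here but sits in this hunk: the description says it is "the JSON string that Apple sends on the first login", yet it is a parameter supplied by the caller of the token endpoint; the row should say whether the `name` and `email` values are checked against the Apple-issued token or stored as supplied, since that determines whether a client can set arbitrary profile data for the Keycloak user.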