Skip to content

Getting Started

Steve Hannah edited this page Jan 23, 2020 · 1 revision

Getting Started with Sign-in With Apple

The Sign-in with Apple cn1lib uses iOS native libraries for authentication on iOS. If you want to use it on other platforms (e.g. Android, or in the simulator), it will fall back to Apple’s Oauth2 authentication service, which requires some setup. The following tutorial will show you how to set up sign-in with Apple in your app. The broad steps covered here include:

  1. Creating an App ID, with Sign-in with Apple support. This is required for all platforms.

  2. Creating a Service ID, with Sign-in with Apple support. Only required for non-iOS platforms.

  3. Creating a key for generating the client secret. Only required for non-iOS platforms.

  4. Setting up a Redirect page that will be shown after successful login. Only required for non-iOS platforms.

  5. Configuring the AppleLogin class to use Oauth2 login using the credentials generated in steps 1-3.

Things you will need

  1. Your own publicly accessible Web Server to be used for the Oauth2 Redirect URI.

  2. An Apple Developer Account

To begin, you’ll need to log into the Apple developer portal at

Step 1 Creating An App ID

This step is required for all iOS apps. The only thing different here is that you need to enable "Sign-in with Apple" for this App ID.

In the Apple developer portal, choose "Identifiers" from the left menu, then click the little blue "+" icon next to the "Identifiers" heading.


Choose "App IDs" and press "Continue"

Register a New Identifier

Fill in the Description with your app’s name. For the bundle ID, enter your app’s bundle ID. This will be the package name for your app (e.g. com.example.myapp).

Register an App ID

And under "Capabilities", scroll down and find "Sign-in with Apple", and check the box next to it.

Enable Sign-in with Apple

Press "Continue", then "Register" to confirm your App ID.

If you only wish to support sign-in on iOS devices, then you can stop here. The remaining steps are only necessary to support sign-in on other platforms, such as Android, Simulator, and desktop builds.

Step 2 Creating a Services ID

The Services ID will be used to associate your app with your website. The services ID will be used as the client_id for Oauth2 authentication.

You can now proceed to create a new identifier, and choose "Services ID" this time.

Register a new Identifier - Services ID

Enter the description and Identifier in the provided fields.

The identifier can be the same as your bundle ID, but it doesn’t need to be. This will be used as the Oauth2 client_id.
Register a Services ID

Now, make sure you check the "Sign-in with Apple" checkbox.

with apple checkbox

And click the "Configure" button.

This is where you specify your website’s domain, and the redirect URL for Oauth2 login.

Web Authentication configuration

Select your app from the drop-down menu, then enter the website domain.

You will have to prove ownership of your domain. Follow the instructions on this form to complete verification after setting up the Services ID. Basically you’ll just need to download a verification file from Apple, and copy it to your website.

The "Return URLs" field is where you enter the redirect URL for Oauth2 authentication. Have this point to a page on your site. We will need to add a script to serve this URL at a later step. Apple will be using HTTP Post to pass the Oauth2 code to this script during the login process, so it is important that you can handle POST requests at this URL. This tutorial uses a PHP script to process the POST request and copy the data into a GET request so that Codename One’s Oauth2 component can access them.

The settings for the demo app look like:

Web Authentication Configuration Settings for Sign-in with Apple Demo app
Apple doesn’t allow localhost URLs in this step. You must use a real domain. If you try to beat the system by using "", it will fail at a later step.

Click Save and then Continue and Register to complete the setup.

At this point you have an App ID and a Services ID configured for Sign-in with Apple.

Step 3 Creating a Key

Most Oauth2 providers provide you with a client secret that you can use to validate Oauth2 login codes. Apple, instead, provides with the means to generate your own client secret on demand. This is more secure, but it adds some up-front pain to our setup. The ultimate client secret, will be a signed JWT (JSON web token) - signed by the private key that we will generate in this step.

Return to the "Certificates, Identifiers, and Profiles" screen, and select "Keys" from the side menu.

Keys in side menu

Then click the blue "+" icon to create a new key. Enter a key name, and be sure to check the "Sign in with Apple" checkbox.

New Key form

Click "Configure" next to "Sign-in with Apple", and select your App ID.

Configure Key form

Press "Save".

Apple will generate a private key for you.

You only have one chance to download this key. Make sure you save it, because you won’t be able to download it later. The key file will have a .p8 extension but it just contains ASCII text.
Download private key

Once this is complete, go back and view the key details, as we’ll need them later.

Key details

We now have all the information we need to configure Oauth2 authentication in our app.

Step 4 Setting up a Redirect Page

As I mentioned previously, our redirect page needs to be able to receive POST requests and convert them into a GET request so that that the Codename One Oauth2 component can access the query parameters.

The following is a PHP script that can be used as the redirect page, which will do exactly this:

header('Cache-Control: no-cache');
if ($_POST) {
	//echo "<!doctype html>\n<html><body>Thank you!</body></html>";
	header('Location: '.$_SERVER['PHP_SELF'].'?'.http_build_query($_POST));
} else {
	echo "<!doctype html>\n<html><body>Thank you</body></html>";

Step 5 Configuring the AppleLogin class

Now that we’ve jumped through all of Apple’s hoops, we can proceed to enter our Oauth2 credentials into our app.

public static String AppleClientID = "com.example.myapp";
public static String AppleRedirectURI = "";
public static String ApplePrivateKey = "-----BEGIN PRIVATE KEY-----\n" +
        "XXXXXXXX\n" +
        "-----END PRIVATE KEY-----";
public static String AppleKeyID = "XXXXXXXX";
public static String AppleTeamID = "XXXXXXXX";
The AppleTeamID will be your App ID prefix. You can find this on the details page for your App ID.

And we set these values in our AppleLogin object as follows:

AppleLogin login = new AppleLogin();
In this example we are embedding our private key directly inside our app. This isn’t the most secure way to work. A more secure method would be to either pre-generate the client secret offline, and provide that, or use a web service to generate the client secret on demand. Pre-generating it isn’t practical as client secrets have a maximum life-span of 6 months. So you would at least need to provide a way for your app to acquire a new one when the old one expires.

For information on generating the client secret yourself, see Apple’s documentation.

If you pre-generate the client secret, you would set up the Apple login as follows:


If you want to use a web-service to generate the client-secret on demand, your setup would look like:

If you’re only deploying to iOS devices, then you don’t need to set any of these config options. It will just use the native libraries automatically.
Clone this wiki locally
You can’t perform that action at this time.