# Apple login

Openfort Auth supports using [Sign in with Apple](https://developer.apple.com/sign-in-with-apple/) on the web and in native apps for iOS, macOS, watchOS, or tvOS.

## Overview

To support Sign in with Apple, configure the [Apple provider in the Openfort dashboard](https://dashboard.openfort.io/providers) for your project.

There are two general ways to use Sign in with Apple, depending on the application you're trying to build:

* Sign in on the web or in web-based apps using an OAuth flow initiated by Openfort Auth using the [Sign in with Apple REST API](https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api)
* Sign in natively inside iOS, macOS, watchOS, or tvOS apps using [Apple's Authentication Services](https://developer.apple.com/documentation/authenticationservices)

In some cases you can use the OAuth flow within web-based native apps such as with [React Native](https://reactnative.dev), [Expo](https://expo.dev), or other similar frameworks. It is best practice to use native Sign in with Apple capabilities on those platforms instead.

When developing with Expo, you can test Sign in with Apple via the Expo Go app. In all other cases you need an [Apple Developer](https://developer.apple.com) account to enable the capability.

## Using the OAuth flow for web

Sign in with Apple's OAuth flow is designed for web or browser-based sign in methods. It can be used on web-based apps as well as websites, though some users can benefit by using Sign in with Apple JS directly.

Behind the scenes, Openfort Auth uses the [REST APIs](https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api) provided by Apple.

### Configuration

You need the following information:

1. Your Apple Developer account's **Team ID**, which is an alphanumeric string of 10 characters that uniquely identifies the developer of the app. It's often accessible in the upper right-side menu on the Apple Developer Console.
2. Register email sources for **Sign in with Apple for Email Communication**, which can be found in the [Services](https://developer.apple.com/account/resources/services/list) section of the Apple Developer Console. This matters when you send email to users who chose Apple's private relay (Hide My Email) address: Apple only forwards mail coming from the sender domains and addresses you register here.
3. An **App ID** which uniquely identifies the app you are building. You can create a new App ID from the [Identifiers](https://developer.apple.com/account/resources/identifiers/list/bundleId) section in the Apple Developer Console (use the filter menu in the upper right side to see all App IDs). These usually are a reverse domain name string, for example `com.example.app`. Make sure you configure Sign in with Apple once you create an App ID in the Capabilities list. At this time Openfort Auth does not support Server-to-Server notification endpoints, so you should leave that setting blank.
4. A **Services ID** which uniquely identifies the web services provided by the app you registered in the previous step. You can create a new Services ID from the [Identifiers](https://developer.apple.com/account/resources/identifiers/list/serviceId) section in the Apple Developer Console (use the filter menu in the upper right side to see all Services IDs). These usually are a reverse domain name string, for example `com.example.app.web`.
5. Configure Website URLs for the newly created **Services ID**. The redirect URL (Apple calls it the Return URL) is `https://api.openfort.io/iam/v2/auth/callback/apple`. The web domain you register must be the one that serves that redirect URL, i.e. the host of the Openfort callback, because Apple only redirects back to URLs on a registered domain.
6. Create a signing **Key** in the [Keys](https://developer.apple.com/account/resources/authkeys/list) section of the Apple Developer Console and note its Key ID. You sign the client secret (a JWT, see the note below) with this key and add that secret to your Openfort project's Auth configuration. Make sure you safely store the `AuthKey_XXXXXXXXXX.p8` file: it is the private key, and Apple lets you download it only once. If you ever lose access to it, or make it public accidentally, revoke it from the Apple Developer Console and create a new one immediately. The `.p8` key itself does not expire, but Apple accepts a client secret for at most six months, so you have to generate a new secret from this file every six months; schedule a recurring reminder.
7. Add the information you configured above to the [Apple provider configuration in the Openfort dashboard](https://dashboard.openfort.io/providers).

:::note
To generate your Apple client secret, you need:

* Your Apple Developer Team ID
* Your Services ID (Client ID)
* The Key ID of the signing key
* Your private key file (.p8) downloaded from the Apple Developer Console

The client secret is a JWT signed with the `.p8` key using ES256, with `iss` set to your Team ID, `sub` to your Services ID, `aud` to `https://appleid.apple.com` and `kid` to the Key ID. Generate it locally with a script or a JWT library; do not paste the `.p8` private key into a third-party web tool, since anyone holding that key can mint client secrets for your app. Apple accepts an expiry of at most six months from issue, so the secret must be regenerated at least every six months.

For detailed instructions, refer to [Apple's Sign in with Apple REST API documentation](https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens).
:::

## Using native sign in with Apple in Expo

When working with Expo, you can use the [Expo AppleAuthentication](https://docs.expo.dev/versions/latest/sdk/apple-authentication/) library to obtain an ID token that you can pass to openfort-js `authenticateThirdParty` method.

:::tip
When testing with Expo Go, the Expo App ID `host.exp.Exponent` is used. Make sure to add this to the **Client IDs** list in your [Openfort dashboard Apple provider configuration](https://dashboard.openfort.io/providers).

Make sure you set up **Apple Native** under third party authentication providers.
:::

1. Have an **App ID** which uniquely identifies the app you are building. You can create a new App ID from the [Identifiers](https://developer.apple.com/account/resources/identifiers/list/bundleId) section in the Apple Developer Console (use the filter menu in the upper right side to see all App IDs). These usually are a reverse domain name string, for example `com.example.app`. Make sure you configure Sign in with Apple for the App ID you created or already have, in the Capabilities list. At this time Openfort Auth does not support Server-to-Server notification endpoints, so you should leave that setting blank.
2. Register all of the App IDs that use your Openfort project in the [Apple provider configuration in the Openfort dashboard](https://dashboard.openfort.io/providers) under **Client IDs**.

:::tip
If you're building a native app only, you do not need to configure the OAuth settings.
:::
