Register with Apple utilizing Vapor 4

An entire tutorial for rookies about the right way to implement the Register with Apple authentication service to your web site.


Apple developer portal setup

As a way to make the Register with Apple work to your web site you may want a payed developer account. That’ll value you $99 / 12 months in case you are a person developer. You possibly can examine varied membership choices or simply merely enroll utilizing this hyperlink, however you may want an present Apple ID.

I assume that you just made it up to now and you’ve got a working Apple developer account by now. A standard misbelief about Register with Apple (SiwA) is that you just want an present iOS utility publised to the App Retailer to make it work, however that is not the case. It really works and not using a companion app, nevertheless you may want an utility identifier registered within the dev portal.

App identifier

Choose the Identifiers menu merchandise from the record on the left, press the plus (+) button, choose the App IDs possibility and press the Proceed button. Fill out the outline subject and enter a customized bunde indentifier that you just’d like to make use of (e.g. Scroll down the Capabilities record till you discover the Register With Apple possibility, mark the checkbox (the Allow as major App ID ought to seem proper subsequent to an edit button) and press the Proceed button on the highest proper nook. Register the appliance identifier utilizing the highest proper button, after you discover every thing all proper.

You need to see the newly created AppID within the record, if not there’s a search icon on the suitable facet of the display. Choose the AppIDs possibility and the appliance identifer merchandise ought to seem. πŸ”

Service identifier

Subsequent we’d like a service identifier for SiwA. Press the add button once more and now choose the Companies IDs possibility. Enter an outline and fill out the identifier utilizing the identical reverse-domain identify model. I favor to make use of my area identify with a suffix, that may be one thing like com.instance.siwa.service. Press the Proceed and the Register buttons, we’re nearly prepared with the configuration half.

Filter the record of identifiers by Service IDs and click on on the newly created one. There’s a Configure button, that it’s best to press. Now affiliate the Major App ID to this service identifier by deciding on the appliance id that we made beforehand from the choice record. Press the plus button subsequent to the Web site URLs textual content and enter the given area that you just’d like to make use of (e.g.

You may even have so as to add at the least one Return URL, which is mainly a redirect URL that the service can use after an auth request. You need to at all times use HTTPS, however other than this constraint the redirect URL might be something (e.g. #notrailingslash

You possibly can add or take away URLs at any time utilizing this display, fortunately there’s a take away possibility for each area and redirect URL. Press Subsequent to save lots of the URLs and Accomplished when you’re prepared with the Register with Apple service configuration course of.


The very last thing that we have to create on the dev portal is a personal key for shopper authentication. Choose the Keys menu merchandise on the left and press the add new button. Identify the important thing as you need, choose the Register with Apple possibility from the record. Within the Configure menu choose the Major App ID, it ought to be related with the appliance identifier we made earlier. Click on Save to return to the earlier display and press Proceed. Assessment the information and at last press the Register button.

Now that is your solely probability to get the registered personal key, should you pressed the executed button with out downloading it, you’ll lose the important thing eternally, it’s important to make a brand new one, however don’t be concerned an excessive amount of should you messed it up you possibly can click on on the important thing, press the large pink Revoke button to delete it and begin the method once more. This comes useful if the important thing will get compromised, so do not share it with anyone else in any other case you may need to make a brand new one. πŸ”‘

Workforce & JWK identifier

I nearly neglect that you will want your workforce identifier and the JWK identifier for the check in course of. The JWK id might be discovered below the beforehand generated key particulars web page. When you click on on the identify of the important thing you possibly can view the main points. The Key ID is on that web page alongside with the revoke button and the Register with Apple configuration part the place you may get the workforce identifier too, because the service bundle identifier is prefixed with that. Alternatively you possibly can copy the workforce id from the very prime proper nook of the dev portal, it is proper subsequent to your identify.

Implementing Register With Apple

Earlier than we write a single line of Swift code let me clarify a simplified model of your entire course of.

All the login circulation has 3 major elements:

  • Provoke an online auth request utilizing the SiwA button (begin the OAuth circulation)
  • Validate the returned consumer id token utilizing Apple’s JWK service
  • Trade the consumer id token for an entry token

A number of the tutorials overcomplicate this, however you may see how straightforward is to put in writing your entire circulation utilizing Vapor 4. We do not even want further scripts that generate tokens we are able to do every thing in pure Swift, which is sweet. Lets begin a brand new Vapor mission. You may want the JWT package deal as properly.

import PackageDescription

let package deal = Bundle(
    identify: "binarybirds",
    platforms: [
    dependencies: [
        .package(url: "", from: "4.4.0"),
        .package(url: "", from: "4.0.0-rc"),
        .package(url: "", from: "4.0.0-rc"),
    targets: [
        .target(name: "App", dependencies: [
            .product(name: "Vapor", package: "vapor"),
            .product(name: "Leaf", package: "leaf"),
            .product(name: "JWT", package: "jwt"),
        .goal(identify: "Run", dependencies: ["App"]),

If you do not know the right way to construct the mission it’s best to learn my rookies information about Vapor 4.

The Register with Apple button

We will use the Leaf template engine to render our views, it is fairly easy to make it work, I will present you the configuration file in a second. We will use only one easy template this time. We will name it index.leaf and save the file into the Sources/Views listing.

<!DOCTYPE html>
        <meta charset="utf-8">
        <meta identify="viewport" content material="width=device-width, initial-scale=1">
            .signin-button {
                width: 240px;
                top: 40px;
            .signin-button > div > div > svg {
                width: 100%;
                top: 100%;
                shade: pink;
            .signin-button:hover {
                cursor: pointer;
            .signin-button > div {
                define: none;
        <script sort="textual content/javascript" src=""></script>
        <div id="appleid-signin" data-color="black" data-border="false" data-type="check in" class="signin-button"></div>
        <script sort="textual content/javascript">
                clientId : '#(clientId)',
                scope : '#(scope)',
                redirectURI: '#(redirectUrl)',
                state : '#(state)',
                usePopup : #(popup),

The Register with Apple JS framework can be utilized to render the login button on the web site. There’s a comparable factor for iOS known as AuthenticationServices, however this time we’re solely going to focus on the internet. Sadly the check in button is kind of buggy so we have now so as to add some additional CSS hack to repair the underlying points. Come on Apple, why do we have now to hack these items? πŸ˜…

Beginning the AppleID auth course of is actually easy you simply need to configure a number of parameters. The shopper id is service the bundle identifier that we entered on the developer portal. The scope might be both identify or electronic mail, however you should utilize each if you need. The redirect URI is the redirect URL that we registered on the dev portal, and the state ought to be one thing distinctive that you should utilize to establish the request. Apple will ship this state again to you within the response.

Noone talks concerning the usePopup parameter, so we’ll go away it that approach too… πŸ€”

Alternatively you should utilize meta tags to configure the authorization object, you possibly can learn extra about this within the Configuring your webpage for Register with Apple documentation.

Vapor configuration

It is time to configure our Vapor utility so we are able to render this Leaf template file and use the signing key that we aquired from Apple utilizing the dev portal. We’re coping with some secret data right here, so it’s best to by no means retailer it within the repository, however you should utilize Vapor’s surroundings for this objective. I favor to have an extension for the obtainable surroundings variables.

extension Atmosphere {
    static var siwaId = Atmosphere.get("SIWA_ID")!
    static let siwaRedirectUrl = Atmosphere.get("SIWA_REDIRECT_URL")!
    static var siwaTeamId = Atmosphere.get("SIWA_TEAM_ID")!
    static var siwaJWKId = Atmosphere.get("SIWA_JWK_ID")!
    static var siwaKey = Atmosphere.get("SIWA_KEY")!

In Vapor 4 you possibly can setup a customized JWT signer that may signal the payload with the correct keys and different values primarily based on the configuration. This JWT signer can be utilized to confirm the token within the response. It really works like magic. JWT & JWTKit is an official Vapor package deal, there’s positively no must implement your individual answer. On this first instance we’ll simply put together the signer for later use and render the index web page so we are able to initalize the OAuth request utilizing the web site.

import Vapor
import Leaf
import JWT

extension JWKIdentifier {
    static let apple = JWKIdentifier(string: Atmosphere.siwaJWKId)

extension String {
    var bytes: [UInt8] {
        return .init(self.utf8)

public func configure(_ app: Utility) throws {

    app.middleware.use(SessionsMiddleware(session: app.classes.driver)) = Atmosphere.siwaId
    let signer = strive JWTSigner.es256(key: .personal(pem: Atmosphere.siwaKey.bytes))
    app.jwt.signers.use(signer, child: .apple, isDefault: false)

    app.get { req -> EventLoopFuture<View> in
        struct ViewContext: Encodable {
            var clientId: String
            var scope: String = "identify electronic mail"
            var redirectUrl: String
            var state: String
            var popup: Bool = false

        let state = [UInt8].random(depend: 16).base64
        req.session.information["state"] = state
        let context = ViewContext(clientId: Atmosphere.siwaId,
                                  redirectUrl: Atmosphere.siwaRedirectUrl,
                                  state: state)
        return req.view.render("index", context)

The session middleware is used to switch a random generated code between the index web page and the redirect handler. Now should you run the app and click on on the Register with Apple button you may see that the circulation begins, nevertheless it’ll fail after you recognized your self. That is okay, the 1st step is accomplished. βœ…

The redirect handler

Apple will attempt to ship a POST request with an object that accommodates the Apple ID token to the registered redirect URI after you have recognized your self utilizing their login field. We will mannequin this response object as an AppleAuthResponse struct within the following approach:

import Basis

struct AppleAuthResponse: Decodable {

    enum CodingKeys: String, CodingKey {
        case code
        case state
        case idToken = "id_token"
        case consumer

    let code: String
    let state: String
    let idToken: String
    let consumer: String

The authorization code is the primary parameter, the state shuld be equal together with your state worth that you just ship as a parameter once you press the login button, if they do not match do not belief the response any person is attempting to hack you. The idToken is the Apple ID token, we have now to validate that utilizing the JWKS validation endpoint. The consumer string is the e-mail handle of the consumer.

app.publish("siwa-redirect") { req in
    let state = req.session.information["state"] ?? ""
    let auth = strive req.content material.decode(AppleAuthResponse.self)
    guard !state.isEmpty, state == auth.state else {
        return req.eventLoop.future("Invalid state")

    return, applicationIdentifier: Atmosphere.siwaId)
    .flatMap { token in

The code above will deal with the incoming response. First it’s going to attempt to decode the AppleAuthResponse object from the physique, subsequent it’s going to name the Apple verification service utilizing your personal key and the idToken worth from the response. This validation service returns an AppleIdentityToken object. That is a part of the JWTKit package deal. We have simply accomplished Step 2. ☺️

Exchanging the entry token

The AppleIdentityToken solely lives for a brief time period so we have now to trade it for an entry token that can be utilized for for much longer. Now we have to assemble a request, we’re going to use the next request physique to trade tokens:

struct AppleTokenRequestBody: Encodable {
    enum CodingKeys: String, CodingKey {
        case clientId = "client_id"
        case clientSecret = "client_secret"
        case code
        case grantType = "grant_type"
        case redirectUri = "redirect_uri"
    let clientId: String

    let clientSecret: String

    let code: String
    let redirectUri: String
    let grantType: String = "authorization_code"

We’ll additionally must generate the shopper secret, primarily based on the response we’re going to make a brand new AppleAuthToken object for this that may be signed utilizing the already configured JWT service.

struct AppleAuthToken: JWTPayload {
    let iss: String
    let iat = Int(Date().timeIntervalSince1970)
    let exp: Int
    let aud = ""
    let sub: String

    init(clientId: String, teamId: String, expirationSeconds: Int = 86400 * 180) {
        sub = clientId
        iss = teamId
        exp = self.iat + expirationSeconds

    func confirm(utilizing signer: JWTSigner) throws {
        guard iss.depend == 10 else {
            throw JWTError.claimVerificationFailure(identify: "iss", purpose: "TeamId have to be your 10-character Workforce ID from the developer portal")

        let lifetime = exp - iat
        guard 0...15777000 ~= lifetime else {
            throw JWTError.claimVerificationFailure(identify: "exp", purpose: "Expiration have to be between 0 and 15777000")

Since we have now to make a brand new request we are able to use the built-in AysncHTTPClient service. I’ve made a bit extension across the HTTPClient object to simplify the request creation course of.

extension HTTPClient {
    static func appleAuthTokenRequest(_ physique: AppleTokenRequestBody) throws -> HTTPClient.Request {
        var request = strive HTTPClient.Request(url: "", methodology: .POST)
        request.headers.add(identify: "Person-Agent", worth: "Mozilla/5.0 (Home windows NT 6.2) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1090.0 Safari/536.6'")
        request.headers.add(identify: "Settle for", worth: "utility/json")
        request.headers.add(identify: "Content material-Kind", worth: "utility/x-www-form-urlencoded")
        request.physique = .string(strive URLEncodedFormEncoder().encode(physique))
        return request

The humorous factor right here is should you do not add the Person-Agent header the SiwA service will return with an error, the issue was talked about in this text additionally mentioned on the Apple Developer Fourms.

Anyway, let me present you the entire redirect handler. πŸ€“

app.publish("siwa-redirect") { req -> EventLoopFuture<String> in
    let state = req.session.information["state"] ?? ""
    let auth = strive req.content material.decode(AppleAuthResponse.self)
    guard !state.isEmpty, state == auth.state else {
        return req.eventLoop.future("Invalid state")

    return, applicationIdentifier: Atmosphere.siwaId)
    .flatMap { token -> EventLoopFuture<HTTPClient.Response> in
        do {
            let secret = AppleAuthToken(clientId: Atmosphere.siwaId, teamId: Atmosphere.siwaTeamId)
            let secretJwtToken = strive app.jwt.signers.signal(secret, child: .apple)

            let physique = AppleTokenRequestBody(clientId: Atmosphere.siwaId,
                                             clientSecret: secretJwtToken,
                                             code: auth.code,
                                             redirectUri: Atmosphere.siwaRedirectUrl)

            let request = strive HTTPClient.appleAuthTokenRequest(physique)
            return app.http.shopper.shared.execute(request: request)
        catch {
            return req.eventLoop.future(error: error)
    .map { response -> String in
        guard var physique = response.physique else {
            return "n/a"
        return physique.readString(size: physique.readableBytes) ?? "n/a"

As you possibly can see I am simply sending the trade request and map the ultimate response to a string. From this level it’s very easy to implement a decoder, the response is one thing like this:

struct AppleAccessToken: Decodable {

    enum CodingKeys: String, CodingKey {
        case accessToken = "access_token"
        case tokenType = "token_type"
        case expiresIn = "expires_in"
        case refreshToken = "refresh_token"
        case idToken = "id_token"

    let accessToken: String
    let tokenType: String
    let expiresIn: Int
    let refreshToken: String
    let idToken: String

You should utilize this response to authenticate your customers, however that is up-to-you primarily based by yourself enterprise logic & necessities. You should utilize the identical authTokenRequest methodology to refresh the token, you simply need to set the grant sort to refresh_token as an alternative of authorization_code

I do know that there’s nonetheless room for enhancements, the code is way from good, nevertheless it’s a working proof of idea. The article is getting actually lengthy, so possibly that is the suitable time cease. πŸ˜…

In case you are searching for an excellent place to study extra about SiwA, it’s best to test this hyperlink.


You possibly can have a working Register with Apple implementation inside an hour in case you are utilizing Vapor 4. The toughest half right here is that it’s important to determine each single little element by your self, different folks’s supply code. I am attempting to elucidate issues as straightforward as attainable however hey, I am nonetheless placing collectively the items for myself too.

That is a particularly enjoyable journey for me. Shifting again to the server facet after nearly a decade of iOS improvement is a refreshing expertise. I can solely hope you may take pleasure in my upcoming ebook known as Sensible Server Aspect Swift, as a lot as I take pleasure in studying and writing concerning the Vapor. ❀️