

This is how our login works with Apple ID and Keycloak 7.0.1:

Our iOS app uses ASAuthorizationAppleIDProvider, with email and fullName scopes:

```swift
// Sign in with Apple request from our iOS app (email and fullName scopes are requested on this request)
let appleIDProvider = ASAuthorizationAppleIDProvider()
let request = appleIDProvider.createRequest()
```

For the first call only, the received identityToken of ASAuthorizationAppleIDCredential will contain a JWT, which will contain the email claim. This is important: without email in the id token, token exchange did not work for us (if the user does not exist in keycloak). (The name of the user is not in the id token, so it will be sent after the token exchange to our server.) The mobile app will send the id token to our server side component. The server side of our application is responsible for validating the audience in the id token, as token exchange is not safe as is, because it will accept any valid token. We need to accept only tokens for specific clients (aud claim in id token).

For Client ID, we had to create a Services ID in Apple Developer portal. For Client Secret we had to generate a signed JWT with the method mentioned in, using a private key defined in Apple Developer portal. We have created a cron job that will generate a new client secret every month and use the keycloak api to set the client secret, as this JWT should be valid for less than 6 months only. So this is our configuration, and just checked it, still working…
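An added example (not from the original post or from Keycloak) of the server-side audience gate described above, in Python: the id token sent by the mobile app is rejected unless it was issued by Apple to one of our own Services IDs and is still valid, before it is handed to Keycloak token exchange. Signature verification against Apple's JWKS is assumed to happen first and is not shown; the Services ID values and the fixture token are constructed.

```python
import base64
import json
import time

APPLE_ISSUER = "https://appleid.apple.com"


class InvalidIdToken(Exception):
    """Raised when the id token must not be forwarded to token exchange."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(id_token: str) -> dict:
    """Return the payload of a compact JWS. This does NOT verify the signature;
    the caller is assumed to have verified it against Apple's JWKS already."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise InvalidIdToken("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_apple_id_token(id_token: str, allowed_audiences: set, now=None) -> dict:
    """Gate before Keycloak token exchange: the token must come from Apple, be
    addressed to one of OUR Services IDs (aud) and not be expired. Token exchange
    alone would accept any valid Apple token, whatever client it was issued to."""
    now = int(time.time()) if now is None else now
    claims = decode_claims(id_token)
    if claims.get("iss") != APPLE_ISSUER:
        raise InvalidIdToken("unexpected issuer")
    aud = claims.get("aud")
    # aud may be a string or a list (RFC 7519); normalise to a set.
    auds = {aud} if isinstance(aud, str) else set(aud or [])
    if not auds & allowed_audiences:
        raise InvalidIdToken("token not issued for one of our client ids")
    if int(claims.get("exp", 0)) <= now:
        raise InvalidIdToken("token expired")
    return claims


def make_fixture_token(claims: dict) -> str:
    # Constructed test fixture only: header + payload with an empty signature.
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "fixture"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."
```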
