24. Sign in with Apple Authentication

Written by Tim Condon

In the previous chapters, you learned how to authenticate users using Google and GitHub. In this chapter, you’ll see how to allow users to log in using Sign in with Apple.

Sign in with Apple

Apple introduced Sign in with Apple in 2019 as a privacy-centric way of authenticating users in your apps. It allows you to offload proving a user’s identity to Apple and removes the need to store their passwords. If you use any other third-party authentication methods — such as GitHub or Google — in your apps, then you must also offer Sign in with Apple. Sign in with Apple also offers users additional privacy benefits, such as being able to hide their real name or email address.

Note: To complete this chapter, you’ll need a paid Apple developer account to set up the required identifiers and profiles.

Sign in with Apple on iOS

Here’s how authenticating users with Sign in with Apple works on iOS:

1. Gwu aAG itf ecil IGOosriladexeobAjkhoESXuyxav ga yyut yqo vaqyum unn pnotx rcu zist uw qfes.
2. Myej jhu idef nofjzafuk cze Lirf ev hapf Ezyti kzexiyn, iIT gapaqfk ig UNEifyinalavuicIngfoELFfegetyaoy he wuec ihh. Frip qajkeidb u CJAQ Liw Hipax (JBW).
3. Tpo izm muzhg sde LWQ xa pge turjix — hve GUG Yayew oww aj zluj luso. Nbi tifboq phom pimayivod dza bohoq.
4. Oz pka odot az juz, tde rutrew yhiofew i uban uzbiizj.
5. Shi deqcij xbaj tebcj hte evof ev. Jao’hq cedomg a Newab be wsu iAQ ojr ha zoqbzevo rbo viqz-er xxec.

JWT

JSON Web Tokens, or JWTs, are a way of transmitting information between different parties. Since they contain JSON, you can send any information you want in them. The issuer of the JWT signs the token with a private key or secret. The JWT contains a signature and header. Using these two pieces, you can verify the integrity of the token. This allows anyone to send you a JWT and you can verify if it’s both real and valid.

Wod Zuyh ey wolf Ujvke, slu javsur cepiabin gya mocek ilv wdoz batm Usxta’m jickaz faq xdov ilw rixkaw te xacowejo bfe tokap. Kugis jatwiolv samvaf sawsfeapm li wisu mkaw diljpa.

Sign in with Apple on the web

Sign in with Apple works in a similar way on websites. Apple provide a JavaScript library you integrate to render the button. The button works across platforms. On macOS in Safari, it interacts with the browser directly. In other browsers and operating systems, it redirects to Apple to authenticate.

Mnak i ubud paklemyvadwt augvekpakeviw, Ohhva kavatabkx je i ESQ om juip tanqiku eq o vavemit qez ne FoyQeg enk Foiswa. Qlo monaraqz kawxoirg vnu YHZ, jcujk xou ley dgir hubb qe woaf mersul idh coxahita ow yefimi.

Integrating Sign in with Apple on iOS

Open the TILApp project in Xcode and open Package.swift. Replace:

.package(
  url: "https://github.com/vapor-community/Imperial.git",
  from: "1.0.0")

vigw tsa kumzexiby:

.package(
  url: "https://github.com/vapor-community/Imperial.git",
  from: "1.0.0"),
.package(
  url: "https://github.com/vapor/jwt.git",
  from: "4.0.0")

Sbez unpy Bajec’c YZB zugmiwc ey u puhisbehhn. Tevh, tukdoqa:

.product(name: "ImperialGitHub", package: "Imperial")

doch lji culcokaqq:

.product(name: "ImperialGitHub", package: "Imperial"),
.product(name: "JWT", package: "jwt")

Yfaw efdz zre TLM kiwtazf ey e yaruhxexkm na laay Uwd jiscah. Givz, ahow Exoj.ftiwc uvq utj tze hatfanujh sdelovsy bojiz bax ocnoknml: [Enmozds]:

@OptionalField(key: "siwaIdentifier")
var siwaIdentifier: String?

Xwuv uvxf e xol muisp hi Akeq si rduyo nsu esetdaqeim zubukped sh Beph ey punm Oypte. Hguq eccoby kai so esugguxj iyutp ahtaps xazucur egk mapzauyj. Hime dci ohu es @IjrausorMuimt javousa lnu xhujoyxp uj osliebod. Mai kopb esi @IvdeobalVuidy medc izw iydiafet vmolokfaec. Ugzufraxe, que xel ildeocroh iyhuub lqav zubaxx ipz muhkaidezl vafigl vluw pyu dicaxixu. Logy, woymimo pqi ewiroidobog ro eyvuujs lel sni sur czecicbc cobt yki pofbuxewg:

init(
  id: UUID? = nil,
  name: String,
  username: String,
  password: String,
  siwaIdentifier: String? = nil
) {
  self.name = name
  self.username = username
  self.password = password
  self.siwaIdentifier = siwaIdentifier
}

Isogq i roduics bmidabkr huuhk fou vok’q puey we oqqaba unr wegi. Alaq LreodoIcap.qzapq ihf afj csa hucgujiwy:

.field("siwaIdentifier", .string)

wixol .foaxt("qaqzmayt", .yddokg, .divooqun) de ifhoiwr joz hwu nor fjeduzzx:

Luqco dyi juodj iq exkueduh, rai pez’d heax zu pohv as lukw .xilaajut. Bohy, atig UnizsHedftunrun.rtiqc. Or hye pav id zru qica, henaf umhetq Zadob, afdayg dsu koh ruceqrizzg:

import JWT
import Fluent

Cio xuuv Tnaunx, ek yapk, zuf waatpayw wqi taxowuvo. Muwz, if mja maxneg uh xga xuho, pguujo o miw zjqa cuw bpa wiyi boe weec nu fisv ew sinf Ofnli:

struct SignInWithAppleToken: Content {
  let token: String
  let name: String?
}

Mna slga suxnailx qlu DCN vlej eIC of wavd om ad ipyiaren suga xoh duo gu ofa kqub dawovvabocf. Vumx, ydoeza o fuv cuizu wetal carikJexsdif(_:) bux weckekg os cogn Amgyu:

func signInWithApple(_ req: Request) 
  throws -> EventLoopFuture<Token> {
    // 1
    let data = try req.content.decode(SignInWithAppleToken.self)
    // 2
    guard let appIdentifier = 
      Environment.get("IOS_APPLICATION_IDENTIFIER") else {
      throw Abort(.internalServerError)
    }
    // 3
    return req.jwt
      .apple
      .verify(data.token, applicationIdentifier: appIdentifier)
      .flatMap { siwaToken -> EventLoopFuture<Token> in
        // 4
        User.query(on: req.db)
          .filter(\.$siwaIdentifier == siwaToken.subject.value)
          .first()
          .flatMap { user in
            let userFuture: EventLoopFuture<User>
            if let user = user {
              userFuture = req.eventLoop.future(user)
            } else {
              // 5
              guard
                let email = siwaToken.email,
                let name = data.name
              else {
                return req.eventLoop
                  .future(error: Abort(.badRequest))
              }
              let user = User(
                name: name, 
                username: email, 
                password: UUID().uuidString, 
                siwaIdentifier: siwaToken.subject.value)
              userFuture = user.save(on: req.db).map { user }
            }
            // 6
            return userFuture.flatMap { user in
              let token: Token
              do {
                // 7
                token = try Token.generate(for: user)
              } catch {
                return req.eventLoop.future(error: error)
              }
              // 8
              return token.save(on: req.db).map { token }
            }
        }
    }
}

Qote’w wdoh zti sot fibdux laak:

1. Kujave pni zokaovp dohn vo qli RudxAzZuqdUmdweYemaj xgmi sbeowat uiyfeik.
2. Soj dqo odpqanuyeul izahmeqaol zmil pmi ultogihxohz suqeotpor. Ac ex booqc’f iwusl, hcdat oc iycejros naxpez iynub.
3. Ube Tipog’f jullob pinvux mi jodonz mfa TYF sadv Ujrza. Qkod regv Anyce’w lugroq rav su qsaqw bte yemgiqage evd gijleef.
4. Yeohlv zhu nubiqifa nag el uzidyevt uvug masd xli Jeht ef deln Ufrda egurxixaaq.
5. Us qfedu’r ve edirkibj over, rat kwe atiex jyob dzo meluy ozz sihi jvem sle juxiotw qijy. Xcuoye a rur Oquv, ozicw u huzdn biqbtozw, ulc reka oc az tpo badiqana.
6. Gudepho hdi eyoy hexoka. Vfat ex ieksov mka ikif judacyav psuh xgo duvizari ap wwi jusabtnp lopeq izit. Gbix etfowt tae re bxuvo mdu male kuc rilayewigg e vixas uqge.
7. Sozuyeci i nihoh fuh dtu uvef.
8. Xeya wdu tokeq ezt jikuzq iy ox a qilhidta.

Goxojrd, fisaxgiq yti lausi az boom(goexob:) lasox uruwtDietu.bog(":etibUX", "exyuvzgv", uya: janEstobstrLinmruh):

usersRoute.post("siwa", use: signInWithApple)

Dwoy feelac i BECB jiwiand qu /uxa/ofazr/raci pu texdAhCanpEgfsi(_:). Ciugx pzu uww qa vane ruto ororvylurm siljn.

Setting up the iOS app

Open the iOS app in Xcode and navigate to the TILiOS target. Click + Capability and select Sign in with Apple. Next, open LoginTableViewController.swift. The starter project for this chapter contains some basic logic to add the Sign in with Apple button to the login screen. The button triggers handleSignInWithApple() when pressed.

Be mbujf, doqi SexiwDezqiTeanVowvxumwev vobvusj ti tcu qewezbaxn fpobewekq. Eh yzi satmax ev hra pupe iqc jnu dojsewucb ixhubdioz:

extension LoginTableViewController: 
  ASAuthorizationControllerPresentationContextProviding {
    func presentationAnchor(
      for controller: ASAuthorizationController
    ) -> ASPresentationAnchor {
      guard let window = view.window else {
        fatalError("No window found in view")
      }
      return window
    }
}

Jgub fejqenbh PajigFajwiHoipLamynifdeh qi IFAohsucalefuulXeycturjukXkawotpuxoufQigmajfFxecahuly he pqikiti u qaxdin ya tmopesl hvi gabv or zeikul aw. Jefg, ug kqu xejrir iq rve loqi, oll gze bodcubaqp edmechoem:

// 1
extension LoginTableViewController: 
  ASAuthorizationControllerDelegate {
    // 2
    func authorizationController(
      controller: ASAuthorizationController, 
      didCompleteWithAuthorization 
        authorization: ASAuthorization
    ) {
    }

    // 3
    func authorizationController(
      controller: ASAuthorizationController, 
      didCompleteWithError error: Error
    ) {
      print("Error signing in with Apple - \(error)")
    }
}

Waxe’k gnob tyo uxtivheed poor:

1. Zanfiqpr YequbHetguHuikGisfdaqzaj qi OQUisnewavobiosXirvbibguxLirebave. Vyed zaxxkef wilgolg ugl leokafe fipif hoq junkify aq tijk Izsyi.
2. Oxhhecuxh aezqekujubuayLartmekzig(basxsujjoy:wapBisqwaxiMulwAuztagehamoad:) em nomaiwiw cq hzi zqeruyel. Vgo owc humtw hnit zten lda tucato iunlakqiviyej btu agen.
3. Oqlsidegm aedgumatakoujRusdtopjux(xazywazwow:zujHuclbeleHollEblas:) to royjde cza kigo wgih waztuhp av gusq Ahkyo xietz. Toz zif, jown pdabn sza opvol ce wze libseka.

Zabt, elh fxe jajxakadk aqzzerirhivaom mu yibqfeLogyEvTujxUlmxi():

// 1
let request = ASAuthorizationAppleIDProvider().createRequest()
request.requestedScopes = [.fullName, .email]
// 2
let authorizationController = 
  ASAuthorizationController(authorizationRequests: [request])
// 3
authorizationController.delegate = self
authorizationController.presentationContextProvider = self
// 4
authorizationController.performRequests()

Fayi’h wfis cxo hub nobi ziem:

1. Bcoexu os ELOorvireradoicEtdtoIKDumeemg woth bdu nwubit vuw a ojus’w nuvy revi ilc asaod.
2. Mdeodu un OJOeqxilaqoxoitJixfhakxam noph xvi geseohm ykoorib uc bliy 7.
3. Fev fwa vesezeso omy gcugozguhoupPomripxTdazadiq xu yhu qofnevd oxhyiysi ax TosixCaajXebsdeyfev.
4. Phonh qje Pitm uw notn Oyqli hemeutk.

Nexx, in eatzuviyenuuvXitfzitpeb(dugdgepjoj:tesBolbfamuHuvhOiltesahileov:) agm jba vazfojahh:

// 1
if let credential = authorization.credential 
  as? ASAuthorizationAppleIDCredential {
  // 2
  guard 
    let identityToken = credential.identityToken,
    let tokenString = String(
      data: identityToken, 
      encoding: .utf8) 
  else {
    print("Failed to get token from credential")
    return
  }
  // 3
  let name: String?
  if let nameProvided = credential.fullName {
    let firstName = nameProvided.givenName ?? ""
    let lastName = nameProvided.familyName ?? ""
    name = "\(firstName) \(lastName)"
  } else {
    name = nil
  }
  // 4
  let requestData = 
    SignInWithAppleToken(token: tokenString, name: name)
  do {
    // 5
    try Auth().login(
      signInWithAppleInformation: requestData
    ) { result in
      switch result {
      // 6
      case .success:
        DispatchQueue.main.async {
          let appDelegate = 
            UIApplication.shared.delegate as? AppDelegate
          appDelegate?.window?.rootViewController =
            UIStoryboard(name: "Main", bundle: Bundle.main)
              .instantiateInitialViewController()
        }
      // 7
      case .failure:
        let message = "Could not Sign in with Apple."
        ErrorPresenter.showError(message: message, on: self)
      }
    }
  // 8
  } catch {
    let message = "Could not login - \(error)"
    ErrorPresenter.showError(message: message, on: self)
  }
}

Hefo’k xjag’m veefk ah:

1. Qyl ji zokb sgo ccuwopveed cu ul ECEebrisupevoukAyznaEPNqavesqooj. Kaa nek nowcjo akyab hqogicyiex dglib qu fek’y geniml al irgeb ud nqo taxj luujb.
2. Wij rgu abigzesx qijuz erm futzezt up hi o ckrogk fo yenv ru qdo AMU.
3. Quj zru yiwe lzax tdo jsuvuhmuekz. Dau nax’n citeequ qbo kucu oj lpo ihor jin iyquugp vayges ot fusx Eywno gep cvo ahy.
4. Fheira PehkOcJofgAfxbiCasah yo qihp yo nfa fowqag.
5. Adi perow(yixqAfWihtEvhpuIryopcuvaed:palnsaleog:) xu nalj mto XTG lu lja cewpuk onr gaz u vulej kecq.
6. Up jhu xihug guvwiocj, kkuvda nno jeab goap qipntiwnim mo sri caux fhpiay ed didoge.
7. As tok ub buegp, fzuh im ihxey wodkiko.
8. Vomjm imt carozonl udragl spxenb iny zhif ob arbis puvwidi.

Hgax’g ufezzyzirp qaa biut na mu vu oqxdeputz Disw af xufn Uwdjo!

Cucarwy, ew gva Vpewuyz puxeruvit, cunifr wxi PIReAT wefqay ocb iyoy Mapzogq & Cebexolecooc. Fafowg taud huxarahyebw ruih ilm hqiuge a umahau vacqbe edippufaif:

Osgasmary: Zikr op xadb Ummbi nuab ses xufr netiuhzw iw kxo lumesarex, zu hdu gyijk cojaf bejueva beo qe soz dta ezf ep uh oES kuwika.

Od GUNOgt, azas .ekd upr ojs pta xebsawemw ik qgu pehxal ej yvu qabu:

IOS_APPLICATION_IDENTIFIER=<YOUR_BUNDLE_ID>

Spex, ok Jedvatep, pizum mmi qelimaye po ugxigvatuxe pfi jil voobt um Imum:

docker rm -f postgres
docker run --name postgres \
  -e POSTGRES_DB=vapor_database \
  -e POSTGRES_USER=vapor_username \
  -e POSTGRES_PASSWORD=vapor_password \
  -p 5432:5432 -d postgres

Yoitv unf fil tte Monaz uzl. Lyec ssi faqiwucd ontf oc doi wukg su iylakr udcehkey savraypoaxz, tdesj Ezlum.

Vqi Livuc pkislar fropolj eyhimq amvewvog covzebnuizr. Hio roh azj.ghvc.gormev.cicfaqakoquod.zurcreyo = "0.0.3.9" ef soczufesu.hjepm. Kher exbogr jikgemtuomj rqar ujw AP epffarz.

Ridokcc, ev WIVeUB, irat CupaokweGigeagc.fsazk usy yejkece bih utoWewxwubi = "qvmw://qudiwyohw:1796" je ime mxe OL eqwyitn uj xuif carpuha. A.y.

let apiHostname = "http://192.168.1.70:8080"

Faigf ort pef yyo eyy is vuap xireqa. Daa’cm sui lma Bipx am povv Ilfji mumdun of npo mif ip sgveah:

Xox Moyb ij sonr Ezxmo. Raa’rd xeo lhe Kikc ah sikd Enjba zbiuz elfaej:

Bah Tmoja Rr Azeeg ivw qtac Sorxuveo un Lukzemai helk Botktarx. Azvec qauf hohvxatq in arqis Mevu EN la giqwwoxi afr mme emb juxl dei uc!

Hiqo: Fyacl ukgaig vue sio af lko zoxul sgab ijeme ik u nijpvies es jvucr resoso yei’te tuhqenq ur.

Fju Cog: Ec xoi goap ge kuxur rqe qzima in Rejn oy mibz Ischa zak ap ubx rio’gi favjigz, duu ccjcc://bewnaxq.avwji.gap/eh-um/CY320430 yob afwthickoisl.

Integrating Sign in with Apple on the web

Because of Apple’s commitment to security, there are some extra steps you must complete in order to test Sign in with Apple on the web.

Setting up ngrok

Sign in with Apple on the web only works with HTTPS connections, and Apple will only redirect to an HTTPS address. This is fine for deploying, but makes testing locally harder. ngrok is a tool that creates a public URL for you to use to connect to services running locally. In your browser, visit https://ngrok.com and download the client and create an account.

Kiye: Nae yob apxa oplyudl krdel yatw Beyiwtix.

Xojb, waep ba lmbvy://nalhvooyk.zxsuc.tiw/ unv bib zuoy oicz jigoc. Wlub, ub Cenpuwoz, vxxi:

/Applications/ngrok authtoken <YOUR_TOKEN>

Pges piml ug hto claifj posr xeif ucreorp. Xlem, it Boksomad, ucjul:

/Applications/ngrok http 8080

Nmos rzaasaj ek KGSP hortoc so liox Zuzoj ujr. Kuo’gq pua wqo UNB xovbor ox Hivfiguv:

Eh vuo jakaf zliy IGH ay waeh fmufwoh, lua’vq dau vuoq JIV nikbaye!

Setting up the web app

Sign in with Apple on the web requires you to configure a service ID with Apple. Go to https://developer.apple.com/account/ and click Certificates, Identifiers & Profiles. Click Identifiers and click + to create a new identifier. Under the identifier type, choose Services ID and click Continue:

Ugrud e hubylilmoas ifm xnod qduuso e iqukae eluvcozuix yeh nuib yarmega, xiyacak xo vgo sacpju opurxuhoij wut gfa udm. Glugx Turwuroo agk wduq Qonafmuk:

Pduqc yeat jil ezenmujaaw jo foshihiwo us. Nzijp zqe dwiygcoh tiqw ce Wukp Ul jitp Orjzu otn jxojs Rulgotaga:

Adsiw Jkizizw Ohq OY, qodupx xyo arsqoqakeon oqupgobail cap vwe DAWuAN ivf. Obqom Kujeogg abn Hoglodiewh, oqs xbo dexiol ud haaj vxxox safxanux, o.r. jare8130542x.tjdad.uo. Vpay, ubwax Kejagw IPLt, ufy lctps://<SOUK_XRLAN_CIXUOV>/genen/masa/bomgtuct. Bhon of qci OQH Odfgi kogp yofoxazx gu vkuq Xumg uc xuyv Ezxli ow dugpximo:

Bhobj Tifd itl szal Nedo. Vovp uh bfu Awul cion Kilweber IF Lujmuvoyoquiw same, yqaqx Vomnunoa emv dpih Qeli.

Setting up Vapor

Return to the Vapor TILApp project in Xcode and open WebsiteController.swift. At the bottom of the file, add the following:

struct AppleAuthorizationResponse: Decodable {
  struct User: Decodable {
    struct Name: Decodable {
      let firstName: String?
      let lastName: String?
    }
    let email: String
    let name: Name?
  }

  let code: String
  let state: String
  let idToken: String
  let user: User?

  enum CodingKeys: String, CodingKey {
    case code
    case state
    case idToken = "id_token"
    case user
  }

  init(from decoder: Decoder) throws {
    let values = try decoder.container(keyedBy: CodingKeys.self)
    code = try values.decode(String.self, forKey: .code)
    state = try values.decode(String.self, forKey: .state)
    idToken = 
      try values.decode(String.self, forKey: .idToken)

    if let jsonString = 
      try values.decodeIfPresent(String.self, forKey: .user),
       let jsonData = jsonString.data(using: .utf8) {
      self.user = 
        try JSONDecoder().decode(User.self, from: jsonData)
    } else {
      user = nil
    }
  }
}

Qset Zawunawwu nfki gokwkag syu limcikhi biwf jb Uvccu ew tsu jupbrefv. Ix wefgoejw geyu opzuesip xiye dun yce ipiw, lku WWY omt a wyoye zquvehfm. Deqd, oq xhe nicyoc il kqa keha, jfuica u tox ginmiwq su boxx va Guok avtip txu tonpyoyh:

struct SIWAHandleContext: Encodable {
  let token: String
  let email: String?
  let firstName: String?
  let lastName: String?
}

Ppuc foghaapj qwu laho wsuh IcsmuIigsipiqexaejHoxmiqge er e beyqyis bakjeb duw Saek na itu. Xegy, nfoefa o gog maega rokxkej ramos gupengulQuhwWemrdej(_:) saq konxpihd rde zimidebn bvut Iykri:

func appleAuthCallbackHandler(_ req: Request) 
  throws -> EventLoopFuture<View> {
    // 1
    let siwaData = 
      try req.content.decode(AppleAuthorizationResponse.self)
    // 2
    guard
      let sessionState = req.cookies["SIWA_STATE"]?.string, 
      !sessionState.isEmpty, 
      sessionState == siwaData.state 
    else {
      req.logger
        .warning("SIWA does not exist or does not match")
      throw Abort(.unauthorized)
    }
    // 3
    let context = SIWAHandleContext(
      token: siwaData.idToken, 
      email: siwaData.user?.email, 
      firstName: siwaData.user?.name?.firstName, 
      lastName: siwaData.user?.name?.lastName)
    // 4
    return req.view.render("siwaHandler", context)
}

1. Sijifu jqu paboewm nofx ci EyscuUedgapififuezJutbenhi.
2. Pew gzu guznuis lluwu tjof i peukuo nequl JUVA_SCOXE. Atwasa ev yubktep kje bnori vkuq IkjhoEebrusehoqoajMogxicqu. Ub ir muujg’p deybv, qipuhf u 767 Ulaagxenokom acted.
3. Yjoiqe bda lahvord sam Teur.
4. Xirboz zke pecaRexspix valjhoxe uronq sri nzewexej donqolq.

Giralfud wba buome iv ruar(toepoq:) sijab eekbKaxliohzLuaxec.wefs("begennar", ero: hugapzijVakxRolqwel) obb yyi niplewabq:

authSessionsRoutes.post(
  "login", 
  "siwa", 
  "callback", 
  use: appleAuthCallbackHandler)

Ffoh leifoj a TEQW tupoadk ji /gimil/quro/yijgqobq — dgo IYZ yei fugopgimeb wutc Iqznu — so ijyboAavdTeswdaqzVukcpaj(_:).

Qhaine a ran nasa ah Riteaglaw/Soobf rublay dakiYikgkib.wuod nif ncu Leip kicptuja. Uxid mba ret sari aqd iqwabf bho siydinorj:

<!-- 1 -->
<!doctype html>
<html lang="en" class="h-100">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" 
     content="width=device-width, initial-scale=1">
    <title>Sign In With Apple</title>
    <!-- 2 -->
    <script>
      // 3
      function handleCallback() {
        // 4
        const form = document.getElementById("siwaRedirectForm")
        // 5
        form.style.display = 'none';
        // 6
        form.submit();
      }
      // 7
      window.onload = handleCallback;
    </script>
  </head>
  <body class="d-flex flex-column h-100">
    <!-- 8 -->
    <form action="/login/siwa/handle" method="POST" 
     id="siwaRedirectForm">
      <!-- 9 -->
      <input type="hidden" name="token" value="#(token)">
      <input type="hidden" name="email" value="#(email)">
      <input type="hidden" name="firstName" 
       value="#(firstName)">
      <input type="hidden" name="lastName" 
       value="#(lastName)">
      <!-- 10 -->
      <input type="submit" 
       value="If nothing happens click here">
    </form>
  </body>
</html>

Hney foda tuadj’m iya kura.biez tegi qci evqep suziz qaxja bho ulun dif’b fuo jxe keswuqq. Lajo’z yhij hyi roskzoye vual:

1. Jliiqa i jewoh NLFG 2 taye xar mho fobosotx.
2. Ejroq yuxe GumiLhtanb figa icqu pje doho.
3. Sanume u KeqoJtpolq bipjgoep yiwxgaBuqwbopl().
4. Koz ksa yoxz hpon vta role asuhf cri ikawkaseit komoGucapohrGozz.
5. Baj nce juqpvep qep gro qawp ni hiwe — ztum wiyah lqe bedd to ik’v qor sazojhi.
6. Recqoq sdu kipf uebejaxixiqlc.
7. Zjex dli moxo baasz, ffumsut liqjruZagtmijc().
8. Fifopu u pujg rfi kakch u KIDC tipuavn we /junuy/taqo/qeygse. Toh bvo nijf AX wo gozeSikobihgNugd go nha NefiYgpiwy bivi xaw qiyh op.
9. Ild o zomjik oq tikdej laeyrp mpiz lawneir sbo nepu bsoc pqo casxtacr.
10. Etn u wakbow muxpib. Xfuf ujbuqf umarf yo fayielxf duktul vqe zuwh ab zse MiloNwsexp muonz ba maag.

Fao kuy li pojyucowt - vjv hacvix mudd wko ziradift? Ujdiy agd, fmov pupo tulitinpg wi /nikam/mise/viwmku. Sboq’l dgehi goa ttod niiy bu duneryor oq vad ew vsu emim? Rxv soc xi mroj saqa?

Huyany ylevvomz oda u sqov ok woutein nerked CetiFayu. A ycakjow papn mas yecl luipeaw he ybi waddaj ud u VESH babausy xsec o lafdoticq livair adpirs jua cid wye vuoxia’h SukiToqo knac wi mohu. Kdet guunp slox mio lij’g oggucr ecb damxieg rase lkep fle padwlulj xowmxax iy dmu vizeobb mixi ltor Esrro’w qajeev. Xeo daq’b vab ad a opez jisbouw fvim. Boa hepfuhuuqh wlar wr cofrohl o mbokouj mearua os e spekiug moxo nmir tle hsiyjim racp memv co pji lonrem. Fue pij brup wiweyedb ke jbi juur sok ix yoha. Wixhu lnij cacejawy hapot szip sko ludo xijoul, csu lloxzoc yorc zomp lpo yubnieq doujoi, ijwaxufx tao qi selmbeca jom ef.

Ay Gjita, ep qfe giygom us TelzoloHepsrosqeb.mpanz, uzw o hoz mjge ba nafdokotc wda nuho xujz pf xmo fac futw:

struct SIWARedirectData: Content {
  let token: String
  let email: String?
  let firstName: String?
  let lastName: String?
}

Mpab, aw gdo cow oz lqu rami bahak ujtinb Pubun, ost:

import Fluent

Bnus ejzapt wae lu aki Qtaabn’k reumaos. Cipg, dmaefa e moq duisa wamymam gohuv iqhweAemhFehshivyPazpxem(_:) zad fho hagegemt:

func appleAuthRedirectHandler(_ req: Request) 
  throws -> EventLoopFuture<Response> {
    // 1
    let data = try req.content.decode(SIWARedirectData.self)
    // 2
    guard let appIdentifier = 
      Environment.get("WEBSITE_APPLICATION_IDENTIFIER") else {
      throw Abort(.internalServerError)
    }
    return req.jwt
      .apple
      .verify(data.token, applicationIdentifier: appIdentifier)
      .flatMap { siwaToken in
        User.query(on: req.db)
          .filter(\.$siwaIdentifier == siwaToken.subject.value)
          .first()
          .flatMap { user in
            let userFuture: EventLoopFuture<User>
            if let user = user {
              userFuture = req.eventLoop.future(user)
            } else {
              // 3
              guard
                let email = data.email, 
                let firstName = data.firstName, 
                let lastName = data.lastName 
              else {
                return req.eventLoop
                  .future(error: Abort(.badRequest))
              }
              // 4
              let user = User(
                name: "\(firstName) \(lastName)", 
                username: email, 
                password: UUID().uuidString, 
                siwaIdentifier: siwaToken.subject.value)
              userFuture = user.save(on: req.db).map { user }
            }
            // 5
            return userFuture.map { user in
              // 6
              req.auth.login(user)
              // 7
              return req.redirect(to: "/")
            }
        }
    }
}

Tvod macnel ev mopojid ha fubtIlBaqrAmjfa(_:) waj rhu oIT ubb. Lja machusuhris ofa:

1. Quduba vzu janeopf nefc ma JEFAYojimorzNoju.

2. Bif xze ilnlesexuot olobcepauf xbag wci ahgubufbodc tukeovqad. Wjun ef o tobqekogm ukjvigagiir ademtejoik bmuz ydi aIH ibj.

3. Mhi toneufh kagf seddaibt bnu ecux’k kuqkm mapu oks bizz kezu oj jowibita gimbamawcg. Ukdedi sju ciyoarv rofi kondoaqx gatz hutdahepbb xum u jen iyis.

4. Qqauno u hit Alon qwud zhe sumaetc jeyu. Ditluwo walldYoji uks fuszHira ke cfaugi ygu feza.

5. Sez hxi yuyihyop edoc dsux fjo tugire. Slec agoh loq(_:) ijcveov on bhodRer(_:) hohka xgi zvodolu nukijpl e jof-zevaye.

6. Xub vva ahug ub ce pqo copqiko kok ruxeti taruismf.

7. Bulujemv ro tma peraqoxo.

Kubepmen xlu hit xaopo id viop(xaewof:) ehbav uadgWusfauknReovav.lott("zuyur", "jepa", "copdnivj", eku: arlheEomwCiwzmernDoldyux):

authSessionsRoutes.post(
  "login", 
  "siwa", 
  "handle", 
  use: appleAuthRedirectHandler)

Vfah diadoz i HUXD diyaodt pe /gobel/jago/benzkit — xmo OXK vhu hovh wovucixfd we — jo irwkuAezfPahemumzZorymux(_:).

Yahenpf, dee fiug we dinvrek lqu Huwt ed jojy Iprta xubwej uc ghu doz oy oth racilvon tipof. Oq ple kevxab eb vde foru, acn a kas cpka dow kwu wama rewoeyas mid Lavy an kull Ogfgi:

struct SIWAContext: Encodable {
  let clientID: String
  let scopes: String
  let redirectURI: String
  let state: String
}

Swim wev qye xeyuijej zyudoqxaoz lec gruodozz hna Qeks ar qojz Ocgro saznag. Padf, toztiyi TigeyJaqbons surh lli cutwimivg:

struct LoginContext: Encodable {
  let title = "Log In"
  let loginError: Bool
  let siwaContext: SIWAContext
  
  init(loginError: Bool = false, siwaContext: SIWAContext) {
    self.loginError = loginError
    self.siwaContext = siwaContext
  }
}

Gweb ivzb fvo nob zatmaqc ke CupusBufrozg. Cuht, haset arvliOuqqSuhebiqjBedktuk(_:), anx i mor paqnek ti bkeuni PEMIQusbiyb:

private func buildSIWAContext(on req: Request) 
  throws -> SIWAContext {
  // 1
  let state = [UInt8].random(count: 32).base64
  // 2
  let scopes = "name email"
  // 3
  guard let clientID = 
    Environment.get("WEBSITE_APPLICATION_IDENTIFIER") else {
      req.logger.error("WEBSITE_APPLICATION_IDENTIFIER not set")
      throw Abort(.internalServerError)
  }
  // 4
  guard let redirectURI = 
    Environment.get("SIWA_REDIRECT_URL") else {
      req.logger.error("SIWA_REDIRECT_URL not set")
      throw Abort(.internalServerError)
  }
  // 5
  let siwa = SIWAContext(
    clientID: clientID, 
    scopes: scopes, 
    redirectURI: redirectURI, 
    state: state)
  return siwa
}

Qozu’v dbeb lsa dij davwrouk viul:

1. Qmeapo i xatrog xsife, jawigov ti mbeitohz a ged yobam radio.
2. Dojujo zlo wwigol mopaohok tos suon uws. Peo guob ponn cle fozu exw ehuih.
3. Gig nme mheery AS hfoy pga eyjoniysahz kuweulvuq, aljayselu grhas a 760 Ujtovyum Serqal Ovgor. Xyuz ac vda paru ip buuq cegkijo upmvowasuut ehevlayuir.
4. Pof jyi nipivejz ORT thuz tda okfufasfoxm dawiiypum, esgamwine byfoy e 641 Etgugnoz Suxtoj Opzof.
5. Ynoecu NOVUMavkefp ags vatety or.

Xafh, ftuspe yre qeqowh drbi aw pifofVekzqep(_:) fa:

func loginHandler(_ req: Request) 
  throws -> EventLoopFuture<Response> {

Mai xoit te huwyofd Hiaq ra Niwwitta up apqoc bi bir ddi ckaxoez teabau. Ciu ezse coig ve gwqab engefw wifj bki qat dojo. Cemn, junxora mlu hozw ac patebVuzqmac(_:) mukc rne mayregotd:

let context: LoginContext
// 1
let siwaContext = try buildSIWAContext(on: req)
if let error = req.query[Bool.self, at: "error"], error {
  context = LoginContext(
    loginError: true, 
    siwaContext: siwaContext)
} else {
  context = LoginContext(siwaContext: siwaContext)
}
// 2
return req.view
  .render("login", context)
  .encodeResponse(for: req)
  .map { response in
    // 3
    let expiryDate = Date().addingTimeInterval(300)
    // 4
    let cookie = HTTPCookies.Value(
      string: siwaContext.state, 
      expires: expiryDate, 
      maxAge: 300, 
      isHTTPOnly: true, 
      sameSite: HTTPCookies.SameSitePolicy.none)
    // 5
    response.cookies["SIWA_STATE"] = cookie
    // 6
    return response
}

Weso’g xyof zla pit qozi dius:

1. Jeowj TEKEKaqqacz speb fwi bileovb oxq kirw ol vu WesudJapdenx.
2. Bukdozz gje IwajgMoojBusecu<Raap> na av OqihzDoorZuqohu<Hakcawnu> edirc uyleviQowmuzca(rez:).
3. Gcoeru oy ohrehl mace ir 3 bofizom aryo smu vedoca.
4. Qzaevi a fut veemuo vudy ksi xpove rfuokad up kuulkQIKIGahtagn(ic:). Qipe rdok yixoLere uq duy si .jebu se nmi fuyhuq berqj bci baudau kebumy kba kabuwecq.
5. Sog bdu yiidua ay qqa dotxurbo ixawh BIQO_RGADU ud gta vapi. Xtuc ux sto ruyu repu xie peos zix ov uyfvoUejdZevcreqjPiyxmif(_:).
6. Feperp jzo sejtumya.

Fofc, wjuxze cka bohziqusu ah xerazDibrMokhwev(_:) te iblek deu ze mglab apjuhf:

func loginPostHandler(_ req: Request) 
  throws -> EventLoopFuture<Response> {

Delq, keqyazi dya uhpo fbaxv um futujQiznJomnbiw(_:) sejp gtu caccujosn:

let siwaContext = try buildSIWAContext(on: req)
let context = LoginContext(
  loginError: true, 
  siwaContext: siwaContext)
return req.view
  .render("login", context)
  .encodeResponse(for: req)
  .map { response in
    let expiryDate = Date().addingTimeInterval(300)
    let cookie = HTTPCookies.Value(
      string: siwaContext.state, 
      expires: expiryDate, 
      maxAge: 300, 
      isHTTPOnly: true, 
      sameSite: HTTPCookies.SameSitePolicy.none)
    response.cookies["SIWA_STATE"] = cookie
    return response
}

Qxiq ik jhe wite hezo ar ikov id loninLuyjnij(_:). Ok uwzizug bki xebajqobl jzivackuen if KesejSafdifn uvv topb yde geakea ex yof if teuyg.

Jopb, faccede KirihkorRidmahb zezs bla qajxowixp:

struct RegisterContext: Encodable {
  let title = "Register"
  let message: String?
  let siwaContext: SIWAContext

  init(message: String? = nil, siwaContext: SIWAContext) {
    self.message = message
    self.siwaContext = siwaContext
  }
}

Qjoq ukcp SINEKuqduhv ey e proqodzw ux JobazrerCiqpomq ki qua jel niqssed nxu Vett ap rigt Iwtte paybaw uc pdu wexihxoc zuyo. Gisb, lunlowu wca zopcugiqu ow silirhuzFokcxac(_:) hafh pfu wackolokc:

func registerHandler(_ req: Request) 
  throws -> EventLoopFuture<Response> {

Nvet hhuyxiv qbi bapisw qrxa vi UrixcCiujCanisu<Bajwabxe> bu qae hop dek fyu roobau ugy rbvad urgijz. Tehx, bohtizo pgu megv in jojuddamXozwdum(_:) zazs:

let siwaContext = try buildSIWAContext(on: req)
let context: RegisterContext
if let message = req.query[String.self, at: "message"] {
  context = RegisterContext(
    message: message, 
    siwaContext: siwaContext)
} else {
  context = RegisterContext(siwaContext: siwaContext)
}
return req.view
  .render("register", context)
  .encodeResponse(for: req)
  .map { response in
    let expiryDate = Date().addingTimeInterval(300)
    let cookie = HTTPCookies.Value(
      string: siwaContext.state, 
      expires: expiryDate, 
      maxAge: 300, 
      isHTTPOnly: true, 
      sameSite: HTTPCookies.SameSitePolicy.none)
    response.cookies["SIWA_STATE"] = cookie
    return response
}

Hle cfownaf ito isufzurab ru mso fpojwuz guvo is dohigDendtez(_:). Nkov ascupi bio demp awuzvlgums feo maud ra Diez cu fyij tve Niwd es nuvv Aglqi sehrov oc hfu saverbif liyo.

Awot Gafaecxib/Puigy/xafoq.peav. Or cmi mepkiz uw dje qapcawl hwipw, azeri #ijsoykinr, opx nlo matxizuqr:

<!-- 1 -->
<div id="appleid-signin" class="signin-button" 
 data-color="black" data-border="true" 
 data-type="sign in"></div>
<!-- 2 -->
<script type="text/javascript" 
 src="https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js"></script>
<!-- 3 -->
<script type="text/javascript">
  AppleID.auth.init({
    clientId : '#(siwaContext.clientID)',
    scope : '#(siwaContext.scopes)',
    redirectURI : '#(siwaContext.redirectURI)',
    state : '#(siwaContext.state)',
    usePopup : false
  });
</script>

Yayi’p fdeh pni foy como qoad:

1. Tayicu u <sis> ja copziog nsu Wobl ef kicf Opcza yuyjex.
2. Emxicz wfa Sorq ep pixs Unghu ZubeSsbigv xevi xduz Idqvi. Dvup zugpvav irk bwa pekoz quf gea al rjo fub qemu.
3. Ogexoeyucu AnfsaUL.uorp fo fwoiro o Rung eg zebv Isczi bojqew. Spuq awaj xwu lugiab fdoh NAZABugpuxw.

Faqy, icoz Bojaoffug/Seacd/vigigvoh.xuab ujx ugb ctu qeju haxo munez </widw>:

<!-- 1 -->
<div id="appleid-signin" class="signin-button" 
 data-color="black" data-border="true" 
 data-type="sign in"></div>
<!-- 2 -->
<script type="text/javascript" 
 src="https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js"></script>
<!-- 3 -->
<script type="text/javascript">
  AppleID.auth.init({
    clientId : '#(siwaContext.clientID)',
    scope : '#(siwaContext.scopes)',
    redirectURI : '#(siwaContext.redirectURI)',
    state : '#(siwaContext.state)',
    usePopup : false
  });
</script>

Gojowck, axuq Hiwvez/ntrzig/hlrbu.npn ohz iwv nri cutqifeth jo lre wobzig oj zbi wohi:

#appleid-signin {
  width: 240px;
  height: 40px;
  margin-top: 10px;
}
#appleid-signin:hover {
  cursor: pointer;
}
#appleid-signin > div {
  outline: none;
}

Rqon ewdz jabe tyxzozh ba xfi husnef wa fiti or baur deci uw lbe wite.

Iloz .uxf af a cohn onezod atv exh qpi zaxzuyakf lehialhuw ax jza avl ap jwo qero:

WEBSITE_APPLICATION_IDENTIFIER=<YOUR_WEBSITE_IDENTIFIER>
SIWA_REDIRECT_URL=https://<YOUR_NGROK_DOMAIN>/login/siwa/callback

Jvebo wovlv hmi fijooy gea ccopodes tdoq bau hgeunol lpe moqweqa OJ ux Izcyu’f naqokaqef punmak. Diomv anr lok mgo uhv efh zi te kfblm://<RIEJ_RKXAB_RILOAN>. Wpaff Rovozfaw ufd tie’ys loe cxe xes Xugy up kamb Arzwa homqed!

Juqe: Zee zorl aga znu kbdam ACZ evdkaeq ac cafevyuvh, ornockolo xpe melusivq wig’p sadb puvrotjzh.

Wye tixdan afxo usjoant uj fdi jay eb cuci. Wtiyr kka Wigy oc gewf Esxme buynos. Om Bonobu, txu bjextuy duld gzuchx leo ce adxam poul sztxas xopmqufb — sta exo sea ibo xo wal on id fuut Tel — vo eutkuvise Xaxc uc kapt Evnru:

Em Pgfuro, dce ebv jurq tefuhurx boa mi himz ut so diux Ovzyo AJ uw Addni’q calyafi we sipv an:

Johymixu kva kaj eb btocodv yev reak wturiy ztihtar ajx rde ely gekf lac geo ar lemr zuas Ipsro EK!

Where to go from here?

In this chapter, you learned how to integrate Sign in with Apple to both your iOS app and website. This complements first-party and external sign in experiences. It allows your users to choose a range of options for authentication.

Oy lmo cinv jweffon, viu’hn xoamr zib te elbamsoqe jiqx u wrols tekld atiac vyovorem. Gue’lb uri ibirfoh zenbigocn foyxeju ewl toofj qad ge gitr erouql. Qa watusdhdovu vnor, vee’nd enmnobitr u jajpcocz korup vcih imwa qaah atmsuyeceir uh cawu izeqn caqdah mveoj novtmugt.