Apple Sign In


Check out the new free Apple Sign In

https://marketplace.coronalabs.com/corona-plugins/apple-sign-in

1 Like

Is there any way to get the credentials passed from Apple? ( https://developer.apple.com/documentation/authenticationservices/asauthorizationappleidcredential )

I’m trying to implement an authentication flow similar to what’s outlined at https://dev.to/michalrogowski/why-sign-in-with-apple-may-take-you-more-than-5-minutes-and-how-it-works-55p6

What do you mean by “credentials”? See docs
http://scotth.tech/plugin-appleSignIn

What I meant are the additional tokens Apple is passing on to the app after authenticating:

  • identityToken (JWT)
  • authorizationCode
  • email

When trying your plugin and checking out the docs, I only see references to name and user id.

PS: Is it possible to build the plugin from source or is only the demo on GitHub?

Added identityToken, authorizationCode to docs and plugin

will be returned as event.identityToken, event.authorizationCode

email is returned as event.email if you put in “email” or “nameAndEmail”

Great, thanks. I got it to work.

I was also confused by the fact that email/name aren’t returned every time (in case anybody is also affected, this is an Apple thing: https://forums.developer.apple.com/thread/119826 )

It appears that we have until June 30, 2020 to implement Apple Sign In for iOS and Mac apps, that is, if you offer FB login or email login, we must support Apple Sign In.

Apps that authenticate or set up user accounts must support Sign in with Apple if required by guideline 4.8 of the App Store Review Guidelines. Article here: https://developer.apple.com/news/?id=03262020b

@Scott_Harrison I saw this note in your build.settings.

  1. Do we really need to add Apple Pay to our provisioning file for the app?

entitlements =
{
    ["com.apple.developer.applesignin"] = {"Default"}, -- make sure provisioning profile supports apple pay?
},

  2. I also only saw “name” and “user” in the online docs. If I want the name and email, do I use “nameAndEmail” as you wrote above?

  3. Will it be the full name?

I have this ready to go in my code; but I just wanted to double-check the provisioning issue here before I try and create a new build.

  4. Does it work in TestFlight before a release?

  1. yes read https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_applesignin

  2. yes use nameAndEmail

  3. yes

  4. yes

@Scott_Harrison I’m creating a detailed and nice example for your appleSignIn plugin, and just have a couple of issues to resolve.

  1. I’ve looked at the link you provided and Apple Pay is not mentioned anywhere. Are you sure?
  2. I’ve gotten it to work by adding AppleSignIn into the App Identifier. Have you tried this?
  3. Once I have it working on one app, the identical code is not working on the second app. This is the last issue to resolve. Both apps have their AppleSignIn configuration as a primary key. I’ll have to do some tinkering to get both to work, I suppose.

@Scott_Harrison or anyone, how can we check if the iOS version is >=13 before making AppleSignIn available?

This is some code to check if iOS version>=13 before calling AppleSignIn.

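-- platformVersion can be a string such as "13.3.1", which tonumber() cannot parse,
-- so compare the major version only
local v = tonumber(string.match(system.getInfo("platformVersion") or "", "^(%d+)"))
if not v then
  -- unknown version
elseif v >= 13 then
  -- apple sign in button and code can go here
end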

  1. It says it at the top: “An entitlement that lets your app use Sign in with Apple.” If you don’t want to use that, that is up to you.

  2. That’s what “make sure provisioning profile supports apple pay” means in my documentation.

Well, my provisioning profile has Apple Sign In and NOT Apple Pay, and it works fine.

@Scott_Harrison you may want to consider changing your documentation to REMOVE references to “Apple Pay”, as you can see from the Apple App ID Configuration, “Apple Pay” is 3rd from the top, but “Sign In with Apple” is directly underneath Push Notifications, much lower on the list. The fact that I have it working in my apps now WITHOUT “Apple Pay” proves it unnecessary and could also confuse other developers; just my two cents.

1 Like

Also, your documentation does not provide any information about what the json.encode(e) returns; in other words, you leave it to developers to figure it out. Here is more info that could help others…

local json = require "json"
local signIn = require "plugin.appleSignIn"

function doAppleSignIn()
  -- The result is delivered to the listener, so success and failure are handled there
  local function appleSignInListener(e)
    print("AppleSignIn Json="..json.encode(e))
    if e.isError then
      -- not successful
      return
    end
    -- fullName and email are not returned every time, so each may be nil
    local firstName = e.fullName and e.fullName.givenName
    local lastName = e.fullName and e.fullName.familyName
    local email = e.email
    -- successful: save firstName, lastName and email here
  end
  -- pass the listener function itself, not its name as a string
  signIn.show("nameAndEmail", appleSignInListener)
end
doAppleSignIn()  --call the routine above

-- Note 1) this code is intended for you to use ONCE per app, and then for you to save the results without having to use AppleSignIn again. I’m not sure it will work a second time, or each time you open the app, without using the other token and authorization-related parameters you can see below. 2) you can also check if e.error=true to see if unsuccessful, but this code works and is more elegant.

Also, here are the 3 results of json.encode(e) that are possible; so your developers can understand how the Apple Sign In will respond in these 3 circumstances:

--when user attempting to hide email (in this case, e.isError and e.email are BOTH=NOT)
AppleSignIn Json={
"name":"appleSignIn",
"user":"001577.6660c67777304b1ba24e155285388352.1422",
"isError":false,
"fullName":{"givenName":"Troy","familyName":"Lyndon"},
"identityToken":"eyJraWQiOiI4NkQ4OEtmIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnJkZ2FtZXMuZXhvZHVzdHJpdmlhIiwiZXhwIjoxNTkwNzY2ODM2LCJpYXQiOjE1OTA3NjYyMzYsInN1YiI6IjAwMTU3Ny42NjYwYzY3Nzc3MzA0YjFiYTI0ZTE1NTI4NTM4ODM1Mi4xNDIyIiwiY19oYXNoIjoiLW9IV1ZrZl9abjZNR0VabEUwNGZhUSIsImF1dGhfdGltZSI6MTU5MDc2NjIzNiwibm9uY2Vfc3VwcG9ydGVkIjp0cnVlfQ.fwsfFmAzBSH-O5hxOVXX3ZWfyPfpEUvMGZPS6Xdi2KbHLICFlVR7ZLCTxdmg0fx4iots7BlWTPZWQPgWtCj1b1Dpe7u8YFUJnyOT7xLDFx6ekjROMy73yz2XMpDvpftZtOkqa74OK_uZAUoSYHkm7oTX_GgR47C3_RlG2Qj8zFWz2LqY0RldBRRjcRFTETjEvibcXyiuMvAlNfmDEtbbnZ2tVu2kAJs51pX23RWZJ2w09zOzIedu--vIWX2aHGEOONPZGx10Qs6RZ8Oeke3PmR9wa8uYvzgmIpFw2ozbJ77ekGQR9GTlKc07A06p0hNtji4xJ-hNTS2HeoGh3Rtsig",
"authorizationCode":"c25308b6cdfff42ba94ddb4ba3fd244c1.0.nrvxx.6d5tGF0r-aCRTe8Whru7WA"}

--when user granted us their email (in this case, e.isError is NOT)
AppleSignIn Json={
"authorizationCode":"c386026b767e146af8568d72d786a9461.0.nrvxx.IO-7UXtFvHH1dmOKUlj_8Q",
"isError":false,
"user":"001577.6660c67777304b1ba24e155285388352.1422",
"fullName":{"givenName":"Troy","familyName":"Lyndon"},
"name":"appleSignIn",
"identityToken":"eyJraWQiOiJlWGF1bm1MIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnJkZ2FtZXMuZXhvZHVzdHJpdmlhIiwiZXhwIjoxNTkwNzYzMzQyLCJpYXQiOjE1OTA3NjI3NDIsInN1YiI6IjAwMTU3Ny42NjYwYzY3Nzc3MzA0YjFiYTI0ZTE1NTI4NTM4ODM1Mi4xNDIyIiwiY19oYXNoIjoibVJTV3BwNGFFVkZJMHRDUk5sOW02USIsImF1dGhfdGltZSI6MTU5MDc2Mjc0Miwibm9uY2Vfc3VwcG9ydGVkIjp0cnVlfQ.y_C8W34jd_ZauTN-l4fGIoOx5XeN9RpkAFOk_1vZiQcwF8bWyXi7Plrdr11-WcpgztwQQeWoWL3RIAWxWdpXu8wG3rzTYu-zJOCxu6HaxoHFFyC8seaqDhRNkxIWdK_ymjPDCWenzqZZN5laMroNYOD3wMF3TCbKUUqmDfVlbymHofMA28SihqqhRFQxsRjZ6w-kqyNT8D_H8JEgExs0oZW473XhsvgkRcaZV77RimYEFmL7rTncMbhHwlInInKpBsBB3z7MS22O6MduppCK8VjPCmP3zP9srXmSaE24XrSoGHqcSkXQZSzJ4quueczX5SwsycKQpg1T0wK7EOpMCw",
"email":"troylyndon@anemaildomain.com"}

--when a user cancels AppleSignIn
AppleSignIn Json={
"isError":true,
"error":"The operation couldn’t be completed. (com.apple.AuthenticationServices.AuthorizationError error 1001.)",
"name":"appleSignIn"}

Previously this plugin would return a private-relay email address when the user selected ‘hide email address’. But now, there is no private email returned. Email is only returned if the user selects ‘share actual email address’.

It seems to be a problem @ Apple side. Most likely since a vulnerability bug was discovered.

sample@privaterelay.appleid.com

1 Like

In order to get the private-email address, you will need to decode the ‘identityToken’ returned from the app. This ‘identityToken’ is actually the JWT token. Decode it and the private-email-address is in there. For PHP, I use the griffin package to decode it.
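The server-side decode described above, sketched for Node.js as an added example (not part of the original post and not the plugin's code): it verifies the token's signature and the iss/aud/exp claims before reading the email claim, using the claim names visible in the tokens posted in this thread. The function names, the bundle id `com.example.app`, and the locally generated key pair standing in for Apple's published public key are assumptions made for illustration.

```javascript
const crypto = require("crypto");

const fromB64url = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// publicKey: the key matching the token header's "kid". In production it comes from
// Apple's published public keys; here a locally generated key stands in (assumption).
// expectedAud: your app's bundle id. nowSec: current Unix time, injectable for testing.
function verifyIdentityToken(token, publicKey, expectedAud, nowSec) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const [h, p, s] = parts;
  if (fromB64url(h).alg !== "RS256") throw new Error("unexpected alg");
  // Check the signature BEFORE trusting anything in the payload.
  const ok = crypto.verify("RSA-SHA256", Buffer.from(`${h}.${p}`), publicKey,
    Buffer.from(s, "base64url"));
  if (!ok) throw new Error("bad signature");
  const c = fromB64url(p);
  if (c.iss !== "https://appleid.apple.com") throw new Error("bad iss");
  if (c.aud !== expectedAud) throw new Error("bad aud");
  if (typeof c.exp !== "number" || c.exp <= nowSec) throw new Error("expired");
  // The token in this thread that carries these flags has them as the string "true".
  const flag = (v) => v === true || v === "true";
  return {
    user: c.sub,
    email: c.email ?? null, // null when the token has no email claim
    emailVerified: flag(c.email_verified),
    isPrivateEmail: flag(c.is_private_email),
  };
}

// ---- constructed sample data (not a real Apple token) ----
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const toB64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
function makeSampleToken(claims) {
  const body = `${toB64url({ kid: "SAMPLE", alg: "RS256" })}.${toB64url(claims)}`;
  return `${body}.${crypto.sign("RSA-SHA256", Buffer.from(body), privateKey).toString("base64url")}`;
}
const NOW = 1700000000;
const sampleClaims = {
  iss: "https://appleid.apple.com", aud: "com.example.app", exp: NOW + 600,
  sub: "000000.constructedsample.0000", email: "sample@privaterelay.appleid.com",
  email_verified: "true", is_private_email: "true",
};
const sampleToken = makeSampleToken(sampleClaims);
console.log(verifyIdentityToken(sampleToken, publicKey, "com.example.app", NOW));
```

A token whose payload is only base64-decoded, without the signature check, can be edited by whoever sends it, so the email should be read from the verified claims on the server rather than from a value the client reports.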

@Scott_Harrison - can you please implement the fix that @yosu discovered so that you are actually passing a valid email address, rather than requiring developers to have to create some kind of server-based code to translate the identityToken into an actual private-email-address? Please read his two posts carefully to see the problem.

@yosu @troylyndon
Let me break up the questions

First the email stuff with hiding email, it must have been an Apple bug because I am running the latest Apple version and Xcode and I get an email in both cases. I tested this minutes ago.

{"authorizationCode":"cd7f6937900634a8d8b5861db26fa000a.0.nvuy.kxYwVrQMQMQMh3p-E9o3rA","isError":false,"user":"000548.14d86617b5bd475b9d93590cd68fac82.2018","fullName":{"givenName":"Scott","familyName":"Harrison"},"name":"appleSignIn","identityToken":"eyJraWQiOiI4NkQ4OEtmIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLnNjb3R0cnVsZXM0NC50ZXN0QXBwIiwiZXhwIjoxNTkyNTk1NTkyLCJpYXQiOjE1OTI1OTQ5OTIsInN1YiI6IjAwMDU0OC4xNGQ4NjYxN2I1YmQ0NzViOWQ5MzU5MGNkNjhmYWM4Mi4yMDE4IiwiY19oYXNoIjoiU2JkOHpkMGNBbTB3cVRMUGtZVFh1USIsImVtYWlsIjoiem02dGVpc2s5ckBwcml2YXRlcmVsYXkuYXBwbGVpZC5jb20iLCJlbWFpbF92ZXJpZmllZCI6InRydWUiLCJpc19wcml2YXRlX2VtYWlsIjoidHJ1ZSIsImF1dGhfdGltZSI6MTU5MjU5NDk5Miwibm9uY2Vfc3VwcG9ydGVkIjp0cnVlfQ.epNs8RUs2r_w7FGvmcEj3LfF3qLSvQebA6xKPuo6cyh__9Zj3QCcCwTtT2DC7PtpOqGVXylecGAFugYWC125L4tkvO_sqzbTGsFtnUxR17fUerBBFN4lCHgZFUCju6BdZzQGzodGoeSvkN2LLIZAK5UYpXew8Xv7wDeB5q9wmlfQJUhmQQzzOlyOJ0BVghhpILEDl-FMO214Bcr_0JrC90037_g7hdo9mVW6ldHXWMRufKVZaFsa7Chtlq9RvDEbkwkU3RiNMzy7bWwIDnEOy-AI0-YhRTD7hc69Oa-rOPrvffRam7zGsTJYjL1Q1VE7EYW3ZE_MwjLTv-rW-G2UJA","email":"zm6teisk9r@privaterelay.appleid.com"}

Second, JWT

I am not messing with JWT stuff. There are a ton of libraries for this. I included a link to a Lua library and dozens of other libraries for JS/PHP if you want to handle it on your server.