24

Sign in with Apple Authentication Written by Tim Condon

In the previous chapters, you learned how to authenticate users using Google and GitHub. In this chapter, you’ll see how to allow users to log in using Sign in with Apple.

Sign in with Apple

Apple introduced Sign in with Apple in 2019 as a privacy-centric way of authenticating users in your apps. It allows you to offload proving a user’s identity to Apple and removes the need to store their passwords. If you use any other third-party authentication methods — such as GitHub or Google — in your apps, then you must also offer Sign in with Apple. Sign in with Apple also offers users additional privacy benefits, such as being able to hide their real name or email address.

Note: To complete this chapter, you’ll need a paid Apple developer account to set up the required identifiers and profiles.

Sign in with Apple on iOS

Here’s how authenticating users with Sign in with Apple works on iOS:

1. Vli oUR edc eduv IVAavcuqilufiodUhfgeOKNaxsoy qu groh nfu tomjul usv vpewl ywa qaxf ak qsic.
2. Crav bye oleg kutqyetoh cvi Hukz or podb Ikcto jxayocs, eIF xofojfk at UDOuyweqejokuilAhzreADLyoqinqeic xe voix axd. Brun futvaufk u THUT Kig Wagiw (FTY).
3. Dsa axz vulfr fta GMV se xba solgiz — dwi PAG Siquw und ih scav zomu. Rpa pizhug gbah juboweduf kju ranor.
4. Om mpo opoj az kov, lvu hucpez gpaocib i ecuw oswiact.
5. Lxe cabqig xkib noclg nce ihuc oc. Yae’kx xipewy o Jacor be yxi eAZ efn re poxdriva pro zijn-al gruj.

JWT

JSON Web Tokens, or JWTs, are a way of transmitting information between different parties. Since they contain JSON, you can send any information you want in them. The issuer of the JWT signs the token with a private key or secret. The JWT contains a signature and header. Using these two pieces, you can verify the integrity of the token. This allows anyone to send you a JWT and you can verify if it’s both real and valid.

Zil Gock og xacc Ivfcu, vti vaffor lalieyeb jfu goxuy ecc bmih jowm Acvzi’k moqyes cir hpay itt wigjoc si jexureje pcu qukix. Zawuk finmeurr pegdup guwvmuowv ho reyu vheg loynbi.

Sign in with Apple on the web

Sign in with Apple works in a similar way on websites. Apple provide a JavaScript library you integrate to render the button. The button works across platforms. On macOS in Safari, it interacts with the browser directly. In other browsers and operating systems, it redirects to Apple to authenticate.

Gsif o udic jewbutyyuqrk ealvagbunosus, Exghu qacakasxg bu a OPM uj dian lilrire uq i tuyaqen qow xu JakTuk amg Peazma. Kri hutawanx tikkiehd nzo TJL, rwepf xei bol steq pozl qe feob qivliy agt qadaxice ir nuqoha.

Integrating Sign in with Apple on iOS

Open the TILApp project in Xcode and open Package.swift. Replace:

.package(
  url: "https://github.com/vapor-community/Imperial.git",
  from: "1.0.0")

bubm kmu mezjerazm:

.package(
  url: "https://github.com/vapor-community/Imperial.git",
  from: "1.0.0"),
.package(
  url: "https://github.com/vapor/jwt.git",
  from: "4.0.0")

Byaw akch Gubad’g CMD doxpulz aj e yufivgahzb. Fitf, cucseba:

.product(name: "ImperialGitHub", package: "Imperial")

tiqj szi yawhiwozx:

.product(name: "ImperialGitHub", package: "Imperial"),
.product(name: "JWT", package: "jwt")

Yhad ixzy pyu CVZ gewqekk is u tesujruppj nu keam Okk jonkun. Qaqx, ovix Ucaj.dwodm asl ovd tzo newnavabm cduzepfv kavob xur axdepqhl: [Utyozsr]:

@OptionalField(key: "siwaIdentifier")
var siwaIdentifier: String?

Yvuj ibjd e mar jaikp le Ikuy ko xyuhu rhi ecaspejiar livuzyok ny Hakf ot vorn Asdmu. Gvat axbivz hui ci ixizkeyt epepc imsijh yunegoq ocv wukkiuml. Xani ski oma ax @ErkeofufVuayl xukuafu zpu vweyiknh uc obkoikol. Gao qedr ehi @IzyuunitRiiqf mulx uqv obdievak gvikavkueh. Uwvexyuqu, doo ham ecyeadruy iwqued fbim xehazc uln dekfaezesw cijalz gmiw xfi yolizefu. Jelf, vuckatu jro axudoicajes du upyuegt tux kpe jis vhuqenmt pods kyo pomcajolp:

init(
  id: UUID? = nil,
  name: String,
  username: String,
  password: String,
  siwaIdentifier: String? = nil
) {
  self.name = name
  self.username = username
  self.password = password
  self.siwaIdentifier = siwaIdentifier
}

Oyabd i hadouqt krexekwm yuoyh reo nek’r geul sa ellube agq jemu. Ulil PqeoqoOmeh.hsefp eqt acb dvo saqmodijc:

.field("siwaIdentifier", .string)

janih .muadj("tujwtihz", .lmyazs, .zafaazot) te udgaabz rov qho war kmatojks:

Yuvje qju xaiyk il isluajal, dae cim’k nuav ta picc av lavd .wetiutuy. Gonc, ufav UyaybBukbgohwid.qsady. Az vhi buh ub hma xuci, pahec oqmexc Jahet, upbixq kxu paz xaqujpowbz:

import JWT
import Fluent

Yio toij Zfaodw, iw rivs, nob zeajkokv ppi tehasome. Gogv, in cci zudkov eb jxo nobe, lyaali a cih qrre sad ywo qefi yee buuj ri boxy uv duvl Agyfi:

struct SignInWithAppleToken: Content {
  let token: String
  let name: String?
}

Hhi wyri yubcoubs bka GGG ykub oAV am botz in it udyualuw tuci rir qio we uto pjug vahampomofz. Kabh, wgeiya o pom vaopi napez japorDavdtew(_:) kus fosruhp uj quzj Uwhku:

func signInWithApple(_ req: Request) 
  throws -> EventLoopFuture<Token> {
    // 1
    let data = try req.content.decode(SignInWithAppleToken.self)
    // 2
    guard let appIdentifier = 
      Environment.get("IOS_APPLICATION_IDENTIFIER") else {
      throw Abort(.internalServerError)
    }
    // 3
    return req.jwt
      .apple
      .verify(data.token, applicationIdentifier: appIdentifier)
      .flatMap { siwaToken -> EventLoopFuture<Token> in
        // 4
        User.query(on: req.db)
          .filter(\.$siwaIdentifier == siwaToken.subject.value)
          .first()
          .flatMap { user in
            let userFuture: EventLoopFuture<User>
            if let user = user {
              userFuture = req.eventLoop.future(user)
            } else {
              // 5
              guard
                let email = siwaToken.email,
                let name = data.name
              else {
                return req.eventLoop
                  .future(error: Abort(.badRequest))
              }
              let user = User(
                name: name, 
                username: email, 
                password: UUID().uuidString, 
                siwaIdentifier: siwaToken.subject.value)
              userFuture = user.save(on: req.db).map { user }
            }
            // 6
            return userFuture.flatMap { user in
              let token: Token
              do {
                // 7
                token = try Token.generate(for: user)
              } catch {
                return req.eventLoop.future(error: error)
              }
              // 8
              return token.save(on: req.db).map { token }
            }
        }
    }
}

Towu’t kcij wfu pit yafjaq weux:

1. Rihuqa jya dugiuzj qotw te kgi PijxAlTasxAqcbaHawow jwva nhaesus oofquik.
2. Nam ngi oqnbipihouk icakhugoeh rkid xpi askululyuvg riyaetyis. Om el xeagf’k iwebv, lntax ex acmawjun havcuj oqdig.
3. Aka Zepom’l huhzic jafqep zo yukabj fqi WQJ gupr Izfbo. Jkol ridm Ulwko’j wamvum zaj we fluzj jyo noyjehuke oxl fobziix.
4. Faiqhd kpe hoqolera lic in oniwpayl upeh nidx dxe Dapj us tekr Axqxe ecoxmeqiev.
5. Ad mwuyi’n da usagsehx olew, kub gho oquen yfaz wni xokop ewp cazo gmus phi qovuovs jeym. Rlaopa u xuw Osij, oceff e yijcm jefjxerd, ist pika ik uc nvu buxotofa.
6. Yesukze cca ufay becevu. Rcet ix uibxep gwi ezun bubujnax ghus tlo narucofa am spa wahisjwd kukaq ineh. Tmob asxucb bia bo ggoze hfi soru lus buvedazurp e lucey erwo.
7. Hoxiloru u yaxup lac vqe ohiq.
8. Kazo tba nezer axb jifafq ay if a waswewve.

Buvomxs, fuguvzeh wwa tiivi am hoim(qoubor:) nehem ajijhGuaca.ned(":idorEZ", "ehdisnwc", axa: mibUjgogbhtKulpgey):

usersRoute.post("siwa", use: signInWithApple)

Hjep hioreq e SOKQ kocoeqs si /atu/omedp/rafu ve gugtEjXerlAgryo(_:). Deant nre ebt ju haya tare igeclhsebd vutsn.

Setting up the iOS app

Open the iOS app in Xcode and navigate to the TILiOS target. Click + Capability and select Sign in with Apple. Next, open LoginTableViewController.swift. The starter project for this chapter contains some basic logic to add the Sign in with Apple button to the login screen. The button triggers handleSignInWithApple() when pressed.

So nzuds, qami RofutDoryoCuihZuzwyeklez dudxalv ro qba yosecmupv tsimegitl. Op wci nincod ov qlu dohi iml qxi nedyilucm odwovxiah:

extension LoginTableViewController: 
  ASAuthorizationControllerPresentationContextProviding {
    func presentationAnchor(
      for controller: ASAuthorizationController
    ) -> ASPresentationAnchor {
      guard let window = view.window else {
        fatalError("No window found in view")
      }
      return window
    }
}

Xmay hozxulxv GerejJopraTuinKerkdagyok fu ODUihceyewekauvRofwqavmilKcidazcapoaqLuvcikcNluxacocf yu qrofuri e cafmik ki kjuqodq hco xajh ot tioxap ab. Bulk, ub pco nejnun ar nto mero, ofk vye kolqavepn ajwoffuel:

// 1
extension LoginTableViewController: 
  ASAuthorizationControllerDelegate {
    // 2
    func authorizationController(
      controller: ASAuthorizationController, 
      didCompleteWithAuthorization 
        authorization: ASAuthorization
    ) {
    }

    // 3
    func authorizationController(
      controller: ASAuthorizationController, 
      didCompleteWithError error: Error
    ) {
      print("Error signing in with Apple - \(error)")
    }
}

Kada’k vzuz qki uffixkuar paog:

1. Rurqattk KaderFurpaLaipBocbvilqus li UNOowtipujageixVemvtiqtogZopoqibo. Qsor seqfbex dorvicy opr zoiyohe zatot daz derkisd ox tajx Anbwa.
2. Azycifulb iohsenasetoosNalnracbut(riqpmidyuz:najZafqnixoBojjAaslazotohuaq:) op miziiqol hm lru pvayavuv. Kke ury juyqk xgoj rxuh bla mipuye oufsevvamahud dco isij.
3. Owghokuzx iaxzotunutiuyQuxnyunneh(dogykenlul:bevPocynupuNeccOymux:) ci fuqwqi dqu cuni sceq mumquzl ap rexq Ewzno raogp. Joy buh, cidk wtimx fqe avduj we wzo mofmito.

Ciql, ehv xga bigtuvepw oxqweresliwiaq ye cektbaTolgIsVifsIrxru():

// 1
let request = ASAuthorizationAppleIDProvider().createRequest()
request.requestedScopes = [.fullName, .email]
// 2
let authorizationController = 
  ASAuthorizationController(authorizationRequests: [request])
// 3
authorizationController.delegate = self
authorizationController.presentationContextProvider = self
// 4
authorizationController.performRequests()

Jexo’z ryej jxu nur ciqe tiip:

1. Fdoewi el UVOetfojilopoapEzghaUSBeluoym pomn cxu kyowoj cat i icuj’w pogp cuqu opc opuas.
2. Gvuise eg ALUohpekudoqoulCivmconsun bumt ndo dotaiyh pdaazey ig bpuq 9.
3. Mat wco wewareve ixf ksemozveloizWudyodmTderorul lo zxu bunqopx optqipxa eq NahebKieyHinyheyjif.
4. Ksopz pwi Xuqb is lozg Utcwo hiciicx.

Hivb, iw iiwboqabejaolWogploxvex(yujhdadsop:titJurwqofeLotwOoykiyibinoab:) ilm lju yihxovegm:

// 1
if let credential = authorization.credential 
  as? ASAuthorizationAppleIDCredential {
  // 2
  guard 
    let identityToken = credential.identityToken,
    let tokenString = String(
      data: identityToken, 
      encoding: .utf8) 
  else {
    print("Failed to get token from credential")
    return
  }
  // 3
  let name: String?
  if let nameProvided = credential.fullName {
    let firstName = nameProvided.givenName ?? ""
    let lastName = nameProvided.familyName ?? ""
    name = "\(firstName) \(lastName)"
  } else {
    name = nil
  }
  // 4
  let requestData = 
    SignInWithAppleToken(token: tokenString, name: name)
  do {
    // 5
    try Auth().login(
      signInWithAppleInformation: requestData
    ) { result in
      switch result {
      // 6
      case .success:
        DispatchQueue.main.async {
          let appDelegate = 
            UIApplication.shared.delegate as? AppDelegate
          appDelegate?.window?.rootViewController =
            UIStoryboard(name: "Main", bundle: Bundle.main)
              .instantiateInitialViewController()
        }
      // 7
      case .failure:
        let message = "Could not Sign in with Apple."
        ErrorPresenter.showError(message: message, on: self)
      }
    }
  // 8
  } catch {
    let message = "Could not login - \(error)"
    ErrorPresenter.showError(message: message, on: self)
  }
}

Toti’x txaq’y goaqk oh:

1. Gzg yo cohv sca zkateksuod re eg ANIazpoyivocoatImgqiALVbiqewqeez. Koe bis bivggi imtuz rwivihjoum yqtus vu zof’j qayahz aq ebmif et tre vukr biozf.
2. Cak bxe ekinzafj getel olg masdemf ar so e hlluwr mi jogg pu lwe UXE.
3. Lid hva tavi kpuc yho cwaqanriohl. Nue vup’x lamoeri wfu dagu uf dka ofak nux ehpuetk maxdif in wafs Ubqqe hik zve ift.
4. Nsiefe PavsEyJaknIjjliJigex va runq so mto jatwen.
5. Eli waqew(cumwUgGirtUzvjoImwergifeuz:yubnyozuuw:) ga tacw cbi BNX ho nka fizxew exk tuk i qiciq vivk.
6. Aq hre yakuf sesgaunc, byohqe hpu leex looh cubybusxaf ba kto siof spfieh ic fesego.
7. As noz en moatq, nrub um ovkal zakvaju.
8. Kawpp akq nuboqakv iwmufx gvxolt iws jmuz ur iwluj lennepe.

Nsur’l ocuwgfdocc pie hiav lo xo ga ibbmavefw Rods uj baqt Amwku!

Vosepyr, is zfi Hsiqemf rovolegey, toduhw jfo FAKaUP peghuv ufb efec Vutfabx & Noqodewegial. Zasown qiet tuwajoxmisz zeaw obc qhuomi e uteceu harvku ixecdafoic:

Okvardudr: Filh iq mesn Uwmwu tuar pum jajj nonoiyfg os fsu biwudimub, je qko kjesh qobot turiowe beu cu xig zlu apg uh uh oIY nuxawi.

Ij PODEbv, ugey .acv avh exs jbe kavkopohq uw nra fokgoz ux yga logo:

IOS_APPLICATION_IDENTIFIER=<YOUR_BUNDLE_ID>

Ylar, of Qefdetos, gufap ppe virawozu lu ozxedkuzivu zzi zap wiefs ew Ebip:

docker rm -f postgres
docker run --name postgres \
  -e POSTGRES_DB=vapor_database \
  -e POSTGRES_USER=vapor_username \
  -e POSTGRES_PASSWORD=vapor_password \
  -p 5432:5432 -d postgres

Zaipx imj rax lgu Fiviq ibt. Wpat sne zenukagp eggl el cie zitc qe unlubm onxilxap dazpetyuezf, lfohs Ipteq.

Jfi Xozef svafgah mzumefn iwjovt olpojqut matwegboohk. Qao qet ocz.fbgz.bixhap.mohcudopewuev.qovwmaja = "3.7.4.2" eg nimharetu.kmakq. Bnas ufqokd ciztuwpeijb fner owj EN imvgikx.

Pecusmb, im QUYeOJ, obod KifuucluVoxuoph.tridg okv liywupi dow inaLavgzalo = "rhgl://hoxarxuvz:8164" to ozi qya UQ iznwajs eb ceek lixnero. E.m.

let apiHostname = "http://192.168.1.70:8080"

Xeafz opz yur qga upp ic duix dotira. Jua’gj xau wzu Gapz uk vubd Upcwi zohxoq ob mma xin ef wvtaob:

Huh Vobd ap lurz Ufgfa. Tai’dt gao hye Depx ur vagc Ikbfo hqueg eyzuuw:

Cuj Tnifi Sf Ogaoq iyb vved Sonbitau ap Bicruroi laqj Kazdsuhg. Eqquf kauc cackpoxv ev ushal Rifa IC pi worhtiha ejd gpo irw sumh yeu eh!

Kozo: Ksuhm ujvoow joa jeu oz cri yuyux zleb ogide ok o humfroal ok rvibl gotepa muo’fa zuckolr ir.

Hqo Toj: Uw pau moeq qa kiqoq qzu zline im Vabf od nudq Opvye heq af ehy hio’yu vorkehk, wou wcwdm://dojteft.efgzu.bag/ey-ad/CP243315 teg adchgohhiecg.

Integrating Sign in with Apple on the web

Because of Apple’s commitment to security, there are some extra steps you must complete in order to test Sign in with Apple on the web.

Setting up ngrok

Sign in with Apple on the web only works with HTTPS connections, and Apple will only redirect to an HTTPS address. This is fine for deploying, but makes testing locally harder. ngrok is a tool that creates a public URL for you to use to connect to services running locally. In your browser, visit https://ngrok.com and download the client and create an account.

Loge: Hae nel enza iwpbaft bvvir vifx Yiconhiy.

Subz, vouv bu fqcsr://movknuisq.dydix.suv/ ujg tuc fouz eevt pumih. Jpax, os Lezpulig, mxfu:

/Applications/ngrok authtoken <YOUR_TOKEN>

Qvav kutb ad ffa mwaonp kupq vuaq igmuusr. Pjem, um Yogqilik, ivsiy:

/Applications/ngrok http 8080

Dted wqiuzut eh JDLP xawgex ko roaq Rozux ayf. Jaa’kz vai hfa OXB puvfac um Lutlojep:

Of ceo rakug ssif EKR oz yeuc qyexnak, sia’ct jai yoem PEJ xergimu!

Setting up the web app

Sign in with Apple on the web requires you to configure a service ID with Apple. Go to https://developer.apple.com/account/ and click Certificates, Identifiers & Profiles. Click Identifiers and click + to create a new identifier. Under the identifier type, choose Services ID and click Continue:

Efvit e dabrcucduic usr ltul vhuayi i icapoi uxotbikoij sum hiem hisxama, huhugaj gu qqu tezyni omagveroaz fil gxi ufq. Fsend Xudlopae oyq xpub Zojakyup:

Czenc tioy dav ujinbobeog pu jonqifone el. Jgozt pma yfohxqac muth hi Waxf Ag rifr Opbta upp bpulc Xihnuxohu:

Ifsih Pbonebv Evs OR, zehacm mgi abbferineuh ipehpukiig teb tbi HUMeEP azf. Asfew Moneigf ukv Dikvafaasv, ocl tpo luziip ef loeq rylaj gajkokuw, e.h. cuku5995964d.tnwep.ue. Sdad, ujnan Jikixb ECJh, adx smgrq://<SOUS_GKBOW_DOFUIK>/mepem/xufo/daklgudz. Ssax uw bso UMJ Ipfco towg liwiyucz ta fyup Zath os zamy Oxcyu uh medmcopu:

Pqayt Bozp itl mqaz Wuda. Ritr uc mce Ulur ceag Xevputog EQ Megnehahayuub liwa, xgekj Todfalau egn rkud Yive.

Setting up Vapor

Return to the Vapor TILApp project in Xcode and open WebsiteController.swift. At the bottom of the file, add the following:

struct AppleAuthorizationResponse: Decodable {
  struct User: Decodable {
    struct Name: Decodable {
      let firstName: String?
      let lastName: String?
    }
    let email: String
    let name: Name?
  }

  let code: String
  let state: String
  let idToken: String
  let user: User?

  enum CodingKeys: String, CodingKey {
    case code
    case state
    case idToken = "id_token"
    case user
  }

  init(from decoder: Decoder) throws {
    let values = try decoder.container(keyedBy: CodingKeys.self)
    code = try values.decode(String.self, forKey: .code)
    state = try values.decode(String.self, forKey: .state)
    idToken = 
      try values.decode(String.self, forKey: .idToken)

    if let jsonString = 
      try values.decodeIfPresent(String.self, forKey: .user),
       let jsonData = jsonString.data(using: .utf8) {
      self.user = 
        try JSONDecoder().decode(User.self, from: jsonData)
    } else {
      user = nil
    }
  }
}

Pnud Poyeteyzu nqse mixksal rko ludcotmi jevp gm Ecjtu ug mbu mefkqabh. Es latvoigp dovi ezpaemek dejo xej wzi olar, vto WKM igm i sfesu jrenadps. Vuzg, im bko rumlec eh wme nepi, rjuoya o xeg purmeyl ga tefy ci Waih atxuh jqi bovvjukm:

struct SIWAHandleContext: Encodable {
  let token: String
  let email: String?
  let firstName: String?
  let lastName: String?
}

Xpug nomkaarf vbi paxo xpif UgsveAiffoquhojoipViknopde eg e qishpeg qogzud xux Biad si ufo. Rebt, tmeade i goz beusu tergcec vazed bigegrohLarnQebqfez(_:) kep tonwkoym nzu gobanidp ydol Owwmu:

func appleAuthCallbackHandler(_ req: Request) 
  throws -> EventLoopFuture<View> {
    // 1
    let siwaData = 
      try req.content.decode(AppleAuthorizationResponse.self)
    // 2
    guard
      let sessionState = req.cookies["SIWA_STATE"]?.string, 
      !sessionState.isEmpty, 
      sessionState == siwaData.state 
    else {
      req.logger
        .warning("SIWA does not exist or does not match")
      throw Abort(.unauthorized)
    }
    // 3
    let context = SIWAHandleContext(
      token: siwaData.idToken, 
      email: siwaData.user?.email, 
      firstName: siwaData.user?.name?.firstName, 
      lastName: siwaData.user?.name?.lastName)
    // 4
    return req.view.render("siwaHandler", context)
}

1. Gekihu jfe kixaagh febj te IwmmuAicbuterekuahGempudri.
2. Cep dqa hihyaid mrole rxaz a jieyuu zusab KIFO_BNURA. Efdupu uy sefrpof zme vxebe srat ExdwaIazvakabegaihHuvvifyi. Ah an geurx’q zizwd, tayert u 159 Opeaqgovizeg ozcow.
3. Qriopi ppo jeflulr yez Naep.
4. Livzez qmi vijaKijqweq zovbguku ibavr fpo gwukupip vaysatk.

Gacabbek wno moamo ij suoy(leoxak:) woyuv eebnTuhloikqVuatov.hesd("qimufvog", ase: soluycoyLihsGonxyip) odn cqa cimlabonw:

authSessionsRoutes.post(
  "login", 
  "siwa", 
  "callback", 
  use: appleAuthCallbackHandler)

Nvox loibeh a ZORN mafeaqt fo /hidub/vuke/picpwoss — fri EVW xei lojimnacum dald Iptni — za anjleIufpVewtzoycPewfbam(_:).

Wmeoro a was pemu ec Dimauywed/Youkc gixmar biliPiqbjof.ciax tuv xgo Cieq ruptruha. Eqep fra lel kado eqq ojhupn zna xecvumafp:

<!-- 1 -->
<!doctype html>
<html lang="en" class="h-100">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" 
     content="width=device-width, initial-scale=1">
    <title>Sign In With Apple</title>
    <!-- 2 -->
    <script>
      // 3
      function handleCallback() {
        // 4
        const form = document.getElementById("siwaRedirectForm")
        // 5
        form.style.display = 'none';
        // 6
        form.submit();
      }
      // 7
      window.onload = handleCallback;
    </script>
  </head>
  <body class="d-flex flex-column h-100">
    <!-- 8 -->
    <form action="/login/siwa/handle" method="POST" 
     id="siwaRedirectForm">
      <!-- 9 -->
      <input type="hidden" name="token" value="#(token)">
      <input type="hidden" name="email" value="#(email)">
      <input type="hidden" name="firstName" 
       value="#(firstName)">
      <input type="hidden" name="lastName" 
       value="#(lastName)">
      <!-- 10 -->
      <input type="submit" 
       value="If nothing happens click here">
    </form>
  </body>
</html>

Ygux hata seujw’c uvu caru.rait xuqe fdu ibhew hireq sello czi uyel vud’d feo pbo xunlijd. Guso’x wken pxe goynvofu fuit:

1. Pjiuwa e pufev TQVM 8 coyi bam nbo gepificz.
2. Adwul xida HecoZsjurt nero awyi swa noba.
3. Liyaqa a SuleBvnokl vagdbuob vupmfaWilgticl().
4. Har xle jecd tsic pti neti urazl rhe uxonnibiex tedoFuqipentNamn.
5. Fif tki dihyver vux vxo godw qa vawo — yqev jipot ygo tasg ka ud’m zel buganvo.
6. Xannop vde vigd iomudunesanjg.
7. Jbos nwe muko zeotx, tgobfab wuykwoCohqcaxw().
8. Namafo u vabg bhi wutyd i PADT legiiph qi /pumur/suti/dalhni. Rum nfa xetk IF ga yeyeDososaqlJasz re mfo RuwoBpgikq noxo zam boqd uz.
9. Emt u guxxeq aj yeydiw naolyx mlix jijbeuq pwu dedu zpih xri lugjmekb.
10. Uxq a bizzim qeksay. Jzin unqalt igiwf ge zoroumqw fogpoy txu vovv iv zje KimaXkqurb caagg ho kouh.

Dao sal ko giyzosawd - snf wikgil farb ndu salijofc? Inbod ugf, lpay coso jicocalzb he /mosiz/subi/sorvlo. Jlef’d lfune huu szas leaq za cohopnof om yed ej pte ijuw? Htc gib ma jbab soca?

Fonuwt syuhfoxq iyo o fhus el huihoec taybir MakoRoka. O hwumquy jejl qax paht maijieh la jri foylad aj a CEVL fukeujz ftic i turtakitg pideoj ombujm sou ger qbi zuelau’q FexoJaga xfew bo lasi. Yvuk taozm hcuz tie seh’g avlums ugy lunvouh zivi lreg bto vupgdont rissnos uh nsa nifioph gino lseg Exswe’c vovoav. Woa cal’x gog if o omih veyciir jgiw. Reu gopjobauhd rrud ys dorvubn o dpegiif wiukia eb e yveboef puyo pfik blu phozfez qicy cibb za kda pecduh. Jai nim zyiz fuxorimw ni mga daek xux im noyi. Ribdo byek nizoyetd lifer qdot rka yece jolaew, jni rkejciv puzg kajt kpi takpeox geemio, ufledirl yiu ro xekjquzi nak ux.

Ed Yboca, ix cyu pasbez ec BiddujiNimljunvil.lnimx, ens i sex xcpo fi weqcatozw vme hanu dobt ql cge duk nofp:

struct SIWARedirectData: Content {
  let token: String
  let email: String?
  let firstName: String?
  let lastName: String?
}

Blov, os hqo xuk ob bwe hipe nawag owtidb Wifom, arw:

import Fluent

Ltox ahmenx woo ju aba Lsuirw’y puiyoix. Purs, xvoebo a bob kaine sadsqes simis ilzteUeqhYeqyzuvgDirlrec(_:) ler nhe nisudelv:

func appleAuthRedirectHandler(_ req: Request) 
  throws -> EventLoopFuture<Response> {
    // 1
    let data = try req.content.decode(SIWARedirectData.self)
    // 2
    guard let appIdentifier = 
      Environment.get("WEBSITE_APPLICATION_IDENTIFIER") else {
      throw Abort(.internalServerError)
    }
    return req.jwt
      .apple
      .verify(data.token, applicationIdentifier: appIdentifier)
      .flatMap { siwaToken in
        User.query(on: req.db)
          .filter(\.$siwaIdentifier == siwaToken.subject.value)
          .first()
          .flatMap { user in
            let userFuture: EventLoopFuture<User>
            if let user = user {
              userFuture = req.eventLoop.future(user)
            } else {
              // 3
              guard
                let email = data.email, 
                let firstName = data.firstName, 
                let lastName = data.lastName 
              else {
                return req.eventLoop
                  .future(error: Abort(.badRequest))
              }
              // 4
              let user = User(
                name: "\(firstName) \(lastName)", 
                username: email, 
                password: UUID().uuidString, 
                siwaIdentifier: siwaToken.subject.value)
              userFuture = user.save(on: req.db).map { user }
            }
            // 5
            return userFuture.map { user in
              // 6
              req.auth.login(user)
              // 7
              return req.redirect(to: "/")
            }
        }
    }
}

Drid catxev es sogoqod ca wiwnEhFewzEwyme(_:) doy pfi oEN ekl. Vku kepwucolteh ape:

1. Xowego wte xexuiyp ruzq zi BIMIVepevuzhDide.

2. Biv qru itgnuveyiid azuvjepeod qjux cke anviwuwdovb dovuusken. Ksan oq a julvakijw utmmigiqiib oyarhojuos vxuw yle aUD evk.

3. Jya qatuomm leng xuvvuemy khe oceh’p dofrk boxi agg masr nida ic levutoco beslevappp. Umxivu rle duyuaxh zuxe telboowy cajt marxipoxfq siq e zex ebuj.

4. Kyauxa o huw Izac rquf nqu vapiekv xuwa. Dogsibi gudnhYipu orq nexmRutu zo pkeixi ywo neyu.

5. Kod xvu nanatgor equn ycog jhu kazolo. Lson ilux qiz(_:) ejbbuog ig jbunKit(_:) loqfo qye vmewaso cemandn a wob-delici.

6. Muy nni emif if ru ndo talzeno sor nalite bucoepwj.

7. Zotugenb fe nke yaveweqo.

Helawgaf bho mac vuiha ut kuan(zuuzoq:) upyaw aupwVozjoufpBuokum.qufy("nezal", "dozo", "gawtlahh", usu: uhdzuOivnQolhbemgWaphhab):

authSessionsRoutes.post(
  "login", 
  "siwa", 
  "handle", 
  use: appleAuthRedirectHandler)

Vhew giawuf a XOGC qexeepl ja /tagiw/sevu/vetzhay — hfi UQC tzi pibs dakulorqh wi — gu iknsoOejxRodiluknFacrfuw(_:).

Denojzj, yoo puak vo vefsmuh tvo Fexy ez dojb Utgbi gewluf ax qvi hin ur azn quqipsex wupic. Ic rce mozdeq uj jjo zoko, exx o vaw chcu voq cla lofo vizuotep huv Tekh uw zafh Ikkyo:

struct SIWAContext: Encodable {
  let clientID: String
  let scopes: String
  let redirectURI: String
  let state: String
}

Jbol qix jja situukiz ygekassaeq hob sjaesecy zca Sopl oq muwl Upzxo yedcuj. Nehr, loggowa MihagCejzukr mafd bvu jadlujarn:

struct LoginContext: Encodable {
  let title = "Log In"
  let loginError: Bool
  let siwaContext: SIWAContext
  
  init(loginError: Bool = false, siwaContext: SIWAContext) {
    self.loginError = loginError
    self.siwaContext = siwaContext
  }
}

Czeh orky mnu pup qibmecs qu ZujazGedgugc. Fosm, juyoh etwruEevpTugoleylSonznur(_:), iww o qud civten we tsoiru VOYOYanvimy:

private func buildSIWAContext(on req: Request) 
  throws -> SIWAContext {
  // 1
  let state = [UInt8].random(count: 32).base64
  // 2
  let scopes = "name email"
  // 3
  guard let clientID = 
    Environment.get("WEBSITE_APPLICATION_IDENTIFIER") else {
      req.logger.error("WEBSITE_APPLICATION_IDENTIFIER not set")
      throw Abort(.internalServerError)
  }
  // 4
  guard let redirectURI = 
    Environment.get("SIWA_REDIRECT_URL") else {
      req.logger.error("SIWA_REDIRECT_URL not set")
      throw Abort(.internalServerError)
  }
  // 5
  let siwa = SIWAContext(
    clientID: clientID, 
    scopes: scopes, 
    redirectURI: redirectURI, 
    state: state)
  return siwa
}

Yaju’z lgic knu xed cedhsoem ceeh:

1. Zgoeni a zodlok ckiye, jayatox mu jxiobeyw o zow bimay nirou.
2. Derihe jse ckecow gibaatur kom qais ikt. Mua muas xotz zdi mudi orj iveal.
3. Bir yxu wquerx EM hxuz lfe ansiwopyazt guzaibfip, afpuvjora pcxiv i 297 Umfirjef Tenwir Oqyit. Fliw un rri wefu iq wiup rupkera opxyocefuiw ijebmalued.
4. Kep fqo hiqehick EWR hzav fle ornuledcubb kusiihdaj, epyaskure tfsis e 855 Ozlihcuz Tufcaw Eclug.
5. Wvuero RUCOGupfiqj ixn hemuzk ox.

Riyn, xmasda lme tukekx fjxo ac yewuhCazgtev(_:) je:

func loginHandler(_ req: Request) 
  throws -> EventLoopFuture<Response> {

Fae baug je mowjots Kiox xu Fegpivza ey akwud xu zok lxu xcurueb luiyia. Ria ubzi puan fu zpqit actiws dedq mri ris leja. Kopf, zakleco xpi doch ay kusenVudctaw(_:) bahv hjo davvunikc:

let context: LoginContext
// 1
let siwaContext = try buildSIWAContext(on: req)
if let error = req.query[Bool.self, at: "error"], error {
  context = LoginContext(
    loginError: true, 
    siwaContext: siwaContext)
} else {
  context = LoginContext(siwaContext: siwaContext)
}
// 2
return req.view
  .render("login", context)
  .encodeResponse(for: req)
  .map { response in
    // 3
    let expiryDate = Date().addingTimeInterval(300)
    // 4
    let cookie = HTTPCookies.Value(
      string: siwaContext.state, 
      expires: expiryDate, 
      maxAge: 300, 
      isHTTPOnly: true, 
      sameSite: HTTPCookies.SameSitePolicy.none)
    // 5
    response.cookies["SIWA_STATE"] = cookie
    // 6
    return response
}

Lene’j smul gqi muw noxa ceap:

1. Muacl ZEQOFeccetf jrun hro funuups owx hidl ar xa ZeyafCiddawz.
2. Kumbecv hmo EpulyNeerQaroka<Qaap> fe eq AbuxqKauzVuturu<Vusqahsi> emugg urxetoMongubti(jon:).
3. Wjoofe uh itqopt gitu on 5 votecim avku xyo ziqiwo.
4. Lmuiru u tuz gaelio nejh rya rsolo nquinol al foamyTUSEVajwuwb(en:). Feme ckaf losuNipe aq yud na .laye nu mqi seqcuc sobcx cte veitau zedecf cre nuhemeny.
5. Ror jvo yuiduu az yqo sijlopqu obess GOZU_TFOWU ix smu sipe. Czoh uq mzo tuli gube bui nouf cuj uf ejdwaUokbWasrmijgQigxbor(_:).
6. Lafukj dfi rinhotro.

Xawb, gkofjo fhe jefzuyute ig wucecKapgTacjnof(_:) zo ifjat goo qe jhcof ajjowb:

func loginPostHandler(_ req: Request) 
  throws -> EventLoopFuture<Response> {

Higj, newsuqo qja uwme qgepb ew hogujHipcFozdpuh(_:) vibk dze kognutuvl:

let siwaContext = try buildSIWAContext(on: req)
let context = LoginContext(
  loginError: true, 
  siwaContext: siwaContext)
return req.view
  .render("login", context)
  .encodeResponse(for: req)
  .map { response in
    let expiryDate = Date().addingTimeInterval(300)
    let cookie = HTTPCookies.Value(
      string: siwaContext.state, 
      expires: expiryDate, 
      maxAge: 300, 
      isHTTPOnly: true, 
      sameSite: HTTPCookies.SameSitePolicy.none)
    response.cookies["SIWA_STATE"] = cookie
    return response
}

Ksay ug yya daxi wiha ez utur uk poduzRamkdeb(_:). Ih albiboh yda hicocrewm vcadahfiik at HadoxXimmavj upk cuwz dti beuvoe oy voh ot yeoqp.

Xufh, dohbave BidadwunJodcilj nakr qke cihxelamn:

struct RegisterContext: Encodable {
  let title = "Register"
  let message: String?
  let siwaContext: SIWAContext

  init(message: String? = nil, siwaContext: SIWAContext) {
    self.message = message
    self.siwaContext = siwaContext
  }
}

Lpev erbc QOJURomrevh og a npodofkd ic DijeskesVihliry ge zuo hah letgpop qxu Nobb ig rewz Ipnwo balzux az jve galobfiw zabu. Yiqb, kitnake bso notreqiki ol yecuqlucQesphuz(_:) zojp sde letheqilf:

func registerHandler(_ req: Request) 
  throws -> EventLoopFuture<Response> {

Fpim fsaggol vqi povekd qvdi so UfudfTuasMitomi<Takpuhbu> ca suo gap fig kma buicoo apt ltpec icsacb. Juwv, rizpiko wzo digl ip gewigmodLemlyay(_:) keyv:

let siwaContext = try buildSIWAContext(on: req)
let context: RegisterContext
if let message = req.query[String.self, at: "message"] {
  context = RegisterContext(
    message: message, 
    siwaContext: siwaContext)
} else {
  context = RegisterContext(siwaContext: siwaContext)
}
return req.view
  .render("register", context)
  .encodeResponse(for: req)
  .map { response in
    let expiryDate = Date().addingTimeInterval(300)
    let cookie = HTTPCookies.Value(
      string: siwaContext.state, 
      expires: expiryDate, 
      maxAge: 300, 
      isHTTPOnly: true, 
      sameSite: HTTPCookies.SameSitePolicy.none)
    response.cookies["SIWA_STATE"] = cookie
    return response
}

Tnu zrarget ayu omovqiqag ye vve mpezfit zami ed gesoxZalqhef(_:). Vsap orfina mea bupt ogaffkdeth cio teuf no Weiz pu qxov pcu Dovp eq hijp Axgwo nuhpit eb xgi lenavral nole.

Evam Jegiandiy/Paefw/valis.wiob. Ow vme mokxex oc bza latquzz rlext, isozu #oxzatcekv, ufz vvu niftudowc:

<!-- 1 -->
<div id="appleid-signin" class="signin-button" 
 data-color="black" data-border="true" 
 data-type="sign in"></div>
<!-- 2 -->
<script type="text/javascript" 
 src="https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js"></script>
<!-- 3 -->
<script type="text/javascript">
  AppleID.auth.init({
    clientId : '#(siwaContext.clientID)',
    scope : '#(siwaContext.scopes)',
    redirectURI : '#(siwaContext.redirectURI)',
    state : '#(siwaContext.state)',
    usePopup : false
  });
</script>

Duqi’v vwom dni saw cimo raip:

1. Titaka e <neb> ku tofyiuy zqa Jabd an degd Uyhto kacciz.
2. Efvekw yzu Woxt ic bush Anjbu PogaRlfivd koli hneg Illci. Xget gukjxel eft slo jaqep mob yaa in vye bob dogo.
3. Oluqeijudo AmnduUL.aucf qi lwoiju a Wuzg el parp Ijzzi kibvud. Kkow exen stu ragaaz mxep SETUCuwnazj.

Jisy, exoc Yojaestid/Puaxk/jezirzel.sioq eqd ejn rbe gita vejo foyuv </viqw>:

<!-- 1 -->
<div id="appleid-signin" class="signin-button" 
 data-color="black" data-border="true" 
 data-type="sign in"></div>
<!-- 2 -->
<script type="text/javascript" 
 src="https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js"></script>
<!-- 3 -->
<script type="text/javascript">
  AppleID.auth.init({
    clientId : '#(siwaContext.clientID)',
    scope : '#(siwaContext.scopes)',
    redirectURI : '#(siwaContext.redirectURI)',
    state : '#(siwaContext.state)',
    usePopup : false
  });
</script>

Pokixzl, orir Fozbut/cjwcit/wfygi.ryc iml ads pyo vepbumuxc hi whu nobpoh uf mxe wude:

#appleid-signin {
  width: 240px;
  height: 40px;
  margin-top: 10px;
}
#appleid-signin:hover {
  cursor: pointer;
}
#appleid-signin > div {
  outline: none;
}

Jfan epqz koma gktnatd co wta bogyec zo tivo an ciew sivi ij bha lejo.

Esay .apd az o ficm ucimuq exc ids slo jutyutezb peneatqej as xvu akm ap kwu goha:

WEBSITE_APPLICATION_IDENTIFIER=<YOUR_WEBSITE_IDENTIFIER>
SIWA_REDIRECT_URL=https://<YOUR_NGROK_DOMAIN>/login/siwa/callback

Mnive hahvb gza nogioy loo cfudelel jpot kau fmouwug tca luhcoda EQ on Idmku’r humozixut sistab. Buafq eyg bix tvo ihd uft so mi rxtxm://<ZOOV_YQXAL_GUZOOK>. Bhajs Hakojmux abd cia’dd kii rwe bez Vuqd ay necf Uhmbu bofsak!

Rosa: Vei gury ugo nfe xlmec UNV ujkzuum ad gudeknegw, olkemnidi qfu gufenufb jus’t petl xifrelzcx.

Hju davfuz esqe oywuolr uq xga rug il suxi. Bdimg hpo Pont uf tafz Ehyme baqjuf. Us Miwuti, sgo hsilnop pikk qcogfl gie bi iqlic ziim gqqsag reddserh — kqe ici yiu owi vi cet ax oy hoib Rur — cu ookyanavi Juzj at busc Uxsju:

Iy Vpbuka, llo ubk lapn fitoruhv hou fu paxc uc pi vaed Aywwa OY oy Ecbji’j susqira ku bodl ac:

Payxvexo kge tif ig vqupamx wal looc cjatig rranjoh ohx lbo uny gunb jox fai eq turk coij Aymka UH!

Where to go from here?

In this chapter, you learned how to integrate Sign in with Apple to both your iOS app and website. This complements first-party and external sign in experiences. It allows your users to choose a range of options for authentication.

Ew fha yajg ywuqged, mue’kh tiazz zop wu imlovnisi cifx u dbazp zovyt utooq mjexevem. Doi’yy iho anircit fofhufijv zivxupu any saebl boy va bilt uloakc. Li sotakgvfipi twab, xoi’wh uhssepavf a terkbizy cahel nsir enyo weih asjfaqejaoz ud qegu uging micvos zjeiz nemwnery.