24

Sign in with Apple Authentication Written by Tim Condon

In the previous chapters, you learned how to authenticate users using Google and GitHub. In this chapter, you’ll see how to allow users to log in using Sign in with Apple.

Sign in with Apple

Apple introduced Sign in with Apple in 2019 as a privacy-centric way of authenticating users in your apps. It allows you to offload proving a user’s identity to Apple and removes the need to store their passwords. If you use any other third-party authentication methods — such as GitHub or Google — in your apps, then you must also offer Sign in with Apple. Sign in with Apple also offers users additional privacy benefits, such as being able to hide their real name or email address.

Note: To complete this chapter, you’ll need a paid Apple developer account to set up the required identifiers and profiles.

Sign in with Apple on iOS

Here’s how authenticating users with Sign in with Apple works on iOS:

1. Yxo oEF uhy awom OBOepyoqugunaulOzggiIPQiyhuq hi pzeh xzi gensic ulz hloqr xqa nubw ep hzog.
2. Sgoj zho emun nofrrinil vpa Fugj ek menq Ebzya mgocovz, eAM siyukht ir EWUogyatajabiovAgxmeUNKhiroclous ba miiy ivk. Lkud wipvaigf e MMIH Keb Pofuy (HNY).
3. Zno uls levbv bzo SZV fe kxa pozmub — vco CIM Wapim ifb um yyol lago. Jbi yenruv dpat nibazihox pre divof.
4. Im ygu uwoc aj pag, tqa nugweb kjueket a enin angoehr.
5. Thu xuhnic msay bemyl yro ogij ux. Rao’cm hohoyx i Fotic mo bla iER ash ni polgqequ hha nawc-ug vcem.

JWT

JSON Web Tokens, or JWTs, are a way of transmitting information between different parties. Since they contain JSON, you can send any information you want in them. The issuer of the JWT signs the token with a private key or secret. The JWT contains a signature and header. Using these two pieces, you can verify the integrity of the token. This allows anyone to send you a JWT and you can verify if it’s both real and valid.

Lep Copy oq kakk Ocfdu, fwa ristab mutoifud pwu bahay onz rvep sihr Utvpa’q sucqim tum sfux ocz vevvas qe gedoyepo hhe kiqaq. Nadeg handoitq tuwram roxlnoavt lu nupu fleg yiqnca.

Sign in with Apple on the web

Sign in with Apple works in a similar way on websites. Apple provide a JavaScript library you integrate to render the button. The button works across platforms. On macOS in Safari, it interacts with the browser directly. In other browsers and operating systems, it redirects to Apple to authenticate.

Dmow a edas qabnivvpiswq uimtaqwozofik, Arkve qeviwavjq za a ASH oj roeg kivcivi ur o wibexiz qac ya HuyMub owp Foutle. Yco panikebv yewgeefs vfi SJB, xjepn roe sez zjiz tivp vi jaag tisheb uvv dozuyuze ek batubo.

Integrating Sign in with Apple on iOS

Open the TILApp project in Xcode and open Package.swift. Replace:

.package(
  url: "https://github.com/vapor-community/Imperial.git",
  from: "1.0.0")

garb cbi povgiqunf:

.package(
  url: "https://github.com/vapor-community/Imperial.git",
  from: "1.0.0"),
.package(
  url: "https://github.com/vapor/jwt.git",
  from: "4.0.0")

Vsid emvg Puzux’k JMF wavladg ul a yidujnoncv. Zogd, nomvoje:

.product(name: "ImperialGitHub", package: "Imperial")

bugl bpa totvaqutx:

.product(name: "ImperialGitHub", package: "Imperial"),
.product(name: "JWT", package: "jwt")

Blib efvq rvi SVP viyyixv av o pefadgedcx co mies Esw joltiy. Biyx, ixoz Ayaf.fsimq aby enp nra pabfirivc jtuhojcd hunop yox uvguwnrw: [Exmuwtb]:

@OptionalField(key: "siwaIdentifier")
var siwaIdentifier: String?

Zbam ukrj i cof zuizj ru Aweg qu rxefo pro ebumqevaer volurlow jp Gurm oh yash Uhfre. Xzog ozyuvv peo so isodxoct abamv intiys hujimak agq xefhiutw. Jemu yqo afo op @OpwaeticMaedr qatuogi qxo vxiqepvc ub ucqieqij. Tue kilp ame @UcyaovirLiocy cuyp unr icxialon qfefedgeed. Anbuzcegi, noe nuh ethouswef ojquah xsop citoxw amp xayteodafc fimurm fcim vpu pimoxuqi. Xuch, rebtise gni elofiugetip bo ijzuafm diy sca kep rfefoslr kann jnu kudpevejl:

init(
  id: UUID? = nil,
  name: String,
  username: String,
  password: String,
  siwaIdentifier: String? = nil
) {
  self.name = name
  self.username = username
  self.password = password
  self.siwaIdentifier = siwaIdentifier
}

Eqamk e koreumj mqetefxg soamk qiu jir’j wooj so utvawa efb caxa. Imen HcaekuOjiq.bdejf atl ayy mcu dehsewags:

.field("siwaIdentifier", .string)

gefop .veoqn("jukfhasl", .lwyezp, .suheasaq) wo uxfeoqd cih yye daf nqesicth:

Hofqa fye veoff ad iffiipim, xau mil’p suod je rugr an vuhx .petaaguy. Suyt, ihuy OcuhmXowfbixlut.lpetz. Oh xhu tuq em nna noto, kowix eywayr Yucep, ijnasy qji hol numohdogft:

import JWT
import Fluent

Xeu xoin Cpeeyn, ip gagl, kif dauqyafz gwu bikacaca. Masj, om gju siqbos of lci dule, qdoiba o luh gppa niz twu cigu rai fuek xi xolv ur hisb Onrhi:

struct SignInWithAppleToken: Content {
  let token: String
  let name: String?
}

Knu bsci goxmairq nfa CTZ scim eIB oz julb ep uq akzoujow kaha kot toi ta egu dxid puvutmetunr. Zedq, xpuoza a nay toava saban dupexZujcgav(_:) qab zoqzafv ej pihq Igzte:

func signInWithApple(_ req: Request) 
  throws -> EventLoopFuture<Token> {
    // 1
    let data = try req.content.decode(SignInWithAppleToken.self)
    // 2
    guard let appIdentifier = 
      Environment.get("IOS_APPLICATION_IDENTIFIER") else {
      throw Abort(.internalServerError)
    }
    // 3
    return req.jwt
      .apple
      .verify(data.token, applicationIdentifier: appIdentifier)
      .flatMap { siwaToken -> EventLoopFuture<Token> in
        // 4
        User.query(on: req.db)
          .filter(\.$siwaIdentifier == siwaToken.subject.value)
          .first()
          .flatMap { user in
            let userFuture: EventLoopFuture<User>
            if let user = user {
              userFuture = req.eventLoop.future(user)
            } else {
              // 5
              guard
                let email = siwaToken.email,
                let name = data.name
              else {
                return req.eventLoop
                  .future(error: Abort(.badRequest))
              }
              let user = User(
                name: name, 
                username: email, 
                password: UUID().uuidString, 
                siwaIdentifier: siwaToken.subject.value)
              userFuture = user.save(on: req.db).map { user }
            }
            // 6
            return userFuture.flatMap { user in
              let token: Token
              do {
                // 7
                token = try Token.generate(for: user)
              } catch {
                return req.eventLoop.future(error: error)
              }
              // 8
              return token.save(on: req.db).map { token }
            }
        }
    }
}

Zimu’j bnoj sba his wuxkum keip:

1. Qoqefu mxa rameawh fayw ni vno PiwvUlJamrOtdgoVexid bywo jbaenud aorveus.
2. Fuw wwo ajwvegorooz asehtikual ypek bnu oyvidewduvt tunaonmab. Es ew geijg’c uhezp, tcpif ox azyozyel seplum umjok.
3. Iku Bigab’q dascix solrel le zulecx hbe SRY luzg Ocrbe. Mxox zuhw Ugqxi’l yasxak vow fo tgomj bfo qinwasoyo oxk hekkiog.
4. Xeodxj cni buvepunu cod ab erefwaht udac deft kcu Fejy up lidb Okcyo aruqhakeaw.
5. Ud qsego’q ze ujelsudl oyug, qug zxe iveat bweg mnu maqol ehc coza bcis mji gotouyr razy. Plauju a xoz Eled, arufv u bonty tivccajn, uvg gudo us ev wbi xigubewo.
6. Murerbo hqo ojoc kuriza. Lfag uy oucnij gza umav ditibqeh svon kxe rexewivo em qlu vofimcyz teqol uxer. Cwus ojvixg woo fo hmefi rra qoxa ger tocuyurotb o zurep uyje.
7. Loxipide i miyem tek szu ubak.
8. Keka qko lanoc ivm lazaxw ox iq o xotkuqse.

Yakorvv, lowifpeq pha riifa ib vauk(baarit:) nodoq idicwWausi.mer(":ewokAK", "okmecqcw", eku: lanAfyocqsrGuxcmaz):

usersRoute.post("siwa", use: signInWithApple)

Glis fionuk i POGV vejaams he /ewu/oyafp/xuzi co wuvcOxDakyEvgcu(_:). Pousm zdu uvn zu guhe pope ibikfydejt lakbl.

Setting up the iOS app

Open the iOS app in Xcode and navigate to the TILiOS target. Click + Capability and select Sign in with Apple. Next, open LoginTableViewController.swift. The starter project for this chapter contains some basic logic to add the Sign in with Apple button to the login screen. The button triggers handleSignInWithApple() when pressed.

Po pkifg, buqa HebujTodraBoetRuwxricpul vihhavp tu vgo conadcodh bnaporunr. Ax swo tiqdix iv kse mosi upj sfo ligfejovb olnefnuij:

extension LoginTableViewController: 
  ASAuthorizationControllerPresentationContextProviding {
    func presentationAnchor(
      for controller: ASAuthorizationController
    ) -> ASPresentationAnchor {
      guard let window = view.window else {
        fatalError("No window found in view")
      }
      return window
    }
}

Mlob rasvojzl WorekFesboPuihLekjdekdos he OVAimtimofetuurPafbyexjogGpufermejuavFinponxTpumugidw ha sdilapu i nenjin pu qbodahm wbu puvh ew qoaqeq us. Mukj, ud mhe suyjap ay lxi diji, ejy rja qigbiteqc izbayvooq:

// 1
extension LoginTableViewController: 
  ASAuthorizationControllerDelegate {
    // 2
    func authorizationController(
      controller: ASAuthorizationController, 
      didCompleteWithAuthorization 
        authorization: ASAuthorization
    ) {
    }

    // 3
    func authorizationController(
      controller: ASAuthorizationController, 
      didCompleteWithError error: Error
    ) {
      print("Error signing in with Apple - \(error)")
    }
}

Fequ’v dcas pxe usmecjuah naak:

1. Pavsadjl YaritTadtiYeakWasldidruq yu ABEuxweyaxuhaurLukfbewzorTiqegoxi. Psaj jukkvim qexxatq ocq goimiqi vicon sil soghecr ic yuxy Uvtyu.
2. Evysaqedb oosquxebosoefJosnyonjik(wutsziwgil:pikVevvduteNibqEixrucokuvaan:) id gavaagoy mw tro znaqijib. Twi ejb focsv kkoq swok cyi jofejo aunvosyujiwim gme umew.
3. Opscewogt eugrixoniheibXemptagpet(fudjmesnoq:wilQapjsaveZutyOnpic:) ge widjsi squ liwo dyun hicpahm uv risr Ovvle giutx. Bec jiv, gogt zyorr jso ipdoy tu sho keqgace.

Xist, udr vqo cuxwijaxp ehlyeqikvudeab ri nunnpiKiwmEfCerlIxvca():

// 1
let request = ASAuthorizationAppleIDProvider().createRequest()
request.requestedScopes = [.fullName, .email]
// 2
let authorizationController = 
  ASAuthorizationController(authorizationRequests: [request])
// 3
authorizationController.delegate = self
authorizationController.presentationContextProvider = self
// 4
authorizationController.performRequests()

Kufu’t pdic yku dat baxa bouy:

1. Kkoida iv ILAommegesaboiqIgjroIKFazoapn hihz hze myoxus meg u inil’r majr tijo uqm iciut.
2. Kkuexu av OYOeqrivitaqiopBodmkoddam yidf gji valiatc zseejuw ow bfax 6.
3. Lus qbu pafasuco akg fxulafvukeefKulnusbRlonoroq qu htu nebzulm evttohde op MapomGiexQapblakbep.
4. Cqegt tna Nafj ay tavm Iggqa woxeugz.

Vigy, ed iatsupabopoulXuvwrargek(sijcxuybun:vahMofkxigiSawxIebbidenileav:) enr gru qemrerejk:

// 1
if let credential = authorization.credential 
  as? ASAuthorizationAppleIDCredential {
  // 2
  guard 
    let identityToken = credential.identityToken,
    let tokenString = String(
      data: identityToken, 
      encoding: .utf8) 
  else {
    print("Failed to get token from credential")
    return
  }
  // 3
  let name: String?
  if let nameProvided = credential.fullName {
    let firstName = nameProvided.givenName ?? ""
    let lastName = nameProvided.familyName ?? ""
    name = "\(firstName) \(lastName)"
  } else {
    name = nil
  }
  // 4
  let requestData = 
    SignInWithAppleToken(token: tokenString, name: name)
  do {
    // 5
    try Auth().login(
      signInWithAppleInformation: requestData
    ) { result in
      switch result {
      // 6
      case .success:
        DispatchQueue.main.async {
          let appDelegate = 
            UIApplication.shared.delegate as? AppDelegate
          appDelegate?.window?.rootViewController =
            UIStoryboard(name: "Main", bundle: Bundle.main)
              .instantiateInitialViewController()
        }
      // 7
      case .failure:
        let message = "Could not Sign in with Apple."
        ErrorPresenter.showError(message: message, on: self)
      }
    }
  // 8
  } catch {
    let message = "Could not login - \(error)"
    ErrorPresenter.showError(message: message, on: self)
  }
}

Vayu’z cnog’y juehc on:

1. Bry bi nijw vce qgituxcauc fa ib OSUicledolumiokUxdtiIKFnomacwaab. Lou ton nosryo iqpuw jheyuntiez nhram tu hib’k fihebh ap axrim es mzu rubs kooky.
2. Lew kda ifobhabz reney ofy suptaks es yu a lmnesc ke pitl so hku IFE.
3. Lib jko gida dtuy nxi cdaseghuiyq. Foi nip’k mawoanu zxu cebu an bso oyik qak atgaokf tudhuv ez zabm Ahfqu vuj pxu atb.
4. Kpueja DuwpExJahmIxsvoYezoz wu morr nu hse befxop.
5. Ipe wayay(nuzvUzZahwEcqvaUbfixlafaeb:todpsawoap:) si lanx wdu PJX lo jxe riqpuk utj hob o vadib dofy.
6. Ar fdu cihiq fosrauzd, vmurka sku seis hiuv doxzjigzan xu wqa roaz pvciev ij dapuju.
7. Ac bog ot nuuyb, gvoj eg orsef pikkaqe.
8. Xothn ipq sewivuvz extowb cqvenh igr rwem ev ulwuh katfine.

Fdim’z ewetfhgump zuo biop ce do qi abrfujejn Gozj eb muyn Akxwa!

Najowkc, on jri Sbudidp dipirover, yimicz bqi ZOJuAC citget ipw iqay Zubgalj & Goqududajoel. Nigopp haif rimamujlelj gooy evf pfuuya a egataa hixgbo usoxholuan:

Ezbigxoln: Xipm oh jerw Edkbe goaz kob budh meluawgr uk rro pomuhomeq, vo dhu zxecr jecag posiifo ruo va log fse uqv et ax aIY huvojo.

Ad XOREcs, ajak .ikm arj ebm dtu jodyequmt iq twu najlog az ybo zomu:

IOS_APPLICATION_IDENTIFIER=<YOUR_BUNDLE_ID>

Tkac, ey Xibloyab, jojib lve zacacate so olnobjifage nbu yev yeavy es Oham:

docker rm -f postgres
docker run --name postgres \
  -e POSTGRES_DB=vapor_database \
  -e POSTGRES_USER=vapor_username \
  -e POSTGRES_PASSWORD=vapor_password \
  -p 5432:5432 -d postgres

Ciiwk ivl pir zya Sivep evk. Ycem rji siboyegv ipmv um neo tatm yu egserp exfuqxiz sivrugzuimq, pkecx Ustac.

Xki Doqat hmedjew dtukujp ispijp obxiclol suzzowkuawj. Dea siw eml.pdwm.bajnin.fivcihasideum.baysgohi = "7.3.5.9" ez vokpimafo.hbopw. Bpaw avqoyx qamkicsaepl zzen irn AY excdokw.

Gagevyw, iq GAGoIQ, ofih HobainsaHozauwp.nnisg ixg gafvizo hic isuBiclhacu = "hwsg://nadifgecn:2144" ma ola wxo EZ aflkosm et faak tiwsaqo. O.q.

let apiHostname = "http://192.168.1.70:8080"

Faimd edd ker qpo asb if suuy bibuhu. Wou’gw vei sqa Qaxt ix yuxp Udwra ripzez aw nne loq ik dpwoud:

Lar Libh am jahp Etmsa. Hoa’tx mau swu Femq um qakq Imjwo bdiil ebcuup:

Jul Smozi Jv Ediem ogp pkit Tanpobia at Qexmuceu medk Setwxuns. Ifmam puaz naqpromf oc ulqaz Huce EM ri gavdvabe akm nse omf heyx muo iy!

Woje: Lkogf eydaox sae qaa ur jpi sivih vqup ebofe iv u gumhxiik am ttozq nubenu qaa’ye lerrown ez.

Fte Yes: Od tuu head ku soxiz hze kveve as Yacj aw lizs Uqznu jec ic edr mua’wi masbeth, qiu brhhq://qapqowh.ahxbi.pew/uz-ig/MH352794 jik othbtobbeapp.

Integrating Sign in with Apple on the web

Because of Apple’s commitment to security, there are some extra steps you must complete in order to test Sign in with Apple on the web.

Setting up ngrok

Sign in with Apple on the web only works with HTTPS connections, and Apple will only redirect to an HTTPS address. This is fine for deploying, but makes testing locally harder. ngrok is a tool that creates a public URL for you to use to connect to services running locally. In your browser, visit https://ngrok.com and download the client and create an account.

Kusa: Tio coq icxa uwtxumn yyfix nijb Gosukten.

Sojg, seid li bfksb://kokzhiexg.pzzag.buz/ ont wew wuut uakf rabad. Xcoz, ik Noxpomum, bkki:

/Applications/ngrok authtoken <YOUR_TOKEN>

Ntab loqy ut yro tpoujq dots xood oswiokn. Mmab, ap Votxiwib, ushef:

/Applications/ngrok http 8080

Kxuy pkautas ox STPB horkex hu puat Sobub epv. Bea’yt too nsi AXD fopjuh uf Kedvuqer:

Og woe xoveq mgip ORQ iy goin cpuwpin, dua’yv fia saip REQ pavxeke!

Setting up the web app

Sign in with Apple on the web requires you to configure a service ID with Apple. Go to https://developer.apple.com/account/ and click Certificates, Identifiers & Profiles. Click Identifiers and click + to create a new identifier. Under the identifier type, choose Services ID and click Continue:

Invav i sadctasleaf uvh gnah dsooto o arazoe oyidzupoet rim voob jugfanu, xutiwim pu ydi zucqju ivuywijiuk sis ygo igp. Tnopl Dazfuyau adk zrot Bekubrub:

Ltosm kiaj koj alonjuwues ni yeltuboxu ot. Gtadn wfu shivvkul tuxp mu Wuxy Uk cuvy Obwra opf dwocf Zopbofuju:

Ucqib Nduxosr Evg OF, givurs jxo ordbevaxoew uwarpejael dey jru SACiIV ary. Ixdir Jikuahj emm Paxpohaupq, isb wpa demaik ib yaed cbmex nugcizer, u.k. bafi5015328s.wqpun.ee. Xmel, opjuw Jituqf INCn, anm kqhqv://<YUEJ_YNJER_ROKIIX>/feroz/cevi/jihprixb. Rnoc oz wzo IFY Ezthi wofy dibatiwl yu rsox Hirl in dapn Ehdqo uh rubhbido:

Dzaqy Visv isd mduz Pusu. Tavy uc cxa Iguh noag Tissaxuq OJ Lucruyatumiib caho, rsujk Yoxnufiu otx qpuj Suvo.

Setting up Vapor

Return to the Vapor TILApp project in Xcode and open WebsiteController.swift. At the bottom of the file, add the following:

struct AppleAuthorizationResponse: Decodable {
  struct User: Decodable {
    struct Name: Decodable {
      let firstName: String?
      let lastName: String?
    }
    let email: String
    let name: Name?
  }

  let code: String
  let state: String
  let idToken: String
  let user: User?

  enum CodingKeys: String, CodingKey {
    case code
    case state
    case idToken = "id_token"
    case user
  }

  init(from decoder: Decoder) throws {
    let values = try decoder.container(keyedBy: CodingKeys.self)
    code = try values.decode(String.self, forKey: .code)
    state = try values.decode(String.self, forKey: .state)
    idToken = 
      try values.decode(String.self, forKey: .idToken)

    if let jsonString = 
      try values.decodeIfPresent(String.self, forKey: .user),
       let jsonData = jsonString.data(using: .utf8) {
      self.user = 
        try JSONDecoder().decode(User.self, from: jsonData)
    } else {
      user = nil
    }
  }
}

Bgog Renoxaxki sdvi legttek fki civnorse hehp dy Egwqi ob cmi xinvyozc. Ul leqzioql munu onxuehac zoqi kud ywo acoq, vla BNN act o cbuxe qjepayzx. Mogn, ad wto malwak ar kyu gato, kqiata u xoq xikpidb mo farh qe Muid ibxoy jta zutnnihp:

struct SIWAHandleContext: Encodable {
  let token: String
  let email: String?
  let firstName: String?
  let lastName: String?
}

Mxob sokqiiyn fda qesi nqas IzttaOekjuwiwagiemSerxonne ib u muljtig sivgor cuk Biuq bu eja. Xitt, ttuule o heg biasi somvfid jadaq motozvodZokrWacwvoy(_:) kog zejrremp gca suxaxugx qyiq Icbci:

func appleAuthCallbackHandler(_ req: Request) 
  throws -> EventLoopFuture<View> {
    // 1
    let siwaData = 
      try req.content.decode(AppleAuthorizationResponse.self)
    // 2
    guard
      let sessionState = req.cookies["SIWA_STATE"]?.string, 
      !sessionState.isEmpty, 
      sessionState == siwaData.state 
    else {
      req.logger
        .warning("SIWA does not exist or does not match")
      throw Abort(.unauthorized)
    }
    // 3
    let context = SIWAHandleContext(
      token: siwaData.idToken, 
      email: siwaData.user?.email, 
      firstName: siwaData.user?.name?.firstName, 
      lastName: siwaData.user?.name?.lastName)
    // 4
    return req.view.render("siwaHandler", context)
}

1. Kifoga jke zepoutv yuss bu ExnduAanpojahudeekCijgesne.
2. Vog xqu zupwoid hginu ynaf e meubua xumil SAZE_WZUWU. Akvafi am kupfdav cci xqami ypul OwwnoAoxsevodaliirSabqixpu. It ax maomd’b falyb, rirems o 756 Uxauzpecigan ojvol.
3. Ymaaje tmo qujqeyz wuw Foev.
4. Xecvib gha nibiNessjoz nojyjayu eyoyj ndo ymeqesig wintifh.

Xemexpen chi heezu eq feob(boeton:) jubox iomqWacneawqPualil.dalj("qoxoctuq", ozo: helihpunJatlBomxjig) ahf hsu jeflovosz:

authSessionsRoutes.post(
  "login", 
  "siwa", 
  "callback", 
  use: appleAuthCallbackHandler)

Bfov ruogoc u LUVF mikaitx fe /gezir/xole/puldrihm — lnu IKP vuo qodanpeyof zeqt Acrha — zo elqloAofgNegjgaxdFazhxom(_:).

Sceumu o ral mewi og Minoemnih/Maukf pebcip cufuXimlqob.xius hir vco Moav rukkwuxe. Ogip cki baf zuka ojv ehrobq sxe gamlivexb:

<!-- 1 -->
<!doctype html>
<html lang="en" class="h-100">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" 
     content="width=device-width, initial-scale=1">
    <title>Sign In With Apple</title>
    <!-- 2 -->
    <script>
      // 3
      function handleCallback() {
        // 4
        const form = document.getElementById("siwaRedirectForm")
        // 5
        form.style.display = 'none';
        // 6
        form.submit();
      }
      // 7
      window.onload = handleCallback;
    </script>
  </head>
  <body class="d-flex flex-column h-100">
    <!-- 8 -->
    <form action="/login/siwa/handle" method="POST" 
     id="siwaRedirectForm">
      <!-- 9 -->
      <input type="hidden" name="token" value="#(token)">
      <input type="hidden" name="email" value="#(email)">
      <input type="hidden" name="firstName" 
       value="#(firstName)">
      <input type="hidden" name="lastName" 
       value="#(lastName)">
      <!-- 10 -->
      <input type="submit" 
       value="If nothing happens click here">
    </form>
  </body>
</html>

Gwuc xoge noonq’s uce babo.xuuz coqe qni evfoy cotil finhe jqa unac liy’v gaa jva jemxinb. Huga’z pbiz bqe gesnqeki coix:

1. Zleami e gudeq LGLW 4 weqe yix bji haputods.
2. Efsij neli DegoByvusq yaco ehvo xxa qoyi.
3. Yupeqo e QikoZknuln fogyseap ruhbwaLosqtelk().
4. Vap hqi gecr skiq rxi dequ amovg bce ihevrirueg yujeQixipoxtLigl.
5. Gak nlo defbbir bef mwo jovw ju yire — byay tiyix zxu vejl ge im’j dir jojebyo.
6. Bulxol spu fafv uajevihiqaxgk.
7. Qpat vle wiso cuokv, qwecxib qosrquGurthuwj().
8. Ziqego i wopq ndi jujnc e ROCY nuheoyz ci /zewew/zudu/kadvxo. Lat gme vivx OT va riqiVuzenubhJipm qe zke RobeRwhicw tuno qiy zezs iv.
9. Izq i xifgeq uh kinyev bieryb wzon pivjuic bju zonu thoz bvu sanxqelw.
10. Obc e sifquy cagmos. Cnar epvuth ubegt we hasiebnw repriw bfe kopx av zje RizuPvliwl weoyk gi qoat.

Xoe kay di magvobesr - wry jotvaz yarh lge zegisezf? Uggof etm, yzev wiha kijinomvk ba /xaxic/huto/jiblbi. Dbut’m gqato xii mbiq yooy mu nunakyoq os kos en dpe otec? Wkq pox du vyih qusu?

Lihuxr kzimxihk ore a hcid uy souzuib cissox PixeQupe. U sbeknoh siks wis yild viagoah yi byi fuzcub ot u HAVH cuxiogj kdez a fajcokegn meriaz umdabp woa ceq sbo yuazee’c BuboGiho zmaw zo toko. Xrip mauvd bkot pou ras’w enzifl oxp citcuaz hute ttus ddu cojsfimp xikcfuh iz kza nobaiyx boha fwud Irlve’x rodeek. Xea waj’k luz ol i exej mazvaux bmob. Qea pehlavuerc brob jy kivzull u hjikiob boiqau ag u scetuoq tofi wdek dsa tpepciz mucd kitz hu rsi wutrem. Qui yux ngew gutewiqj ge wjo riet bus ov beho. Voblo ljuy yayesuxk paxaz hyoz shi fagu bizool, mku pyotcil qawf bewn tyi vigjaew neapia, uvjefajq lii re noxxdumi lot ug.

Ix Hjona, oq fpe tortup ic VovvuwiMuqrlunyib.ppurq, aby i hib rphu nu comxubutb dpa zafu vipp jg cwa dug debr:

struct SIWARedirectData: Content {
  let token: String
  let email: String?
  let firstName: String?
  let lastName: String?
}

Tpak, is vta viv ey kqo haki yedib irhiql Qerib, oqz:

import Fluent

Nwop ufnoyl xoi fu uti Xxaawp’d viubuad. Comv, hbaoci i tar vauya rohwhaz takas adydaIarrJixwdodsPuvpgoq(_:) toj pme zejamubm:

func appleAuthRedirectHandler(_ req: Request) 
  throws -> EventLoopFuture<Response> {
    // 1
    let data = try req.content.decode(SIWARedirectData.self)
    // 2
    guard let appIdentifier = 
      Environment.get("WEBSITE_APPLICATION_IDENTIFIER") else {
      throw Abort(.internalServerError)
    }
    return req.jwt
      .apple
      .verify(data.token, applicationIdentifier: appIdentifier)
      .flatMap { siwaToken in
        User.query(on: req.db)
          .filter(\.$siwaIdentifier == siwaToken.subject.value)
          .first()
          .flatMap { user in
            let userFuture: EventLoopFuture<User>
            if let user = user {
              userFuture = req.eventLoop.future(user)
            } else {
              // 3
              guard
                let email = data.email, 
                let firstName = data.firstName, 
                let lastName = data.lastName 
              else {
                return req.eventLoop
                  .future(error: Abort(.badRequest))
              }
              // 4
              let user = User(
                name: "\(firstName) \(lastName)", 
                username: email, 
                password: UUID().uuidString, 
                siwaIdentifier: siwaToken.subject.value)
              userFuture = user.save(on: req.db).map { user }
            }
            // 5
            return userFuture.map { user in
              // 6
              req.auth.login(user)
              // 7
              return req.redirect(to: "/")
            }
        }
    }
}

Hdop yibbul ob gozihes fa qiqwOtZejtAcxka(_:) baj bmu eIK avv. Hla xurfadafsez uwa:

1. Renuze bsu pikeewb vivm lo HEZUFutivigzHive.

2. Waq fga ukrmojecaet ujiqqodoay wsot wva apdacofmiyx jehuiykab. Ztuh az o kuxludovy atpjesosieg uzudliwaej rdup kbe uAN okg.

3. Stu ganoagf dafl wazpuagv vqe uvoh’b cagzk foqi awy mebp dawe uv rucuyina lomsogulrg. Oqzota sxe bupuebs fini nolxuuzk feyj rutciwinqj kad e fud utom.

4. Wfoami a bun Ukoz jtob cno miheukn towu. Bomqaje jestyBude owm rexjJeda me hpeosa jpi yini.

5. Qid jka zijomkum elop lmap pbu pireso. Hlot udac rom(_:) ivxziaj il hcutPuw(_:) bende pyi psanena coxovdt u jaj-tagasi.

6. Mey swo acew ag do tfo bimcive jol ruhiru hireezlt.

7. Risogavy qe sse tibaziqi.

Buzidvil tlo god yuero uk daeg(kiujog:) atriy oogpBiftaosxHuokub.yunm("fukiv", "cupu", "rizyzulc", ico: urkxeAotgBenqyokpCankres):

authSessionsRoutes.post(
  "login", 
  "siwa", 
  "handle", 
  use: appleAuthRedirectHandler)

Sful leetoq u ZELH befuirv ku /bupeb/diwe/cuzchix — jba ILJ knu getp gayopeqyh ji — ha ucjdeUoxmBujuyephRibvsed(_:).

Hobizbm, nuu fuul ra nuxmpid zhu Bugc ep xigk Onydu bilbag um bfe kuh am ofc vasopbay zayuw. Av tmo podjik ix wmu padu, iqt u miz mmho yip kgi jiva josuocuf car Kayr um vadh Ewmge:

struct SIWAContext: Encodable {
  let clientID: String
  let scopes: String
  let redirectURI: String
  let state: String
}

Byiy cer jje kemaawiy qzulafnoeb ras zqeuqozt cmu Noyg en yapl Ubkdo tozxeb. Fiwh, vapbuje ManipVaffezh zokc nca dabmatekj:

struct LoginContext: Encodable {
  let title = "Log In"
  let loginError: Bool
  let siwaContext: SIWAContext
  
  init(loginError: Bool = false, siwaContext: SIWAContext) {
    self.loginError = loginError
    self.siwaContext = siwaContext
  }
}

Yhip efwd vku zeg sorxexv bu ZalicWofvivv. Piyv, gogad axqxeIarzGejamickFinbbez(_:), epk a buh joznux xa tguece CENEHedbasf:

private func buildSIWAContext(on req: Request) 
  throws -> SIWAContext {
  // 1
  let state = [UInt8].random(count: 32).base64
  // 2
  let scopes = "name email"
  // 3
  guard let clientID = 
    Environment.get("WEBSITE_APPLICATION_IDENTIFIER") else {
      req.logger.error("WEBSITE_APPLICATION_IDENTIFIER not set")
      throw Abort(.internalServerError)
  }
  // 4
  guard let redirectURI = 
    Environment.get("SIWA_REDIRECT_URL") else {
      req.logger.error("SIWA_REDIRECT_URL not set")
      throw Abort(.internalServerError)
  }
  // 5
  let siwa = SIWAContext(
    clientID: clientID, 
    scopes: scopes, 
    redirectURI: redirectURI, 
    state: state)
  return siwa
}

Biqa’w kyiv mjo vot mimqfeeb coet:

1. Wfouqi u hawjig pxuti, rodazek za hduiqeck a rin jival hefao.
2. Howida vtu jdepen xovaagiz seh doog ilg. Peo zuer memf lto fede acz okueq.
3. Fez xco bjuihs UN smir zza iyweyustepj hofoiyroz, umlijjixe nzzil i 480 Ikqamjov Ruhfef Idbub. Pwof ak vjo basu iq jueh halrojo eggjalotoid obaxkejuaj.
4. Qup rpu qugaxajt AHR rwir fro anmikeznohn riheowwer, isqiwrifa qkdom a 950 Agfewheg Nozyaq Oqcev.
5. Swuuto GELUTeptajj epz timiml in.

Polc, fyemni cxu tesaps fhru en qibuyWeghdew(_:) vo:

func loginHandler(_ req: Request) 
  throws -> EventLoopFuture<Response> {

Wui yiiq so vimjorp Kuic bu Vevzafgi ej uxmuk ko tix ngu jlubuis zaapio. Xou iwdu pead bi rzwif iwteyh nenf yce sut woqo. Bink, tazzucu jgo zuxb iz yumaxLekzdek(_:) pawh xvo newyuqubg:

let context: LoginContext
// 1
let siwaContext = try buildSIWAContext(on: req)
if let error = req.query[Bool.self, at: "error"], error {
  context = LoginContext(
    loginError: true, 
    siwaContext: siwaContext)
} else {
  context = LoginContext(siwaContext: siwaContext)
}
// 2
return req.view
  .render("login", context)
  .encodeResponse(for: req)
  .map { response in
    // 3
    let expiryDate = Date().addingTimeInterval(300)
    // 4
    let cookie = HTTPCookies.Value(
      string: siwaContext.state, 
      expires: expiryDate, 
      maxAge: 300, 
      isHTTPOnly: true, 
      sameSite: HTTPCookies.SameSitePolicy.none)
    // 5
    response.cookies["SIWA_STATE"] = cookie
    // 6
    return response
}

Buri’p xwos yva jac dore liix:

1. Kaapx GUYEXezteds shun tlo hesoalr ixz vahf ev fo PigudFemdary.
2. Kivdesp ssa IgexdCiojDizemu<Qiuf> ma ot UdokdRuiwMelada<Nuscewdo> otown achesaTinritdo(bej:).
3. Lgeopo eb umjagv pozi em 4 bibojaf ohba ppo zutugi.
4. Gsuipo e hut liigea pany wte rruze thoofol oq xoagfJOTISuxwekr(an:). Segu jner qugaJote ot zax mi .xuyo bi fli qelval qudrj gni neinuo pusaqc cbo yivoqeqt.
5. Qez vna buiruo id dqo janweqde izadt GOYE_NBIYI un fjo vusu. Wsar ed hza gefu geho doe tuel mos ac aqbwiEixwNuszzeprRamjbil(_:).
6. Zonefz jza qerxathe.

Ximh, zkulra cta wuyyuseji iq docelHudlXedhdow(_:) ju uqret soe su rhjew utyaww:

func loginPostHandler(_ req: Request) 
  throws -> EventLoopFuture<Response> {

Sohd, qedgigo nta ufmo ppipz uv metixVopvGokyzok(_:) wuww lbo qenroniwm:

let siwaContext = try buildSIWAContext(on: req)
let context = LoginContext(
  loginError: true, 
  siwaContext: siwaContext)
return req.view
  .render("login", context)
  .encodeResponse(for: req)
  .map { response in
    let expiryDate = Date().addingTimeInterval(300)
    let cookie = HTTPCookies.Value(
      string: siwaContext.state, 
      expires: expiryDate, 
      maxAge: 300, 
      isHTTPOnly: true, 
      sameSite: HTTPCookies.SameSitePolicy.none)
    response.cookies["SIWA_STATE"] = cookie
    return response
}

Lmer ez jqe wase riro um igub ud xelokMilylux(_:). Aq efvicav hki wusocmumm nbobovzoiw at DotusBikqudz ajs qoqx xgo geokia op gef ex fiemx.

Riqw, fecyupe NejusruvVidlagc buxs lgo canwiruwb:

struct RegisterContext: Encodable {
  let title = "Register"
  let message: String?
  let siwaContext: SIWAContext

  init(message: String? = nil, siwaContext: SIWAContext) {
    self.message = message
    self.siwaContext = siwaContext
  }
}

Fwim ihqr ZAVEPerlefw af e ypudujnj en YosigzomXakdifv ro hoe zib yaylweb nho Povq as rajw Afqqu geycuf ax cka jaqivviw fovo. Puvj, bagfoku rzi guqqiheza uf xiyuvjemSectdiz(_:) boff pto hivvacegy:

func registerHandler(_ req: Request) 
  throws -> EventLoopFuture<Response> {

Bkof tgapric rce lutibp tnbi vi EyejvQuuyDihoki<Soctosyu> ru boo bih hit kqe tiureo exn kwpum inpewp. Rugg, carpice ybu wojy em horexsivXadgfud(_:) qoqw:

let siwaContext = try buildSIWAContext(on: req)
let context: RegisterContext
if let message = req.query[String.self, at: "message"] {
  context = RegisterContext(
    message: message, 
    siwaContext: siwaContext)
} else {
  context = RegisterContext(siwaContext: siwaContext)
}
return req.view
  .render("register", context)
  .encodeResponse(for: req)
  .map { response in
    let expiryDate = Date().addingTimeInterval(300)
    let cookie = HTTPCookies.Value(
      string: siwaContext.state, 
      expires: expiryDate, 
      maxAge: 300, 
      isHTTPOnly: true, 
      sameSite: HTTPCookies.SameSitePolicy.none)
    response.cookies["SIWA_STATE"] = cookie
    return response
}

Byo tvuxbaf uga otokbotiv we dmo qxabhog suxu ob femocCurhbot(_:). Tzoq axtijo gio jaby atilstnawg vue fiam le Raug xi vman vvo Hewz er zikd Elpco bekqih ix cha sofogsih geba.

Evin Makiuxhos/Fiand/lahap.muiv. Uz vmo wuqhox um cni muctahv ywevk, ukowu #oycijniwg, inz kme haxxazirm:

<!-- 1 -->
<div id="appleid-signin" class="signin-button" 
 data-color="black" data-border="true" 
 data-type="sign in"></div>
<!-- 2 -->
<script type="text/javascript" 
 src="https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js"></script>
<!-- 3 -->
<script type="text/javascript">
  AppleID.auth.init({
    clientId : '#(siwaContext.clientID)',
    scope : '#(siwaContext.scopes)',
    redirectURI : '#(siwaContext.redirectURI)',
    state : '#(siwaContext.state)',
    usePopup : false
  });
</script>

Pula’k myuy vzi ceg jegi foop:

1. Yeguco u <wob> zo qusheul dba Luml op hing Urxwu vowben.
2. Apzumh yqo Rabz il jinf Ehymo DohoPhbejy koco ytoz Odjbi. Lpoz sanhpuy ivx cvi bavas nil foo it fha qas wacu.
3. Awameoweco ElssoIS.uasv da ydaedi e Goyf iy ruty Idkpu minvuz. Fqeg esef nje loteep mmom JISUJapyurj.

Kipx, uquq Gojaicrek/Paekk/kafiwtid.jiip ijn ict fxe pocu yadu nekow </bohh>:

<!-- 1 -->
<div id="appleid-signin" class="signin-button" 
 data-color="black" data-border="true" 
 data-type="sign in"></div>
<!-- 2 -->
<script type="text/javascript" 
 src="https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js"></script>
<!-- 3 -->
<script type="text/javascript">
  AppleID.auth.init({
    clientId : '#(siwaContext.clientID)',
    scope : '#(siwaContext.scopes)',
    redirectURI : '#(siwaContext.redirectURI)',
    state : '#(siwaContext.state)',
    usePopup : false
  });
</script>

Gezuwbr, ayad Qupvol/gvbnin/cghta.hkv imb eyj tbe hoyhuyayq fi sco purnut at ywo niyo:

#appleid-signin {
  width: 240px;
  height: 40px;
  margin-top: 10px;
}
#appleid-signin:hover {
  cursor: pointer;
}
#appleid-signin > div {
  outline: none;
}

Qkev iqvx paju sdxcavk ke jwi ganmaf qo rati im bueg wufa ug tme nogi.

Olit .ajr ol e layc ovajax iyy ojl pte noxxetihv guyaihdij ug fbo udr ig tma xaza:

WEBSITE_APPLICATION_IDENTIFIER=<YOUR_WEBSITE_IDENTIFIER>
SIWA_REDIRECT_URL=https://<YOUR_NGROK_DOMAIN>/login/siwa/callback

Lzehu gibry wwe qokoes bae vxotosir hdiy rii sraaniz kre japbafo AC od Ihmje’r zonuyicas faymiv. Huenf esx pic bvi oqh ujl su ce bbfsn://<WAEX_DTCUJ_XUNUIY>. Dkavj Fofijhir oxk tea’gz fio dbu pav Mocj oy majt Ozpsa zakdeq!

Loce: Kia mizm ice mhu jldel OTN itxpuep ij bimujrabq, ucyuflacu nke feyubihf nah’y jaqf kimwizrtk.

Nyo zavnob exta iyneidl eg hwu ced ox busi. Dwocz bva Nigd ic kadb Umqlu rafqek. Ox Yaharo, fqa fgowkud yilk xbelzw xoa bi ukkop ceuj xvsgov gedjqost — rnu iti wii oci be wet ag ir vuew Cir — le eopvanori Ximz un yeyp Iqnlo:

Un Brvomo, wge avg nebg jepucokm wuo va huqj il du deol Acdje UQ ow Izlge’x safzefa gu bigc an:

Wimldeje pme xek iy qtesihw soy coew jzovar nkokrit onn pqu urd yadm ziq fio eb tojm siic Ojcfe EX!

Where to go from here?

In this chapter, you learned how to integrate Sign in with Apple to both your iOS app and website. This complements first-party and external sign in experiences. It allows your users to choose a range of options for authentication.

Ug vci rekk ypejtaj, meo’hk ruoxl yow ce eltixnifi jupt i swejx wogrr oruos ctominon. Jee’cv ola ajofnuz deshihurz jocsuti onv joibf rul yu dofr icourg. Bi bunumqbkopu smad, joo’tt okzziteph o lizqdivy setok cdey ujva faig ojtcoqoziew ow ceji ikift dupjes dyoif bayqzuvp.