* initial implementation

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* check for openid/profile claims

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* include jwks sources in proxy provider

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add web ui for jwks

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* only show sources with JWKS data configured

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix introspection tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* start basic

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add basic auth

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add docs, update admonitions

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add client_id to api, add tab for auth

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update locale

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

74 lines, 2.6 KiB, Markdown

---
title: Apple
---

<span class="badge badge--primary">Support level: authentik</span>

Allows users to authenticate using their Apple ID.

## Preparation

:::caution
An Apple developer account is required.
:::

:::caution
Apple mandates the use of a [registered TLD](https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains); as such, this source will not work with `.local` and other non-public TLDs.
:::

The following placeholders will be used:

-   `authentik.company` is the FQDN of the authentik install.

## Apple

1. Log into your Apple developer account, and navigate to **Certificates, IDs & Profiles**, then click **Identifiers** in the sidebar.
2. Register a new Identifier with the type of **App IDs**, and the subtype **App**.
3. Choose a name that users will recognise for the **Description** field.
4. For your bundle ID, use the reverse domain of authentik, in this case `company.authentik`.
5. Scroll down the list of capabilities, and check the box next to **Sign In with Apple**.
6. At the top, click **Continue** and **Register**.

7. Register another new Identifier with the type of **Services IDs**.
8. Again, choose the same name as above for your **Description** field.
9. Use the same identifier as above, but add a suffix like `signin` or `oauth`, as identifiers are unique.
10. At the top, click **Continue** and **Register**.

11. Once back at the overview list, click on the just-created Identifier.
12. Enable the checkbox next to **Sign In with Apple**, and click **Configure**.
13. Under domains, enter `authentik.company`.
14. Under **Return URLs**, enter `https://authentik.company/source/oauth/callback/apple/`.

15. Click on **Keys** in the sidebar. Register a new Key with any name, and select **Sign in with Apple**.
16. Click on **Configure**, and select the App ID you've created above.
17. At the top, click **Save**, **Continue** and **Register**.
18. Download the Key file and note the **Key ID**.

19. Note the Team ID, visible at the top of the page.

## authentik

20. Under _Directory -> Federation & Social login_, click **Create Apple OAuth Source**.

21. **Name**: `Apple`
22. **Slug**: `apple`
23. **Consumer Key:** The identifier from step 9, then `;`, then your Team ID from step 19, then `;`, then the Key ID from step 18.

    Example: `io.goauthentik.dev-local;JQNH45HN7V;XFBNJ82BV6`

24. **Consumer Secret:** Paste the contents of the keyfile you've downloaded.

Save, and you now have Apple as a source.

:::note
For more details on how to have the new source displayed on the login page, see [here](../general#add-sources-to-default-login-page).
:::
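
The composite **Consumer Key** from step 23 is easy to get wrong (swapped order, stray spaces, a missing part). The sketch below is an added example, not authentik's own code: it validates the three parts and shows where each one goes in the ES256 client-secret JWT that Apple documents for Sign in with Apple. The function names and the ID format checks are assumptions, and signing with the downloaded key is left out.

```python
import re
import time

APPLE_AUDIENCE = "https://appleid.apple.com"
MAX_LIFETIME = 15777000  # Apple's documented ceiling for exp - iat, in seconds
# Assumption: Team IDs and Key IDs are 10 uppercase alphanumeric characters,
# as in the example value shown in step 23.
TEN_CHAR_ID = re.compile(r"[A-Z0-9]{10}")
# Assumption: a Services ID is a reverse-domain string of letters, digits, '.' and '-'.
SERVICES_ID = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def parse_consumer_key(consumer_key):
    """Split 'services_id;team_id;key_id' (hypothetical helper) and reject malformed input."""
    parts = consumer_key.split(";")
    if len(parts) != 3:
        raise ValueError(f"expected 3 ';'-separated parts, got {len(parts)}")
    if any(not p or p != p.strip() for p in parts):
        raise ValueError("empty part or stray whitespace around a part")
    services_id, team_id, key_id = parts
    if not SERVICES_ID.fullmatch(services_id):
        raise ValueError("first part should be the reverse-domain Services ID")
    for label, value in (("Team ID", team_id), ("Key ID", key_id)):
        if not TEN_CHAR_ID.fullmatch(value):
            raise ValueError(f"{label} {value!r} is not 10 uppercase alphanumerics")
    return {"services_id": services_id, "team_id": team_id, "key_id": key_id}


def client_secret_parts(consumer_key, now=None, lifetime=3600):
    """Return the (header, claims) of the client-secret JWT, before signing."""
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("lifetime must be between 1 and 15777000 seconds")
    ids = parse_consumer_key(consumer_key)
    now = int(time.time()) if now is None else now
    header = {"alg": "ES256", "kid": ids["key_id"]}   # Key ID from step 18
    claims = {
        "iss": ids["team_id"],       # Team ID from step 19
        "sub": ids["services_id"],   # Services ID from step 9 (the OAuth client_id)
        "aud": APPLE_AUDIENCE,
        "iat": now,
        "exp": now + lifetime,
    }
    return header, claims
```
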