How To: Add Apple Sign In (Identity Provider) Services to Virtuoso's Authentication Layer (VAL)

Here are the steps for integrating Apple’s Identity Provider Services into VAL, i.e., exposing Apple’s OpenID Connect compliant Identity Provider (IdP) as one of the IdP options available via VAL.

Conceptually, the process is as follows:

  1. Register your VAL-enabled Virtuoso instance as an Application (the Relying Party) with Apple’s Identity Provider Services
  2. Add Apple’s Identity Provider to the collection of IdPs registered with your VAL-enabled Virtuoso instance.

Application (Relying Party) Registration Related Steps

  1. Register an Application with Apple via its Developer Portal
  2. Ensure the Application is successfully registered in the App Store – this ensures it has a usable App ID
  3. Create a Service ID that identifies the OAuth Apps (HTTP origins identified by domains) that will rely on Apple’s authentication services – you will typically have to associate the Service ID with an App ID as part of a group (in our case we use our YouID App for this)

The steps above are outlined in the following docs for assistance:

  1. https://appleid.apple.com/#!&page=signin – for App ID and Service ID setup
  2. https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple – a HowTo Guide

VAL Setup Steps

This is achieved via the Conductor or the OAuth IdP Admin UI (https://{your-instance-cname}/oauth/admin.vsp).

Irrespective of the interface used, the steps for registering a new Custom IdP are as follows.

  1. Click on the “Add OAuth API Keys” button
  2. Fill in the form as follows
  3. Complete the “Options” section using a JSON data snippet as per
{"issuer":"https://appleid.apple.com", "authorization_endpoint":"https://appleid.apple.com/auth/authorize", "token_endpoint":"https://appleid.apple.com/auth/token", "jwks_uri":"https://appleid.apple.com/auth/keys", "response_types_supported":["code id_token"], "token_endpoint_auth_methods_supported":["client_secret_post"], "scopes_supported":["openid",
"name",
"email"], "jwks":{"keys":[{"kty":"RSA", "kid":"86D88Kf", "use":"sig", "alg":"RS256", "n":"iGaLqP6y-SJCCBq5Hv6pGDbG_SQ11MNjH7rWHcCFYz4hGwHC4lcSurTlV8u3avoVNM8jXevG1Iu1SY11qInqUvjJur--hghr1b56OPJu6H1iKulSxGjEIyDP6c5BdE1uwprYyr4IO9th8fOwCPygjLFrh44XEGbDIFeImwvBAGOhmMB2AD1n1KviyNsH0bEB7phQtiLk-ILjv1bORSRl8AK677-1T8isGfHKXGZ_ZGtStDe7Lu0Ihp8zoUt59kx2o9uWpROkzF56ypresiIl4WprClRCjz8x6cPZXU2qNWhu71TQvUFwvIvbkE1oYaJMb0jcOTmBRZA2QuYw-zHLwQ", "e":"AQAB"},
{"kty":"RSA", "kid":"eXaunmL", "use":"sig", "alg":"RS256", "n":"4dGQ7bQK8LgILOdLsYzfZjkEAoQeVC_aqyc8GC6RX7dq_KvRAQAWPvkam8VQv4GK5T4ogklEKEvj5ISBamdDNq1n52TpxQwI2EqxSk7I9fKPKhRt4F8-2yETlYvye-2s6NeWJim0KBtOVrk0gWvEDgd6WOqJl_yt5WBISvILNyVg1qAAM8JeX6dRPosahRVDjA52G2X-Tip84wqwyRpUlq2ybzcLh3zyhCitBOebiRWDQfG26EH9lTlJhll-p_Dg8vAXxJLIJ4SNLcqgFeZe4OfHLgdzMvxXZJnPp_VgmkcpUdRotazKZumj6dBPcXI_XID4Z4Z3OM1KrZPJNdUhxw", "e":"AQAB"}]}}
  4. Save
  5. Test VAL authentication via the SPARQL endpoint or other services that use VAL for authentication
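As an added check (not part of the original post, nor of VAL itself), the following Python script validates the shape of an Options snippet before it is saved: every endpoint must be an https URL on the issuer host, every embedded JWK must be a usable asymmetric signing key, and a kid lookup reports when the embedded JWKS no longer holds the key that signed an ID token, which happens once Apple rotates its keys. The sample config below is constructed and its JWK is a placeholder, not one of Apple's published keys.

```python
import json
from urllib.parse import urlparse

# Constructed sample with the same shape as the Apple "Options" snippet above;
# the single JWK is a placeholder, not one of Apple's published keys.
SAMPLE_OPTIONS = json.dumps({
    "issuer": "https://appleid.apple.com",
    "authorization_endpoint": "https://appleid.apple.com/auth/authorize",
    "token_endpoint": "https://appleid.apple.com/auth/token",
    "jwks_uri": "https://appleid.apple.com/auth/keys",
    "response_types_supported": ["code id_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_post"],
    "scopes_supported": ["openid", "name", "email"],
    "jwks": {"keys": [{"kty": "RSA", "kid": "PLACEHOLDER-KID", "use": "sig",
                       "alg": "RS256", "n": "placeholder", "e": "AQAB"}]},
})

ALLOWED_ALGS = {"RS256", "ES256"}  # asymmetric only: never "none" or an HMAC alg
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri", "jwks")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_options(text):
    """Return a list of problems in an Options snippet; an empty list means it passed."""
    try:
        opts = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    problems = [f"missing {k}" for k in REQUIRED if k not in opts]
    if problems:
        return problems
    issuer = urlparse(opts["issuer"])
    if issuer.scheme != "https":
        problems.append("issuer must be an https URL")
    for name in ENDPOINTS:  # Apple serves all three from the issuer host over TLS
        url = urlparse(opts[name])
        if url.scheme != "https" or url.netloc != issuer.netloc:
            problems.append(f"{name} is not an https URL on the issuer host")
    for key in opts["jwks"].get("keys", []):
        if not key.get("kid") or key.get("use") != "sig" or key.get("alg") not in ALLOWED_ALGS:
            problems.append(f"unusable JWK entry: {key.get('kid')!r}")
    return problems


def select_signing_key(text, kid):
    """Return the embedded JWK whose kid matches an ID token header, or None.
    None means the embedded copy is stale (Apple rotates keys) and the live
    jwks_uri must be re-fetched before the token can be trusted."""
    keys = json.loads(text)["jwks"]["keys"]
    return next((k for k in keys if k.get("kid") == kid and k.get("use") == "sig"), None)
```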


Here is a screencast demonstrating VAL using OpenID Connect for loosely-coupled interaction with OAuth Identity Providers.
