How To: Add Apple Sign In (Identity Provider) Services to Virtuoso's Authentication Layer (VAL)

Here are the steps for integrating Apple’s Identity Provider Services into VAL i.e., Apple’s OpenID Connect Compliant Identity Provider (IdP) functionality as one of the IdP options exposed via VAL.

Conceptually, the process is as follows:

  1. Register your VAL-enabled Virtuoso instance as an Application (the Relying Party) with Apple’s Identity Provider Services
  2. Add Apple’s Identity Provider to the the collection of IdPs registered with your VAL-enabled Virtuoso instance .

Application (Relying Party) Registration Related Steps

  1. Register an Application with Apple via its Developer Portal
  2. Ensure Application is successfully registered in the Apps Store – this ensure it has a usable App ID
  3. Create a Service ID that identifies OAuth Apps (HTTP Origins identified by Domains) that will rely on its Authentication Services – you will typically have to associate the Service ID with an App ID as part of a group (in our case we use our YouID App for this)
  4. Create and download Private (Signing) Key

At the end of this process the following will be created:

  1. Application Name (displayed in the final interaction page)
  2. Key ID
  3. Application Private Key (delivered in a downloadable PKCS#8 file)
  4. Sign In with Apple ID {team-id}.{reverse-dns-id} – the first part is the Team ID while the reverse dns part (e.g. com.uriburner.linkeddata) is the client_id

Currently, rather than offer static client secrets for OAuth 2.0 usage, Apple requires that you derive said client secret yourself using your private key (item #3 above). You achieve this goal via the JWT standard, an elliptic curve algorithm with a P-256 curve, and SHA256 hash i.e., the ES256 JWT algorithm.
Note, some JWT libraries don’t support elliptic curve methods, so make sure there’s support in whatever library you choose.

Using Ruby Client Secret Generator using ES256 JWT Algorithm

  1. From your command-line execute: gem install jwt
  2. Create a file name ‘client_secret.rb’ with the following content
require 'jwt'

key_file = '{pkcs-8-private-key-file}'
team_id = '{team-id}'
client_id = '{client-app-id-in-reverse-dns-form}'
key_id = '{key-id}'

ecdsa_key = OpenSSL::PKey::EC.new IO.read key_file

headers = {
  'kid' => key_id
}

claims = {
	'iss' => team_id,
	'iat' => Time.now.to_i,
	'exp' => Time.now.to_i + 86400*180,
	'aud' => 'https://appleid.apple.com',
	'sub' => client_id,
}

token = JWT.encode claims, ecdsa_key, 'ES256', headers

puts token
  1. Generate the Client Secret by running the following from your command-line: ruby client_secret.rb

SeeAlso

  1. Apple ID – for App ID and Service ID setup
  2. What the Heck is Sign In with Apple? | Okta Developer – a HowTo Guide

VAL Setup Steps

This is achieved via the Conductor or OAuth Idp Admin UI (https:/{your-instance-cname}/oauth/admin.vsp).

Irrespective of interface, the steps are as follows, in regards to registering a new Custom IdP.

  1. Click on the “Add OAuth API Keys” button

  1. Fill in the form as follows

  1. Complete the “Options” section using a JSON data snippet as per
{"issuer":"https://appleid.apple.com", "authorization_endpoint":"https://appleid.apple.com/auth/authorize", "token_endpoint":"https://appleid.apple.com/auth/token", "jwks_uri":"https://appleid.apple.com/auth/keys", "response_types_supported":["code id_token"], "token_endpoint_auth_methods_supported":["client_secret_post"], "scopes_supported":["openid",
"name",
"email"], "jwks":{"keys":[{"kty":"RSA", "kid":"86D88Kf", "use":"sig", "alg":"RS256", "n":"iGaLqP6y-SJCCBq5Hv6pGDbG_SQ11MNjH7rWHcCFYz4hGwHC4lcSurTlV8u3avoVNM8jXevG1Iu1SY11qInqUvjJur--hghr1b56OPJu6H1iKulSxGjEIyDP6c5BdE1uwprYyr4IO9th8fOwCPygjLFrh44XEGbDIFeImwvBAGOhmMB2AD1n1KviyNsH0bEB7phQtiLk-ILjv1bORSRl8AK677-1T8isGfHKXGZ_ZGtStDe7Lu0Ihp8zoUt59kx2o9uWpROkzF56ypresiIl4WprClRCjz8x6cPZXU2qNWhu71TQvUFwvIvbkE1oYaJMb0jcOTmBRZA2QuYw-zHLwQ", "e":"AQAB"},
{"kty":"RSA", "kid":"eXaunmL", "use":"sig", "alg":"RS256", "n":"4dGQ7bQK8LgILOdLsYzfZjkEAoQeVC_aqyc8GC6RX7dq_KvRAQAWPvkam8VQv4GK5T4ogklEKEvj5ISBamdDNq1n52TpxQwI2EqxSk7I9fKPKhRt4F8-2yETlYvye-2s6NeWJim0KBtOVrk0gWvEDgd6WOqJl_yt5WBISvILNyVg1qAAM8JeX6dRPosahRVDjA52G2X-Tip84wqwyRpUlq2ybzcLh3zyhCitBOebiRWDQfG26EH9lTlJhll-p_Dg8vAXxJLIJ4SNLcqgFeZe4OfHLgdzMvxXZJnPp_VgmkcpUdRotazKZumj6dBPcXI_XID4Z4Z3OM1KrZPJNdUhxw", "e":"AQAB"}]}}
  1. Save

  2. Test VAL authentication using the “verify” button associated with your Apple Sign In Service binding

Once Apple Sign In service binding verification is successful, you can start using it via any interface that authenticates using VAL e.g., your Virtuoso SPARQL Query Service endpoint.

Screen Shot 2020-05-12 at 10.41.22 AM

Here’s a screencast demonstrating VAL using OpenID Connect for loosely-coupled interaction with OAuth Identity Providers.

Related