Apple SSO Configuration
Configure Apple ID authentication for your Devana.ai whitemark instance.
Required Environment Variables
| Variable | Description | Required | Example |
|---|---|---|---|
APPLE_CLIENT_ID | Your Apple Service ID | Yes | com.yourcompany.devana |
APPLE_TEAM_ID | Your Apple Developer Team ID | Yes | ABC123DEF4 |
APPLE_KEY_ID | Apple private key identifier | Yes | XYZ987ABC1 |
APPLE_CALLBACK_URL | Callback URL for authentication | Yes | https://your-domain.com/auth/apple/callback |
Setup Instructions
1. Apple Developer Account Setup
-
Create an App ID:
- Go to Apple Developer Console
- Navigate to "Certificates, IDs & Profiles"
- Create a new App ID with "Sign In with Apple" capability enabled
-
Create a Service ID:
- Create a new Service ID (this will be your
APPLE_CLIENT_ID) - Enable "Sign In with Apple" for this Service ID
- Configure the callback URL (must match
APPLE_CALLBACK_URL)
- Create a new Service ID (this will be your
-
Generate a Private Key:
- Create a new key with "Sign In with Apple" enabled
- Download the private key file (.p8)
- Note the Key ID (
APPLE_KEY_ID)
2. Environment Configuration
Add the following variables to your environment configuration:
# Apple OAuth Configuration
APPLE_CLIENT_ID=com.yourcompany.devana
APPLE_TEAM_ID=ABC123DEF4
APPLE_KEY_ID=XYZ987ABC1
APPLE_CALLBACK_URL=https://your-domain.com/auth/apple/callback
3. Private Key Setup
The Apple private key (.p8 file) needs to be accessible to your application. You can either:
Option A: Environment Variable Convert the private key to base64 and store it as an environment variable:
base64 -i AuthKey_XYZ987ABC1.p8 | tr -d '\n'
Option B: File System Place the private key file in a secure location accessible by your application and reference it in your configuration.
4. Whitemark Configuration
Configure your whitemark to include Apple as an allowed provider:
{
"allowedProviders": ["APPLE"],
"registrationType": ["SSO"]
}
Authentication Flow
- User clicks "Sign in with Apple" button
- User is redirected to Apple's authentication page
- User authenticates with their Apple ID
- Apple redirects back to your callback URL with authorization code
- Application exchanges code for user information
- User is created/updated in Devana.ai and logged in
User Data Mapping
Apple provides limited user information:
| Apple Field | Devana.ai Field | Notes |
|---|---|---|
email | email | Primary identifier |
name.firstName | firstName | May be empty on subsequent logins |
name.lastName | lastName | May be empty on subsequent logins |
user | providerId | Unique Apple user identifier |
Security Features
- CSRF Protection: State parameter validation prevents cross-site request forgery
- Session Management: Secure session handling with automatic cleanup
- Domain Validation: Authentication tied to specific whitemark domains
Troubleshooting
Common Issues
Invalid client_id:
- Verify
APPLE_CLIENT_IDmatches your Service ID exactly - Ensure the Service ID has "Sign In with Apple" enabled
Invalid redirect_uri:
- Callback URL must match exactly what's configured in Apple Developer Console
- URLs are case-sensitive and must include protocol (https://)
Invalid key:
- Verify
APPLE_KEY_IDmatches your private key - Ensure
APPLE_TEAM_IDis correct - Check that the private key file is accessible and valid
No email in profile:
- Apple may not provide email on subsequent logins
- Consider prompting users to verify their email address
Testing
- Enable Apple SSO in your whitemark configuration
- Navigate to your login page
- Click "Sign in with Apple"
- Complete authentication with a test Apple ID
- Verify user is created and logged in successfully
Notes
- Important : L'authentification Apple nécessite une validation complète en environnement de production. Veuillez effectuer des tests exhaustifs avant tout déploiement client.
- Apple users may see different privacy options that can affect data availability
- First-time logins typically provide more user information than subsequent logins