
Apple identity provider needs support to both web and mobile

Open Brunom50 opened this issue 3 years ago • 11 comments

Apple identity provider needs support to web and mobile

Description

When creating an Apple identity provider in FusionAuth, the documentation indicates that the configured serviceId must be a Service Id configured in the Apple console: https://fusionauth.io/docs/v1/tech/identity-providers/apple/. This works for a web integration of the Apple login.

On the other hand, when implementing the Apple login in mobile, the serviceId must be the bundleId of the application. In our case, we need to have Apple login available in both web and mobile applications. This presents an issue for our implementation because essentially we need to have two Apple identity providers configured in FusionAuth (which is not possible at the moment):

  • One for the web app with the FA serviceId configured with the Apple Service Id;
  • One for the mobile app with FA serviceId configured with the Apple Bundle Id.

Am I doing something wrong? How can I have a provider configured in FusionAuth that works both on mobile and on the web? Or does FusionAuth need new development, for example allowing multiple identity providers of the same type?

Related

  • https://github.com/FusionAuth/fusionauth-issues/issues/778
  • https://github.com/FusionAuth/fusionauth-issues/issues/1134

Brunom50 avatar May 28 '21 13:05 Brunom50

Probably a dup of https://github.com/FusionAuth/fusionauth-issues/issues/778

robotdan avatar May 28 '21 15:05 robotdan

As a test... is it possible to create two separate FusionAuth applications? One for mobile and one for web? And then in the Apple IdP configuration, use the overrides to change the service Id and Team Id to make it work?

If so, then could we just add a new field to the config for bundle Id and then add some additional parameter to the Identity Provider Login API such that we know which type of login you are doing?

Anyone from this thread of #778 open to testing this theory and providing us some feedback? Thanks!!

robotdan avatar May 29 '21 03:05 robotdan

@Brunom50 any chance you could assist with debugging the way @robotdan mentioned?

mooreds avatar Jun 04 '21 14:06 mooreds

Hey @mooreds. Sorry for the late response. I implemented @robotdan's suggestion and it's working as expected for both web and mobile Apple login.

Brunom50 avatar Jun 15 '21 16:06 Brunom50

Thanks for the update @Brunom50 - so I think this could be a workaround for those on this thread - assuming you can use separate applications.

And I think this means we could optionally just add another configuration for the Apple IdP and then allow the caller of the /api/identity-provider/login API to indicate which mode to utilize.

robotdan avatar Jun 15 '21 20:06 robotdan

This is all very confusing.

Under which circumstances do you need to use a bundle ID? We tried a bundle ID and it didn't seem to work, but the service ID did. 🤷‍♂️

glen-84 avatar May 27 '22 12:05 glen-84

@glen-84 Are you building a mobile app or a web app?

  • For web applications, the Service Id is the Apple Service Id.
  • For mobile applications, the Service Id is the Apple Bundle Id.

mooreds avatar May 27 '22 16:05 mooreds

@mooreds

Both. We followed the documentation, and used the bundle ID for the mobile app, but we got this:

image

When removing the override for mobile, and thus using the service ID, it worked.

I'm waiting to gain additional permissions in the Apple dev console, and then I'll have a closer look.

glen-84 avatar May 29 '22 14:05 glen-84

That looks like you are using the webview for Apple login on your mobile device. Is that correct?

mooreds avatar Jun 01 '22 03:06 mooreds

Yes. Is there a more mobile-specific way of doing it? I think it might be good to clarify in the docs that the bundle ID is not required in all (mobile) scenarios.

glen-84 avatar Jun 01 '22 11:06 glen-84

That's a great point! I haven't run through this scenario myself, but my understanding is if you are creating a native UX (using UIKit for example) then you need to use the bundleId as the serviceId. But if you are using a webview or the system browser, then you are back in the web world.

@Brunom50, you actually have implemented this. Is my understanding correct? If you can confirm, then I can update the documentation to be clearer.

mooreds avatar Jun 01 '22 15:06 mooreds

Internal

  • https://github.com/FusionAuth/fusionauth-app/pull/162

spwitt avatar Dec 09 '22 16:12 spwitt

Hello @Brunom50 and @glen-84!

I've just finished the changes for this feature. A brief summary:

  • Add bundleId to Apple IdP config and application override
  • The Apple IdP login API will continue to use servicesId by default
  • If you specify data.isNativeApp with a value of "true" (as a string) on your request, it will validate using bundleId instead of servicesId
  • In the isNativeApp case, redirect_uri is not required on the API request to FusionAuth
    • I believe the redirect_uri parameter is not required by Apple from native apps. Please correct me on that point if that's incorrect.
  • You should be able to specify both servicesId and bundleId on the main IdP configuration and get rid of the duplicate FusionAuth application and IdP settings override

No one on the FusionAuth team has much experience with iOS development. Would you be interested in testing this feature using an Early Access Program build before it officially releases?

spwitt avatar Dec 09 '22 18:12 spwitt
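
Added example, not FusionAuth's code: a Python sketch of the mode selection summarized in the comment above, assuming the identifier is compared with the `aud` claim of an Apple ID token whose signature has already been verified (Apple issues web tokens with the Services ID as `aud` and native-app tokens with the bundle ID). The function names, the config dict shape and the sample identifiers are hypothetical.

```python
APPLE_ISSUER = "https://appleid.apple.com"


class AppleLoginError(ValueError):
    """Raised when a login request fails validation."""


def expected_audience(idp_config, data):
    """Return (is_native, identifier the token's aud claim must match)."""
    # Following the comment above, only the string "true" selects native mode;
    # anything else (including a boolean) falls back to servicesId.
    native = data.get("isNativeApp") == "true"
    key = "bundleId" if native else "servicesId"
    value = idp_config.get(key)
    if not value:
        raise AppleLoginError(f"{key} is not configured for this login mode")
    return native, value


def validate_login(idp_config, data, verified_claims):
    """verified_claims: ID token payload whose signature was already checked."""
    native, audience = expected_audience(idp_config, data)
    # redirect_uri is only optional in the native case.
    if not native and not data.get("redirect_uri"):
        raise AppleLoginError("redirect_uri is required for web logins")
    if verified_claims.get("iss") != APPLE_ISSUER:
        raise AppleLoginError("unexpected issuer")
    aud = verified_claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        raise AppleLoginError(f"aud {aud!r} does not match {audience!r}")
    return "native" if native else "web"


# Constructed sample values, not real identifiers.
CONFIG = {"servicesId": "com.example.web", "bundleId": "com.example.ios"}
NATIVE_CLAIMS = {"iss": APPLE_ISSUER, "aud": "com.example.ios", "sub": "constructed-sub"}
WEB_CLAIMS = {"iss": APPLE_ISSUER, "aud": "com.example.web", "sub": "constructed-sub"}

if __name__ == "__main__":
    print(validate_login(CONFIG, {"isNativeApp": "true"}, NATIVE_CLAIMS))
    print(validate_login(CONFIG, {"redirect_uri": "https://example.com/cb"}, WEB_CLAIMS))
```

A token minted for the native app and submitted without `isNativeApp` fails the `aud` comparison, which matches the mismatch reported earlier in the thread when the wrong identifier was configured.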

@spwitt

> No one on the FusionAuth team has much experience with iOS development. Would you be interested in testing this feature using an Early Access Program build before it officially releases?

We're using a web-based (non-native) integration, so we won't be able to test this.

glen-84 avatar Dec 11 '22 14:12 glen-84

This is available in the early access build of 1.43.0 if anyone is interested to give it a go before the general release.

https://fusionauth.io/docs/v1/tech/admin-guide/releases#early-access-program

The gist of the current solution is outlined above by @spwitt (https://github.com/FusionAuth/fusionauth-issues/issues/1248#issuecomment-1344629086)

robotdan avatar Feb 02 '23 21:02 robotdan

Doc task completed. Closing issue.

spwitt avatar Feb 22 '23 22:02 spwitt