Sign-in with Apple (Optional)
End users might want to use their Apple accounts to log in to RainMaker mobile apps.
This section describes the steps required to configure the Apple sign-in for the end users.
Prerequisites
An Apple developer account has been created and the developer program enrollment is complete. (Reference: https://developer.apple.com/programs/enroll/)
ESP-RainMaker-Core is deployed.
Custom domain is created. (Reference: Configuring custom domain)
Steps to Configure Apple Sign In
Configurations in Apple Developer Account
Create an App ID from the Apple Developer console, if not created already.
Click on Keys in the left section.
Click on the + button to add a new key.
- Provide a key name and select Sign in with Apple.
Click on the Configure button on the right of "Sign in with Apple".
Select your Primary App ID. The Primary App ID should be of the format "<teamId>.<bundleId>". The Team ID and Bundle ID were noted down in step 1.
Press Save to save the configuration.
On the "Register a New Key" page, click on Continue.
Review the configuration. Click on Register to create a new key.
Take note of the Key ID and download the key file. Both will be required while configuring Apple as Identity Provider via the RainMaker Dashboard.
Click on Identifiers, then click on the + button.
- Select Services IDs from the list, then Continue.
On the Register a Services ID page, select the Sign in with Apple checkbox to enable the service, and then select Configure.
Provide an identifier and description for your service.
Take note of the identifier (Services ID). The Services ID will be required while configuring Apple as Identity Provider via the RainMaker Dashboard.
Click on Register to register the Services ID.
After registering the Services ID, go back to Identifiers. Click on the Services ID that you registered in the step above.
Enable 'Sign In With Apple' and click on the Configure button.
Configure your domain:
Standard RainMaker
- Enter your Amazon Cognito domain: https://<your-company-domain>.auth.<aws-region>.amazoncognito.com
OAuth only RainMaker
- Enter your HTTP Base URL (without the stage).
Configure your Return URLs:
Standard RainMaker
- Enter your Amazon Cognito domain followed by the IdP response path: https://<your-company-domain>.auth.<aws-region>.amazoncognito.com/oauth2/idpresponse
OAuth only RainMaker
- Get your HTTP API Endpoint.
- Redirect URI: {HTTP API Endpoint}/cognitocallback
For standard RainMaker, the domain here should be the one created in AWS Cognito, and the return URL should be "https://<domain>/oauth2/idpresponse".
Configure Apple as Identity Provider via the RainMaker Dashboard
- Log in to the RainMaker Dashboard with your admin account. Go to deployment settings.
- Go to the Identity Providers tab.
- Click on the '+' icon to add an Identity Provider configuration.
- Choose "SignInWithApple" from the "Identity Provider" dropdown.
- Provide the Client ID, i.e. the Services ID noted in step 15 of the "Configurations in Apple Developer Account" section.
- Enter "Apple" as the Provider Name.
- Provide the Key ID noted in steps 1 and 10 of the "Configurations in Apple Developer Account" section.
- Provide the Team ID noted in step 1 (Creating App ID).
- Provide the content of the private key file downloaded in step 10 of the "Configurations in Apple Developer Account" section.
Enable Apple as an Identity Provider
Note: This is not relevant for OAuth only RainMaker.
- Log in to the RainMaker Dashboard with your admin account. Go to deployment settings.
- Go to the Identity Configurations tab.
- Enable the 'signinwithapple' identity provider for the clients that need it. Users of those clients can then sign in using Apple.
Configuring callback URLs (Redirect URIs)
The callback URL indicates where the user is redirected after a successful sign-in using a third-party authentication service. After the user successfully signs up using one of these third-party services, the user is redirected to one of these URLs.
If users are to be redirected to your phone app, you should form the callback URL for your app. To form the callback URLs (Redirect URLs) for an iOS app, please check Getting Redirect URL for iOS app.
Configure the callback URLs in RainMaker dashboard with steps given here: Configuring callback URL
Verifying Sign-in With Apple
Note: For OAuth only RainMaker, refer to these steps instead.
This section describes the steps to verify that Sign-in with Apple is configured correctly.
- Log in to the AWS Console, go to the Cognito service and click on User Pools to get the list of all user pools.
- Click on "rainmaker-user-email-mobile-pool".
- Go to App integration and scroll down to the App client list.
- Click on rainmaker-user-email-mobile-pool-client to open the App client information.
- Scroll down and click on View Hosted UI.
- In the launched Hosted UI, you will be shown multiple sign-in options.
- Click on Continue with Apple.
- Enter your Apple ID and password.
- After you click the Next button, you will be redirected to the callback URL configured in the Cognito App client settings, and you will see an authorization code in the browser URL.
Note: In this example, we have configured Espressif’s home page as the callback URL, so the redirection happened to this page.
Email Relay Service
Apple’s private email relay service is used by privacy-conscious users who keep their personal email address private when setting up an account. In order to send email messages through the relay service to these users, you will need to register your outbound email domains, subdomains, or email addresses. All registered domains must publish Sender Policy Framework (SPF) DNS TXT records for mail to pass through Apple’s private mail relay.
To check if your organization's email domain has an SPF record:
- Go to https://dnschecker.org/spf-record-validation.php
- Enter your email domain and click on Validate.
- Scroll down to the result. A successful validation means that an SPF record exists for your email domain.
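As an added example (not the page's or Apple's tooling), the Go function below performs the same SPF sanity check offline on the TXT strings a resolver returns for the domain: it expects exactly one v=spf1 record, counts the top-level terms that trigger DNS lookups against the RFC 7208 limit of ten, and reports the qualifier on the terminal "all" mechanism. The type and function names are mine.

```go
package main

import "strings"

// SPFReport is what LintSPF found in one domain's TXT records.
type SPFReport struct {
	Record   string   // the v=spf1 record that was evaluated (the last one, if several exist)
	Lookups  int      // top-level terms that cost a DNS lookup; RFC 7208 caps these at 10
	AllQual  string   // qualifier on the "all" mechanism ("+", "-", "~" or "?"); empty if absent
	Problems []string // findings to fix before registering the domain for the relay
}
// Mechanisms and modifiers that count against the 10-lookup limit (top-level terms only; includes are not followed).
var lookupTerms = map[string]bool{"a": true, "mx": true, "ptr": true, "exists": true, "include": true, "redirect": true}

// LintSPF takes the TXT strings published at a domain (fetched with any resolver) and checks for one well-formed SPF record.
func LintSPF(txt []string) SPFReport {
	var rep SPFReport
	for _, t := range txt {
		if l := strings.ToLower(t); l == "v=spf1" || strings.HasPrefix(l, "v=spf1 ") {
			if rep.Record != "" {
				rep.Problems = append(rep.Problems, "more than one v=spf1 record: receivers return permerror")
			}
			rep.Record = t
		}
	}
	if rep.Record == "" {
		rep.Problems = append(rep.Problems, "no v=spf1 TXT record published")
		return rep
	}
	for _, term := range strings.Fields(strings.ToLower(rep.Record))[1:] {
		qual := "+" // a mechanism without an explicit qualifier means "+" (pass)
		if strings.ContainsAny(term[:1], "+-~?") {
			qual, term = term[:1], term[1:]
		}
		// the mechanism or modifier name is everything before the first ":", "=" or "/"
		name := strings.SplitN(strings.NewReplacer("=", ":", "/", ":").Replace(term), ":", 2)[0]
		switch {
		case name == "all":
			rep.AllQual = qual
		case lookupTerms[name]:
			rep.Lookups++
		}
	}
	if rep.Lookups > 10 {
		rep.Problems = append(rep.Problems, "more than 10 DNS-lookup terms: evaluation fails with permerror")
	}
	if rep.AllQual == "" {
		rep.Problems = append(rep.Problems, "no \"all\" mechanism: unmatched senders get an implicit neutral result")
	}
	return rep
}
```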
Steps to add a Domain:
- In Certificates, Identifiers & Profiles, select More from the sidebar, and click Configure Sign in with Apple for Email Communication.
- In the Email Sources section, click the Add button (+) in the upper-left corner.
- Enter a comma-delimited list of domains, subdomains and unique email addresses that will be used for email communication and click Next.
- Confirm your entered email sources and click Register.
- The table displayed will indicate whether each registered email source passed the SPF check.