Integrate Apple as an identity provider with Pomerium using Apple's Sign in with Apple authentication service.
To complete this guide:
While we do our best to keep our documentation up to date, changes to third-party systems are outside our control. Refer to the Sign in with Apple developer docs as needed, or let us know if we need to re-visit this page.
Set up Apple
In your Account dashboard, go to Certificates, IDs, & Profiles.
Register an App ID
- Select Identifiers
- Create a new Identifier (+) and select App IDs
- For app type, select App
- Enter a Description
- For Bundle ID, select Explicit and enter a domain (for example,
- Under Capabilities, select Sign In with Apple
Register a Services ID
- Go back to Certificates, Identifiers & Profiles
- Select + and Services IDs
- Enter a Description and Identifier (for example,
- Register your Services ID
Edit your Services ID Configuration:
- Under the App ID dropdown, select Services IDs
- Select your Services ID
- Enable Sign In with Apple and select Configure
In the Web Authentication Configuration window:
- Select the Primary App ID
- In Domains and Subdomains, enter your authenticate service URL (for example,
- In Return URLs, enter your authenticate service URL and the /oauth2/callback path (for example,
- Select Continue and save your Service ID configuration
Create a signing key
- Go back to the Certificates, Identifiers & Profiles page
- From the sidebar, select Keys
- Create a new key (+)
- Under Register a New Key, enter a Key Name
- Select Sign in with Apple and Configure
- In Configure Key, select the Primary App ID
After successfully creating a signing key, Apple will prompt you to download your key.
Download the key and store it somewhere safe. You can only download it once and must pass in the key in order to generate your Client Secret (JWT).
Generate a signed JWT
Apple requires a signed JWT for the client secret.
- The algorithm used to sign the token. For Sign in with Apple, use
- A 10-character key identifier generated for the Sign in with Apple private key associated with your developer account.
- The 10-character Team ID associated with your Developer Account.
- Expiration time; must not exceed 15777000 (6 months in seconds) from the current UNIX time.
- https://appleid.apple.com. The audience claim identifies the intended recipient of the client secret.
- client_id. The subject identifies the principal that is the subject of the client secret. client_id must be the value of either the Services ID or the App ID.
To sign your JWT, use the signing key you downloaded earlier.
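As an added example (not code from the Pomerium docs or from Apple), the following Go program builds and signs the client secret described above using only the standard library. It assumes the standard Sign in with Apple JWT layout (ES256 with kid in the header; iss, iat, exp, aud and sub claims), and the key ID, Team ID and Services ID in main are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// MaxLifetime is Apple's cap on exp: 15777000 seconds (6 months) after iat.
const MaxLifetime int64 = 15777000

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// AppleClientSecret builds the client-secret JWT (alg/kid header; iss, iat, exp,
// aud, sub claims) and signs it ES256 with the downloaded P-256 key. keyID and
// teamID are the 10-character IDs, clientID the Services ID, now is UNIX seconds.
func AppleClientSecret(key *ecdsa.PrivateKey, keyID, teamID, clientID string, now, lifetime int64) (string, error) {
	if lifetime <= 0 || lifetime > MaxLifetime {
		return "", errors.New("exp must be within 15777000 seconds of iat")
	}
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": keyID})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": teamID, "iat": now, "exp": now + lifetime,
		"aud": "https://appleid.apple.com", "sub": clientID,
	})
	input := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 is raw R||S (32 bytes each), not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}

func main() {
	// Throwaway key for demonstration; placeholder IDs below are constructed, not real.
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tok, err := AppleClientSecret(key, "KEYID12345", "TEAMID1234", "com.example.pomerium-signin", time.Now().Unix(), 180*24*3600)
	fmt.Println(tok, err)
}
```

To sign with the key you downloaded from Apple, parse the PEM-encoded PKCS#8 file with x509.ParsePKCS8PrivateKey and pass the resulting *ecdsa.PrivateKey instead of the throwaway key.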
Once you've generated a signed JWT, you can configure Pomerium.
Set up Pomerium
In your Pomerium configuration file, add the following identity provider settings:
Access a route defined in your configuration file.
Apple should prompt you to sign in:
If you get a 403 response when accessing a route that your policy should permit, check that the expected claims are included in your Apple JWT.
For example, the minimal claims defined by Apple exclude