How we conquered Sign In with Apple at Parallels


I think many of you have already heard of Sign In with Apple (SIWA for short) since WWDC 2019. In this article I will describe the specific pitfalls I ran into while integrating it into our licensing portal. It is not really aimed at those who are only now starting with SIWA (for them I have collected a few introductory links at the end of the text), but many will probably find here answers to questions that come up when integrating Apple's new service.

Apple does not allow custom redirects

Actually, I still have not seen an answer to this question on the developer forums. The gist is this: if you want to use the SIWA JS API, i.e. not go through the native SDK because it is unavailable for one reason or another (not macOS/iOS, or older versions of those systems), you need your own public web portal; there is no other way. On the WWDR portal you have to register your domain and verify that you own it, and only that domain can be used in the redirects Apple approves.

What if you want to intercept the redirect in the application itself? We solved this very simply: on our portal we keep a list of valid redirects for each of our applications, which the application specifies before the SIWA authorization page is shown. The portal then simply redirects to the application, passing along the data received from Apple. Simple and effective.
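An added example (not Parallels' code) of the portal-side half of that scheme: an application may only receive the forwarded Apple response at a redirect it registered beforehand, matched exactly rather than by prefix, so the portal cannot be turned into a generic open redirect. The app ids, redirect URIs and the response fields are constructed placeholders.

```python
from urllib.parse import urlsplit, urlencode

# Constructed allowlist: every application registers the exact redirect
# URIs it is willing to receive (placeholder values, not a real config).
APP_REDIRECTS = {
    "desktop-app": ["myapp://siwa/callback", "http://127.0.0.1:49152/siwa"],
    "other-app": ["https://app.example.com/siwa/callback"],
}

# Fields Apple posts back to the verified portal domain (form_post mode);
# "user" (name/e-mail JSON) is present only on the very first authorization.
FORWARDED_FIELDS = ("code", "id_token", "state", "user")


def is_allowed_redirect(app_id: str, requested: str) -> bool:
    """Exact, case-sensitive match against the app's registered list.

    Prefix matching or host-only checks would accept URIs the app never
    registered, so the comparison is on the whole string; fragments are
    rejected because the forwarded query must not be hidden behind a '#'.
    """
    parts = urlsplit(requested)
    if not parts.scheme or parts.fragment:
        return False
    return requested in APP_REDIRECTS.get(app_id, [])


def build_app_redirect(app_id: str, requested: str, apple_response: dict) -> str:
    """Build the portal -> application redirect carrying Apple's response.

    Raises ValueError instead of redirecting when the target is unknown, so a
    failed check never leaks the authorization code anywhere.
    """
    if not is_allowed_redirect(app_id, requested):
        raise ValueError(f"redirect {requested!r} is not registered for {app_id!r}")
    forwarded = {k: apple_response[k] for k in FORWARDED_FIELDS if k in apple_response}
    separator = "&" if urlsplit(requested).query else "?"
    return requested + separator + urlencode(forwarded)
```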

Problems with e-mail

Let's look at how we solved the problems with the user's e-mail. Firstly, there is no REST API that lets the backend fetch this information: only the client receives this data and can pass it on together with the authorization code.

Secondly, the user's name and e-mail are transmitted only once, on the user's very first login to the application through Apple, when the user chooses which personal data to share.

By themselves, these problems are not critical as long as the link to the social profile was successfully created on the portal: the user ID is stable and is tied to the Team ID, i.e. it is the same across all of your team's applications integrated with SIWA. But if the login through Apple succeeded and then an error occurred further down the path, so that the link on the portal was never created, the only option is to send the user to appleid.apple.com, have them revoke the app's access, and try again. In practice we solved this by writing a KB article and linking to it.

The next, more annoying, problem is Apple's new e-mail proxy concept. In our case, if a user already existed on the licensing portal with a real e-mail and on the first login through Apple chose the option to hide their e-mail, a new account was registered under the proxy e-mail, which of course holds no licenses, leaving the end user at a dead end.

The solution is quite simple: since the user ID in SIWA is the same regardless of the chosen options or the application in which the sign-in happens, we simply use a special script to move the Apple link to the other account with the user's real e-mail, thereby "restoring purchases". After this procedure the user lands in the other portal account when signing in through SIWA and everything works correctly for them.
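An added example (not Parallels' own script) showing both points above in one small portal model: accounts are keyed by Apple's stable user identifier (the `sub` claim), name and e-mail are stored only when Apple actually delivers them, a first-time login that arrives without an e-mail is refused with the appleid.apple.com guidance, and `relink` moves the Apple link from the proxy-mail account to the real one. Account ids, e-mails and the relay-detection helper are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional

PRIVATE_RELAY_DOMAIN = "@privaterelay.appleid.com"  # Apple's hidden-e-mail domain


def is_private_relay(email: str) -> bool:
    return email.lower().endswith(PRIVATE_RELAY_DOMAIN)


@dataclass
class Account:
    account_id: str
    email: str
    apple_sub: Optional[str] = None
    name: Optional[str] = None


class Portal:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}   # account_id -> Account
        self.by_sub: Dict[str, str] = {}         # Apple sub -> account_id

    def siwa_login(self, sub: str, email: Optional[str] = None,
                   name: Optional[str] = None) -> Account:
        """Handle what the client forwards after Apple's callback.

        `sub` is stable per Team ID; e-mail/name arrive only on the first
        authorization, so an existing link is never overwritten by a later
        login that carries no profile data.
        """
        if sub in self.by_sub:
            return self.accounts[self.by_sub[sub]]
        if email is None:
            # First contact without profile data: the link can only be created
            # after the user revokes the app at appleid.apple.com and retries.
            raise LookupError("no portal link for this Apple ID and no e-mail supplied")
        acct = Account(f"acct-{len(self.accounts) + 1}", email, apple_sub=sub, name=name)
        self.accounts[acct.account_id] = acct
        self.by_sub[sub] = acct.account_id
        return acct

    def relink(self, sub: str, target_account_id: str) -> Account:
        """Move the Apple link to the account that really holds the licenses."""
        self.accounts[self.by_sub[sub]].apple_sub = None
        target = self.accounts[target_account_id]
        target.apple_sub = sub
        self.by_sub[sub] = target_account_id
        return target
```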

When signing in through the web portal, there is no application icon

To solve another problem we turned to Apple representatives for clarification; here is what we learned:

https://forums.developer.apple.com/thread/123054

In short: only a macOS/iOS app that already has the required portal service IDs added can be placed at the head of a SIWA group. So for the main app's icon to be displayed, that app must have versions published in the App Store with media verified by Apple; the icon is taken from there.

Accordingly, if you only have a portal and no applications in the App Store, there will be no pretty icon, but you can get by with the application name: if the main application has no media, this information is taken from the Description field of the service ID.

The number of elements in a SIWA group is limited to 5

This problem currently has no solution other than using several groups. Once a group already holds 6 IDs (1 parent application and 5 dependents), an attempt to register the next one fails with an error message about the limit.

We created separate groups for our licensing portal and for each of the applications that work with it. As for the slot limit, we have already filed a radar with Apple and are awaiting their response.

Useful links

The most useful link, in my opinion, which I essentially followed for the whole integration. Apple's semi-useful documentation is here.

Enjoy! Questions, thoughts, ideas and suggestions are accepted in the comments.

Source: habr.com
