An out-of-the-box feature, the Apple Authentication script is a PersonAuthenticationType script which enables a user to sign-in using Apple credentials. After users authenticate using their Apple credentials, their Apple credentials are provisioned into the Jans-auth server.

• A Jans-auth Server (installation instructions here)
• The Google authentication script (included in the default Jans-auth Server distribution);
• An Apple Developer account.
• Google API jars namely google-api-client, google-oauth-client and google-http-client-jackson2 added to jans-auth-server

If your org has signed up for the Developer Program or the Enterprise program, you need to be the owner or admin of the Apple Developer Account.

1. Navigate to Certificates, IDs and Profiles > Identifiers > Add Identifiers > Service IDs (Service ID is analogous to client_id)
2. Edit your Service ID configuration and enable the "Sign in with Apple" option
3. Configure the "Return URL" to https://<yor.jans.server>/oxauth/postlogin.xhtml

On the following page, https://console.cloud.google.com/apis/credentials, you will see a table containing your recently created client. Click on the download button and download the JSON file containing details of the Client. Place this file in /etc/certs/google_client_secret.json

1. Copy the library files to /opt/jans/jetty/jans-auth/custom/libs

• cd /opt/jans/jetty/jans-auth/custom/libs
• wget https://repo1.maven.org/maven2/com/google/api-client/google-api-client/1.33.2/google-api-client-1.33.2.jar -O google-api-client-1.33.2.jar
• wget https://repo1.maven.org/maven2/com/google/oauth-client/google-oauth-client/1.33.1/google-oauth-client-1.33.1.jar -O google-oauth-client-1.33.1.jar
• wget https://repo1.maven.org/maven2/com/google/http-client/google-http-client-jackson2/1.41.5/google-http-client-jackson2-1.41.5.jar -O google-http-client-jackson2-1.41.5.jar

2. Edit /opt/jans/jetty/jans-auth/webapps/oxauth.xml and add the following line:

   <Set name="extraClasspath">./custom/libs/google-oauth-client-1.33.1.jar,./custom/libs/google-api-client-1.33.2.jar,./custom/libs/google-http-client-jackson2-1.41.5.jar</Set></Configure>
   

3. Restart the jans-auth service
   systemctl status jans-auth

The custom script has the following properties:

To update this setting in Jans persistence, follow this link

By default, users will get the default authentication mechanism as specified above. However, using the OpenID Connect acr_values parameter, web and mobile clients can request any enabled authentication mechanism.

Obtain the json contents of google custom script by using a jans-cli command like get-config-scripts-by-type, get-config-scripts-by-inum etc.

e.g : /opt/jans/jans-cli/config-cli.py --operation-id get-config-scripts-by-type --url-suffix type:PERSON_AUTHENTICATION , /opt/jans/jans-cli/config-cli.py --operation-id get-config-scripts-by-inum --url-suffix inum:6122281b-b55d-4dd0-8115-b098eeeee2b7

Update the custom script and change the enabled attribute to true Now Google is an available authentication mechanism for your Janssen Server. This means that, using OpenID Connect acr_values, applications can now request Google authentication for users.

!!! Note To make sure FIDO2 has been enabled successfully, you can check your Janssen's Auth Server OpenID Connect configuration by navigating to the following URL: https:///.well-known/openid-configuration. Find "acr_values_supported": and you should see "google".

Use this link as a reference.

Steps:

1. Create a file say google-auth-default.json with the following contents

{
  "defaultAcr": "google"
}

2.Update the default authentication method to Google Sign-in

/opt/jans/jans-cli/config-cli.py --operation-id put-acrs --data /tmp/google-auth-default.json

📝 NOTE

To make sure google has been enabled successfully as a default authentication method, you can check your Gluu Server's OpenID Connect configuration by navigating to the following URL: https://<hostname>/.well-known/openid-configuration. Find "acr_values_supported": and you should see "google".