Sign in with Apple Script - maduvena/jans-docs GitHub Wiki
An out-of-the-box feature, the Apple Authentication script is a PersonAuthenticationType script which enables a user to sign in using Apple credentials. After users authenticate with their Apple credentials, those credentials are provisioned into the Jans-auth server.
- A Jans-auth Server (installation instructions here)
- The Google authentication script (included in the default Jans-auth Server distribution)
- An Apple Developer account
- Google API jars, namely google-api-client, google-oauth-client and google-http-client-jackson2, added to jans-auth-server
If your org has signed up for the Developer Program or the Enterprise program, you need to be the owner or admin of the Apple Developer Account.
- Navigate to Certificates, IDs and Profiles > Identifiers > Add Identifiers > Service IDs (a Service ID is analogous to `client_id`)
- Edit your Service ID configuration and enable the "Sign in with Apple" option
- Configure the "Return URL" to `https://<your.jans.server>/oxauth/postlogin.xhtml`
On the following page, https://console.cloud.google.com/apis/credentials, you will see a table containing your recently created client. Click on the download button and download the JSON file containing details of the client.
Place this file in `/etc/certs/google_client_secret.json`.
- Copy the library files to `/opt/jans/jetty/jans-auth/custom/libs`:

```bash
cd /opt/jans/jetty/jans-auth/custom/libs
wget https://repo1.maven.org/maven2/com/google/api-client/google-api-client/1.33.2/google-api-client-1.33.2.jar -O google-api-client-1.33.2.jar
wget https://repo1.maven.org/maven2/com/google/oauth-client/google-oauth-client/1.33.1/google-oauth-client-1.33.1.jar -O google-oauth-client-1.33.1.jar
wget https://repo1.maven.org/maven2/com/google/http-client/google-http-client-jackson2/1.41.5/google-http-client-jackson2-1.41.5.jar -O google-http-client-jackson2-1.41.5.jar
```
- Edit `/opt/jans/jetty/jans-auth/webapps/oxauth.xml` and add the following line inside the `<Configure>` element, just before its closing tag:

```xml
<Set name="extraClasspath">./custom/libs/google-oauth-client-1.33.1.jar,./custom/libs/google-api-client-1.33.2.jar,./custom/libs/google-http-client-jackson2-1.41.5.jar</Set>
</Configure>
```
- Restart the `jans-auth` service and check that it came back up:

```bash
systemctl restart jans-auth
systemctl status jans-auth
```
The custom script has the following properties:

Property | Description | Input value
---|---|---
google_creds_file | Details of the client created on https://console.cloud.google.com/apis/credentials. See this step. | /etc/certs/google_client_secret.json
To update this setting in Jans persistence, follow this link
By default, users will get the default authentication mechanism as specified above. However, using the OpenID Connect acr_values parameter, web and mobile clients can request any enabled authentication mechanism.
Obtain the JSON contents of the Google custom script by using a jans-cli command such as `get-config-scripts-by-type` or `get-config-scripts-by-inum`, e.g.:

```bash
/opt/jans/jans-cli/config-cli.py --operation-id get-config-scripts-by-type --url-suffix type:PERSON_AUTHENTICATION
/opt/jans/jans-cli/config-cli.py --operation-id get-config-scripts-by-inum --url-suffix inum:6122281b-b55d-4dd0-8115-b098eeeee2b7
```

Update the custom script and change the `enabled` attribute to `true`.
Now Google is an available authentication mechanism for your Janssen Server. This means that, using OpenID Connect acr_values, applications can now request Google authentication for users.
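As an added example (not part of this wiki page or the jans-auth script), the following Python shows what a relying party does with the two facts above: it checks that the server's discovery document lists the acr it wants, requests it via `acr_values`, and afterwards verifies that the ID token really reports that acr and the nonce it sent. The discovery document and client values are constructed sample data; the hostname `jans.example.test` is a placeholder.

```python
import json
import secrets
from urllib.parse import urlencode

# Constructed sample of a Janssen discovery document
# (https://<hostname>/.well-known/openid-configuration); the host is a placeholder.
DISCOVERY = json.loads("""{
  "issuer": "https://jans.example.test",
  "authorization_endpoint": "https://jans.example.test/jans-auth/restv1/authorize",
  "acr_values_supported": ["simple_password_auth", "google"]
}""")


def build_authorization_url(discovery, client_id, redirect_uri, acr):
    """Return (url, state, nonce); refuse acrs the server does not advertise."""
    if acr not in discovery.get("acr_values_supported", []):
        raise ValueError(f"server does not advertise acr {acr!r}")
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "acr_values": acr,  # ask for the Google authentication mechanism
        "state": state,
        "nonce": nonce,
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params), state, nonce


def check_id_token_claims(claims, discovery, client_id, expected_acr, expected_nonce):
    """Return the names of failed checks on an already signature-verified ID token payload."""
    failures = []
    if claims.get("iss") != discovery["issuer"]:
        failures.append("iss")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        failures.append("aud")
    if claims.get("nonce") != expected_nonce:
        failures.append("nonce")
    # Requesting an acr does not guarantee it was used: the server may have
    # authenticated the user with another mechanism, so check the acr claim.
    if claims.get("acr") != expected_acr:
        failures.append("acr")
    return failures
```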
!!! Note
    To make sure Google authentication has been enabled successfully, you can check your Janssen Auth Server's OpenID Connect configuration by navigating to the following URL: https://<hostname>/.well-known/openid-configuration. Find `"acr_values_supported":` and you should see `"google"`.
Use this link as a reference.
Steps:

1. Create a file, say `/tmp/google-auth-default.json`, with the following contents:

```json
{
  "defaultAcr": "google"
}
```

2. Update the default authentication method to Google Sign-in:

```bash
/opt/jans/jans-cli/config-cli.py --operation-id put-acrs --data /tmp/google-auth-default.json
```
📝 NOTE
To make sure `google` has been enabled successfully as a default authentication method, you can check your Gluu Server's OpenID Connect configuration by navigating to the following URL: https://<hostname>/.well-known/openid-configuration. Find `"acr_values_supported":` and you should see `"google"`.