Problem/Motivation

Sign in with Apple supports OpenID Connect, so it would be great if support for this could be included in a submodule like the Google support is. This would be a big help to mobile app developers using Drupal who want to integrate the platform sign-in functionality on iOS.

Proposed resolution

Add support for Sign in with Apple, which supports OpenID Connect.

Comments

ptmkenny created an issue.

ptmkenny’s picture

I have started to create my own provider in `MYMODULE/src/Plugin/OpenIDConnectClient/OpenIDConnectAppleClient.php`.

With this code, I get an Apple sign in page and can log in with my Apple account, but I get an "access denied" error when I am returned to my site at `https://mysite.lndo.site/openid-connect/apple`.

```php
<?php

namespace Drupal\MYMODULE\Plugin\OpenIDConnectClient;

use Drupal\Core\Form\FormStateInterface;
use Drupal\openid_connect\Plugin\OpenIDConnectClientBase;

/**
 * Apple OpenID Connect client.
 *
 * Implements OpenID Connect Client plugin for Apple.
 *
 * @OpenIDConnectClient(
 *   id = "apple",
 *   label = @Translation("Sign in with Apple")
 * )
 */
class OpenIDConnectAppleClient extends OpenIDConnectClientBase {

  /**
   * {@inheritdoc}
   */
  public function buildConfigurationForm(array $form, FormStateInterface $form_state) {
    $form = parent::buildConfigurationForm($form, $form_state);

    $url = 'https://developer.apple.com/';
    $form['description'] = [
      '#markup' => '<div class="description">' . $this->t('Set up your app at <a href="@url" target="_blank">Apple Developer</a>.', ['@url' => $url]) . '</div>',
    ];

    return $form;
  }

  /**
   * {@inheritdoc}
   */
  public function getEndpoints() {
    // Data from https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api
    return [
      'authorization' => 'https://appleid.apple.com/auth/authorize?&response_mode=form_post',
      'token' => 'https://appleid.apple.com/auth/token',
      // Apple does not provide a userinfo endpoint.
      'userinfo' => '',
    ];
  }

}
```

berramou’s picture

The route `openid_connect.redirect_controller_redirect` with the path `/openid-connect/{client_name}` has `_custom_access: '\Drupal\openid_connect\Controller\OpenIDConnectRedirectController::access'`, so you should check why this function returns `AccessResult::forbidden();`

```php
  public function access() {
    // Confirm anti-forgery state token. This round-trip verification helps to
    // ensure that the user, not a malicious script, is making the request.
    $request = $this->requestStack->getCurrentRequest();
    $state_token = $request->get('state');
    if ($state_token && $this->stateToken->confirm($state_token)) {
      return AccessResult::allowed();
    }
    return AccessResult::forbidden();
  }
```
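
To see which of the two conditions in the `access()` check quoted above can produce the "access denied" result, the following stand-alone script reproduces the same allow/forbid decision and names the failing condition. It is an added example, not part of the thread or of the openid_connect module. `StateStore`, `check_access()`, the `state_token` session key and the callback requests are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not code from the openid_connect module.
// StateStore is a hypothetical stand-in for the module's state token
// service; its array plays the role of the visitor's session.
final class StateStore {
  private array $session;

  public function __construct(array $session = []) {
    $this->session = $session;
  }

  public function create(): string {
    $this->session['state_token'] = bin2hex(random_bytes(32));
    return $this->session['state_token'];
  }

  public function confirm(string $token): bool {
    $stored = $this->session['state_token'] ?? NULL;
    // Constant-time comparison of the stored and the returned token.
    return is_string($stored) && hash_equals($stored, $token);
  }
}

// Same decision as access(), but reporting which condition failed.
// $params is the merged query string and POST body of the callback.
function check_access(StateStore $store, array $params): string {
  $state = $params['state'] ?? NULL;
  if (!is_string($state) || $state === '') {
    return 'forbidden: no state parameter in the request';
  }
  if (!$store->confirm($state)) {
    return 'forbidden: state does not match the session';
  }
  return 'allowed';
}

$session = new StateStore();
$state = $session->create();  // Sent to the provider in the authorization URL.

// Constructed callback requests, one per outcome.
$cases = [
  'state echoed back, same session' => [$session, ['code' => 'c1', 'state' => $state]],
  'state missing from callback' => [$session, ['code' => 'c1']],
  'state altered in transit' => [$session, ['code' => 'c1', 'state' => $state . 'x']],
  'session not available on callback' => [new StateStore(), ['code' => 'c1', 'state' => $state]],
];
foreach ($cases as $label => [$store, $params]) {
  echo str_pad($label, 36), check_access($store, $params), PHP_EOL;
}
```

Logging the same two conditions separately on the real callback shows whether the request arrived without `state` or without the session that stored it.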