
At Worldwide Developers Conference (WWDC) in June, Apple announced a new product: Sign in with Apple. With the imminent release of iOS 13 on September 19, Apple has updated the App Store Review Guidelines and they now require any new applications that use third-party or social login services to offer Sign in with Apple as an equivalent option. Existing applications will be required to comply by April 2020. You can read more about this change on Apple's developer site.

We know many Unity developers depend on third-party sign-in services. To make complying with these new guidelines easier, we have created a new asset store package. You can add the package to new or existing projects to leverage the new Sign in with Apple feature easily.

Below you will find the following:

  1. A step-by-step guide to using the new Asset Store plugin
  2. Links to important guidelines
  3. For more advanced use cases, an overview of how you can perform server-side validation

Player identity is a core part of many mobile games and is increasingly important in the context of player privacy. Whether you maintain an in-house system or rely on third-party login services, we want to help make the player experience more seamless while providing flexibility for game developers. With that in mind, we also want to take this opportunity to share plans for our upcoming User Authentication solution, available later this year.

Getting started

To get started with Sign in with Apple, we have created a new Asset Store package. Its purpose is to expose the newly added iOS 13 APIs required to use Sign in with Apple.

You will also need Xcode 11, which works on either macOS 10.14 (Mojave) or 10.15 (Catalina), and a device that has iOS 13.0 installed. You can find downloads for Xcode and iOS 13 here. We also recommend that you read and review the Sign in with Apple Getting Started Guide. This guide covers Apple's Human Interface Guidelines and App Store Review Guidelines. Your application will also need to have the Sign in with Apple capability enabled in Apple’s developer portal.

You can download the new package from the Unity Asset Store.

To use the package:

1. Import the package into an existing Unity project.

2. Create a script that has a callback to receive data about the login from Apple. See the sample script “SignInWithApple.cs” for an example of how the API is used.

3. Rebuild your Unity project and open the Xcode project created by Unity.

4. Within Xcode, the entitlements and framework dependencies need to be configured.

a. In the Project Settings, the “Sign in with Apple” capability must be added.

b. You must add the AuthenticationServices framework to the project. Mark this framework as optional if you plan to target prior versions of iOS, otherwise the app will fail to load on devices without the framework.

See the video below to help locate the steps described above.

Note: Xcode projects created with Unity 2019.2 or lower will not have the UnityFramework target. The AuthenticationServices framework should be added to the Unity-iPhone target instead.

5. With your project configured, you can now extract any data made available in the callbacks to be used with the project's existing codebase.

Server-side validation

For games or applications which also require server-side identity validation, you can pass the identityToken to a server for validation.

Apple's identityToken is a JSON Web Token (JWT) signed by Apple, so the client cannot forge it. To validate that the JWT was issued by Apple and is intended for your app, you must:

  • Apply the standard JWT validation (signature, issuer and expiry).
  • Check that the audience of the JWT is your app:
    • The token you get back from Sign in with Apple uses your iOS app ID as the audience. Your server side needs to validate the token to make sure it is intended for your app.

The Apple JWT payload claims are:

| Claim | Column Name | Type | Example | Description |
|---|---|---|---|---|
| iss | Issuer | string | https://appleid.apple.com | The value is always https://appleid.apple.com |
| aud | Audience | string | com.unity.testApp | The audience of the token. |
| exp | Expiration Time | number | 1568671600 | The expiration time in epoch (seconds since 1970-01-01 00:00:00Z) of the token. |
| iat | Issued At | number | 1568671000 | The time in epoch at which the token is issued. |
| sub | Subject | string | 001999.80b18c74c3264cad895d0eae181d8f50.1909 | The user ID of the authenticated user. |
| c_hash | Code Hash | string | agyAh42GdE-O72Y4HUHypg | The hash of the authorization code. It's only used when you need to validate the authorization code. |
| email | Email | string | xxx@privaterelay.appleid.com | The email address of the user. |
| email_verified | Email Verified | string | true | Whether the email is verified. Note that it's a string JSON type. |
| auth_time | Auth Time | number | 1568671000 | The time in epoch at which the authentication happened. |

There are JWT libraries available in most programming languages. These libraries can help you parse and validate the token.

If you use JavaScript (Node.js), the following example shows how to validate the token. It reads the token from stdin and tries to validate it. Replace "your.app.id" with your real app ID from Apple.

```javascript
const jwt = require('jsonwebtoken');
const jwksClient = require('jwks-rsa');
const fs = require('fs');

// Your iOS app ID; the token's aud claim must match it exactly.
const APP_ID = "your.app.id";

// Read the identity token handed over by the client from stdin.
const token = fs.readFileSync('/dev/stdin').toString().trim();
console.log(token); // echoes the raw token for debugging; remove in production

// Apple publishes its signing keys as a JWK Set; the token header's kid selects the key.
const client = jwksClient({
  jwksUri: 'https://appleid.apple.com/auth/keys'
});

function getApplePublicKey(header, callback) {
  client.getSigningKey(header.kid, function (err, key) {
    if (err) {
      return callback(err);
    }
    const signingKey = key.publicKey || key.rsaPublicKey;
    callback(null, signingKey);
  });
}

// Pin the algorithm to RS256 so the token header cannot pick a weaker one;
// jsonwebtoken also rejects the token if the exp claim is in the past.
jwt.verify(token, getApplePublicKey, { algorithms: ['RS256'] }, function (err, decoded) {
  if (err) {
    console.error(err);
    process.exit(1);
  }
  if (decoded.iss !== "https://appleid.apple.com") {
    console.error("unexpected issuer (iss claim): ", decoded.iss);
    process.exit(1);
  }
  if (decoded.aud !== APP_ID) {
    console.error("unexpected audience (aud claim): ", decoded.aud);
    process.exit(1);
  }
  console.log("Validated Apple token: ", decoded);
});
```

Looking forward

The upcoming User Authentication solution will consist of Unity hosted authentication and authorization APIs, a Unity package that implements login and key auth workflows independent of backend implementation, and a drop-in Prefab to address UX specific requirements such as those required by Sign in with Apple.

Our first release of User Authentication will provide support for authentication via email id/password and Sign in with Apple (including support on Android) as a federated identity provider. Additionally, this new solution will be extensible, enabling you to integrate any additional custom or third-party federated identity providers of your choice. User Authentication will allow you to configure identity providers across multiple platforms within the Unity Editor using a common, simplified API. This will reduce development time from weeks to days while also enabling you to provide your customers with more choices for authentication easily. As consumers become more privacy-conscious there will be a growing need for authentication alternatives.

The alpha release for User Authentication will be available later this year. Please sign up for early access.

September 19, 2019 in Engine & platform | 6 min. read
