Sign in with Apple
Enable privacy-focused WiFi authentication on your captive portal using Sign in with Apple, supporting email relay and built-in two-factor authentication for iOS, macOS, and web users.
Overview
Sign in with Apple provides:
- Privacy-focused authentication for Apple users
- Email relay option for privacy
- Cross-platform support (iOS, macOS, web)
- Two-factor authentication built-in
Prerequisites
- IronWifi account with captive portal
- Apple Developer account ($99/year)
- App ID with Sign in with Apple capability
Why Sign in with Apple?
Benefits
- Required by Apple for apps with social login on iOS
- High trust among Apple users
- Real email or relay - user choice
- Built-in 2FA security
- No tracking by Apple
User Privacy
Users can choose:
- Share real email address
- Use Apple's private relay email
- Hide My Email generates unique address
Apple Developer Setup
Step 1: Create App ID
- Go to developer.apple.com
- Navigate to Certificates, Identifiers & Profiles
- Go to Identifiers > App IDs
- Click + to create new App ID
- Select App type
- Configure:
- Description: WiFi Portal
- Bundle ID: com.yourcompany.wifiportal
- Enable Sign in with Apple capability
- Click Continue and Register
Step 2: Create Service ID
For web authentication:
- Go to Identifiers > Service IDs
- Click + to create new Service ID
- Configure:
- Description: WiFi Portal Web
- Identifier: com.yourcompany.wifiportal.web
- Enable Sign in with Apple
- Click Configure
- Add:
- Primary App ID: Select your App ID
- Domains: auth.ironwifi.com
- Return URLs:
https://auth.ironwifi.com/callback/apple
- Save and register
Step 3: Create Key
- Go to Keys
- Click + to create new key
- Name: "WiFi Portal Sign in with Apple"
- Enable Sign in with Apple
- Configure and link to your App ID
- Register and download the key file (.p8)
- Note the Key ID
Step 4: Get Team ID
- In developer account, click account name
- Note your Team ID (10 characters)
IronWifi Configuration
Step 1: Add Apple Provider
- Log in to IronWifi Console
- Navigate to Networks > Captive Portals
- Select your captive portal
- Go to Authentication Providers
- Click Add Provider > Sign in with Apple
Step 2: Configure Credentials
Enter Apple credentials:
- Service ID: Your Service ID identifier
- Team ID: Your Apple Developer Team ID
- Key ID: Your Sign in with Apple key ID
- Private Key: Contents of the .p8 file
- Redirect URI:
https://auth.ironwifi.com/callback/apple
Step 3: Configure Options
Settings:
- Request Email: Ask for email address
- Request Name: Ask for name (first login only)
Data Collection
Available Data
Sign in with Apple provides:
| Field | Description |
|---|---|
| sub | Unique user identifier |
| email | Real or relay email |
| email_verified | Email verification status |
| is_private_email | Whether using relay |
| name | First and last name (first auth only) |
Important Notes
- Name only provided once: On first authorization
- Store the name: Won't be provided again
- Email may be relay: Handle @privaterelay.appleid.com
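The three notes above are easy to get wrong in practice, so here is an added example (not IronWifi's code) of merging an authorization response into a stored user record. It assumes the ID token claims listed in the Available Data table and, in Apple's web flow, a `user` form field that carries the name as a JSON string on the first authorization only. It also normalises `email_verified` and `is_private_email`, which Apple documents as arriving either as Booleans or as the strings "true"/"false". The sample responses are constructed.

```javascript
const RELAY_DOMAIN = 'privaterelay.appleid.com';

// Apple documents email_verified and is_private_email as either a Boolean or
// the strings "true"/"false", so normalise before comparing.
function asBool(value) {
  return value === true || value === 'true';
}

function isRelayEmail(email) {
  return typeof email === 'string' && email.toLowerCase().endsWith('@' + RELAY_DOMAIN);
}

// Merge one authorization response into the stored record for this Apple user.
// `claims` are the ID token claims; `userJson` is the `user` form field Apple
// sends only on the first authorization (name and email as a JSON string).
function recordFromAppleResponse(existing, { claims, userJson }) {
  if (typeof claims.sub !== 'string' || !claims.sub) throw new Error('response has no Apple user identifier');
  if (existing && existing.sub !== claims.sub) throw new Error('response belongs to a different Apple user');
  const record = existing
    ? { ...existing }
    : { sub: claims.sub, name: null, email: null, emailIsRelay: false, emailVerified: false };

  // Name: keep what was stored; overwrite only when Apple actually sends one.
  if (userJson) {
    let user = null;
    try { user = JSON.parse(userJson); } catch (e) { user = null; }
    if (user && user.name && (user.name.firstName || user.name.lastName)) {
      record.name = { first: user.name.firstName || '', last: user.name.lastName || '' };
    }
  }

  // Email: the user may have hidden it. Flag relay addresses, since mail to them
  // is only delivered from a sending domain registered with Apple (see
  // Handling Private Relay Email below).
  if (typeof claims.email === 'string' && claims.email) {
    record.email = claims.email;
    record.emailIsRelay = asBool(claims.is_private_email) || isRelayEmail(claims.email);
    record.emailVerified = asBool(claims.email_verified);
  }
  return record;
}

// Constructed sample: first authorization with Hide My Email, then a later login
// in which Apple no longer sends the name.
const first = recordFromAppleResponse(null, {
  claims: { sub: '001234.constructed', email: 'abc123def@privaterelay.appleid.com', email_verified: 'true', is_private_email: 'true' },
  userJson: JSON.stringify({ name: { firstName: 'Ada', lastName: 'Lovelace' }, email: 'abc123def@privaterelay.appleid.com' }),
});
const later = recordFromAppleResponse(first, {
  claims: { sub: '001234.constructed', email: 'abc123def@privaterelay.appleid.com', email_verified: true, is_private_email: true },
});
console.log(later);
```

Keying the record on `sub` rather than on the email address matters: the relay address is unique per user and app, and a user can revoke it or switch between relay and real email later, while `sub` stays stable.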
Handling Private Relay Email
What is Private Relay?
Apple's Hide My Email creates unique addresses:
abc123def@privaterelay.appleid.com
Sending to Relay Addresses
To send emails to relay addresses:
- Register your domain with Apple
- Add sending domain in Apple Developer
- Configure SPF/DKIM for your domain
Registration
- In Apple Developer, go to Services
- Find Sign in with Apple for Email Communication
- Register your domains and email addresses
- Configure DNS records as specified
Authentication Flow
User Experience
- Guest connects to WiFi
- Captive portal shows "Sign in with Apple" button
- Guest clicks, Apple login appears
- Authenticates with Apple ID (Face ID/Touch ID/password)
- Chooses to share or hide email
- Redirected back, access granted
Web vs Native
Web (Captive Portal):
- JavaScript SDK or redirect
- Works on any device with browser
Native iOS:
- AuthenticationServices framework
- Best experience on Apple devices
Splash Page Integration
Add Apple Button
<div class="social-login">
<a href="{{apple_auth_url}}" class="btn-apple">
<svg class="apple-logo"><!-- Apple logo --></svg>
Sign in with Apple
</a>
</div>
<style>
.btn-apple {
background: #000000;
color: white;
padding: 12px 24px;
border-radius: 4px;
font-family: -apple-system, BlinkMacSystemFont, sans-serif;
}
</style>
Apple Button Guidelines
Follow Apple's Human Interface Guidelines:
- Use official button styles
- Don't modify the Apple logo
- Maintain button proportions
- See Apple Design Resources
Token Handling
ID Token
Apple returns a JWT ID token:
{
"iss": "https://appleid.apple.com",
"sub": "001234.abc123...",
"aud": "com.yourcompany.wifiportal.web",
"exp": 1234567890,
"email": "user@example.com",
"email_verified": true,
"is_private_email": false
}
Token Validation
IronWifi validates:
- Token signature (using Apple's public keys)
- Issuer (https://appleid.apple.com)
- Audience (your Service ID)
- Expiration
Troubleshooting
Authorization Failed
Invalid Client:
- Verify Service ID matches
- Check Team ID
- Confirm key is correct
Invalid Redirect URI:
- URL must match exactly
- Check domain is registered
- Verify HTTPS
No Email Received
- User may have declined email sharing
- Store email from first authorization
- Email only provided on initial auth
Private Relay Issues
- Register domain with Apple
- Configure email authentication (SPF/DKIM)
- Verify sending domain approved
Security
Key Security
- Keep .p8 private key secure
- Don't commit to version control
- Rotate keys periodically
- Limit key access
Token Security
- Validate all tokens server-side
- Don't trust client-provided data
- Check token expiration
- Verify audience claim
Best Practices
- Store user data from first auth
- Handle relay emails properly
- Follow Apple guidelines for buttons
- Secure key storage
- Graceful fallbacks for errors
- Test on Apple devices