Set up Apple as an identity provider

Last updated on July 20, 2024

Overview

You can connect your verified Apple Developer account to AccelByte Gaming Services (AGS) to enable Apple authentication in your game with the AGS SDK and in your publisher website with the AGS Player Portal. You may need to set up additional features within Apple services that are not listed here. We recommend contacting your Apple representative and reviewing the Apple Developer documentation.

important

This guide is intended for public use and contains limited information due to confidentiality. We recommend you refer to the full confidential guide first. Contact your AccelByte Technical Producer to request a copy of the guide.

Prerequisites

The prerequisites for enabling Apple as an identity provider vary as follows:

Web login integration

To set up web login integration, you must have:

• An Apple Developer account.
• An AGS Admin Portal account to set up authentication and manage permissions.
• A publisher namespace for your Player Portal and Launcher.
• A Player Portal.

In-game login integration

To set up in-game login integration, you must have:

• An Apple Developer account.
• A Unity or Unreal game project with the latest version of the AccelByte Game SDK imported.
• For Unreal Engine, you need OnlineSubsystemApple (Apple OSS).
• For Unity, you need the Apple Unity plugin from the Unity Asset Store.
• An AGS Admin Portal account to set up authentication and manage permissions.
• A game namespace.
• Familiarity with AGS Identity and Access Management (IAM) Clients.

Set up Apple configuration

To enable Apple as an identity provider, follow these steps first in your Apple Developer account.

Create certificates

The certificates resource represents the digital certificates you use to sign in to your iOS or Mac, or web apps for development and distribution. You must create a Developer ID application certificate. To do this, follow the steps on the Create Certificate guide in the Apple Developer documentation.

note

Only the appropriate account holder, manager, or admin can create certificates.

Create App IDs

An App ID identifies your app in a provisioning profile. It is a two-part string used to identify one or more apps from a single development team. You must create App IDs with App Type. To do this, follow the steps on the Register an App ID guide in the Apple Developer Documentation.

note

Only the appropriate account holder, admin, or other accounts with relevant permissions can create an app.

Create Service ID

For each website that uses Sign in with Apple (SIWA), it's necessary to register a services identifier (Services ID). Configure your domain and return URL, then create an associated private key. To do this, follow the steps on the Configure Sign in with Apple for the web guide in the Apple Developer documentation.

Create key

Enable your apps to allow users to authenticate in your application with their Apple ID. To do this, follow the steps on the Create a private key to access a service guide in the Apple Developer Documentation. Ensure that you keep a copy of the key you generate in this step. You will need it when you set up the Apple login method for web and in-game.

IMPORTANT

The SIWA feature must be enabled to be able to create keys.

Set up Apple login method

Set up web login

To allow your players to sign in to your Player Portal using their Apple accounts, follow these steps:

1. In the AGS Admin portal, go to your publisher namespace.

2. On the sidebar menu, go to Game Setup > 3rd Party Configuration > Auth & Account Linking.

3. On the Login Methods page, click on the + Add New button.

4. From the list of login method options, select Apple and fill in the login configuration with your Apple credentials. Click Create when you're done.

   • Service ID: your Apple Service ID.
   • Private Key: the base64 string of your Private Key. You need to convert or encode a .p8 file, which you should have downloaded when you created a key, to base64 string. You can use your own favor as a converter.
   • Team ID: your Apple Team ID. You can find it under your account name in the Apple Developer console.
   • Key ID: your key you generated from the Create key step.

5. On the details page, click Activate, then click Activate on the pop-up to confirm.

Test and verify

After activating the Apple web login method, you can test it out on your Player Portal. Follow these steps:

1. Go to the login page of your Player Portal.

   

2. From the login options, select the Apple logo.

   

3. You will be redirected to the Apple Login page. Use your Apple credentials to log in.

   

   note

   Currently, the system asks players to link their Apple account with an existing or new AccelByte account. AccelByte is working on the ability to enable players to log in to the Player Portal with a headless account.

Set up in-game login

To allow your players to sign in to your game using their Apple accounts, follow these steps:

1. 1. In the AGS Admin portal, go to your game namespace.

2. On the sidebar menu, go to Game Setup > 3rd Party Configuration > Auth & Account Linking.

3. On the Login Methods page, click on the + Add New button.

4. From the list of login method options, select Apple and fill in the login configuration with your Apple credentials. Click Create when you're done.

   • Service ID: your Apple Service ID.
   • Private Key: the base64 string of your Private Key. You need to convert or encode a .p8 file, which you should have downloaded when you created a key, to base64 string. You can use your own favor as a converter.
   • Team ID: your Apple Team ID. You can find it under your account name in the Apple Developer console.
   • Key ID: your key you generated from the Create key step.

5. On the details page, click Activate, then click Activate on the pop-up to confirm.

Create an IAM client for Apple

An IAM client is a representation of the game client that you want to release on your target platform. Learn more about IAM Clients in Manage access control for applications.

In-game login

The setup for each game engine is different. Follow the steps that are applicable to your game engine.

Unreal Engine instructions

Unreal Engine in-game login integration

Prepare Unreal project settings

1. Set the Client ID and Client Secret in DefaultEngine.ini file.

   [/Script/AccelByteUe4Sdk.AccelByteSettings]
   ClientId=abcdefg12345
   ClientSecret=abcdefg12345
   Namespace=test
   PublisherNamespace=accelbyte
   BaseUrl="https://prod.gamingservices.accelbyte.io"
   QosPingTimeout=0.6
   
   [/Script/AccelByteUe4Sdk.AccelByteServerSettings]
   ClientId=defghi12345
   ClientSecret=defghi12345
   Namespace=test
   PublisherNamespace=accelbyte
   RedirectURI="http://127.0.0.1"
   BaseUrl="https://prod.gamingservices.accelbyte.io"
   QosPingTimeout=0.6

2. Set these fields in the IOSGame.ini file.

   [OnlineSubsystem]
   ; For iOS, our native service will be IOS
   DefaultPlatformService=IOS
   NativePlatformService=Apple
   
   [OnlineSubsystemApple]
   bEnabled=True
   
   [OnlineSubsystemIOS]
   bEnabled=True
   
   [OnlineSubsystemIOS.Store]
   bSupportsInAppPurchasing=True
   bUseStoreV2=false
   
   [/Script/IOSRuntimeSettings.IOSRuntimeSettings]
   bEnableSignInWithAppleSupport=True
   
   [OnlineSubsystemGoogle.OnlineIdentityApple]
   +ScopeFields="email"
   +ScopeFields="fullName"

3. Add the AccelByteUe4Sdk plugin name into the Build.cs file.

   PublicDependencyModuleNames.AddRange(new string[] {  "AccelByteUe4Sdk"  });
   
   PrivateDependencyModuleNames.Add("OnlineSubsystem");
   PrivateDependencyModuleNames.Add("OnlineSubsystemAccelByte");
   PrivateDependencyModuleNames.Add("OnlineSubsystemApple");

4. Enable OnlineSubsystemApple plugin in your project's .uproject file.

   {
       "Name": "OnlineSubsystemApple",
       "Enabled": true,
       "SupportedTargetPlatforms": [
           "Mac",
           "IOS",
           "TVOS"
       ]
   },

Unreal Engine IOS build configuration

Set the Unreal certificates and provisioning

1. Set the Bundle Identifier to your app's Bundle ID from the Apple Developer portal. Make sure the App ID already has SIWA capability.

2. Set the correct certificate and provisioning file. This requires .mobileprovision and cert.SingningRequest files.

3. Ensure the Signing & Capabilities on your local setup (Xcode) has the Sign In with Apple capability enabled.

Unreal Engine Source BaseEngine.ini Configuration to Enable SIWA

1. Locate the file [EngineDir]/Config/BaseEngine.ini in the Engine installation.

2. Open it and search for [/Script/IOSRuntimeSettings.IOSRuntimeSettings] section.

3. Add this field under that section.

   [/Script/IOSRuntimeSettings.IOSRuntimeSettings]
   bEnableSignInWithAppleSupport=True  <--- Please add this boolean configuration

Unreal Engine Source Code Modification to using AuthorizationCode Instead of IdentityToken

danger

Avoid this modification completely if there is no particular reason to use AuthorizationCode and we not recommend it.

Our Identity service already recognizes IdentityToken and the Unreal Engine Apple Subsystem also automatically supports IdentityToken. We can discard the AuthorizationCode flow.

To forcefully change the IdentityToken generation into AuthorizationCode. We need to follow these steps:

1. Locate and open the following file.

   <EngineDir>\Plugins\Online\OnlineSubsystemApple\Source\Private\OnlineExternalUIInterfaceApple.cpp

2. Inside the file, locate this line.

   signInWithAppleBridge->SignInResultCallback([AuthAppleID user], [AuthAppleID identityToken], [AuthAppleID email], [AuthAppleID fullName], nullptr);

3. Change the line to the following, replacing the information in the square brackets appropriately.

   signInWithAppleBridge->SignInResultCallback([AuthAppleID user], [AuthAppleID authorizationCode], [AuthAppleID email], [AuthAppleID fullName], nullptr);

Unreal sample code implementation

1. Header declaration:

   #include <OnlineSubsystem.h>
   #include "Interfaces/OnlineIdentityInterface.h"
   #include "Interfaces/OnlineLeaderboardInterface.h"
   
   #include "OnlineIdentityInterfaceAccelByte.h"
   #include "OnlineSubsystemAccelByte.h"
   #include "OnlineSubsystemAccelByteTypes.h"
   
   #include "Core/AccelByteMultiRegistry.h"
   #include "Core/AccelByteError.h" 

2. Log in to Apple Service using Apple OnlineSubsystem, then get the PlatformToken from OnlineIdentity->GetAuthToken(...).

       const IOnlineSubsystem* OnlineSubsystem = IOnlineSubsystem::Get(TEXT("Apple"));
       if (OnlineSubsystem == nullptr)
       {
       FString Message = TEXT("Cannot login with no online subsystem set!");
       UE_LOG(LogTemp, Warning, TEXT("%s"), *Message); 
       return;
       } 
   
       const IOnlineIdentityPtr OnlineIdentity = OnlineSubsystem->GetIdentityInterface();
       if (!OnlineIdentity.IsValid())
       {
       FString Message = TEXT("Could not retrieve identity interface from native subsystem.");
       UE_LOG(LogTemp, Warning, TEXT("%s"), *Message); 
       return;
       }
   
       int32 TempLocalUserNum = 0;
       OnlineIdentity->AddOnLoginCompleteDelegate_Handle(TempLocalUserNum,
           FOnLoginCompleteDelegate::CreateLambda([=]
           (int32 LocalUserNum, bool bWasSuccessful, const FUniqueNetId& UserId, const FString& Error)
               {
                   if (bWasSuccessful)
                   {
                       UE_LOG(LogTemp, Warning, TEXT("Success Apple Login"));  
                       PlatformToken = OnlineIdentity->GetAuthToken(TempLocalUserNum);  
                       UE_LOG(LogTemp, Warning, TEXT("Apple PlatformToken : %s"), *PlatformToken);    
                   }
                   else
                   {
                       UE_LOG(LogTemp, Warning, TEXT("Error Login: %s"), *Error); 
                   }
               })
       );
       // login native
       FOnlineAccountCredentials Creds{};
       OnlineIdentity->Login(TempLocalUserNum, Creds); // Apple Login 

3. Log in to AGS using AGS Online Subsystem (OSS) or AGS SDK.

   AGS OSS

   The login success indicator can be confirmed by the bWasSuccessful boolean from the FOnLoginCompleteDelegate callback.

   // Log in to AGS using OSS
   const IOnlineSubsystem* OnlineSubsystemABPtr = IOnlineSubsystem::Get("ACCELBYTE");
   if (OnlineSubsystemABPtr == nullptr)
   {
       FString Message = TEXT("Cannot login to AGS, AccelByte Online Subsystem is null!");
       UE_LOG(LogTemp, Warning, TEXT("%s"), *Message); 
       return;
   } 
   
   const IOnlineIdentityPtr OnlineIdentityABPtr = OnlineSubsystemABPtr->GetIdentityInterface();
   if (OnlineIdentityABPtr == nullptr)
   {
       FString Message = TEXT("Cannot login to AGS, AccelByte Identity Interface is null!");
       UE_LOG(LogTemp, Warning, TEXT("%s"), *Message); 
       return;
   }
   
   bool bABLoginDone = false;
   bool bABLoginSuccess = false;
   FDelegateHandle ABOnLoginCompleteDelegateHandle;
   const FOnLoginCompleteDelegate ABLoginComplete = FOnLoginCompleteDelegate::CreateLambda(
       [&]
       (int32 LoggedInLocalUserNum, bool bWasSuccessful, const FUniqueNetId& UserId, FString Error)
       {
           bABLoginDone = true;
           bABLoginSuccess = bWasSuccessful;
           if (bWasSuccessful)
           {
               UE_LOG(LogTemp, Log, TEXT("Log in to AGS result: success.")); 
           }
           else
           {
               UE_LOG(LogTemp, Warning, TEXT("Log in to AGS result: fail.")); 
           }
           OnlineIdentityABPtr->ClearOnLoginCompleteDelegate_Handle(0, ABOnLoginCompleteDelegateHandle);
       });
   ABOnLoginCompleteDelegateHandle = OnlineIdentityABPtr->AddOnLoginCompleteDelegate_Handle(0, ABLoginComplete);
   
   FOnlineAccelByteAccountCredentials OnlineAccountCredentialsNative(
       EAccelByteLoginType::Apple,
       "",
       PlatformToken, // Obtained from previous step; log in using Apple OnlineSubsystem
       true);
   OnlineIdentityABPtr->Login(0, OnlineAccountCredentialsNative);

   AGS SDK

   note

   We don't recommend this method. However, if you prefer to log in using the AGS SDK, take note that the SDK may not be able to support various functions such as handling player states, caching mechanisms, native-platform functions, etc.

   // Log in to AGS using low-level SDK 
   FRegistry::User.LoginWithOtherPlatform(EAccelBytePlatformType::Apple
       , PlatformToken //Obtained from previous step, Log in using Apple OnlineSubsystem
       , FVoidHandler::CreateLambda([=]()
           {
               UE_LOG(LogTemp, Log, TEXT("    Success AB Login "));   
           })
       , FOAuthErrorHandler::CreateLambda([=](int32, const FString&, const FErrorOAuthInfo& Result)
           { 
               UE_LOG(LogTemp, Warning, TEXT("    Error. Code: %s, Reason: %s"), *Result.Error, *Result.Error_description); 
   }));

Sample code testing

Old sample using AuthorizationCode

This example shows the result of testing the code using iPhone 11. The following image shows that the code works and a user is able to log in using Apple with the sample code.

Recent sample using IdentityToken

This example shows the result of testing the code using iPhone 14. The following image shows the Apple IdentityToken from Unreal Engine Apple Online Subsystem.

The token is exchanged to AGS and we can obtain the AccelByte authorization token (LoginToIAM result).

Unity Engine Instructions

Unity in-game login integration

Prepare Unity project settings

This step uses the following files:

• Asset/Resources AccelByteSDKConfig.json
• Asset/Resources AccelByteSDKOAuthConfig.json

{
  "Default": {
    "Namespace": "example-namespace",
    "UsePlayerPrefs": true,
    "EnableDebugLog": true,
    "DebugLogFilter": "Verbose",
    "BaseUrl": "https://prod.gamingservices.accelbyte.io",
    "IamServerUrl": "https://prod.gamingservices.accelbyte.io/iam",
    "PlatformServerUrl": "https://prod.gamingservices.accelbyte.io/platform",
    "BasicServerUrl": "https://prod.gamingservices.accelbyte.io/basic",
    "LobbyServerUrl": "wss://demo.accelbyte.io/lobby/",
    "CloudStorageServerUrl": "https://prod.gamingservices.accelbyte.io/social",
    "GameProfileServerUrl": "https://prod.gamingservices.accelbyte.io/social",
    "StatisticServerUrl": "https://prod.gamingservices.accelbyte.io/social",
    "QosManagerServerUrl": "https://prod.gamingservices.accelbyte.io/qosm",
    "AgreementServerUrl": "https://prod.gamingservices.accelbyte.io/agreement",
    "LeaderboardServerUrl": "https://prod.gamingservices.accelbyte.io/leaderboard",
    "CloudSaveServerUrl": "https://prod.gamingservices.accelbyte.io/cloudsave",
    "GameTelemetryServerUrl": "https://prod.gamingservices.accelbyte.io/game-telemetry",
    "AchievementServerUrl": "https://prod.gamingservices.accelbyte.io/achievement",
    "UGCServerUrl": "https://prod.gamingservices.accelbyte.io/ugc",
    "ReportingServerUrl": "https://prod.gamingservices.accelbyte.io/reporting",
    "SeasonPassServerUrl": "https://prod.gamingservices.accelbyte.io/seasonpass",
    "SessionBrowserServerUrl": "https://prod.gamingservices.accelbyte.io/sessionbrowser",
    "SessionServerUrl": "https://prod.gamingservices.accelbyte.io/session",
    "MatchmakingV2ServerUrl": "https://prod.gamingservices.accelbyte.io/match2",
    "UseTurnManager": false,
    "TurnManagerServerUrl": "https://prod.gamingservices.accelbyte.io/turnmanager",
    "TurnServerHost": "",
    "TurnServerPort": "",
    "TurnServerPassword": "",
    "TurnServerSecret": "",
    "TurnServerUsername": "",
    "GroupServerUrl": "https://prod.gamingservices.accelbyte.io/group",
    "ChatServerUrl": "wss://demo.accelbyte.io/chat/",
    "RedirectUri": "http://127.0.0.1",
    "AppId": "133xxx",
    "PublisherNamespace": "accelbyte",
    "CustomerName": "game-sdk",
    "MaximumCacheSize": 100,
    "MaximumCacheLifeTime": 100
  }
}

Unity build configuration

Set the Certificate and Provisioning

1. Set the Bundle Identifier to your app's Bundle ID from the Apple Developer portal. Make sure the App ID already has SIWA capability.

2. Set automatic management of signing, Team, and Bundle Identifier.

Unity sample code implementation

1. Header declaration:

   using AppleAuth;
   using AppleAuth.Enums;
   using AppleAuth.Extensions;
   using AppleAuth.Interfaces;
   using AppleAuth.Native;
   using UnityEngine; 
   using TMPro;
   using System;
   using System.Text;
   using System.Collections;
   using AccelByte.Api;
   using AccelByte.Core;
   using AccelByte.Models;

2. Log in to Apple Service, then get the Platform Token.

   string authCode = "";
   
   void RunLogin()
   {
       IAppleAuthManager _appleAuthManager;
   
       // If the current platform is supported
       if (AppleAuthManager.IsCurrentPlatformSupported)
       {
           // Creates a default JSON deserializer, to transform JSON Native responses to C## instances
           var deserializer = new PayloadDeserializer();
           // Creates an Apple Authentication manager with the deserializer
           this._appleAuthManager = new AppleAuthManager(deserializer);    
       } 
   
       var loginArgs = new AppleAuthLoginArgs(LoginOptions.IncludeEmail | LoginOptions.IncludeFullName);
       bool done = false;
       string authCode = "";
       this._appleAuthManager.LoginWithAppleId(
           loginArgs,
           credential =>
           { 
   
               LogText.text += "\nSuccess login Apple ";
   
               var appleIDCred = credential as IAppleIDCredential;
               authCode = Encoding.UTF8.GetString(appleIDCred.AuthorizationCode, 0, appleIDCred.AuthorizationCode.Length);
   
               LogText.text += "\nAuth Code : " + authCode; 
   
               done = true;
           },
           error =>
           {
               var authorizationErrorCode = error.GetAuthorizationErrorCode();
               Debug.LogWarning("Sign in with Apple failed " + authorizationErrorCode.ToString() + " " + error.ToString()); 
   
               LogText.text += "\nSign in with Apple failed " + authorizationErrorCode.ToString() + " " + error.ToString();
               done = true;
           }); 
   
   }
   
   // Update is called once per frame
   void Update()
   {
       // Updates the AppleAuthManager instance to execute
       // pending callbacks inside Unity's execution loop
       if (this._appleAuthManager != null)
       {
           this._appleAuthManager.Update();
       }
       
   }

3. Log in to AGS.

   var user = AccelBytePlugin.GetUser();
   Result<TokenData, OAuthError> callback = null;
   
   user.LoginWithOtherPlatform(PlatformType.Apple, authCode, (Result<TokenData, OAuthError> result) =>
   {
       if (result.IsError)
       { 
           LogText.text += "\nLogin Error : " + result.Error.error + " " +result.Error.error_description;
       }
       else
       { 
           LogText.text += "\nLogin to AccelByte Success ";
       }
       callback = result;
   });

Unity sample code testing

In this example, we tested the code on an iPhone 11. The following image shows that the code works and a user is able to log in using Apple with the sample code.