Apple

Support level: authentik

Allows users to authenticate using their Apple ID.

Preparation

danger

An Apple developer account is required.

danger

Apple mandates the use of a registered TLD, as such this source will not work with .local and other non-public TLDs.

The following placeholders will be used:

Log into your Apple developer account, and navigate to Certificates, IDs & Profiles, then click Identifiers in the sidebar.
Register a new Identifier with the type of App IDs, and the subtype App.
Choose a name that users will recognise for the Description field.
For your bundle ID, use the reverse domain of authentik, in this case company.authentik.
Scroll down the list of capabilities, and check the box next to Sign In with Apple.
At the top, click Continue and Register.

Register another new Identifier with the type of Services IDs.
Again, choose the same name as above for your Description field.
Use the same identifier as above, but add a suffix like signin or oauth, as identifiers are unique.
At the top, click Continue and Register.

Once back at the overview list, click on the just-created Identifier.
Enable the checkbox next to Sign In with Apple, and click Configure
Under domains, enter authentik.company.
Under Return URLs, enter https://authentik.company/source/oauth/callback/apple/.

Click on Keys in the sidebar. Register a new Key with any name, and select Sign in with Apple.
Click on Configure, and select the App ID you've created above.
At the top, click Save, Continue and Register.
Download the Key file and note the Key ID.

Under Directory -> Federation & Social login Click Create Apple OAuth Source
Name: Apple
Slug: apple
Consumer Key: The identifier from step 9, then ;, then your Team ID from step 19, then ;, then the Key ID from step 18.
Example: io.goauthentik.dev-local;JQNH45HN7V;XFBNJ82BV6
Consumer Secret: Paste the contents of the keyfile you've downloaded

Save, and you now have Apple as a source.

note

For more details on how-to have the new source display on the Login Page see here.