From f720ae4a348cf7ee997f2ba2ab864180141b07f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20Gimi=C5=84ski?= Date: Fri, 6 Mar 2026 09:40:11 +0100 Subject: [PATCH 1/4] Update doc with apple sign in redirection for web --- .../04-providers/04-apple/01-setup.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/docs/06-concepts/11-authentication/04-providers/04-apple/01-setup.md b/docs/06-concepts/11-authentication/04-providers/04-apple/01-setup.md index 32ad40bc..27e7c0fd 100644 --- a/docs/06-concepts/11-authentication/04-providers/04-apple/01-setup.md +++ b/docs/06-concepts/11-authentication/04-providers/04-apple/01-setup.md @@ -31,6 +31,7 @@ development: appleServiceIdentifier: 'com.example.service' appleBundleIdentifier: 'com.example.app' appleRedirectUri: 'https://example.com/auth/callback' + appleWebRedirectUri: 'https://example.com/auth/apple-complete' appleTeamId: 'ABC123DEF4' appleKeyId: 'XYZ789ABC0' appleKey: | @@ -71,6 +72,7 @@ void run(List args) async { serviceIdentifier: pod.getPassword('appleServiceIdentifier')!, bundleIdentifier: pod.getPassword('appleBundleIdentifier')!, redirectUri: pod.getPassword('appleRedirectUri')!, + webRedirectUri: pod.getPassword('appleWebRedirectUri'), teamId: pod.getPassword('appleTeamId')!, keyId: pod.getPassword('appleKeyId')!, key: pod.getPassword('appleKey')!, @@ -98,6 +100,7 @@ You can use the `AppleIdpConfigFromPasswords` constructor in replacement of the - `appleServiceIdentifier` - `appleBundleIdentifier` - `appleRedirectUri` + - `appleWebRedirectUri` (optional, for Web support when using server callback route) - `appleTeamId` - `appleKeyId` - `appleKey` 
@@ -108,6 +111,7 @@ Or the following environment variables: - `SERVERPOD_PASSWORD_appleServiceIdentifier` - `SERVERPOD_PASSWORD_appleBundleIdentifier` - `SERVERPOD_PASSWORD_appleRedirectUri` + - `SERVERPOD_PASSWORD_appleWebRedirectUri` (optional, for Web support when using server callback route) - `SERVERPOD_PASSWORD_appleTeamId` - `SERVERPOD_PASSWORD_appleKeyId` - `SERVERPOD_PASSWORD_appleKey` @@ -129,6 +133,7 @@ Finally, run `serverpod generate` to generate the client code and create a migra - `serviceIdentifier`: Required. The service identifier for the Sign in with Apple project. - `bundleIdentifier`: Required. The bundle ID of the Apple-native app using Sign in with Apple. - `redirectUri`: Required. The redirect URL used for 3rd party platforms (e.g., Android, Web). +- `webRedirectUri`: Optional. The URL where the browser is redirected after the server receives Apple's callback on Web. Required for Web support when using the server callback route. - `teamId`: Required. The team identifier of the parent Apple Developer account. - `keyId`: Required. The ID of the key associated with the Sign in with Apple service. - `key`: Required. The secret contents of the private key file received from Apple. 
@@ -169,7 +174,14 @@ No additional client-side Android configuration is needed beyond what the [sign_ ### Web -For web, configure the redirect URI in your Apple Developer Portal to match your server's callback route (e.g., `https://example.com/auth/callback`). +Apple Sign In on Web uses a server callback first, then redirects the browser to your web app. + +To enable this: + +1. Configure the redirect URI in your Apple Developer Portal to match your server's callback route (e.g., `https://example.com/auth/callback`). +2. Set `webRedirectUri` in `AppleIdpConfig` (or `appleWebRedirectUri` in `passwords.yaml`) to the Web URL that should receive the callback parameters (e.g., `https://example.com/auth/apple-complete`). + +If `webRedirectUri` is not configured, Web callbacks to the server route will fail. ## Present the authentication UI From d560bd917f9cb01a878f7d855661a275594fa473 Mon Sep 17 00:00:00 2001 From: Marcelo Soares Date: Tue, 10 Mar 2026 12:06:15 -0300 Subject: [PATCH 2/4] fix: Reorder the new optional elements --- .../04-providers/04-apple/01-setup.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/docs/06-concepts/11-authentication/04-providers/04-apple/01-setup.md b/docs/06-concepts/11-authentication/04-providers/04-apple/01-setup.md index 27e7c0fd..bcebb6f7 100644 --- a/docs/06-concepts/11-authentication/04-providers/04-apple/01-setup.md +++ b/docs/06-concepts/11-authentication/04-providers/04-apple/01-setup.md 
@@ -72,10 +72,11 @@ void run(List args) async { serviceIdentifier: pod.getPassword('appleServiceIdentifier')!, bundleIdentifier: pod.getPassword('appleBundleIdentifier')!, redirectUri: pod.getPassword('appleRedirectUri')!, - webRedirectUri: pod.getPassword('appleWebRedirectUri'), teamId: pod.getPassword('appleTeamId')!, keyId: pod.getPassword('appleKeyId')!, key: pod.getPassword('appleKey')!, + // Optional: Required only for Web support when using server callback route. + webRedirectUri: pod.getPassword('appleWebRedirectUri'), // Optional: Required only for Android support. androidPackageIdentifier: pod.getPassword('appleAndroidPackageIdentifier'), ), @@ -100,10 +101,10 @@ You can use the `AppleIdpConfigFromPasswords` constructor in replacement of the - `appleServiceIdentifier` - `appleBundleIdentifier` - `appleRedirectUri` - - `appleWebRedirectUri` (optional, for Web support when using server callback route) - `appleTeamId` - `appleKeyId` - `appleKey` + - `appleWebRedirectUri` (optional, for Web support when using server callback route) - `appleAndroidPackageIdentifier` (optional, for Android support) Or the following environment variables: @@ -111,10 +112,10 @@ Or the following environment variables: - `SERVERPOD_PASSWORD_appleServiceIdentifier` - `SERVERPOD_PASSWORD_appleBundleIdentifier` - `SERVERPOD_PASSWORD_appleRedirectUri` - - `SERVERPOD_PASSWORD_appleWebRedirectUri` (optional, for Web support when using server callback route) - `SERVERPOD_PASSWORD_appleTeamId` - `SERVERPOD_PASSWORD_appleKeyId` - `SERVERPOD_PASSWORD_appleKey` + - `SERVERPOD_PASSWORD_appleWebRedirectUri` (optional, for Web support when using server callback route) - `SERVERPOD_PASSWORD_appleAndroidPackageIdentifier` (optional, for Android support) ::: 
@@ -133,11 +134,14 @@ Finally, run `serverpod generate` to generate the client code and create a migra - `serviceIdentifier`: Required. The service identifier for the Sign in with Apple project. - `bundleIdentifier`: Required. The bundle ID of the Apple-native app using Sign in with Apple. - `redirectUri`: Required. The redirect URL used for 3rd party platforms (e.g., Android, Web). -- `webRedirectUri`: Optional. The URL where the browser is redirected after the server receives Apple's callback on Web. Required for Web support when using the server callback route. - `teamId`: Required. The team identifier of the parent Apple Developer account. - `keyId`: Required. The ID of the key associated with the Sign in with Apple service. - `key`: Required. The secret contents of the private key file received from Apple. -- `androidPackageIdentifier`: Optional. The Android package identifier for the app. Required for Apple Sign In to work on Android. When configured, the callback route automatically redirects Android clients back to the app using an intent URI. + +When using Web or Android, you can also configure the following optional parameters: + +- `webRedirectUri`: The URL where the browser is redirected after the server receives Apple's callback on Web. Required for Web support when using the server callback route. +- `androidPackageIdentifier`: The Android package identifier for the app. Required for Apple Sign In to work on Android. When configured, the callback route automatically redirects Android clients back to the app using an intent URI. For more details on configuration options, see the [configuration section](./configuration). From 07a25089e771f81d15d379f055d67030fbdd8caf Mon Sep 17 00:00:00 2001 From: Marcelo Soares Date: Tue, 10 Mar 2026 12:08:13 -0300 Subject: [PATCH 3/4] fix: Reorder one last entry to move optional to last --- .../11-authentication/04-providers/04-apple/01-setup.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/docs/06-concepts/11-authentication/04-providers/04-apple/01-setup.md b/docs/06-concepts/11-authentication/04-providers/04-apple/01-setup.md index bcebb6f7..93ee3be2 100644 --- a/docs/06-concepts/11-authentication/04-providers/04-apple/01-setup.md +++ b/docs/06-concepts/11-authentication/04-providers/04-apple/01-setup.md @@ -31,13 +31,14 @@ development: appleServiceIdentifier: 'com.example.service' appleBundleIdentifier: 'com.example.app' appleRedirectUri: 'https://example.com/auth/callback' - appleWebRedirectUri: 'https://example.com/auth/apple-complete' appleTeamId: 'ABC123DEF4' appleKeyId: 'XYZ789ABC0' appleKey: | -----BEGIN PRIVATE KEY----- MIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQg... -----END PRIVATE KEY----- + # Optional: Required only for Web support when using server callback route. + appleWebRedirectUri: 'https://example.com/auth/apple-complete' # Optional: Required only if you want Apple Sign In to work on Android. appleAndroidPackageIdentifier: 'com.example.app' ``` From 2ed4bf3dfcbc28d456ea4969e0bb3da22fd73280 Mon Sep 17 00:00:00 2001 From: Marcelo Soares Date: Tue, 10 Mar 2026 12:09:57 -0300 Subject: [PATCH 4/4] chore: Copy the to the versioned docs for 3.4.0 --- .../04-providers/04-apple/01-setup.md | 21 +++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/versioned_docs/version-3.4.0/06-concepts/11-authentication/04-providers/04-apple/01-setup.md b/versioned_docs/version-3.4.0/06-concepts/11-authentication/04-providers/04-apple/01-setup.md index 32ad40bc..93ee3be2 100644 --- a/versioned_docs/version-3.4.0/06-concepts/11-authentication/04-providers/04-apple/01-setup.md +++ b/versioned_docs/version-3.4.0/06-concepts/11-authentication/04-providers/04-apple/01-setup.md 
@@ -37,6 +37,8 @@ development: -----BEGIN PRIVATE KEY----- MIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQg... -----END PRIVATE KEY----- + # Optional: Required only for Web support when using server callback route. + appleWebRedirectUri: 'https://example.com/auth/apple-complete' # Optional: Required only if you want Apple Sign In to work on Android. appleAndroidPackageIdentifier: 'com.example.app' ``` @@ -74,6 +76,8 @@ void run(List args) async { teamId: pod.getPassword('appleTeamId')!, keyId: pod.getPassword('appleKeyId')!, key: pod.getPassword('appleKey')!, + // Optional: Required only for Web support when using server callback route. + webRedirectUri: pod.getPassword('appleWebRedirectUri'), // Optional: Required only for Android support. androidPackageIdentifier: pod.getPassword('appleAndroidPackageIdentifier'), ), @@ -101,6 +105,7 @@ You can use the `AppleIdpConfigFromPasswords` constructor in replacement of the - `appleTeamId` - `appleKeyId` - `appleKey` + - `appleWebRedirectUri` (optional, for Web support when using server callback route) - `appleAndroidPackageIdentifier` (optional, for Android support) Or the following environment variables: @@ -111,6 +116,7 @@ Or the following environment variables: - `SERVERPOD_PASSWORD_appleTeamId` - `SERVERPOD_PASSWORD_appleKeyId` - `SERVERPOD_PASSWORD_appleKey` + - `SERVERPOD_PASSWORD_appleWebRedirectUri` (optional, for Web support when using server callback route) - `SERVERPOD_PASSWORD_appleAndroidPackageIdentifier` (optional, for Android support) ::: 
@@ -132,7 +138,11 @@ Finally, run `serverpod generate` to generate the client code and create a migra - `teamId`: Required. The team identifier of the parent Apple Developer account. - `keyId`: Required. The ID of the key associated with the Sign in with Apple service. - `key`: Required. The secret contents of the private key file received from Apple. -- `androidPackageIdentifier`: Optional. The Android package identifier for the app. Required for Apple Sign In to work on Android. When configured, the callback route automatically redirects Android clients back to the app using an intent URI. + +When using Web or Android, you can also configure the following optional parameters: + +- `webRedirectUri`: The URL where the browser is redirected after the server receives Apple's callback on Web. Required for Web support when using the server callback route. +- `androidPackageIdentifier`: The Android package identifier for the app. Required for Apple Sign In to work on Android. When configured, the callback route automatically redirects Android clients back to the app using an intent URI. For more details on configuration options, see the [configuration section](./configuration). 
@@ -169,7 +179,14 @@ No additional client-side Android configuration is needed beyond what the [sign_ ### Web -For web, configure the redirect URI in your Apple Developer Portal to match your server's callback route (e.g., `https://example.com/auth/callback`). +Apple Sign In on Web uses a server callback first, then redirects the browser to your web app. + +To enable this: + +1. Configure the redirect URI in your Apple Developer Portal to match your server's callback route (e.g., `https://example.com/auth/callback`). +2. Set `webRedirectUri` in `AppleIdpConfig` (or `appleWebRedirectUri` in `passwords.yaml`) to the Web URL that should receive the callback parameters (e.g., `https://example.com/auth/apple-complete`). + +If `webRedirectUri` is not configured, Web callbacks to the server route will fail. ## Present the authentication UI
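Review bot: In the `### Web` hunk (PATCH 1/4, repeated in 4/4), step 2 calls `webRedirectUri` "the Web URL that should receive the callback parameters" without saying which parameters the server forwards or how they are attached to the redirect. Because the browser is sent there straight after Apple's callback, please name the forwarded parameters and state that the value should be an HTTPS URL on an origin the app owner controls. The closing sentence "Web callbacks to the server route will fail" should also say how the failure surfaces (status code or log message) so a missing setting can be diagnosed.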
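Review bot: In the parameter-list hunk, `redirectUri` keeps its old description, "The redirect URL used for 3rd party platforms (e.g., Android, Web)", while the new `webRedirectUri` entry also covers Web, so a reader cannot tell which of the two has to be registered in the Apple Developer Portal. Suggest rewording `redirectUri` as the server callback route registered with Apple and `webRedirectUri` as the browser destination after that callback, matching steps 1 and 2 of the `### Web` section.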
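Review bot: The qualifier "when using server callback route" on `appleWebRedirectUri` and `SERVERPOD_PASSWORD_appleWebRedirectUri` in the key-list hunks implies there is a Web flow that does not use the server callback route, but the `### Web` hunk says unconditionally that "Apple Sign In on Web uses a server callback first". Either drop the qualifier from the lists and code comments or describe the alternative flow in the Web section, so that the "optional" label does not lead a Web deployment to omit the setting.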
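Review bot: Nothing in PATCH 4/4 confirms that `webRedirectUri` exists in the 3.4.0 release, yet the hunks under `versioned_docs/version-3.4.0/` document it as available there. Please confirm the option ships in 3.4.0; if it was introduced later, drop the versioned copy or mark the entry with the version that adds it, since readers of that version would otherwise configure a key the server ignores.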