ir-engine · hanzlamateen · Aug 27, 2024 · Jul 22, 2024 · Jul 31, 2024 · Aug 6, 2024
diff --git a/...es/05_infrastructure/03_devopsDeployment/04_AppleSSOSetup/01_setupAppleOAuth.md b/...es/05_infrastructure/03_devopsDeployment/04_AppleSSOSetup/01_setupAppleOAuth.md
@@ -0,0 +1,63 @@
+---
+sidebar_label: Set up Apple SSO for users
+---
+
+# Set up Apple SSO for users
+
+Just as we have other OAuth providers that allow users to sign in using their accounts created on other well known platforms, we also have enabled Apple SSO support for IR Studio. This guide lays out the blueprints to enable it for any particular application.
+
+## Prerequisites
+
+- Apple Developer Account
+- An Apple Account added into the developer account with all the right permissions to be able to edit and update app details.
+- An app where you want to enable Apple SSO, **IR Engine** in our case.
+
+Go to [Apple Developer Account](https://idmsa.apple.com/IDMSWebAuth/signin?appIdKey=891bd3417a7776362562d2197f89480a8547b108fd934911bcbea0110d07f757&path=%2Faccount%2F&rv=1) and sign in with and apple Developer account which should have been added to the developer account previously and must have the right permissions. There, you will need to create an App ID, a Service ID and later on a Private Key, these will give you the credentials that you can then use in your app to be able to let users log in using their Apple IDs.
+
+## Create an App ID
+
+In the Apple Developer account, do the following:
+
+1. Go to section named as **Certificates, Ids & Profiles** and click **Identifiers**.
+2. Create a new identifier by clicking the small **+** icon icon besides the identifiers headline. If you do not see that, your logged in user might not have the necessary permissions to add the app ID. Ensure your users have the right permissions before moving ahead.
+3. Click **App IDs** and click **Continue**.
+4. Click **App** in next window and click **Continue**.
+5. Fill in the form that opens up.
+   1. Enter the description.
+   2. Enter the Bundle ID which could be a reverse-domain styled string i.e. `com.domainname.appname`
+   3. Scroll down to **Capabilities** section and check **Sign In with Apple**. Click **Continue**.
+   4. Verify details and click **Register**.
+
+## Create a Service ID
+
+In the Apple Developer account, do the following:
+
+1. Go to section named as **Certificates, Ids & Profiles** and click **Identifiers**.
+2. Click the **+** button beside identifiers.
+3. Click **Service IDs** and click **Continue**.
+   - Enter the description.
+   - Enter the **Bundle ID** which are a reverse-domain styled string i.e., `com.domainname.appname`.
+   - Click "**Continue**" and "**Register**".
+4. Edit the service ID that you just created. Check **Sign In with Apple** and click on the **Configure** button besides the checked option.
+   - You will see a screen for **Web Auhentication Configuration**. Select the App ID we created previously as the **Primary App ID**. You can add the domains e.g, `ir-engine-qat-dev-api.theinfinitereality.io` and the **Return URLs** e.g, `https://ir-engine-qat-dev-api.theinfinitereality.io/oauth/apple/callback` on which the user will be redirected once it is authentication by Apple.
+5. Click **Continue**, verify the details and click **Save**.
+
+:::note
+The Service ID that you just created will serve as your Client ID while sending authentication requests from your app.
+:::
+
+## Create the Secret Key
+
+We will also need to create a secret key that we can then use to generate the **Client Secret** which again will be used while sending an authentication request to Apple.
+
+1. Go to **Certificates**, **Identifiers & Profiles** > **Keys**.
+2. Click the **+** button beside the keys.
+3. Give a **Key Name** and check the **Sign In With Apple** checkbox.
+4. Click **Configure** next to the **Sign In With Apple** checkbox and select the App ID we previously created under the **Choose a Primary App ID** key.
+5. Click **Save**, verify the details and click **Register**.
+6. Download the Key and keep it in a safe and secure place. **Warning**: You can only download the key once.
+7. Click **Done**.
+
+:::note
+You can keep one App ID and a Secret Key and multiple Service IDs for each environment. But a better practice would be to decouple the App IDs, Service ID and Secret Key for each environments.
+:::
diff --git a/..._infrastructure/03_devopsDeployment/04_AppleSSOSetup/02_generateClientSecret.md b/..._infrastructure/03_devopsDeployment/04_AppleSSOSetup/02_generateClientSecret.md
@@ -0,0 +1,47 @@
+# Generate Client Secret for Apple SSO
+
+We will need to generate a Client Secret for Apple to be able to send authentication requests to Apple.
+
+## Prerequisites
+
+You must have the following credentials already with you.
+
+- **Developer Account's secret Key file**: This refers to the file you create on Apple Developer account. The path of the file looks something simiar to `/home/SecretFiles/AuthKey_M98LQ25T3Z.p8`
+- **Key ID**: Key ID of the Secret key that you generate on Apple Developer account, e.g., `M98LQ25T3Z`. Note that the key identifier in your secret key file name matches the Key ID.
+- **Team ID**: The team ID of the developer account. It can be obtained from your App ID, e.g., `ZLWKHWSK48`.
+- **Client ID**: This is the service ID that you have created which can now be used as a client ID. e.g. `com.ir-engine.qat-dev.id`.
+
+## Generate the Client Secret
+
+You can make a request to Apple with the required credentials and generate the Client Secret. You can use the script written in the IR Engine's repository under `scripts/generate-apple-sso-token.ts` and generate an Apple key secret by running the following command on the root folder. Please refer to the prerequisites section for details of the values being used in the command below.
+
+```shell
+npm run generate-apple-client-secret -- --secretKeyPath <Secret_Key_Path>  --keyId <Secret_Key_ID> --teamId <Developer_Account_Team_ID> --clientId <ClientID_For_ServiceID>
+```
+
+For instance:
+
+```shell
+npm run generate-apple-client-secret -- --secretKeyPath '/home/SecretFiles/AuthKey_M98LQ25T3Z.p8'  --keyId 'M98LQ25T3Z' --teamId 'ZLWKHWSK48'--clientId 'com.ir-engine.qat-dev.id'
+```
+
+:::note
+The Client Secret's expiry could at maximum be set to 6 months, so we will have to regenerate it after that.
+:::
+
+## Updating the Client Secret in IR Studio
+
+Every 6 months, when the Client Secret expires, you have to get it updated in the running instances of IR Studio as per the following.
+
+1. Generate a new Client Secret as mentioned above.
+2. On the deployed instance, go to '/admin/settings#authentication'.
+3. Update the Apple Client Secret and hit save, it should take a couple of minutes to restart the API pods and should be done then.
+4. Also update the Client Secret value in the "Values.yaml" file for both the main release and builder. You can use the following command as reference for updating the Client Secret in Values.yaml files of the deployments. Run the command separately for Main and Builder release while updating the corresponding values accordingly.
+
+```shell
+helm repo update && helm upgrade --reuse-values --set api.extraEnv.APPLE_CALLBACK_URL=\<CallbackURL> --set api.extraEnv.APPLE_CLIENT_ID=\<ClientID> --set api.extraEnv.APPLE_CLIENT_SECRET=\<ClientSecret> --set media.extraEnv.APPLE_CALLBACK_URL=\<CallbackURL> --set media.extraEnv.APPLE_CLIENT_ID=\<ClientID> --set media.extraEnv.APPLE_CLIENT_SECRET="\<ClientSecret>" \<Main and builder Release Name> etherealengine/etherealengine
+```
+
+## Future Work and Recommendations
+
+We could always make the client Secret generation automatic, provided that the Secret Key is placed in a separate and securely accessible location which then can be used to generate Client secrets on the go. We could update the App's code to be able to dynamically generate and save the client secret so you do not have to manually get it updated every 6 months. At the moment we are figuring out to place the Secret file in a secure yet accessable location and we can then update our code to generate the Client secret automatically.