Add Apple ID token support to wallet WDK

Author: tolgahan-arikan

packages/wallet/wdk/src/sequence/handlers/idtoken.ts

@@ -12,13 +12,16 @@ import type { WdkEnv } from '../../env.js'
 
 type RespondFn = (idToken: string) => Promise<void>
 
-export type PromptIdTokenHandler = (kind: 'google-id-token' | `custom-${string}`, respond: RespondFn) => Promise<void>
+export type PromptIdTokenHandler = (
+  kind: 'google-id-token' | 'apple-id-token' | `custom-${string}`,
+  respond: RespondFn,
+) => Promise<void>
 
 export class IdTokenHandler extends IdentityHandler implements Handler {
   private onPromptIdToken: undefined | PromptIdTokenHandler
 
   constructor(
-    public readonly signupKind: 'google-id-token' | `custom-${string}`,
+    public readonly signupKind: 'google-id-token' | 'apple-id-token' | `custom-${string}`,
     public readonly issuer: string,
     public readonly audience: string,
     nitro: Identity.IdentityInstrument,
@@ -33,6 +36,9 @@ export class IdTokenHandler extends IdentityHandler implements Handler {
     if (this.signupKind === 'google-id-token') {
       return Kinds.LoginGoogle
     }
+    if (this.signupKind === 'apple-id-token') {
+      return Kinds.LoginApple
+    }
     return 'login-' + this.signupKind
   }
 

packages/wallet/wdk/src/sequence/manager.ts

@@ -107,6 +107,7 @@ export type ManagerOptions = {
     apple?: {
       enabled: boolean
       clientId: string
+      authMethod?: 'authcode' | 'id-token'
     }
     customProviders?: CustomIdentityProvider[]
   }
@@ -129,6 +130,7 @@ export type ResolvedIdentityOptions = {
   apple: {
     enabled: boolean
     clientId: string
+    authMethod: 'authcode' | 'id-token'
   }
   customProviders?: CustomIdentityProvider[]
 }
@@ -260,6 +262,7 @@ export const ManagerOptionsDefaults = {
     apple: {
       enabled: false,
       clientId: '',
+      authMethod: 'authcode' as const,
     },
   },
 }
@@ -716,20 +719,35 @@ export class Manager {
       }
     }
     if (ops.identity.apple?.enabled) {
-      shared.handlers.set(
-        Kinds.LoginApple,
-        new AuthCodeHandler(
-          'apple',
-          'https://appleid.apple.com',
-          'https://appleid.apple.com/auth/authorize',
-          ops.identity.apple.clientId,
-          identityInstrument,
-          modules.signatures,
-          shared.databases.authCommitments,
-          shared.databases.authKeys,
-          shared.env,
-        ),
-      )
+      if (ops.identity.apple.authMethod === 'id-token') {
+        shared.handlers.set(
+          Kinds.LoginApple,
+          new IdTokenHandler(
+            'apple-id-token',
+            'https://appleid.apple.com',
+            ops.identity.apple.clientId,
+            identityInstrument,
+            modules.signatures,
+            shared.databases.authKeys,
+            shared.env,
+          ),
+        )
+      } else {
+        shared.handlers.set(
+          Kinds.LoginApple,
+          new AuthCodeHandler(
+            'apple',
+            'https://appleid.apple.com',
+            'https://appleid.apple.com/auth/authorize',
+            ops.identity.apple.clientId,
+            identityInstrument,
+            modules.signatures,
+            shared.databases.authCommitments,
+            shared.databases.authKeys,
+            shared.env,
+          ),
+        )
+      }
     }
     if (ops.identity.customProviders?.length) {
       for (const provider of ops.identity.customProviders) {

packages/wallet/wdk/src/sequence/wallets.ts

@@ -28,13 +28,19 @@ function getSignerKindForSignup(kind: SignupArgs['kind'] | AuthCommitment['kind'
   if (kind === 'google-id-token' || kind === 'google-pkce') {
     return Kinds.LoginGoogle
   }
+  if (kind === 'apple-id-token' || kind === 'apple') {
+    return Kinds.LoginApple
+  }
   if (kind.startsWith('custom-')) {
     return kind
   }
   return ('login-' + kind) as string
 }
 
-function getIdTokenSignupHandler(shared: Shared, kind: typeof Kinds.LoginGoogle | `custom-${string}`): IdTokenHandler {
+function getIdTokenSignupHandler(
+  shared: Shared,
+  kind: typeof Kinds.LoginGoogle | typeof Kinds.LoginApple | `custom-${string}`,
+): IdTokenHandler {
   const handler = shared.handlers.get(kind)
   if (!handler) {
     throw new Error('handler-not-registered')
@@ -82,7 +88,7 @@ export type EmailOtpSignupArgs = CommonSignupArgs & {
 }
 
 export type IdTokenSignupArgs = CommonSignupArgs & {
-  kind: 'google-id-token' | `custom-${string}`
+  kind: 'google-id-token' | 'apple-id-token' | `custom-${string}`
   idToken: string
 }
 
@@ -222,7 +228,7 @@ export interface WalletsInterface {
    *   - `kind: 'mnemonic'`: Uses a mnemonic phrase as the login credential.
    *   - `kind: 'passkey'`: Prompts the user to create a WebAuthn passkey.
    *   - `kind: 'email-otp'`: Initiates an OTP flow to the user's email.
-   *   - `kind: 'google-id-token'`: Completes an OIDC ID token flow when Google is configured with `authMethod: 'id-token'`.
+   *   - `kind: 'google-id-token' | 'apple-id-token'`: Completes an OIDC ID token flow when the provider is configured with `authMethod: 'id-token'`.
    *   - `kind: 'google-pkce' | 'apple'`: Completes an OAuth redirect flow.
    *   Common options like `noGuard` or `noRecovery` can customize the wallet's security features.
    * @returns A promise that resolves to the address of the newly created wallet, or `undefined` if the sign-up was aborted.
@@ -721,16 +727,20 @@ export class Wallets implements WalletsInterface {
         }
       }
 
-      case 'google-id-token': {
-        const handler = getIdTokenSignupHandler(this.shared, Kinds.LoginGoogle)
+      case 'google-id-token':
+      case 'apple-id-token': {
+        const handler = getIdTokenSignupHandler(
+          this.shared,
+          args.kind === 'google-id-token' ? Kinds.LoginGoogle : Kinds.LoginApple,
+        )
         const [signer, metadata] = await handler.completeAuth(args.idToken)
         const loginEmail = metadata.email
         this.shared.modules.logger.log('Created new id token signer:', signer.address)
 
         return {
           signer,
           extra: {
-            signerKind: Kinds.LoginGoogle,
+            signerKind: getSignerKindForSignup(args.kind),
           },
           loginEmail,
         }

packages/wallet/wdk/test/identity-auth-dbs.test.ts

@@ -395,6 +395,42 @@ describe('Identity Authentication Databases', () => {
       expect(handlers.has('login-google-pkce')).toBe(false)
     })
 
+    it('Should register the Apple ID token handler when configured explicitly', async () => {
+      manager = new Manager({
+        stateProvider: new State.Local.Provider(new State.Local.IndexedDbStore(`manager-apple-idtoken-${Date.now()}`)),
+        networks: [
+          {
+            name: 'Test Network',
+            type: Network.NetworkType.MAINNET,
+            rpcUrl: LOCAL_RPC_URL,
+            chainId: Network.ChainId.ARBITRUM,
+            blockExplorer: { url: 'https://arbiscan.io' },
+            nativeCurrency: {
+              name: 'Ether',
+              symbol: 'ETH',
+              decimals: 18,
+            },
+          },
+        ],
+        relayers: [],
+        authCommitmentsDb,
+        authKeysDb,
+        identity: {
+          url: 'https://dev-identity.sequence-dev.app',
+          fetch: window.fetch,
+          apple: {
+            enabled: true,
+            clientId: 'test-apple-client-id',
+            authMethod: 'id-token',
+          },
+        },
+      })
+
+      const handlers = (manager as any).shared.handlers
+      expect(handlers.has('login-apple-id-token')).toBe(false)
+      expect(handlers.has('login-apple')).toBe(true)
+    })
+
     it('Should use auth databases when email authentication is enabled', async () => {
       manager = new Manager({
         stateProvider: new State.Local.Provider(new State.Local.IndexedDbStore(`manager-email-${Date.now()}`)),

packages/wallet/wdk/test/idtoken.test.ts

@@ -101,6 +101,22 @@ describe('IdTokenHandler', () => {
       expect(handler.kind).toBe(Kinds.LoginGoogle)
     })
 
+    it('Should normalize apple-id-token handlers to login-apple', () => {
+      const handler = new IdTokenHandler(
+        'apple-id-token',
+        'https://appleid.apple.com',
+        'test-apple-client-id',
+        mockNitroInstrument,
+        mockSignatures,
+        mockAuthKeys,
+      )
+
+      expect(handler.signupKind).toBe('apple-id-token')
+      expect(handler.issuer).toBe('https://appleid.apple.com')
+      expect(handler.audience).toBe('test-apple-client-id')
+      expect(handler.kind).toBe(Kinds.LoginApple)
+    })
+
     it('Should initialize without a registered UI callback', () => {
       expect(idTokenHandler['onPromptIdToken']).toBeUndefined()
     })

packages/wallet/wdk/test/sessions-idtoken.test.ts

@@ -60,6 +60,7 @@ describe('Sessions ID token attestation', () => {
         apple: {
           enabled: true,
           clientId: 'test-apple-client-id',
+          authMethod: 'id-token',
         },
       },
     })

packages/wallet/wdk/test/wallets.test.ts

@@ -71,6 +71,48 @@ describe('Wallets', () => {
     expect(configuration.login[0]!.kind).toBe(Kinds.LoginGoogle)
   })
 
+  it('Should create a new wallet using apple-id-token when Apple ID token auth is enabled', async () => {
+    manager = newManager({
+      identity: {
+        apple: {
+          enabled: true,
+          clientId: 'test-apple-client-id',
+          authMethod: 'id-token',
+        },
+      },
+    })
+
+    const handler = (manager as any).shared.handlers.get(Kinds.LoginApple) as IdTokenHandler
+    const loginMnemonic = Mnemonic.random(Mnemonic.english)
+    const loginSigner = MnemonicHandler.toSigner(loginMnemonic)
+    if (!loginSigner) {
+      throw new Error('Failed to create login signer for test')
+    }
+
+    const completeAuthSpy = vi
+      .spyOn(handler, 'completeAuth')
+      .mockResolvedValue([loginSigner as unknown as IdentitySigner, { email: 'apple-user@example.com' }])
+
+    const wallet = await manager.wallets.signUp({
+      kind: 'apple-id-token',
+      idToken: 'eyJhbGciOiJub25lIn0.eyJleHAiOjQxMDI0NDQ4MDB9.',
+      noGuard: true,
+    })
+
+    expect(wallet).toBeDefined()
+    expect(completeAuthSpy).toHaveBeenCalledWith('eyJhbGciOiJub25lIn0.eyJleHAiOjQxMDI0NDQ4MDB9.')
+    await expect(manager.wallets.has(wallet!)).resolves.toBeTruthy()
+
+    const walletEntry = await manager.wallets.get(wallet!)
+    expect(walletEntry).toBeDefined()
+    expect(walletEntry!.loginType).toBe(Kinds.LoginApple)
+    expect(walletEntry!.loginEmail).toBe('apple-user@example.com')
+
+    const configuration = await manager.wallets.getConfiguration(wallet!)
+    expect(configuration.login).toHaveLength(1)
+    expect(configuration.login[0]!.kind).toBe(Kinds.LoginApple)
+  })
+
   it('Should register and unregister Google ID token UI callbacks through the manager', async () => {
     manager = newManager({
       identity: {
@@ -140,6 +182,25 @@ describe('Wallets', () => {
     ).rejects.toThrow('handler-does-not-support-id-token')
   })
 
+  it('Should reject apple-id-token signup when Apple is configured for redirect auth', async () => {
+    manager = newManager({
+      identity: {
+        apple: {
+          enabled: true,
+          clientId: 'test-apple-client-id',
+        },
+      },
+    })
+
+    await expect(
+      manager.wallets.signUp({
+        kind: 'apple-id-token',
+        idToken: 'eyJhbGciOiJub25lIn0.eyJleHAiOjQxMDI0NDQ4MDB9.',
+        noGuard: true,
+      }),
+    ).rejects.toThrow('handler-does-not-support-id-token')
+  })
+
   it('Should reject custom ID token signup when the provider uses redirect auth', async () => {
     manager = newManager({
       identity: {