In the closed issue Sign in with Apple Oauth2 Support #9047, it was (correctly) stated that basic support for "Sign In With Apple" is available in Spring Security's OAuth2 module via simple YAML declarations of "provider" and "registration" in application.yaml.

However, there is an issue with the "client-secret" in that configuration, because unlike other OAuth/OpenID providers, Apple uses a non-static client secret, which in their case must be the string representation of a JWT with an expiration date of at most 6 months in the future (see https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens). Consequently it's not feasible to statically configure the client secret, as it would require re-configuring and restarting the application with a fresh secret at least twice a year.

Now, even when overriding via a custom ClientRegistration implementation for this purpose, the problem remains – as far as I can tell, the org.springframework.security.oauth2.client.registration.Builder class only supports a static secret as well.

I guess what would be needed is a more dynamic approach, allowing the builder to provide a fresh client secret at runtime rather than accepting one upon application startup, to support Apple's and similar implementations.

Comment From: jzheaux

Hi, @thomas-corte, thanks for the additional detail. Does it appear to you that https://github.com/spring-projects/spring-security/issues/8175 would resolve your concern? If so, I think we can close this ticket as a duplicate, and I'd encourage you to contribute to that ticket instead.

Comment From: thomas-corte

Hello @jzheaux, thanks for the quick reply – yes, it seems that #8175 covers what's required for making "Sign In with Apple" work, so this may be closed as a duplicate. I'll add a comment to the other issue.