@nov
Last active January 26, 2023 04:24
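require 'apple_id'

# NOTE: in debugging mode, you can see all HTTPS requests & responses in the log.
# That log then includes the authorization code and tokens, so leave it off outside debugging.
# AppleID.debug!

# Paste the PEM-encoded EC private key between the markers.
pem = <<-PEM
-----BEGIN PRIVATE KEY-----
:
:
-----END PRIVATE KEY-----
PEM
private_key = OpenSSL::PKey::EC.new pem

client = AppleID::Client.new(
  identifier: '<YOUR-CLIENT-ID>',
  team_id: '<YOUR-TEAM-ID>',
  key_id: '<YOUR-KEY-ID>',
  private_key: private_key,
  redirect_uri: '<YOUR-REDIRECT-URI>'
)

authorization_uri = client.authorization_uri(scope: [:email, :name])
puts authorization_uri
# Open the URL in the default browser (macOS `open`); passing it as a separate
# argument keeps the shell from interpreting characters in the URL.
system 'open', authorization_uri

# Flush explicitly so the prompt is shown before waiting for input
# (`print ... and STDOUT.flush` never flushes, because print returns nil).
print 'code: '
STDOUT.flush
code = gets.chomp

# Exchange the authorization code at the token endpoint.
client.authorization_code = code
response = client.access_token!

response.id_token.verify!(
  client: client,
  access_token: response.access_token,
  # NOTE:
  # Verifying the signature requires one HTTP request to Apple's JWKs endpoint.
  # You can skip ID Token signature verification when you got the token directly
  # from the token endpoint over a TLS channel. Keep it enabled for an ID Token
  # received any other way.
  verify_signature: false
)

puts response.id_token.sub # => OpenID Connect Subject Identifier (= Apple User ID)
puts response.id_token.original_jwt.pretty_generate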
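
The claim checks an OpenID Connect client still performs on an ID Token when `verify_signature: false` is used, as an added example (not part of the gist and not the apple_id gem's code): it recomputes `at_hash` from the access token and checks `iss`, `aud` and `exp`. The client ID, access token and token contents are constructed, and SHA-256 is assumed for `at_hash`.

```ruby
require 'json'
require 'openssl'

APPLE_ISSUER = 'https://appleid.apple.com'

# base64url without padding, as used in JWTs (pack/unpack avoids extra gems).
def b64u(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64u_decode(text)
  text.tr('-_', '+/').unpack1('m').force_encoding('UTF-8')
end

# at_hash (OpenID Connect Core 3.1.3.6): left half of the hash of the access
# token, base64url encoded. SHA-256 is an assumption (RS256/ES256 ID tokens).
def at_hash_for(access_token)
  digest = OpenSSL::Digest::SHA256.digest(access_token)
  b64u(digest[0, digest.bytesize / 2])
end

# Returns the names of the checks that failed; an empty array means all passed.
# The signature segment is deliberately not checked here.
def claim_errors(id_token, client_id:, access_token:, now: Time.now.to_i)
  segments = id_token.split('.')
  return ['format'] unless segments.size == 3
  claims = JSON.parse(b64u_decode(segments[1]))
  errors = []
  errors << 'iss' unless claims['iss'] == APPLE_ISSUER
  errors << 'aud' unless Array(claims['aud']).include?(client_id)
  errors << 'exp' unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  errors << 'at_hash' unless claims['at_hash'] == at_hash_for(access_token)
  errors
rescue JSON::ParserError
  ['format']
end

# Constructed sample token (hypothetical values, placeholder signature).
def sample_id_token(overrides = {})
  claims = {
    'iss' => APPLE_ISSUER, 'aud' => 'com.example.client',
    'sub' => '000000.constructed', 'exp' => 1_700_000_600,
    'at_hash' => at_hash_for('constructed-access-token')
  }.merge(overrides)
  header = JSON.generate({ 'alg' => 'RS256' })
  [header, JSON.generate(claims), 'sig'].map { |part| b64u(part) }.join('.')
end
```

An ID Token that arrives with a different access token fails the `at_hash` check, which is what binds the two values together.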