To configure Apple as a social login provider in Ory using YAML, you need to add the Apple provider configuration to your Ory Identities config file (typically identity-config.yaml). The key part is to include the apple_private_key as a multiline string using the YAML pipe (|) syntax. Here’s an example configuration:

yaml selfservice:   methods:     oidc:       config:         providers:           - id: apple # This must be "apple" for web browser flows             provider: apple             client_id: ... # Replace with your Apple Services ID             apple_team_id: ... # Replace with your Apple Team ID             apple_private_key_id: ... # Replace with your Apple private key identifier             apple_private_key: |               -----BEGIN PRIVATE KEY-----               YOUR_PRIVATE_KEY_CONTENT               LINE_2_OF_PRIVATE_KEY               ...               -----END PRIVATE KEY-----             issuer_url: <https://appleid.apple.com>             mapper_url: "base64://{YOUR_BASE64_ENCODED_JSONNET_HERE}"             # Alternatively, use a URL:             # mapper_url: <https://storage.googleapis.com/your-bucket/your-mapping.jsonnet>             scope:               - email       enabled: true

Important notes: - The

apple_private_key

field must be a properly formatted multiline string. Use the

|

character in YAML to indicate this, and paste the entire private key (including the BEGIN/END lines) with each line on its own line. - If you paste the private key as a single line or with incorrect spacing, Ory may not be able to decode it. This is a common issue when using the Ory Console UI, but it works correctly when using a YAML file and the CLI to update the config [Cannot add Apple private key in Ory Console UI](https://github.com/ory/network/issues/166). - After editing your YAML file, update your Ory project configuration using the CLI:

sh ory update identity-config --project <project-id> --workspace <workspace-id> --file identity-config.yaml

For a full step-by-step guide, including how to obtain the required Apple credentials, see the official documentation [Apple social sign-in](https://www.ory.sh/docs/kratos/social-signin/apple#webbrowser).