Integrate App service with Sign-in with apple

[m-andersen]

Identify providers are easy to add but we have big problems trying to find out how to add Sign-in with Apple, which is now a requirement for all new apps. This link describes Azure AD B2C, but is that the same as Azure Active Directory? And how to link all this together like with Facebook.
https://github.com/azure-ad-b2c/samples/tree/master/policies/sign-in-with-apple

I would like to eventually see the a token and sid:xxx from EasyAuth with Sign-in with apple. Is that possible to have all these providers be compatible or what should we expect?

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 75e17529-8b8a-1d67-f0e1-840d1d3ca990
• Version Independent ID: 265645df-ef21-4631-1744-7014b3ee681a
• Content: Authentication and authorization - Azure App Service
• Content Source: articles/app-service/overview-authentication-authorization.md
• Service: app-service
• GitHub Login: @cephalin
• Microsoft Alias: cephalin

[RyanHill-MSFT]

Thanks for the feedback @m-andersen! We are currently investigating and will update you shortly.

[m-andersen]

Thank you. Looking strongly forward to a solution for this as we can't put our app in Apple app store until Sign-in with apple is implemented. If this takes too long we have to change our whole authentication scheme and use another auth-provider as we need to go live now.

[m-andersen]

@RyanHill-MSFT any updates?

[RyanHill-MSFT]

Hi @m-andersen my apologies for it being such a long delay. Closest workaround I've come across is possibly using a custom policies to allow your AD users to sign in to your B2C tenant. You'll still have to maintain that B2C tenant but may be the only option as I'm hearing that Sign In with Apple isn't supported for Azure AD.

[m-andersen]

@RyanHill-MSFT this question was in relation to Azure App service and auth providers as Facebook, Google is supported today but not Sign-in with apple. That is a requirements for all new apps sent to Apple app store. We have build our app using Azure app service (now called Web app) and the auth providers it supports.
We need to add Sign-in with apple, but Azure App service does not support this. How can we proceed so we can launch our app?

[RyanHill-MSFT]

Hi @m-andersen I've spoken with the product team. Since Sign-in with Apple is OpenID Connect compliant, the team is currently working on this integration. It's currently in private preview but I can pass along preliminary documentation and place you in touch with the team as they gain better understanding from customers using this feature.

Email me at AzCommunity[at]microsoft[dot]com ATTN: Ryan.

[RyanHill-MSFT]

#please-close

[yonkahlon]

Hi @RyanHill-MSFT

Any update on when this will arrive? I believe the deadline Apple has set is for June 30, 2020

[TimurSadykov]

@RyanHill-MSFT +1 on update request

[masonmc]

@RyanHill-MSFT +1, would love at least an ETA, ideally before 6/30... thank you in advance!

[RyanHill-MSFT]

I've contacted the product team and they're trying to make Public Preview with the next release. Due to the current situation, deployments have been delayed so they can't give an exact ETA. Hopefully it will be soon but can't guarantee any dates.

[m-andersen]

We did not have time to wait for a solution for App Service. We are also surprised that one of the biggest cloud providers do not have this in place by now.
We decided to abandon Microsoft EasyAuth totally and switched to Firebase, which have had support for apple login since november last year.
This is unfortunately not the last time Microsoft has disappointed us as a startup company.

[vignatov]

Is there any update on this?

[m-andersen]

Is there any update on this?

I recommend switching auth part to Firebase. We did that. It is easy to integrate and supports so many more identity providers.

[vignatov]

Firebase is interesting, but quite a bit pricier in our case. If MS does it this month I would prefer to wait than to jump the gun. The only thing which does not work now is EasyAuth integration, we need to know if it is going to be supported or we should find alternative solution.

[m-andersen]

Firebase is interesting, but quite a bit pricier in our case. If MS does it this month I would prefer to wait than to jump the gun. The only thing which does not work now is EasyAuth integration, we need to know if it is going to be supported or we should find alternative solution.

Your choice. Using Firebase auth is for free, which is the only thing that must be added on top of App service. Other services might cost something.

[vignatov]

Firebase is free if you do less than 10k auth/month and quite expensive if you do more than that. It is a trap for startups.

[RyanHill-MSFT]

I wanted to provide an update for everyone. The product team is close to a public preview of sign-in with apple integration. The COVID-19 has affected build and schedule release timelines and we do apologize for these delays. I can't give an exact ETA but hopefully it will be this month.

/cc @vignatov @m-andersen @masonmc @zababahin

[NunoBem]

@RyanHill-MSFT I just got my app update rejected by Apple.

Guideline 4.8 - Design - Sign in with Apple
We noticed that your app uses a third-party login service but does not offer Sign in with Apple.

Some search took me here. How is this issue Closed? The deadline was 30Jun, there's no solution?

@m-andersen can we migrate "easily" our users to Firebase?

[RyanHill-MSFT]

@RyanHill-MSFT I just got my app update rejected by Apple.

Guideline 4.8 - Design - Sign in with Apple

We noticed that your app uses a third-party login service but does not offer Sign in with Apple.

Some search took me here. How is this issue Closed? The deadline was 30Jun, there's no solution?

@m-andersen can we migrate "easily" our users to Firebase?

@NunoBem the product team has a public preview ready for release. Release schedules have been muddled due to the current pandemic. Not that it's an excuse but a reason for such delays. Reach out to me at AzCommunity[at]microsoft[dot]com so I can provide you the document on how to use OpenID configuration so you can get your app certified. I certainly apologize for this gap but rest assured the team is working to get the gap filled.

[m-andersen]

@RyanHill-MSFT I just got my app update rejected by Apple.

Guideline 4.8 - Design - Sign in with Apple
We noticed that your app uses a third-party login service but does not offer Sign in with Apple.

Some search took me here. How is this issue Closed? The deadline was 30Jun, there's no solution?

@m-andersen can we migrate "easily" our users to Firebase?
@NunoBem we integrated firebase auth to the server. However, you will have to find your own solution if you need to migrate existing users. We were not public yet so we were in luck user IDs on server could change without everything broke

[RyanHill-MSFT]

Hi @m-andersen, I've just sent you an email outlining how to configure your Azure App with Sign-In with Apple. Should you run into issues, please feel free to let me know.

[gfaraj]

@RyanHill-MSFT Just checking in here to see if there's any updates. Thanks!

[RyanHill-MSFT]

@RyanHill-MSFT Just checking in here to see if there's any updates. Thanks!

Hi @gfaraj, I sent you an email back on 6/7 asking for additional information. I'll send it again just in case you missed.

[gfaraj]

Oh, sorry about that, I probably missed it, thanks!

[RyanHill-MSFT]

Oh, sorry about that, I probably missed it, thanks!

No worries 😊

[TrevorHerr]

@gfaraj can you keep us in the loop. We about to implement a similar scenario (native iOS app + web with Apple Login) and want to know it's going to work before we go with App Services.

[ETsunami]

@RyanHill-MSFT @NunoBem @PaulARoy Is there a way any of you have found to get past the app store Sign in with Apple requirements with Azure B2C that isn't getting rid of social logins? Any guidance would be appreciated, thanks!

[RyanHill-MSFT]

@RyanHill-MSFT @NunoBem @PaulARoy Is there a way any of you have found to get past the app store Sign in with Apple requirements with Azure B2C that isn't getting rid of social logins? Any guidance would be appreciated, thanks!

Can you describe your Auth setup? If you rather discuss offline, send me an email to AzCommunity[at]microsoft[dot]com ATTN: Ryan

[NunoBem]

@RyanHill-MSFT @NunoBem @PaulARoy Is there a way any of you have found to get past the app store Sign in with Apple requirements with Azure B2C that isn't getting rid of social logins? Any guidance would be appreciated, thanks!

I gave up on the social logins because of that. So I'm just using the local (email). But they now have Apple Login has a preview, did you manage to try it?

[PaulARoy]

@RyanHill-MSFT @NunoBem @PaulARoy Is there a way any of you have found to get past the app store Sign in with Apple requirements with Azure B2C that isn't getting rid of social logins? Any guidance would be appreciated, thanks!

I implemented it myself with a custom .auth endpoint.
I tried the preview but there was no way to get the name from it.

[burrowj]

Can I ask if anyone has got this to work?

I have been through the setup here
https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-apple

and I get a 401 response when post to

https://myserver/.auth/login/apple

with the id_token set in the body

Thanks
John

[burrowj]

@gfaraj did you get this to work? We seem to have got to the same error

[gfaraj]

Sorry @burrowj but no, we haven't found a suitable solution for this. We currently have a separate apple-web provider with the client id for the web app, but this does not work well with the native app.

I haven't gotten a response from Microsoft on this, unfortunately.

[burrowj]

Microsoft seem to have shutdown, at least in this space. I'm not getting any responses either so far. I've managed to get the native app to work to a point. Could well be something on my end but its hard to troubleshoot.
Going to check out Okta to see what they can offer.
Thanks for getting back to me.

[RyanHill-MSFT]

Not shutdown, I assure you @burrowj and @gfaraj. I truly apologize for the delayed response. You have not been forgotten; I assure you. @burrowj, send me an email to AzCommunity[at]microsoft[dot]com ATTN: Ryan so we can continue offline.

[burrowj]

For anyone else that is wasting a lot of time trying to work out client directed flow and Azure Authentication I will post my findings here in an attempt to save other people time. This first one was reported to Microsoft 2 weeks ago by Ryan but the documentation is still not updated so no doubt people are still wasting there time. It also seems that the requested place for posting issues

Azure/app-service-announcements-discussions#235

is not being monitored

So far we have worked out that the documentation here
https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-file-based
is wrong.

Configuration file reference
"unauthenticatedClientAction": "RedirectToLoginPage|AllowAnonymous|Return401|Return403",

should be

"unauthenticatedClientAction": "RedirectToLoginPage|AllowAnonymous|RejectWith401|RejectWith404",

[gfaraj]

@gfaraj I've reached out to the product team for any updates.

EDIT: The token refresh isn't supported with generic OIDC, but the team is working on a solution to address this limitation. When more details are available, we'll share them.

/cc @mattchenderson

Hi @RyanHill-MSFT -- do we have any updates on the short-lived tokens when using the Apple OIDC provider?

[lukewar]

Hey @RyanHill-MSFT I was integrating "Sing in with Apple" and I was struggling with many similar things people have been mentioning in this thread. How long do you think this feature will be in Preview mode, it's been some time since the original release.

I would kindly suggest that, the documentation requires an update. While this doc is pretty good https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-apple outlining all the steps, I could not find any documentation on how to structure calls to /.auth/login/apple, as this doc does not mention it: https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-customize-sign-in-out#client-directed-sign-in. After finding this thread, and your response (thank you 🙇), I learned which parameter I should send.

POST https://<appname>.azurewebsites.net/.auth/login/apple HTTP/1.1
Content-Type: application/json

{"id_token": identityToken}

But token refresh issue still stands. This release mentions that is is supported but I could not find any docs how to set it up. If I understand the auth flow correctly, I believe that to make it work one needs to send authorization_code together with id_token in /.auth/login/apple, though any mention of it is missing in: https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-oauth-tokens#refresh-auth-tokens

@taimila I think that my question relates to you post from some time ago #47611 (comment), did you manage to get refresh working?

BTW: If anyone else is struggling with getting 401 when making /.auth/login/apple call I have discovered that webapp's/functionapp's OS seems to be a factor as well. For apps using Linux OS this returns 401 while for apps configured with Windows it works fine. I've described the issue in mode detail here: https://feedback.azure.com/d365community/idea/f406a46f-5748-ec11-a819-0022484bf651

[RyanHill-MSFT]

Hey @RyanHill-MSFT I was integrating "Sing in with Apple" and I was struggling with many similar things people have been mentioning in this thread. How long do you think this feature will be in Preview mode, it's been some time since the original release.

I would kindly suggest that, the documentation requires an update. While this doc is pretty good https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-apple outlining all the steps, I could not find any documentation on how to structure calls to /.auth/login/apple, as this doc does not mention it: https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-customize-sign-in-out#client-directed-sign-in. After finding this thread, and your response (thank you 🙇), I learned which parameter I should send.

POST https://<appname>.azurewebsites.net/.auth/login/apple HTTP/1.1
Content-Type: application/json

{"id_token": identityToken}

But token refresh issue still stands. This release mentions that is is supported but I could not find any docs how to set it up. If I understand the auth flow correctly, I believe that to make it work one needs to send authorization_code together with id_token in /.auth/login/apple, though any mention of it is missing in: https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-oauth-tokens#refresh-auth-tokens

@taimila I think that my question relates to you post from some time ago #47611 (comment), did you manage to get refresh working?

BTW: If anyone else is struggling with getting 401 when making /.auth/login/apple call I have discovered that webapp's/functionapp's OS seems to be a factor as well. For apps using Linux OS this returns 401 while for apps configured with Windows it works fine. I've described the issue in mode detail here: https://feedback.azure.com/d365community/idea/f406a46f-5748-ec11-a819-0022484bf651

Thanks for the feedback @lukewar. We'll get the docs updated for providing those missing steps. As for a Preview -> GA timeline, I don't have any information but will ask for update. I'll also highlight your submitted feedback item to product group.

[lukewar]

Thank you @RyanHill-MSFT, very much appreciated ❤️.
From experience I know that those things tend to take time. Do you think that you would be able to provide resolution steps to the refreshing session issue? Or maybe provide a point of contact to product team who could help resolve that problem? I tried reaching out here but didn't hear back.

[RyanHill-MSFT]

Thank you @RyanHill-MSFT, very much appreciated ❤️. From experience I know that those things tend to take time. Do you think that you would be able to provide resolution steps to the refreshing session issue? Or maybe provide a point of contact to product team who could help resolve that problem? I tried reaching out here but didn't hear back.

@luewar, send me an email to AzCommunity[at]microsoft[dot]com so I work more closely with you regarding the token refresh issue.

[HeinA]

Hey @RyanHill-MSFT I was integrating "Sing in with Apple" and I was struggling with many similar things people have been mentioning in this thread. How long do you think this feature will be in Preview mode, it's been some time since the original release.

I would kindly suggest that, the documentation requires an update. While this doc is pretty good https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-apple outlining all the steps, I could not find any documentation on how to structure calls to /.auth/login/apple, as this doc does not mention it: https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-customize-sign-in-out#client-directed-sign-in. After finding this thread, and your response (thank you 🙇), I learned which parameter I should send.

POST https://<appname>.azurewebsites.net/.auth/login/apple HTTP/1.1
Content-Type: application/json

{"id_token": identityToken}

But token refresh issue still stands. This release mentions that is is supported but I could not find any docs how to set it up. If I understand the auth flow correctly, I believe that to make it work one needs to send authorization_code together with id_token in /.auth/login/apple, though any mention of it is missing in: https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-oauth-tokens#refresh-auth-tokens

@taimila I think that my question relates to you post from some time ago #47611 (comment), did you manage to get refresh working?

BTW: If anyone else is struggling with getting 401 when making /.auth/login/apple call I have discovered that webapp's/functionapp's OS seems to be a factor as well. For apps using Linux OS this returns 401 while for apps configured with Windows it works fine. I've described the issue in mode detail here: https://feedback.azure.com/d365community/idea/f406a46f-5748-ec11-a819-0022484bf651

'ello

I have an App Service Running Windows, but I also get a 401 when trying to authorize

I would really appreciate some help with this

Cheerz!

[RyanHill-MSFT]

@HeinA which authentication flow are you using? At what point are you getting the 401?

[HeinA]

@HeinA which authentication flow are you using? At what point are you getting the 401?

Hey. This happen when I try to post the id_token to /.auth/login/apple from a Unity app (client directed flow)

[HeinA]

@HeinA which authentication flow are you using? At what point are you getting the 401?

Got it sorted out. It was a miconfiguration on the App Service side.

Thanx for your prompt response though!

Regards

[HeinA]

Hey @RyanHill-MSFT

I'm now also having difficulty in refreshing the Apple token. May I also contact you at the above mentioned email address to resolve this issue?

Thanx

[RyanHill-MSFT]

Hey @RyanHill-MSFT

I'm now also having difficulty in refreshing the Apple token. May I also contact you at the above mentioned email address to resolve this issue?

Thanx

Yes you can @HeinA

[StuartFeldt]

@gfaraj I've reached out to the product team for any updates.
EDIT: The token refresh isn't supported with generic OIDC, but the team is working on a solution to address this limitation. When more details are available, we'll share them.
/cc @mattchenderson

Hi @RyanHill-MSFT -- do we have any updates on the short-lived tokens when using the Apple OIDC provider?

@RyanHill-MSFT Any update on token refresh for Apple OIDC provider?

[masonmc]

some notes for others still struggling:

this definitely worked for me. I was getting a 401 ("you do not have permission to view this page") when I passed the token I got from the Apple API calls up to /.auth/login/apple.

My 401 was caused by an incorrect Apple Client Secret JWT (the JWT you construct using the p8 you downloaded from apple). Remember, these expire every 6 months, so if it was working, and now it's broke, that might be why!

Follow the instructions at: https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-apple

To generate the JWT you'll need some code, your team ID, your key ID, your p8, and your client ID.

Your Team ID and KeyId are these:

Make a new C# console app, and enable (fancy! new!) immediate execution (https://learn.microsoft.com/en-us/dotnet/csharp/fundamentals/program-structure/top-level-statements).

Use this sample code (this is the JWT generation sample code from the above link, + I added some Console.WriteLine() calls):

using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;

void GetAppleClientSecret(string teamId, string clientId, string keyId, string p8key)
{
    string audience = "https://appleid.apple.com";

    string issuer = teamId;
    string subject = clientId;
    string kid = keyId;

    IList<Claim> claims = new List<Claim> {
        new Claim ("sub", subject)
    };

    CngKey cngKey = CngKey.Import(Convert.FromBase64String(p8key), CngKeyBlobFormat.Pkcs8PrivateBlob);

    SigningCredentials signingCred = new SigningCredentials(
        new ECDsaSecurityKey(new ECDsaCng(cngKey)),
        SecurityAlgorithms.EcdsaSha256
    );

    JwtSecurityToken token = new JwtSecurityToken(
        issuer,
        audience,
        claims,
        DateTime.Now,
        DateTime.Now.AddDays(180),
        signingCred
    );
    token.Header.Add("kid", kid);
    token.Header.Remove("typ");

    Console.WriteLine($"token:\n\n{token}");
    JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();

    Console.WriteLine("\n\n");
    Console.WriteLine("\n----- done.  Put the following into Azure, client secret setting:\n\n");
    Console.WriteLine(tokenHandler.WriteToken(token));
}

GetAppleClientSecret(
    teamId: "(see above, the 10-character ID in the top-right of developer.apple.com, next to your name)",
    clientId: "(your client ID.  I used the ID of my actual app (com.xxx.xxxapp).  I didn't use the services ID.  I'm not sure it matters, so long as what's specified here matches what's configured in the azure portal.)",
    keyId: "(see above. This key should have Sign in with Apple as an Enabled Service)",
    p8key: "(you downloaded this from apple, default filename is AuthKey_(keyId).p8.  Paste in the chars between the ---BEGIN and ---END PRIVATE KEY, no line breaks.)"
);

Console.ReadLine(); // so the console stays up, allowing you to copy the key out!

I'm using these nugets:

The JWT you need is exactly that last outputted string (it'll start with eyJ... probably), with NO LINE BREAKS:

(By the way, you can paste that JWT into https://www.jstoolset.com/jwt to verify it and make note of the expiration date).

Next, go to the configuration page of your mobile app in azure, and create a new application setting. Name it anything, I named mine "signInWithAppleClientSecret", and I set its value to the JWT (again, careful there's no line breaks, leading/trailing spaces, etc. It must be exact).

Don't forget to hit save, up top!

Then, go to the Authentication page of your mobile app in azure, and Add Provider, Apple.

Your client ID in this config must match the clientID in the JWT (aka the 2nd argument to GetAppleClientSecret()). For "Client Secret Setting Name," choose the application setting you just made (i.e. signInWithAppleClientSecret).

RESTART your azure app.

On the client side, the correct way to pass what you get from the Apple SDK is, as others have pointed out, via id_token. This little detail is missing from the docs.

{"id_token": (identityToken) }

where (identityToken) is the "IdentityToken" property of the ASAuthorizationAppleIdCredential you (hopefully!) got back from your call to ASAuthorization's GetCredential method (inside your DidComplete).

Here's my (chopped up!) client side code, confirmed working:

public class SignInWithAppleLoginResults
    {
        public bool IsSuccess;
        public string Message { get; set; }
        public string IdToken { get; set; }
    }

.....
public async Task<SignInWithAppleLoginResults> SignInWithAppleAsync()
{
                _signInWithAppleCompletionTask = new TaskCompletionSource<SignInWithAppleLoginResults>();

                var appleIdProvider = new ASAuthorizationAppleIdProvider();
                var request = appleIdProvider.CreateRequest();
                request.RequestedScopes = new[] { ASAuthorizationScope.Email, ASAuthorizationScope.FullName };

                var authorizationController = new ASAuthorizationController(new ASAuthorizationRequest[] { request });
                authorizationController.Delegate = this;
                authorizationController.PresentationContextProvider = this;
                authorizationController.PerformRequests();

                var appleAuth = await _signInWithAppleCompletionTask.Task;

                if (appleAuth.IsSuccess == false)
                {
                    throw new Exception(appleAuth.Message);
                }

                // now we have the apple token... give it to azure to finish off the login.
                JObject zumoPayload = new JObject
                {
                    ["id_token"] = appleAuth.IdToken
                };

                var signedInUser = await MobileService.LoginAsync("apple", zumoPayload);
                if (signedInUser != null) Log.Information($"you are now signed-in as {signedInUser.UserId}"); 
                // UserId will be sid:xxxxx..., and you'll have an azure token!
                
                ..... // other app-specific code to get real name etc from azure, snipped
}

And then the didComplete, for the Apple SDK:

        [Export("authorizationController:didCompleteWithAuthorization:")]
        public void DidComplete(ASAuthorizationController controller, ASAuthorization authorization)
        {
            var results = new SignInWithAppleLoginResults()

            if (authorization.GetCredential<ASAuthorizationAppleIdCredential>() is ASAuthorizationAppleIdCredential appleIdCredential)
            {
                results.IdToken = appleIdCredential.IdentityToken.ToString();
                results.IsSuccess = true;
                results.Message = "Logged in!"; // this is specific to my app, ignore.
            }
            else 
            { 
                results.IsSuccess = false,
                results.Message = "Did not receive Apple ID credentials";
            }
            _signInWithAppleCompletionTask.TrySetResult(results);
        }

        [Export("authorizationController:didCompleteWithError:")]
        public void DidComplete(ASAuthorizationController controller, NSError error)
        {
            Log.Error($"DidComplete (apple sign in): error: {error.ToString()}");

            _signInWithAppleCompletionTask.TrySetResult(new SignInWithAppleLoginResults()
            {
                IsSuccess = false,
                Message = error.ToString()
            });
        }

I hope it helps!

[burrowj]

@masonmc did you get token refresh working for apple? my tokens are lasting 1 day