MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Integrate App service with Sign-in with apple #47611

Closed m-andersen closed 4 years ago

m-andersen commented 4 years ago

Identity providers are easy to add, but we have big problems trying to find out how to add Sign-in with Apple, which is now a requirement for all new apps. This link describes Azure AD B2C, but is that the same as Azure Active Directory? And how to link all this together like with Facebook. https://github.com/azure-ad-b2c/samples/tree/master/policies/sign-in-with-apple

I would like to eventually see a token and sid:xxx from EasyAuth with Sign-in with Apple. Is it possible to have all these providers be compatible, or what should we expect?


RyanHill-MSFT commented 4 years ago

Thanks for the feedback @m-andersen! We are currently investigating and will update you shortly.

m-andersen commented 4 years ago

Thank you. Looking strongly forward to a solution for this as we can't put our app in Apple app store until Sign-in with apple is implemented. If this takes too long we have to change our whole authentication scheme and use another auth-provider as we need to go live now.

m-andersen commented 4 years ago

@RyanHill-MSFT any updates?

RyanHill-MSFT commented 4 years ago

Hi @m-andersen, my apologies for it being such a long delay. The closest workaround I've come across is possibly using custom policies to allow your AD users to sign in to your B2C tenant. You'll still have to maintain that B2C tenant, but it may be the only option, as I'm hearing that Sign In with Apple isn't supported for Azure AD.

m-andersen commented 4 years ago

@RyanHill-MSFT this question was in relation to Azure App Service and auth providers: Facebook and Google are supported today, but not Sign-in with Apple. That is a requirement for all new apps sent to the Apple App Store. We have built our app using Azure App Service (now called Web App) and the auth providers it supports. We need to add Sign-in with Apple, but Azure App Service does not support this. How can we proceed so we can launch our app?

RyanHill-MSFT commented 4 years ago

Hi @m-andersen I've spoken with the product team. Since Sign-in with Apple is OpenID Connect compliant, the team is currently working on this integration. It's currently in private preview but I can pass along preliminary documentation and place you in touch with the team as they gain better understanding from customers using this feature.

Email me at AzCommunity[at]microsoft[dot]com ATTN: Ryan.

RyanHill-MSFT commented 4 years ago

please-close

yonkahlon commented 4 years ago

Hi @RyanHill-MSFT

Any update on when this will arrive? I believe the deadline Apple has set is for June 30, 2020

TimurSadykov commented 4 years ago

@RyanHill-MSFT +1 on update request

masonmc commented 4 years ago

@RyanHill-MSFT +1, would love at least an ETA, ideally before 6/30... thank you in advance!

RyanHill-MSFT commented 4 years ago

I've contacted the product team and they're trying to make Public Preview with the next release. Due to the current situation, deployments have been delayed so they can't give an exact ETA. Hopefully it will be soon but can't guarantee any dates.

m-andersen commented 4 years ago

We did not have time to wait for a solution for App Service. We are also surprised that one of the biggest cloud providers does not have this in place by now. We decided to abandon Microsoft EasyAuth totally and switched to Firebase, which has had support for Apple login since November last year. This is unfortunately not the last time Microsoft has disappointed us as a startup company.

vignatov commented 4 years ago

Is there any update on this?

m-andersen commented 4 years ago

I recommend switching auth part to Firebase. We did that. It is easy to integrate and supports so many more identity providers.

vignatov commented 4 years ago

Firebase is interesting, but quite a bit pricier in our case. If MS does it this month I would prefer to wait than to jump the gun. The only thing which does not work now is EasyAuth integration, we need to know if it is going to be supported or we should find alternative solution.

m-andersen commented 4 years ago

Your choice. Using Firebase auth is for free, which is the only thing that must be added on top of App service. Other services might cost something.

vignatov commented 4 years ago

Firebase is free if you do less than 10k auth/month and quite expensive if you do more than that. It is a trap for startups.

RyanHill-MSFT commented 4 years ago

I wanted to provide an update for everyone. The product team is close to a public preview of Sign-in with Apple integration. COVID-19 has affected build and release schedule timelines, and we do apologize for these delays. I can't give an exact ETA, but hopefully it will be this month.

/cc @vignatov @m-andersen @masonmc @zababahin

NunoBem commented 4 years ago

@RyanHill-MSFT I just got my app update rejected by Apple.

Guideline 4.8 - Design - Sign in with Apple We noticed that your app uses a third-party login service but does not offer Sign in with Apple.

Some search took me here. How is this issue Closed? The deadline was 30Jun, there's no solution?

@m-andersen can we migrate "easily" our users to Firebase?

RyanHill-MSFT commented 4 years ago

@NunoBem the product team has a public preview ready for release. Release schedules have been muddled due to the current pandemic. Not that it's an excuse but a reason for such delays. Reach out to me at AzCommunity[at]microsoft[dot]com so I can provide you the document on how to use OpenID configuration so you can get your app certified. I certainly apologize for this gap but rest assured the team is working to get the gap filled.

m-andersen commented 4 years ago

@NunoBem we integrated Firebase auth to the server. However, you will have to find your own solution if you need to migrate existing users. We were not public yet, so we were in luck: user IDs on the server could change without everything breaking.

RyanHill-MSFT commented 4 years ago

Hi @m-andersen, I've just sent you an email outlining how to configure your Azure App with Sign-In with Apple. Should you run into issues, please feel free to let me know.

RyanHill-MSFT commented 4 years ago

We've released https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-openid-connect that provides instructions for configuring Sign-in with Apple with app services. If you run into issues, please let me know.

/cc @m-andersen @NunoBem @vignatov @masonmc @zababahin @yonkahlon

NunoBem commented 4 years ago

@RyanHill-MSFT I tried following the guide: https://github.com/azure-ad-b2c/samples/tree/master/policies/sign-in-with-apple and then compared with the doc you sent to make adjustments. But I'm unable to make this work. I implemented the Azure Functions in the sample, as I don't use App Service, but that seems to be the case for the doc you sent.

Can't the sample be updated? Will Sign in with Apple be an "Identity provider"?

Even if I make this work, the app should be rejected, as this is the typical response: "Your app uses Sign in with Apple as a login option but does not use Sign in with Apple button design, branding and/or user interface elements appropriately as described in the Sign in With Apple Human Interface Guidelines."

This is very chaotic for an identity management service. I'm counting the days I'm unable to update our app to our customers.

RyanHill-MSFT commented 4 years ago

Hi @NunoBem, I'll follow up with regards to getting the sample code update. Were you not able to add the configuration to your function app? Your function app won't have any impact on the human interface guidelines because that should come from your iOS app, not the function app.

RyanHill-MSFT commented 4 years ago

Closing as Configure an OpenID Connect provider (Preview) - Azure App Service has been released. If there are any issues, please submit issues against that doc.

gfaraj commented 4 years ago

Hi @RyanHill-MSFT thanks for the update. If I'm looking at this document correctly, I have two questions:

  1. I have configured other providers through the Azure portal and from what I'm reading, it looks like if I enable file-based configuration for Apple login, I will lose those other providers I already set up. Is there a way to export/copy the current config to easily re-construct the file?

  2. I'm not seeing what I have to do to validate provider tokens when using client-based authentication. Basically the info provided in the Validate tokens from providers section in this document: https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-how-to

Any direction will be greatly appreciated.

RyanHill-MSFT commented 4 years ago

Hi @gfaraj

  1. As of right now, there isn't any translation. The team, however, is working to bring that feature in a future iteration (no timeline yet).
  2. If you're referring to a client-directed flow on an OIDC provider, that isn't supported, as OIDC doesn't provide a protocol flow. If it were a different validation flow you were referring to, could you elaborate?

gfaraj commented 4 years ago

Yep, I'm referring to client-directed flow. In my React Native app, I have log-in with Facebook and Google integrated using a client-directed flow by posting to the appropriate /.auth/login end-point.

I have integrated this package into my app that correctly signs in a user with Apple in the client: https://github.com/invertase/react-native-apple-authentication

I was expecting/hoping I could perform the same kind of client-directed flow with Apple, considering I have access to this identity token: https://github.com/invertase/react-native-apple-authentication/blob/master/docs/interfaces/_lib_index_d_.rnappleauth.appleauthrequestresponse.md#identitytoken

There's no way to pass this token to the Functions app to receive an Azure auth token that I can use as the X-ZUMO-AUTH header?

gfaraj commented 4 years ago

Any direction would be appreciated @RyanHill-MSFT , this is delaying our iOS launch. Thanks!

RyanHill-MSFT commented 4 years ago

@gfaraj, OIDC client flow isn't supported but I'm working with the product group for any feasible alternative.

RyanHill-MSFT commented 4 years ago

@gfaraj you should be able to use the following flow. Send your request with your identityToken to

POST https://<appname>.azurewebsites.net/.auth/login/apple HTTP/1.1
Content-Type: application/json

{"id_token": identityToken,"access_token":"<token>"}

and use the authorization token in the X-ZUMO-AUTH header. If you run into issues using this client flow, send me any error messages you receive, and I'll pass them along to the rest of the team.

gfaraj commented 4 years ago

Ohhh that's awesome.

This still requires switching to a file configuration for the providers and configuring an OpenID Connect provider with "apple" as the name, right?

Also, for passing that access_token field, does this sound like the correct value? https://github.com/invertase/react-native-apple-authentication/blob/master/docs/interfaces/_lib_index_d_.rnappleauth.appleauthrequestresponse.md#authorizationcode

Thanks so much!

RyanHill-MSFT commented 4 years ago

@gfaraj good news, you don't need access_token for POST request. So, all you need to do is

POST https://<appname>.azurewebsites.net/.auth/login/apple HTTP/1.1
Content-Type: application/json

{"id_token": identityToken}

With regards to your first question, that is correct. In order to use Apple sign-in, you need to switch to file configuration. That means any configuration done in EasyAuth will be ignored, and you'll have to add those existing settings to the file-based configuration.
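The client-directed exchange Ryan describes in the two comments above (POST the Apple identity token as id_token to /.auth/login/apple, then send the returned session token in X-ZUMO-AUTH on later calls), written out as an added Go example; it is not code from the thread or from the App Service product. The response fields authenticationToken and user.userId are the ones App Service documents for client-directed sign-in. The stand-in server, the session token value, the id_token string and the /api/whoami route are constructed for the example; the stand-in checks request shape only and performs none of the id_token validation the real EasyAuth module does.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// LoginResponse is the JSON /.auth/login/<provider> returns; authenticationToken goes into X-ZUMO-AUTH.
type LoginResponse struct {
	AuthenticationToken string `json:"authenticationToken"`
	User                struct {
		UserID string `json:"userId"`
	} `json:"user"`
}

// ExchangeAppleIDToken runs the client-directed flow: the identity token from Apple's SDK is
// posted as {"id_token": ...} and App Service, which validates it, answers with a session token.
func ExchangeAppleIDToken(client *http.Client, baseURL, idToken string) (*LoginResponse, error) {
	if idToken == "" {
		return nil, errors.New("refusing to post an empty id_token")
	}
	body, _ := json.Marshal(map[string]string{"id_token": idToken})
	resp, err := client.Post(baseURL+"/.auth/login/apple", "application/json", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	raw, _ := io.ReadAll(resp.Body)
	switch resp.StatusCode {
	case http.StatusOK:
	case http.StatusNotFound: // the 404 from the thread: no provider named "apple" is active
		return nil, errors.New("/.auth/login/apple not found: provider \"apple\" is not configured (check isAuthFromFile and auth.json)")
	default:
		return nil, fmt.Errorf("login rejected: %d %s", resp.StatusCode, bytes.TrimSpace(raw))
	}
	var lr LoginResponse
	if err := json.Unmarshal(raw, &lr); err != nil || lr.AuthenticationToken == "" {
		return nil, errors.New("login response carried no authenticationToken")
	}
	return &lr, nil
}

// NewAuthenticatedRequest carries the session token in X-ZUMO-AUTH, the header EasyAuth reads.
func NewAuthenticatedRequest(method, url, sessionToken string) (*http.Request, error) {
	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-ZUMO-AUTH", sessionToken)
	return req, nil
}

const FakeSessionToken = "constructed-session-token" // issued by the stand-in server below

// NewFakeEasyAuth is a constructed stand-in for the two App Service endpoints so the exchange
// runs offline; it checks request shape only and does not validate the id_token signature.
func NewFakeEasyAuth(appleConfigured bool) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/.auth/login/apple", func(w http.ResponseWriter, r *http.Request) {
		if !appleConfigured {
			http.NotFound(w, r)
			return
		}
		var in struct{ IDToken string `json:"id_token"` }
		if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&in) != nil || in.IDToken == "" {
			http.Error(w, `{"error":"id_token is required"}`, http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprintf(w, `{"authenticationToken":%q,"user":{"userId":"sid:constructed"}}`, FakeSessionToken)
	})
	mux.HandleFunc("/api/whoami", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-ZUMO-AUTH") != FakeSessionToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, "authenticated")
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewFakeEasyAuth(true)
	defer srv.Close()
	lr, err := ExchangeAppleIDToken(srv.Client(), srv.URL, "constructed.apple.id_token") // constructed stand-in for Apple's identityToken
	if err != nil {
		panic(err)
	}
	req, _ := NewAuthenticatedRequest(http.MethodGet, srv.URL+"/api/whoami", lr.AuthenticationToken)
	resp, err := srv.Client().Do(req)
	if err != nil {
		panic(err)
	}
	fmt.Println("user:", lr.User.UserID, "api status:", resp.Status)
}
```

Against a real app, baseURL is https://<appname>.azurewebsites.net and idToken is the identityToken from the Apple SDK; the access_token field is not needed, as Ryan confirms. The 404 branch is what gfaraj reports further down in the thread, and it points at configuration rather than at the token.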

gfaraj commented 4 years ago

Excellent! Really appreciate your quick help on this! Will be testing this soon.

gfaraj commented 4 years ago

Hey @RyanHill-MSFT I'm getting a 404 / Not Found error on the login URL you indicated:

https://<appname>.azurewebsites.net/.auth/login/apple

Here's a log from my app: [screenshot not included]

Making sure that file-based config is enabled:

[screenshot not included]

Confirming that the auth.json exists in my app:

[screenshot not included]

I also confirmed that my other providers (facebook and google) are working correctly and respond to their respective /.auth/login endpoints.

Do you think I missed something? Thanks!

gfaraj commented 4 years ago

By the way, for anyone else struggling with this, I used the Azure CLI (in cmd.exe) to update the auth settings, like this:

az rest --method put --url https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-name>/providers/Microsoft.Web/sites/<site-name>/config/authsettings?api-version=2018-02-01 --body "{\"properties\":{\"enabled\":\"true\",\"isAuthFromFile\":\"true\",\"authFilePath\":\"auth.json\"}}"

I spent way too much time on figuring this out since I was not familiar with this API prior to this, so hopefully this will save someone else some time.

RyanHill-MSFT commented 4 years ago

Not that I can see @gfaraj. Send me your app name to AzCommunity@microsoft.com ATTN: Ryan so we can look into it.

gfaraj commented 4 years ago

Email sent. Thanks a lot for looking into this!

rustem08 commented 4 years ago

Hello, @RyanHill-MSFT. I have an issue with Apple auth too.

  1. I configured the app service for Apple auth following this instruction: https://docs.microsoft.com/ru-ru/azure/app-service/configure-authentication-provider-openid-connect My auth.json config looks like:

    {
      "platform": { "enabled": true },
      "globalValidation": {
        "redirectToProvider": "apple",
        "unauthenticatedClientAction": "RedirectToLoginPage"
      },
      "identityProviders": {
        "openIdConnectProviders": {
          "apple": {
            "registration": {
              "clientId": "<Service ID from Apple>",
              "clientCredential": { "secretSettingName": "APPLE_GENERATED_CLIENT_SECRET" },
              "openIdConnectConfiguration": {
                "wellKnownOpenIdConfiguration": "https://appleid.apple.com/.well-known/openid-configuration"
              }
            },
            "login": {
              "nameClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
              "scope": [],
              "loginParameterNames": []
            }
          }
        }
      },
      "login": {
        "tokenStore": { "enabled": true },
        "allowedExternalRedirectUrls": [
          "fbox://easyauth.callback",
          "https://localhost:44312",
          "https://<my web site>.azurewebsites.net",
          "https://<my web site2>.azurewebsites.net/",
          "https://<my app service>.azurewebsites.net"
        ]
      }
    }

  2. The APPLE_GENERATED_CLIENT_SECRET parameter is configured in the application settings. The value of the parameter is the value from the Apple *.p8 key file.

  3. Next one, I enable file-based auth by command az rest --method put --uri https://management.azure.com/subscriptions/ <my_service_plan>/resourceGroups/ <my resource group >/providers/Microsoft.Web/sites/ <my app service>/config/authsettings?api-version=2018-02-01 --body "{\"properties\":{\"enabled\":\"true\",\"isAuthFromFile\":\"true\",\"authFilePath\":\"auth.json\"}}" and then restart the app service.

  4. On the App Service Authentication/Authorization tab, the message "File-based configuration has been enabled for this app. To re-enable configuration from the portal, please set 'isAuthFromFile' to be false. Click to learn more." appears.

  5. Then I try to auth from apple from my app via https:// <my app service>.azurewebsites.net/.auth/login/apple request.

  6. The app service redirects request to https://appleid.apple.com/auth/authorize?response_type=code&client_id= <my service ID from apple >&redirect_uri=https%3A%2F%2F <my app service> .azurewebsites.net%2F.auth%2Flogin%2Fapple%2Fcallback&nonce=7b5969df3fd14d2297d8e72576f57865_20200904053946&state=fbox%3A%2F%2Feasyauth.callback%2F

  7. I login at the apple page and apple redirects me to https:// <my app service>.azurewebsites.net/.auth/login/apple/callback?state=fbox://easyauth.callback/&code=cc075180b755442d199dd281d33a0f6c5.0.rruyv.hDK1raqetlpqJsHyVvf1hQ and I see Http_error 500.

  8. In the App Service Log stream I see something like:

    2020-09-04T05:38:37 Welcome, you are now connected to log-streaming service. The default timeout is 2 hours. Change the timeout with the App Setting SCM_LOGSTREAM_TIMEOUT (in seconds).
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

    IIS Detailed Error - 500.74 - Internal Server Error

    HTTP Error 500.74 - Internal Server Error

    The page cannot be displayed because an internal server error has occurred.

    Most likely causes:

    • IIS received the request; however, an internal error occurred during the processing of the request. The root cause of this error depends on which module handles the request and what was happening in the worker process when this error occurred.
    • IIS was not able to access the web.config file for the Web site or application. This can occur if the NTFS permissions are set incorrectly.
    • IIS was not able to process configuration for the Web site or application.
    • The authenticated user does not have permission to use this DLL.
    • The request is mapped to a managed handler but the .NET Extensibility Feature is not installed.

    Things you can try:

    • Ensure that the NTFS permissions for the web.config file are correct and allow access to the Web server's machine account.
    • Check the event logs to see if any additional information was logged.
    • Verify the permissions for the DLL.
    • Install the .NET Extensibility feature if the request is mapped to a managed handler.
    • Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, click here.

    Detailed Error Information:

    Module   EasyAuthModule_32bit
    Notification   BeginRequest
    Handler   ExtensionlessUrlHandler-Integrated-4.0
    Error Code   0x80004005
    Requested URL   https:// <My App Service name without .azurewebsites.net> :80/.auth/login/apple/callback?state=fbox://easyauth.callback/&code=cc075180b755442d199dd281d33a0f6c5.0.rruyv.hDK1raqetlpqJsHyVvf1hQ
    Physical Path   D:\home\site\wwwroot\.auth\login\apple\callback
    Logon Method   Not yet determined
    Logon User   Not yet determined

    More Information:

    This error means that there was a problem while processing the request. The request was received by the Web server, but during processing a fatal error occurred, causing the 500 error.

    View more information »

    Microsoft Knowledge Base Articles:

    2020-09-04T05:38:47 PID[31480] Warning Call to HTTP endpoint https://appleid.apple.com/auth/token failed: 400 (). Partial response: {"error":"invalid_client"}
    2020-09-04T05:38:47 PID[31480] Information Sending response: 500.74 Internal Server Error

Can you tell me what it means and how I can solve this issue? Thank you.

RyanHill-MSFT commented 4 years ago

Hi @rustem08, can you email me at AzCommunity[at]microsoft[dot]com ATTN Ryan so I can take a closer look. Please include your subscription id and app name.

rustem08 commented 4 years ago

Email sent. Thank you.

PaulARoy commented 4 years ago

I am also getting an error 500 with a similar configuration. Were you able to solve this?

Thanks

rustem08 commented 4 years ago

@PaulARoy just check your Apple secret. It is not the value from the *.p8 file. You must make it yourself. I made it from a console app. Example of the code: https://github.com/azure-ad-b2c/samples/blob/master/policies/sign-in-with-apple/source-code/B2CSignInWithApple/SigninWithApple_ClientSecret/run.csx

https://github.com/azure-ad-b2c/samples/tree/master/policies/sign-in-with-apple#signing-the-client-secret-jwt

And now I have another issue. I have successful login, but no redirection to my app.
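What rustem08 points out above, that the client secret is a JWT you sign with the .p8 key rather than the contents of the .p8 file, as an added Go example; this is not the thread's code and not the linked run.csx sample. It parses a .p8 file (a PKCS#8 EC P-256 key), signs the ES256 JWT with the claims Apple's token endpoint expects (iss = Team ID, sub = Services ID, aud = https://appleid.apple.com, kid = Key ID, exp at most six months out), and verifies the result locally, which is the check that would have caught the invalid_client error in the log a few comments up. The Team ID, Key ID and Services ID values in main are placeholders, and the key is generated on the fly instead of read from a real AuthKey file.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const appleAudience = "https://appleid.apple.com"

type AppleSecretParams struct{ TeamID, KeyID, ClientID string } // Team ID ("iss"), Key ID ("kid"), Services ID ("sub")

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ParseP8 decodes the PEM text of an Apple .p8 file (a PKCS#8-wrapped EC P-256 key).
func ParseP8(pemText []byte) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode(pemText)
	if block == nil {
		return nil, errors.New("no PEM block in .p8 data")
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	if ec, ok := key.(*ecdsa.PrivateKey); ok && ec.Curve == elliptic.P256() {
		return ec, nil
	}
	return nil, errors.New(".p8 key is not an EC P-256 key")
}

// MakeClientSecret signs the JWT that goes into the APPLE_GENERATED_CLIENT_SECRET setting.
func MakeClientSecret(p AppleSecretParams, key *ecdsa.PrivateKey, now time.Time, lifetime time.Duration) (string, error) {
	if lifetime <= 0 || lifetime > 180*24*time.Hour {
		return "", errors.New("lifetime must be positive and at most six months (Apple's limit)")
	}
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": p.KeyID})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": p.TeamID, "sub": p.ClientID, "aud": appleAudience,
		"iat": now.Unix(), "exp": now.Add(lifetime).Unix(),
	})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 wants raw R||S (32 bytes each), not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64url(sig), nil
}

// VerifyClientSecret performs the checks Apple's token endpoint performs (alg, signature, aud, exp).
func VerifyClientSecret(token string, pub *ecdsa.PublicKey, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a three-part JWS (raw .p8 contents are not a client secret)")
	}
	hb, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	cb, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	var hdr struct{ Alg string }
	var claims map[string]interface{}
	if err1 != nil || err2 != nil || err3 != nil || len(sig) != 64 ||
		json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" || json.Unmarshal(cb, &claims) != nil {
		return nil, errors.New("malformed header, claims or signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature does not verify with this key")
	}
	if exp, _ := claims["exp"].(float64); claims["aud"] != appleAudience || int64(exp) <= now.Unix() {
		return nil, errors.New("aud or exp claim rejected")
	}
	return claims, nil
}

func main() {
	// Constructed throwaway key and placeholder IDs stand in for a real AuthKey_<KeyID>.p8, Team ID, Key ID and Services ID.
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalPKCS8PrivateKey(priv)
	key, err := ParseP8(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}))
	if err != nil {
		panic(err)
	}
	p := AppleSecretParams{TeamID: "TEAMID0000", KeyID: "KEYID00000", ClientID: "com.example.service"}
	secret, _ := MakeClientSecret(p, key, time.Now(), 30*24*time.Hour)
	claims, err := VerifyClientSecret(secret, &key.PublicKey, time.Now())
	fmt.Println(secret[:30]+"...", claims, err)
}
```

The string MakeClientSecret returns is what belongs in the app setting named by secretSettingName in auth.json (APPLE_GENERATED_CLIENT_SECRET in rustem08's file); it has to be regenerated before its exp passes, and the .p8 key itself should stay on the machine that signs rather than being copied into App Service settings.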

PaulARoy commented 4 years ago

Thank you, this is of great help. I'm looking into it.

I also have trouble on existing providers for redirections. Easy Auth Detector (from Diagnose & Solve Problems) does not seem to find redirect urls.

rustem08 commented 4 years ago

@PaulARoy you can see some logs in the Log stream after enabling it under App Service logs.

NunoBem commented 4 years ago

To whom it may concern.

Months ago I was struggling with this. Microsoft (@RyanHill-MSFT ) sent a document to whoever was trying to handle this. It didn't work for me.

So after some time, I managed to make this example work: https://github.com/azure-ad-b2c/samples/tree/master/policies/sign-in-with-apple with these functions https://github.com/azure-ad-b2c/samples/tree/master/policies/sign-in-with-apple/source-code/B2CSignInWithApple.

Following the tutorial, you configure in Azure AD B2C > Identity providers a new social login with "OpenID Connect". In the configuration, you add a token generated from one of the Azure Functions and the other to serve as a Metadata url: [screenshot not included]

After that, I had to go to Azure AD B2C > User flows > B2C_1_SignInSignUp > Page layouts and create a "Custom page" to insert in CSS an Apple icon and colors, as the Apple design guidelines indicate. [screenshot not included]

It worked. BUT. Apple doesn't allow it.

When a user does "Sign in with Apple", it isn't associated with any user on Azure AD B2C, so it asks to register the user (name, email, etc.), as a local account. In Apple guidelines this can't happen. They should just get in the app.

I gave up and removed the social login from my app... solution??

RyanHill-MSFT commented 4 years ago

@NunoBem send me an email so we can work more closely with you: AzCommunity[at]microsoft[dot]com ATTN Ryan

taimila commented 4 years ago

I have added Sign in with Apple support to a Xamarin.Forms app that has an Azure App Service (mobile backend) as a backend service. So far, I have been successful in getting the login part working, but I'm struggling with session refreshing. I am using the client flow.

What works now:

  1. App gets IdToken from Apple using Apple’s SDK on iOS 13
  2. I send that IdToken to AppService’s /.auth/login/apple endpoint and get session token in a response
  3. I use session token in X-ZUMO-AUTH header to call my backend’s APIs successfully

In order to get step 2 working I switched AppService to use file based authentication configuration and created a file as described here. However, I have not put JWT token (client secret) into AppService application settings under key: AUTH_APPLE_CLIENT_SECRET as instructed here. However, the /.auth/login/apple endpoint seems to work fine without it. Is this as it should be? If so, what is the purpose of JWT token (client secret) from Apple?

Now, it’s great that user can authenticate using native experience of Sign in with Apple and use the app, but the session only lives for a short while (as long as session token from /.auth/login/apple endpoints lives). I’ve read that /.auth/refresh endpoint should allow the app silently refresh the session as long as Token Store feature is enabled. I have enabled the feature in my authentication configuration file, but for some reason /.auth/refresh endpoints returns 404 not found on my AppService (Also /.auth/me is 404). Should it work when using file based auth configuration? And if it should, does it support sign in with Apple?

To sum up all of this into one question: How to silently refresh session when user has used Apple as IDP?

gfaraj commented 4 years ago

I had the same issue with short-lasting tokens for Apple and from what I heard from the devs, they don't support token refresh for Open ID Connect providers yet. That's why you get a 404 response.

They were going to look into allowing longer-lasting auth tokens, but I haven't heard back; this was back in August. Hopefully they'll add some support for this soon.