MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Integrate App service with Sign-in with apple #47611

Closed m-andersen closed 4 years ago

m-andersen commented 4 years ago

Identity providers are easy to add but we have big problems trying to find out how to add Sign-in with Apple, which is now a requirement for all new apps. This link describes Azure AD B2C, but is that the same as Azure Active Directory? And how to link all this together like with Facebook. https://github.com/azure-ad-b2c/samples/tree/master/policies/sign-in-with-apple

I would like to eventually see a token and sid:xxx from EasyAuth with Sign-in with Apple. Is it possible to have all these providers be compatible, or what should we expect?


RyanHill-MSFT commented 4 years ago

@gfaraj I've reached out to the product team for any updates.

EDIT: The token refresh isn't supported with generic OIDC, but the team is working on a solution to address this limitation. When more details are available, we'll share them.

/cc @mattchenderson

taimila commented 4 years ago

Thank you for your replies @gfaraj and @RyanHill-MSFT. Is this issue the best place to follow the progress on this matter or is there some better forum for that?

RyanHill-MSFT commented 4 years ago

> Thank you for your replies @gfaraj and @RyanHill-MSFT. Is this issue the best place to follow the progress on this matter or is there some better forum for that?

@gfaraj For now, this is the best place due to the visibility from the community.

PaulARoy commented 4 years ago

@rustem08 generating the jwt for client secret worked like a charm!

but short-lived tokens make it a bit hard to use…

NunoBem commented 3 years ago

@taimila @gfaraj @PaulARoy do you guys have an iOS app, and if so, after the "Sign in with Apple" does it ask to register the user, and if so, does Apple allow it?

It worked. BUT. Apple doesn't allow it.

When a user does "Sign in with Apple", it isn't associated with any user on Azure AD B2C, so it asks to register the user (name, email, etc.) as a local account. In Apple guidelines this can't happen. They should just get in the app.

I gave up and removed the social login from my app... solution??

PaulARoy commented 3 years ago

Yes we have an iOS App. Apple explicitly says we should not ask for name and email again so we didn't try to push it.

NunoBem commented 3 years ago

> Yes we have an iOS App. Apple explicitly says we should not ask for name and email again so we didn't try to push it.

@PaulARoy so you "deleted" your social logins (or never implemented) on your iOS App?

tiszaiz commented 3 years ago

Hi, I am trying to add Apple Sign-In to a Xamarin.Forms app.

  1. The app gets an idToken using Xamarin.Essentials AppleSignInAuthenticator.AuthenticateAsync()
  2. But when I send that idToken to AppService’s /.auth/login/apple endpoint I get a 401.83 Unauthorized response. Trace log shows: Warning JWT validation failed: IDX10214: Audience validation failed.

Is there a way to add extra allowedAudiences to the apple openIdConnectProvider?

I have switched to the file based auth configuration and the /.auth/login/apple and /.auth/login/google endpoints are working fine.

PaulARoy commented 3 years ago

> Yes we have an iOS App. Apple explicitly says we should not ask for name and email again so we didn't try to push it.
>
> @PaulARoy so you "deleted" your social logins (or never implemented) on your iOS App?

Not at all, I'm simply stuck because I can't push updates for the moment. I have thousands of users from social media, I can't remove them. But Apple doesn't plan to remove apps that are not compliant (to my knowledge), it simply won't accept new updates / new apps that do not respect this.

gfaraj commented 3 years ago

> @taimila @gfaraj @PaulARoy do you guys have an iOS app, and if so, after the "Sign in with Apple" does it ask to register the user, and if so, does Apple allow it?
>
> It worked. BUT. Apple doesn't allow it. When a user does "Sign in with Apple", it isn't associated with any user on Azure AD B2C, so it asks to register the user (name, email, etc.) as a local account. In Apple guidelines this can't happen. They should just get in the app. I gave up and removed the social login from my app... solution??

@NunoBem I'm not exactly sure what your question means. I do have an iOS app with Sign In with Apple, but I don't use AD B2C, I just use App Service authentication and manage the users myself.

NunoBem commented 3 years ago

> > @taimila @gfaraj @PaulARoy do you guys have an iOS app, and if so, after the "Sign in with Apple" does it ask to register the user, and if so, does Apple allow it?
> >
> > It worked. BUT. Apple doesn't allow it. When a user does "Sign in with Apple", it isn't associated with any user on Azure AD B2C, so it asks to register the user (name, email, etc.) as a local account. In Apple guidelines this can't happen. They should just get in the app. I gave up and removed the social login from my app... solution??
>
> @NunoBem I'm not exactly sure what your question means. I do have an iOS app with Sign In with Apple, but I don't use AD B2C, I just use App Service authentication and manage the users myself.

@gfaraj this issue was opened for Azure AD B2C, check the opening:

> Identity providers are easy to add but we have big problems trying to find out how to add Sign-in with Apple, which is now a requirement for all new apps. This link describes Azure AD B2C, but is that the same as Azure Active Directory? And how to link all this together like with Facebook.

@PaulARoy I had critical updates so I removed the social login only from iOS to update.. and now it's a mess.. I'm trying to stall until a B2C solution is available. @RyanHill-MSFT I didn't get a reply, and we all still can't implement this in B2C either way.

mauro-dasilva commented 3 years ago

@RyanHill-MSFT Thanks for all the support you have been providing to the community. I was wondering if there was any update on the short lived session tokens? With your help, we have the integration working with Apple, but the token only lasts a day so it makes it impractical to use as our end user needs to sign in every day to use the application. If you have any update on this would be greatly appreciated.

RyanHill-MSFT commented 3 years ago

> @RyanHill-MSFT Thanks for all the support you have been providing to the community. I was wondering if there was any update on the short lived session tokens? With your help, we have the integration working with Apple, but the token only lasts a day so it makes it impractical to use as our end user needs to sign in every day to use the application. If you have any update on this would be greatly appreciated.

stay tuned til after the holiday 😉...

RyanHill-MSFT commented 3 years ago

Hello everyone! We know this has not been the best experience, but I do want to extend my sincere thanks for your patience. If you haven't already, please see this announcement. The team is continuing to deliver features and bug fixes. If you see any issues, please feel free to comment below or reach out to me (AzCommunity[at]microsoft[dot]com ATTN: Ryan).

v.1.4.2 has been flighted and you can verify your host has the bits by hitting /.auth/version after an authenticated request.

> @RyanHill-MSFT I didn't get a reply, and we all still can't implement this in B2C either way.

@NunoBem please reach out to me via the email so I can work more closely with you.

gfaraj commented 3 years ago

Excellent news Ryan! I'll try it out as soon as I can and report back status. Thanks for the update!

gfaraj commented 3 years ago

Hey @RyanHill-MSFT - I upgraded to the new Authentication configuration in the portal and now it's saying that I need to modify 'configFilePath':


Clicking that takes me to a section for setting up file-configuration, so I assume it means I need to update 'authFilePath' to empty string and probably 'isAuthFromFile' to False. I tried that and I get:

"Message": "Cannot execute the request for site FooBar because the site is running on auth version v2.",


So I'm kind of stuck in a limbo now, and I'm not sure how to resolve this. Please advise! Thank you.

gfaraj commented 3 years ago

@RyanHill-MSFT I found what 'configFilePath' meant, which was located in the /config/web object, so I cleared it. I thought v2 had Apple support but it looks like it still doesn't?? I know the upgrade tool said it was not reversible, but is there any way to go back to my v1 file configuration? Or is there a way to configure an Apple provider through v2? If not, any ETA on that?

RyanHill-MSFT commented 3 years ago

@gfaraj using Apple as a provider is done through a config file, not the UI. See https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-apple for steps on creating the auth.json and setting it to be used by your app service. Let me know if you run into any issues or if something isn't clear.

gfaraj commented 3 years ago

@RyanHill-MSFT Yep, I had all that set up through a file, but I mistakenly upgraded to v2 and now I don't know how to go back to V1/config file. Any pointers?

RyanHill-MSFT commented 3 years ago

The file isn't versioned. V2 more than likely is referring to the config file. Under Diagnose and solve problems, search for Easy Auth; do you see any config errors there?

gfaraj commented 3 years ago

Couldn't find Easy Auth there:


gfaraj commented 3 years ago

Looks like just setting this back to "auth.json" did the trick to revert the configuration to the file-based config. 🔥


RyanHill-MSFT commented 3 years ago

Sorry about that @gfaraj, I will need to follow up with the team to see if the detector is configured for function apps. But I'm glad you found it. The detector would have directed you to misconfiguration with the config file. Just make sure that enabled under platform is set to true in your auth.json file.

One more thing. Your screenshot above is a reference for the auth.json itself; see here for a reference. If you ever need to go back to using the portal, open Azure Resource Manager and under Microsoft.Web/sites/<siteName>/config/authsettings set

as stated in Step 2 for enabling file-based configuration.

gfaraj commented 3 years ago

Sounds good, thank you @RyanHill-MSFT! I'm facing another issue with Sign in with Apple currently. I have auth.json set up for an Apple OpenID Connect provider that works well with my native app. However, I'm trying to add a companion website where I'd like users to be able to sign in for the same app as well.

So I created a Service ID in my Apple Developer account that points "Sign in with Apple" to the primary app id.

When I send the id token returned by Apple to the Azure app service, I get a 401 response.

My auth.json references the primary app id in the clientId property, which may be the issue.

Is there a way to support this scenario?

RyanHill-MSFT commented 3 years ago

I will need to follow up with the team @gfaraj, but just to make sure I'm understanding: Sign-In with Apple with your native app. Your native app calls the app service back end? And you're creating a website and trying to utilize the same sign in flow as the native app?

gfaraj commented 3 years ago

That's correct @RyanHill-MSFT, sorry for the late reply.

By the way, I tried adding another provider in my auth.json called "appleweb" with the same configuration above, just differing on the clientId. Using that new provider, app service login returns 200. The problem is that this causes the claims in the Function app to identify a user that had previously logged in with the native app as a different user if they sign in with the website.

Ideally, if I could specify multiple clientId's in the provider definition of the auth.json, so that we can group the native app and the web app with the same provider, that would be perfect.

Please let me know what you find out from the team. Thanks!
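Both the IDX10214 "Audience validation failed" 401 tiszaiz reports above and the native-app / website clientId problem in this comment come down to the same check: the `aud` claim of Apple's id_token must match the provider's configured clientId. The example below is added here and is not App Service or Apple code; it shows the claim checks that run after signature verification, with a single clientId beside an allowed-audiences list. All identifiers and token values are constructed.

```python
import base64
import json
import time

# Constructed sample values; none of these belong to a real Apple app.
APPLE_ISSUER = "https://appleid.apple.com"
NATIVE_BUNDLE_ID = "com.example.myapp"       # App ID used by the iOS app
WEB_SERVICE_ID = "com.example.myapp.web"     # Service ID used by the website


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_id_token(aud: str, sub: str, now: int) -> str:
    """Build a JWT-shaped id_token with a placeholder signature segment.

    Only the claim set matters for this demo. A real Apple id_token is
    RS256-signed and the signature must be verified against Apple's JWKS
    before any claim is trusted; that step is deliberately not shown here.
    """
    header = {"alg": "RS256", "kid": "constructed-kid"}
    claims = {"iss": APPLE_ISSUER, "aud": aud, "sub": sub,
              "iat": now, "exp": now + 600}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(b"placeholder-signature")])


def validate_claims(id_token: str, allowed_audiences, now=None):
    """Return (ok, reason, claims) for the issuer, audience and expiry checks.

    allowed_audiences models the provider's clientId (one entry) or an
    allowed-audiences list (several entries). aud may be a string or a list.
    """
    now = int(time.time()) if now is None else now
    try:
        _, payload_segment, _ = id_token.split(".")
        claims = json.loads(_b64url_decode(payload_segment))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return False, "malformed token", None
    if claims.get("iss") != APPLE_ISSUER:
        return False, "issuer validation failed", claims
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if not any(a in allowed_audiences for a in aud_list):
        return False, "audience validation failed", claims   # the 401 case
    if claims.get("exp", 0) <= now:
        return False, "token expired", claims
    return True, "ok", claims


def demo():
    now = 1_700_000_000
    native = make_unsigned_id_token(NATIVE_BUNDLE_ID, "001234.abcd", now)
    web = make_unsigned_id_token(WEB_SERVICE_ID, "001234.abcd", now)
    single = [NATIVE_BUNDLE_ID]                 # provider configured with the App ID only
    both = [NATIVE_BUNDLE_ID, WEB_SERVICE_ID]   # provider accepting both audiences
    return {
        "native_single": validate_claims(native, single, now)[1],
        "web_single": validate_claims(web, single, now)[1],
        "web_both": validate_claims(web, both, now)[1],
        "expired": validate_claims(native, both, now + 601)[1],
    }


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case}: {reason}")
```

Whether App Service exposes such an allowed-audiences list for the Apple provider is exactly the open question in this thread; the example only shows why a web-originated token fails against a provider that knows a single clientId.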

gfaraj commented 3 years ago

@RyanHill-MSFT Were you able to find out anything about this? Thanks!

gfaraj commented 3 years ago

@RyanHill-MSFT Just checking in here to see if there's any updates. Thanks!

RyanHill-MSFT commented 3 years ago

> @RyanHill-MSFT Just checking in here to see if there's any updates. Thanks!

Hi @gfaraj, I sent you an email back on 6/7 asking for additional information. I'll send it again just in case you missed it.

gfaraj commented 3 years ago

Oh, sorry about that, I probably missed it, thanks!

RyanHill-MSFT commented 3 years ago

> Oh, sorry about that, I probably missed it, thanks!

No worries 😊

TrevorHerr commented 3 years ago

@gfaraj can you keep us in the loop? We're about to implement a similar scenario (native iOS app + web with Apple Login) and want to know it's going to work before we go with App Services.

ETsunami commented 3 years ago

@RyanHill-MSFT @NunoBem @PaulARoy Is there a way any of you have found to get past the app store Sign in with Apple requirements with Azure B2C that isn't getting rid of social logins? Any guidance would be appreciated, thanks!

RyanHill-MSFT commented 3 years ago

> @RyanHill-MSFT @NunoBem @PaulARoy Is there a way any of you have found to get past the app store Sign in with Apple requirements with Azure B2C that isn't getting rid of social logins? Any guidance would be appreciated, thanks!

Can you describe your Auth setup? If you rather discuss offline, send me an email to AzCommunity[at]microsoft[dot]com ATTN: Ryan

NunoBem commented 3 years ago

> @RyanHill-MSFT @NunoBem @PaulARoy Is there a way any of you have found to get past the app store Sign in with Apple requirements with Azure B2C that isn't getting rid of social logins? Any guidance would be appreciated, thanks!

I gave up on the social logins because of that. So I'm just using the local (email). But they now have Apple Login as a preview, did you manage to try it?

PaulARoy commented 3 years ago

> @RyanHill-MSFT @NunoBem @PaulARoy Is there a way any of you have found to get past the app store Sign in with Apple requirements with Azure B2C that isn't getting rid of social logins? Any guidance would be appreciated, thanks!

I implemented it myself with a custom .auth endpoint. I tried the preview but there was no way to get the name from it.

burrowj commented 3 years ago

Can I ask if anyone has got this to work?

I have been through the setup here https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-apple

and I get a 401 response when I post to

https://myserver/.auth/login/apple

with the id_token set in the body

Thanks John

burrowj commented 3 years ago

@gfaraj did you get this to work? We seem to have got to the same error

gfaraj commented 3 years ago

Sorry @burrowj but no, we haven't found a suitable solution for this. We currently have a separate apple-web provider with the client id for the web app, but this does not work well with the native app.

I haven't gotten a response from Microsoft on this, unfortunately.

burrowj commented 3 years ago

Microsoft seem to have shut down, at least in this space. I'm not getting any responses either so far. I've managed to get the native app to work to a point. Could well be something on my end but it's hard to troubleshoot. Going to check out Okta to see what they can offer. Thanks for getting back to me.

RyanHill-MSFT commented 3 years ago

Not shutdown, I assure you @burrowj and @gfaraj. I truly apologize for the delayed response. You have not been forgotten; I assure you. @burrowj, send me an email to AzCommunity[at]microsoft[dot]com ATTN: Ryan so we can continue offline.

burrowj commented 3 years ago

For anyone else that is wasting a lot of time trying to work out client-directed flow and Azure Authentication, I will post my findings here in an attempt to save other people time. This first one was reported to Microsoft 2 weeks ago by Ryan but the documentation is still not updated, so no doubt people are still wasting their time. It also seems that the requested place for posting issues

https://github.com/Azure/app-service-announcements-discussions/issues/235

is not being monitored

So far we have worked out that the documentation here https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-file-based is wrong.

Configuration file reference "unauthenticatedClientAction": "RedirectToLoginPage|AllowAnonymous|Return401|Return403",

should be

"unauthenticatedClientAction": "RedirectToLoginPage|AllowAnonymous|RejectWith401|RejectWith404",

gfaraj commented 3 years ago

> @gfaraj I've reached out to the product team for any updates.
>
> EDIT: The token refresh isn't supported with generic OIDC, but the team is working on a solution to address this limitation. When more details are available, we'll share them.
>
> /cc @mattchenderson

Hi @RyanHill-MSFT -- do we have any updates on the short-lived tokens when using the Apple OIDC provider?

lukewar commented 2 years ago

Hey @RyanHill-MSFT I was integrating "Sign in with Apple" and I was struggling with many similar things people have been mentioning in this thread. How long do you think this feature will be in Preview mode? It's been some time since the original release.

I would kindly suggest that the documentation requires an update. While this doc is pretty good https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-apple outlining all the steps, I could not find any documentation on how to structure calls to /.auth/login/apple, as this doc does not mention it: https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-customize-sign-in-out#client-directed-sign-in. After finding this thread, and your response (thank you 🙇), I learned which parameter I should send.

POST https://<appname>.azurewebsites.net/.auth/login/apple HTTP/1.1
Content-Type: application/json

{"id_token": identityToken}

But the token refresh issue still stands. This release mentions that it is supported but I could not find any docs on how to set it up. If I understand the auth flow correctly, I believe that to make it work one needs to send authorization_code together with id_token in /.auth/login/apple, though any mention of it is missing in: https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-oauth-tokens#refresh-auth-tokens

@taimila I think that my question relates to your post from some time ago https://github.com/MicrosoftDocs/azure-docs/issues/47611#issuecomment-704845997, did you manage to get refresh working?

BTW: If anyone else is struggling with getting 401 when making the /.auth/login/apple call, I have discovered that the webapp's/functionapp's OS seems to be a factor as well. For apps using Linux OS this returns 401 while for apps configured with Windows it works fine. I've described the issue in more detail here: https://feedback.azure.com/d365community/idea/f406a46f-5748-ec11-a819-0022484bf651

RyanHill-MSFT commented 2 years ago

> Hey @RyanHill-MSFT I was integrating "Sign in with Apple" and I was struggling with many similar things people have been mentioning in this thread. How long do you think this feature will be in Preview mode? It's been some time since the original release.
>
> I would kindly suggest that the documentation requires an update. While this doc is pretty good https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-apple outlining all the steps, I could not find any documentation on how to structure calls to /.auth/login/apple, as this doc does not mention it: https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-customize-sign-in-out#client-directed-sign-in. After finding this thread, and your response (thank you 🙇), I learned which parameter I should send.
>
> POST https://<appname>.azurewebsites.net/.auth/login/apple HTTP/1.1
> Content-Type: application/json
>
> {"id_token": identityToken}
>
> But the token refresh issue still stands. This release mentions that it is supported but I could not find any docs on how to set it up. If I understand the auth flow correctly, I believe that to make it work one needs to send authorization_code together with id_token in /.auth/login/apple, though any mention of it is missing in: https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-oauth-tokens#refresh-auth-tokens
>
> @taimila I think that my question relates to your post from some time ago #47611 (comment), did you manage to get refresh working?
>
> BTW: If anyone else is struggling with getting 401 when making the /.auth/login/apple call, I have discovered that the webapp's/functionapp's OS seems to be a factor as well. For apps using Linux OS this returns 401 while for apps configured with Windows it works fine. I've described the issue in more detail here: https://feedback.azure.com/d365community/idea/f406a46f-5748-ec11-a819-0022484bf651

Thanks for the feedback @lukewar. We'll get the docs updated to provide those missing steps. As for a Preview -> GA timeline, I don't have any information but will ask for an update. I'll also highlight your submitted feedback item to the product group.

lukewar commented 2 years ago

Thank you @RyanHill-MSFT, very much appreciated ❤️. From experience I know that those things tend to take time. Do you think that you would be able to provide resolution steps to the refreshing session issue? Or maybe provide a point of contact to product team who could help resolve that problem? I tried reaching out here but didn't hear back.

RyanHill-MSFT commented 2 years ago

> Thank you @RyanHill-MSFT, very much appreciated ❤️. From experience I know that those things tend to take time. Do you think that you would be able to provide resolution steps to the refreshing session issue? Or maybe provide a point of contact to product team who could help resolve that problem? I tried reaching out here but didn't hear back.

@lukewar, send me an email to AzCommunity[at]microsoft[dot]com so I can work more closely with you regarding the token refresh issue.

HeinA commented 2 years ago

> Hey @RyanHill-MSFT I was integrating "Sign in with Apple" and I was struggling with many similar things people have been mentioning in this thread. How long do you think this feature will be in Preview mode? It's been some time since the original release.
>
> I would kindly suggest that the documentation requires an update. While this doc is pretty good https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-apple outlining all the steps, I could not find any documentation on how to structure calls to /.auth/login/apple, as this doc does not mention it: https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-customize-sign-in-out#client-directed-sign-in. After finding this thread, and your response (thank you 🙇), I learned which parameter I should send.
>
> POST https://<appname>.azurewebsites.net/.auth/login/apple HTTP/1.1
> Content-Type: application/json
>
> {"id_token": identityToken}
>
> But the token refresh issue still stands. This release mentions that it is supported but I could not find any docs on how to set it up. If I understand the auth flow correctly, I believe that to make it work one needs to send authorization_code together with id_token in /.auth/login/apple, though any mention of it is missing in: https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-oauth-tokens#refresh-auth-tokens
>
> @taimila I think that my question relates to your post from some time ago #47611 (comment), did you manage to get refresh working?
>
> BTW: If anyone else is struggling with getting 401 when making the /.auth/login/apple call, I have discovered that the webapp's/functionapp's OS seems to be a factor as well. For apps using Linux OS this returns 401 while for apps configured with Windows it works fine. I've described the issue in more detail here: https://feedback.azure.com/d365community/idea/f406a46f-5748-ec11-a819-0022484bf651

'ello

I have an App Service running Windows, but I also get a 401 when trying to authorize.

I would really appreciate some help with this

Cheerz!

RyanHill-MSFT commented 2 years ago

@HeinA which authentication flow are you using? At what point are you getting the 401?

HeinA commented 2 years ago

> @HeinA which authentication flow are you using? At what point are you getting the 401?

Hey. This happens when I try to post the id_token to /.auth/login/apple from a Unity app (client-directed flow).