azure-ad-b2c / samples

Azure AD B2C custom policy solutions and samples.

Sign in with Apple is sometimes failing, returning AADB2C90289 #158

Open kevcrooks opened 3 years ago

kevcrooks commented 3 years ago

We have created a custom policy (and also a user flow) for "Sign in with Apple" following the instructions here: https://github.com/azure-ad-b2c/samples/tree/master/policies/sign-in-with-apple

This was originally working fine for us, however recently Apple have started rejecting our app, because the Sign in with Apple is returning an error. They were able to reproduce this using a JWT test user flow:

[Image: UserFlowScreenshot]

Our first thought was a problem with the secret key that's generated, but we have checked/refreshed this, and also the sign in is working fine for a majority of users and devices. We have so far not been able to reproduce this failure with any device, however the app review board are consistently seeing the error (I think they're using an iPad Air 3 OS 14.3).

Our current theory is that the way newer devices perform Sign in with Apple uses the device itself to authenticate (e.g. by PIN or fingerprint), via a device pop-up, instead of a username/password field on an Apple page in the browser, so we are wondering if this could be a cause of the problem.

Does anyone have ideas for why this error would occur only some of the time, or how we can reproduce and fix?

The other theory is that it could happen if the /.well-known/openid-configuration is not accessible from the test devices. We are very stuck, as the problem seems to be halfway between Azure and Apple, and without being able to reproduce it ourselves, we'd like to know what to try next.

kevcrooks commented 3 years ago

I've been looking through the documentation some more, and in the section: https://github.com/azure-ad-b2c/samples/tree/master/policies/sign-in-with-apple#structuring-the-client-secret-jwt

it has an example with the nbf claim, whereas the Apple documentation says this should be iat - can the Azure function sample be updated to fix this (I don't know if that will be the cause of our problem though).

Additionally, it's not clear whether for sub we are supposed to use the id of the service (i.e. com.your-company.b2cservice1 in the sample) or the app id (i.e. com.your-company.b2capp in the sample)?

raphaelpinel commented 3 years ago

We are encountering the same problem. Any updates on this?

kevcrooks commented 3 years ago

@raphaelpinel no news yet, we have raised this internally with both Azure B2C and Apple, as it's not clear where the problem lies. The initial thought from both sides was that our secret key was incorrect (but this should cause logins always to fail, instead of sporadically).

One thing to note is that the Azure signing function given here: https://github.com/xamarin/xamarin-macios/blob/main/docs/website/optimizations.md#seal-and-devirtualize doesn't exactly match the specification, which says to have the iat claim instead of exp - so we adjusted the JWT to match exactly, but it's not clear if this would have fixed/broken the underlying issue.

We have seen the logs of errors, but haven't reproduced locally (only Apple internally have seen the problem), so if you are able to reproduce locally, you might have more info to go on than us?

rcnjstudent commented 3 years ago

I had the same issue a few months back and logged in an early Issue thread, going to repost what worked for me: https://github.com/azure-ad-b2c/samples/issues/104#issuecomment-678671770

"I had the same issue and was fighting with this for two weeks getting frustrated. I figured out the solution to this though, at least for what was happening with me. There's a flaw in the documentation screenshot for the Secret Key Generation where they show the appleServiceId value as being "com.yourcompany.app1" however, this is incorrect. You should be putting the actual Service Identifier, so in their example's case it's "com.your-company.b2cservice1". Additionally, I mistakenly took my Token Key ID and used that as the Team ID (which is on one of the main screens in the Apple Developer site), which also caused the issue.

Once I fixed that the service worked for me, albeit partially. For some reason, their callback URL doesn't capture the First Name, Last Name, Email ID of the user (and that's only sent the first time they successfully log in). I basically just get their Unique NameIdentifier which is just a large random string of numbers and letters."

It's important to also note that you do not get the FirstName/LastName data from the Apple callback because AzureB2C schema doesn't pick it up since it doesn't follow the standard OpenID schema. They know about this and it looks like the one guy from Microsoft knew how to fix it, but this still hasn't been fixed months later. I don't understand why since it looks like a simple fix on their part, and they are a $1 trillion+ company, so you would think they could have a few people get this fixed already.
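The client secret JWT that the comments above argue about (Team ID as `iss`, the Services ID rather than the app bundle ID as `sub`, `iat`/`exp` rather than `nbf`, and the Key ID only in the `kid` header), written out as an added example; this is not the sample repository's Azure function nor any commenter's code. The key, identifiers and lifetime are constructed placeholders, and a freshly generated P-256 key stands in for the .p8 file downloaded from Apple.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// AppleClaims is the client secret payload: iss is the 10-character Team ID (not the Key ID),
// sub is the Services ID sent as client_id (not the app bundle ID), aud is fixed, exp <= iat + 6 months.
type AppleClaims struct {
	Iss string `json:"iss"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
}

const AppleAudience = "https://appleid.apple.com"
var enc = base64.RawURLEncoding

// BuildAppleClientSecret returns the ES256-signed JWT that Apple's token endpoint expects as
// client_secret; the Key ID travels in the JOSE header, never in the claims.
func BuildAppleClientSecret(key *ecdsa.PrivateKey, keyID, teamID, serviceID string, now time.Time, ttl time.Duration) (string, error) {
	if ttl <= 0 || ttl > 180*24*time.Hour {
		return "", fmt.Errorf("lifetime %v outside Apple's allowed range", ttl)
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": keyID})
	pl, _ := json.Marshal(AppleClaims{Iss: teamID, Iat: now.Unix(), Exp: now.Add(ttl).Unix(), Aud: AppleAudience, Sub: serviceID})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(pl)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are fixed-width r||s (64 bytes), not the ASN.1 DER of ecdsa.SignASN1.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig), nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed stand-in for the .p8 key
	tok, err := BuildAppleClientSecret(key, "ABC123DEFG", "TEAMID1234", "com.your-company.b2cservice1", time.Now(), 24*time.Hour)
	fmt.Println(tok, err)
}
```

Decoding the middle segment of the printed token shows exactly which identifier landed in which claim, which is the quickest way to check a deployed secret against the symptoms described in this thread.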