Post-GA Revisit of "Sign In with Apple" for Azure AD B2C
Published Dec 31 2019 07:00 AM 7,584 Views
Senior Member

A couple of months back I did a little walkthrough of "Sign in with Apple" in an Azure AD B2C context, it being in a new preview and all:


But I didn't really follow up on that when it went GA back in October.


So, let's revisit this one.


I will assume you have performed the setup in the Apple Developer Portal as described here (follow along to you get to the "Creating the OIDC metadata endpoint" which will not be neccessary):


We were able to make it work in general so no complaints there, but there were some minor things with the setup that could be improved upon.


Apple didn't really conform to the OpenID Connect specs during the preview - yes, they were fairly similar but not quite there. While Apple still has a different implementation (like not providing a metadata endpoint) they have fixed most things.


What we did to get around the missing metadata was to provide an Azure Function that acted as an endpoint, but we can move this inside the policy instead (coding the necessary values into the xml). Let's update the claims provider:



    <TechnicalProfile Id="AppleID">
      <DisplayName>Sign in with Apple</DisplayName>
      <Protocol Name="OpenIdConnect" />
        <Item Key="client_id">%apple-client-id%</Item>
        <Item Key="UsePolicyInRedirectUri">0</Item>
        <Item Key="authorization_endpoint"><a href="<a href="#" target="_blank"></Item</a>" target="_blank"><a href="#" target="_blank"></Item</a</a>>>
        <Item Key="AccessTokenEndpoint"><a href="<a href="#" target="_blank"></Item</a>" target="_blank"><a href="#" target="_blank"></Item</a</a>>>
        <Item Key="JWKS"><a href="<a href="#" target="_blank"></Item</a>" target="_blank"><a href="#" target="_blank"></Item</a</a>>>
        <Item Key="issuer"><a href="<a href="#" target="_blank"></Item</a>" target="_blank"><a href="#" target="_blank"></Item</a</a>>>
        <Item Key="IdTokenAudience">%apple-client-id%</Item>
        <Item Key="response_types">code</Item>
        <Item Key="scope">name email</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="HttpBinding">POST</Item>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_AppleIDAppSecret" />
      <InputClaims />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
        <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="email" />
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />





This actually fixes one of the other quirks we saw at the same time too. We were not able to extract the email address of the user even if they consented, but this can now be retrieved.


We're still not able to extract the name directly from Apple's token - that seems to be a limitation in B2C at the moment as the name is in the following format according to Apple:


  "name": ​


      "firstName": string,

      "lastName": string

    }, ​

    "email": string ​



And that doesn't seem to be what AAD B2C expects so there's a mismatch. (I've tried getting around this in various ways, but haven't succeeded yet. If you know how let me know in the comments.)


You should still request both name and email in the scope for future proofing though as Apple doesn't seem to support changing this after the initial consent.


For the sake of simplicity we're not embedding this into any existing journeys like I have done before so add something like this to have a dediated Apple user journey:





<UserJourney Id="SuSiApple">
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
        <ClaimsProviderSelection TargetClaimsExchangeId="AppleExchange" />
    <OrchestrationStep Order="2" Type="ClaimsExchange">
        <ClaimsExchange Id="AppleExchange" TechnicalProfileReferenceId="AppleID" />
    <OrchestrationStep Order="3" Type="ClaimsExchange">
        <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
    <OrchestrationStep Order="4" Type="ClaimsExchange">
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
        <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
    <OrchestrationStep Order="5" Type="ClaimsExchange">
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
        <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
    <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
<ClientDefinition ReferenceId="DefaultWeb" />




And to top it off add a new RP:





xmlns:xsi="<a href="<a href="#" target="_blank"></a>" target="_blank"><a href="#" target="_blank"></a</a>>" 
xmlns:xsd="<a href="<a href="#" target="_blank"></a>" target="_blank"><a href="#" target="_blank"></a</a>>" 
xmlns="<a href="<a href="#" target="_blank"></a>" target="_blank"><a href="#" target="_blank"></a</a>>" 
PublicPolicyUri="<a href="<a href="#" target="_blank"></a>" target="_blank"><a href="#" target="_blank"></a</a>>" 
    <DefaultUserJourney ReferenceId="SuSiApple" />
        <Parameter Name="ui_locales">{Culture:RFC5646}</Parameter>
    <TechnicalProfile Id="PolicyProfile">
      <Protocol Name="OpenIdConnect" />
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" />        
      <SubjectNamingInfo ClaimType="sub" />



That should give you a fairly working sample of Apple in your app. (You might want to go over additional claims needed an such.)


The beauty now that the experience is GA is that Apple have (unsurprisingly) adapted the UX to the device you are using. For instance it will work in Chrome on a Windows PC - you'll receive a code on your phone/pad/watch that you need to manually type in. But if you for instance do it on an iPhone with FaceID you just give the device an approving look and you're in - that's about as smooth as it gets:


SignIn on iPhone with FaceIdSignIn on iPhone with FaceId


Will this appeal to everyone? No, but if you are all in on the iOS ecosystem it's not a bad SignIn flow.


If you want to test this in an app there's a known-good sample here:


(Custom Policies not added to repo while publishing this post, but hoping to get that fixed soon.)


And if you don't want to mess around with the code you can just create a container-based Azure App Service and pull in the Docker images I've built (policies uploaded separately, and config still needed for web app):

Version history
Last update:
‎Dec 31 2019 06:54 AM
Updated by: