Azure-docs: Integrate App service with Sign-in with apple

Created on 6 Feb 2020  ·  65 Comments  ·  Source: MicrosoftDocs/azure-docs

Identity providers are easy to add but we have big problems trying to find out how to add Sign-in with Apple, which is now a requirement for all new apps. This link describes Azure AD B2C, but is that the same as Azure Active Directory? And how to link all this together like with Facebook.
https://github.com/azure-ad-b2c/samples/tree/master/policies/sign-in-with-apple

I would like to eventually see a token and sid:xxx from EasyAuth with Sign-in with Apple. Is it possible to have all these providers be compatible, or what should we expect?


All 65 comments

Thanks for the feedback @m-andersen! We are currently investigating and will update you shortly.

Thank you. Looking strongly forward to a solution for this as we can't put our app in Apple app store until Sign-in with apple is implemented. If this takes too long we have to change our whole authentication scheme and use another auth-provider as we need to go live now.

@RyanHill-MSFT any updates?

Hi @m-andersen my apologies for it being such a long delay. Closest workaround I've come across is possibly using custom policies to allow your AD users to sign in to your B2C tenant. You'll still have to maintain that B2C tenant but may be the only option as I'm hearing that Sign In with Apple isn't supported for Azure AD.

@RyanHill-MSFT this question was in relation to Azure App service and auth providers as Facebook, Google is supported today but not Sign-in with apple. That is a requirement for all new apps sent to Apple app store. We have built our app using Azure app service (now called Web app) and the auth providers it supports.
We need to add Sign-in with apple, but Azure App service does not support this. How can we proceed so we can launch our app?

Hi @m-andersen I've spoken with the product team. Since Sign-in with Apple is OpenID Connect compliant, the team is currently working on this integration. It's currently in private preview but I can pass along preliminary documentation and place you in touch with the team as they gain better understanding from customers using this feature.

Email me at AzCommunity[at]microsoft[dot]com ATTN: Ryan.

please-close

Hi @RyanHill-MSFT

Any update on when this will arrive? I believe the deadline Apple has set is for June 30, 2020

@RyanHill-MSFT +1 on update request

@RyanHill-MSFT +1, would love at least an ETA, ideally before 6/30... thank you in advance!

I've contacted the product team and they're trying to make _Public Preview_ with the next release. Due to the current situation, deployments have been delayed so they can't give an exact ETA. Hopefully it will be soon but can't guarantee any dates.

We did not have time to wait for a solution for App Service. We are also surprised that one of the biggest cloud providers does not have this in place by now.
We decided to abandon Microsoft EasyAuth totally and switched to Firebase, which has had support for Apple login since November last year.
This is unfortunately not the last time Microsoft has disappointed us as a startup company.

Is there any update on this?

I recommend switching auth part to Firebase. We did that. It is easy to integrate and supports so many more identity providers.

Firebase is interesting, but quite a bit pricier in our case. If MS does it this month I would prefer to wait than to jump the gun. The only thing which does not work now is EasyAuth integration, we need to know if it is going to be supported or we should find alternative solution.

Your choice. Using Firebase auth is for free, which is the only thing that must be added on top of App service. Other services might cost something.

Firebase is free if you do less than 10k auth/month and quite expensive if you do more than that. It is a trap for startups.

I wanted to provide an update for everyone. The product team is close to a public preview of sign-in with apple integration. The COVID-19 has affected build and schedule release timelines and we do apologize for these delays. I can't give an exact ETA but hopefully it will be this month.

/cc @vignatov @m-andersen @masonmc @zababahin

@RyanHill-MSFT I just got my app update rejected by Apple.

Guideline 4.8 - Design - Sign in with Apple
We noticed that your app uses a third-party login service but does not offer Sign in with Apple.

Some search took me here. How is this issue Closed? The deadline was 30Jun, there's no solution?

@m-andersen can we migrate "easily" our users to Firebase?

@NunoBem the product team has a public preview ready for release. Release schedules have been muddled due to the current pandemic. Not that it's an excuse but a reason for such delays. Reach out to me at _AzCommunity[at]microsoft[dot]com_ so I can provide you the document on how to use OpenID configuration so you can get your app certified. I certainly apologize for this gap but rest assured the team is working to get the gap filled.

@NunoBem we integrated Firebase auth into the server. However, you will have to find your own solution if you need to migrate existing users. We were not public yet, so we were in luck: user IDs on the server could change without everything breaking.

Hi @m-andersen, I've just sent you an email outlining how to configure your Azure App with Sign-In with Apple. Should you run into issues, please feel free to let me know.

We've released https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-openid-connect that provides instructions for configuring Sign-in with Apple with app services. If you run into issues, please let me know.

/cc @m-andersen @NunoBem @vignatov @masonmc @zababahin @yonkahlon

@RyanHill-MSFT I tried following the guide: https://github.com/azure-ad-b2c/samples/tree/master/policies/sign-in-with-apple
and then compare with the doc you sent to make adjustments. But I'm unable to make this work. I implemented the Azure Functions in the sample, as I don't use App Service, but that seems to be the case for the doc you sent.

Can't the sample be updated? Will Sign in with Apple be an "Identity provider"?

Even if I make this work, the app should be rejected as this is the typical response: "Your app uses Sign in with Apple as a login option but does not use Sign in with Apple button design, branding and/or user interface elements appropriately as described in the Sign in With Apple Human Interface Guidelines."

This is very chaotic for an identity management service. I'm counting the days I'm unable to update our app to our customers.

Hi @NunoBem, I'll follow up with regards to getting the sample code update. Were you not able to add the configuration to your function app? Your function app won't have any impact on the human interface guidelines because that should come from your iOS app, not the function app.

Closing as Configure an OpenID Connect provider (Preview) - Azure App Service has been released. If any issues, please submit issues against that doc.

Hi @RyanHill-MSFT thanks for the update. If I'm looking at this document correctly, I have two questions:

  1. I have configured other providers through the Azure portal and from what I'm reading, it looks like if I enable file-based configuration for Apple login, I will lose those other providers I already set up. Is there a way to export/copy the current config to easily re-construct the file?

  2. I'm not seeing what I have to do to validate provider tokens when using client-based authentication. Basically the info provided in the Validate tokens from providers section in this document:
    https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-how-to

Any direction will be greatly appreciated.

Hi @gfaraj

  1. As of right now, there isn't any translation. The team, however, is working to bring that feature in a future iteration (no timeline yet).
  2. If you're referring to a client directed flow on OIDC provider, that isn't supported as OIDC doesn't provide a protocol flow. If it were a different validation flow you were referring to, could you elaborate?

Yep, I'm referring to client-directed flow. In my React Native app, I have log-in with Facebook and Google integrated using a client-directed flow by posting to the appropriate /.auth/login end-point.

I have integrated this package into my app that correctly signs in a user with Apple in the client:
https://github.com/invertase/react-native-apple-authentication

I was expecting/hoping I could perform the same kind of client-directed flow with Apple, considering I have access to this identity token:
https://github.com/invertase/react-native-apple-authentication/blob/master/docs/interfaces/_lib_index_d_.rnappleauth.appleauthrequestresponse.md#identitytoken

There's no way to pass this token to the Functions app to receive an Azure auth token that I can use as the X-ZUMO-AUTH header?

Any direction would be appreciated @RyanHill-MSFT , this is delaying our iOS launch. Thanks!

@gfaraj, OIDC client flow isn't supported but I'm working with the product group for any feasible alternative.

@gfaraj you should be able to use the following flow. Send your request with your identityToken to

POST https://<appname>.azurewebsites.net/.auth/login/apple HTTP/1.1
Content-Type: application/json

{"id_token": identityToken,"access_token":"<token>"}

and use the authorization token in the X-ZUMO-AUTH header. If you run into issues using this client flow, send me any error messages you receive, and I'll pass them along to the rest of the team.

Ohhh that's awesome.

This still requires switching to a file configuration for the providers and configuring an OpenID Connect provider with "apple" as the name, right?

Also, for passing that access_token field, does this sound like the correct value?
https://github.com/invertase/react-native-apple-authentication/blob/master/docs/interfaces/_lib_index_d_.rnappleauth.appleauthrequestresponse.md#authorizationcode

Thanks so much!

@gfaraj good news, you don't need access_token for POST request. So, all you need to do is

POST https://<appname>.azurewebsites.net/.auth/login/apple HTTP/1.1
Content-Type: application/json

{"id_token": identityToken}

With regards to your first question, that is correct. In order to use Apple sign in, you need to switch to file configuration. That means any configurations done in EasyAuth will be ignored and you'll have to add those existing settings to the file base configuration.

Excellent! Really appreciate your quick help on this! Will be testing this soon.

Hey @RyanHill-MSFT I'm getting a 404 / Not Found error on the login URL you indicated:

https://<appname>.azurewebsites.net/.auth/login/apple

Here's a log from my app:
image

Making sure that file-based config is enabled:

image

Confirming that the auth.json exists in my app:

image

I also confirmed that my other providers (facebook and google) are working correctly and respond to their respective /.auth/login endpoints.

Do you think I missed something? Thanks!

By the way, for anyone else struggling with this, I used the Azure CLI (in cmd.exe) to update the auth settings, like this:

az rest --method put --url https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-name>/providers/Microsoft.Web/sites/<site-name>/config/authsettings?api-version=2018-02-01 --body "{\"properties\":{\"enabled\":\"true\",\"isAuthFromFile\":\"true\",\"authFilePath\":\"auth.json\"}}"

I spent way too much time on figuring this out since I was not familiar with this API prior to this, so hopefully this will save someone else some time.

Not that I can see @gfaraj. Send me your app name to _AzCommunity[at]microsoft[dot]com_ ATTN: Ryan so we can look into it.

Email sent. Thanks a lot for looking into this!

Hello, @RyanHill-MSFT .
I have some issue with apple auth too.

  1. I configure the app service for apple auth by this instruction:
    https://docs.microsoft.com/ru-ru/azure/app-service/configure-authentication-provider-openid-connect
    My auth.json config looks like:
    {
      "platform": {
        "enabled": true
      },
      "globalValidation": {
        "redirectToProvider": "apple",
        "unauthenticatedClientAction": "RedirectToLoginPage"
      },
      "identityProviders": {
        "openIdConnectProviders": {
          "apple": {
            "registration": {
              "clientId": "<Service ID from Apple>",
              "clientCredential": {
                "secretSettingName": "APPLE_GENERATED_CLIENT_SECRET"
              },
              "openIdConnectConfiguration": {
                "wellKnownOpenIdConfiguration": "https://appleid.apple.com/.well-known/openid-configuration"
              }
            },
            "login": {
              "nameClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
              "scope": [],
              "loginParameterNames": []
            }
          }
        }
      },
      "login": {
        "tokenStore": {
          "enabled": true
        },
        "allowedExternalRedirectUrls": [
          "fbox://easyauth.callback",
          "https://localhost:44312",
          "https://<my web site>.azurewebsites.net",
          "https://<my web site2>.azurewebsites.net/",
          "https://<my app service>.azurewebsites.net"
        ]
      }
    }

  2. The APPLE_GENERATED_CLIENT_SECRET parameter is configured in the application settings. The value of the parameter is the value from the Apple *.p8 key file.

  3. Next, I enable file-based auth with the command
    az rest --method put --uri https://management.azure.com/subscriptions/<my_service_plan>/resourceGroups/<my resource group>/providers/Microsoft.Web/sites/<my app service>/config/authsettings?api-version=2018-02-01 --body "{\"properties\":{\"enabled\":\"true\",\"isAuthFromFile\":\"true\",\"authFilePath\":\"auth.json\"}}"
    and then restart the app service.

  4. On the App Service Authentication/Authorization tab, the message "File-based configuration has been enabled for this app. To re-enable configuration from the portal, please set 'isAuthFromFile' to be false. Click to learn more." appeared.

  5. Then I try to auth with Apple from my app via the https://<my app service>.azurewebsites.net/.auth/login/apple request.

  6. The app service redirects the request to
    https://appleid.apple.com/auth/authorize?response_type=code&client_id=<my service ID from apple>&redirect_uri=https%3A%2F%2F<my app service>.azurewebsites.net%2F.auth%2Flogin%2Fapple%2Fcallback&nonce=7b5969df3fd14d2297d8e72576f57865_20200904053946&state=fbox%3A%2F%2Feasyauth.callback%2F

  7. I log in at the Apple page and Apple redirects me to https://<my app service>.azurewebsites.net/.auth/login/apple/callback?state=fbox://easyauth.callback/&code=cc075180b755442d199dd281d33a0f6c5.0.rruyv.hDK1raqetlpqJsHyVvf1hQ
    and I see Http_error 500.

  8. In the App Service Log stream I see something like
    2020-09-04T05:38:37 Welcome, you are now connected to log-streaming service. The default timeout is 2 hours. Change the timeout with the App Setting SCM_LOGSTREAM_TIMEOUT (in seconds).

    IIS Detailed Error - 500.74 - Internal Server Error

    HTTP Error 500.74 - Internal Server Error

    The page cannot be displayed because an internal server error has occurred.

    Most likely causes:

    • IIS received the request; however, an internal error occurred during the processing of the request. The root cause of this error depends on which module handles the request and what was happening in the worker process when this error occurred.
    • IIS was not able to access the web.config file for the Web site or application. This can occur if the NTFS permissions are set incorrectly.
    • IIS was not able to process configuration for the Web site or application.
    • The authenticated user does not have permission to use this DLL.
    • The request is mapped to a managed handler but the .NET Extensibility Feature is not installed.

    Things you can try:

    • Ensure that the NTFS permissions for the web.config file are correct and allow access to the Web server's machine account.
    • Check the event logs to see if any additional information was logged.
    • Verify the permissions for the DLL.
    • Install the .NET Extensibility feature if the request is mapped to a managed handler.
    • Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, click here.

Detailed Error Information:

Module   EasyAuthModule_32bit
Notification   BeginRequest
Handler   ExtensionlessUrlHandler-Integrated-4.0
Error Code   0x80004005
Requested URL   https:// <My App Service name without .azurewebsites.net> :80/.auth/login/apple/callback?state=fbox://easyauth.callback/&code=cc075180b755442d199dd281d33a0f6c5.0.rruyv.hDK1raqetlpqJsHyVvf1hQ
Physical Path   D:\home\site\wwwroot\.auth\login\apple\callback
Logon Method   Not yet determined
Logon User   Not yet determined

More Information:

This error means that there was a problem while processing the request. The request was received by the Web server, but during processing a fatal error occurred, causing the 500 error.

View more information »

Microsoft Knowledge Base Articles:


2020-09-04T05:38:47 PID[31480] Warning Call to HTTP endpoint https://appleid.apple.com/auth/token failed: 400 (). Partial response: {"error":"invalid_client"}
2020-09-04T05:38:47 PID[31480] Information Sending response: 500.74 Internal Server Error

Can you tell me what it means and how I can solve this issue? Thank you.

Hi @rustem08, can you email me at _AzCommunity[at]microsoft[dot]com_ ATTN Ryan so I can take a closer look. Please include your subscription id and app name.

Email sent. Thank you.

I am also getting an error 500 with a similar configuration. Were you able to solve this?

Thanks

@PaulARoy just check your Apple secret. It is not the value from the *.p8 file. You must make it yourself. I made it from the console app.
Example of the code https://github.com/azure-ad-b2c/samples/blob/master/policies/sign-in-with-apple/source-code/B2CSignInWithApple/SigninWithApple_ClientSecret/run.csx

https://github.com/azure-ad-b2c/samples/tree/master/policies/sign-in-with-apple#signing-the-client-secret-jwt

And now I have another issue. I have successful login, but no redirection to my app.

Thank you, this is of great help. I'm looking into it.

I also have trouble on existing providers for redirections. Easy Auth Detector (from Diagnose & Solve Problems) does not seem to find redirect urls.

@PaulARoy you can see some logs in the Log Stream after enabling it in the App Service logs.

To whom it may concern.

Months ago I was struggling with this. Microsoft (@RyanHill-MSFT) sent a document to those who were trying to handle this. It didn't work for me.

So after some time, I managed to make this example work: https://github.com/azure-ad-b2c/samples/tree/master/policies/sign-in-with-apple with these functions https://github.com/azure-ad-b2c/samples/tree/master/policies/sign-in-with-apple/source-code/B2CSignInWithApple.

Following the tutorial, you configure in Azure AD B2C > Identity providers a new social login with "OpenID Connect". In the configuration, you add a token generated from 1 of the Azure Functions and the other to serve as a Metadata url:
image

After that, I had to go to Azure AD B2C > User flows > B2C_1_SignInSignUp > Page layouts and created a "Custom page" to insert in CSS an Apple icon and colors, as the Apple design guidelines indicate.
image

It worked. BUT. Apple doesn't allow it.

When a user "Sign in with Apple", it isn't associated to any user on Azure AD B2C, so it asks to register the user (name, email, etc.), as a local account. In Apple guidelines this can't happen. They should just get in the app.

I gave up and removed the social login from my app... solution??

@NunoBem send me an email so we can work more closely with you _AzCommunity[at]microsoft[dot]com_ ATTN Ryan

I have added Sign in with Apple support to _Xamarin.Forms_ app that has an _Azure AppService_ (mobile backend) as a backend service. So far, I have been successful to get login part working, but I’m struggling with session refreshing. I am using client flow.

What works now:

  1. App gets IdToken from Apple using Apple’s SDK on iOS 13
  2. I send that IdToken to AppService’s /.auth/login/apple endpoint and get session token in a response
  3. I use session token in X-ZUMO-AUTH header to call my backend’s APIs successfully

In order to get step 2 working I switched AppService to use _file based authentication configuration_ and created a file as described here. However, I have not put JWT token (client secret) into AppService application settings under key: AUTH_APPLE_CLIENT_SECRET as instructed here. However, the /.auth/login/apple endpoint seems to work fine without it. Is this as it should be? If so, what is the purpose of JWT token (client secret) from Apple?

Now, it’s great that the user can authenticate using the native experience of Sign in with Apple and use the app, but the session only lives for a short while (as long as the session token from the /.auth/login/apple endpoint lives). I’ve read that the /.auth/refresh endpoint should allow the app to silently refresh the session as long as the Token Store feature is enabled. I have enabled the feature in my authentication configuration file, but for some reason the /.auth/refresh endpoint returns 404 not found on my AppService (Also /.auth/me is 404). Should it work when using file based auth configuration? And if it should, does it support sign in with Apple?

To sum up all of this into one question: How to silently refresh session when user has used Apple as IDP?

I had the same issue with short-lasting tokens for Apple and from what I heard from the devs, they don't support token refresh for Open ID Connect providers yet. That's why you get a 404 response.

They were going to look into allowing more longer-lasting auth tokens but I haven't heard back, this was back in August. Hopefully they'll add some support for this soon.

@gfaraj I've reached out to the product team for any updates.

EDIT: The token refresh isn't supported with generic OIDC, but the team is working on a solution to address this limitation. When more details are available, we'll share them.

/cc @mattchenderson

Thank you for your replies @gfaraj and @RyanHill-MSFT. Is this issue the best place to follow the progress on this matter or is there some better forum for that?

@gfaraj For now, this is the best place due to the visibility from the community.

@rustem08 generating the jwt for client secret worked like a charm!

but short-lived tokens make it a bit hard to use…

@taimila @gfaraj @PaulARoy do you guys have an iOS app, and if so, after the "Sign in with Apple" does it ask to register the user, and if so, has Apple allowed it?

It worked. BUT. Apple doesn't allow it.

When a user "Sign in with Apple", it isn't associated to any user on Azure AD B2C, so it asks to register the user (name, email, etc.), as a local account. In Apple guidelines this can't happen. They should just get in the app.

I gave up and removed the social login from my app... solution??

Yes we have an iOS App. Apple explicitly says we should not ask for name and email again so we didn't try to push it.

@PaulARoy so you "deleted" your social logins (or never implemented) on your iOS App?

Hi, I am trying to add Apple Sign-In to a Xamarin.Forms app.

  1. The app gets an idToken using Xamarin.Essentials AppleSignInAuthenticator.AuthenticateAsync()
  2. But when I send that idToken to AppService’s /.auth/login/apple endpoint I get a 401.83 Unauthorized response.
    Trace log shows: _Warning JWT validation failed: IDX10214: Audience validation failed._

Is there a way to add extra allowedAudiences to the apple openIdConnectProvider?

I have switched to the file based auth configuration and the /.auth/login/apple and /.auth/login/google endpoints are working fine.

Not at all, I'm simply stuck because I can't push updates for the moment. I have thousands of users from social media, I can't remove them. But Apple doesn't plan to remove apps that are not compliant (to my knowledge), it simply won't accept new updates / new apps that do not respect this.

@NunoBem I'm not exactly sure what your question means. I do have an iOS app with Sign In with Apple, but I don't use AD B2C, I just use App Service authentication and manage the users myself.

@gfaraj this issue was opened for Azure AD B2C, check the opening:

Identify providers are easy to add but we have big problems trying to find out how to add Sign-in with Apple, which is now a requirement for all new apps. This link describes Azure AD B2C, but is that the same as Azure Active Directory? And how to link all this together like with Facebook.

@PaulARoy I had critical updates so I removed the social login only from iOS to update.. and now is a mess.. I'm trying to stall until a B2C solution is available. @RyanHill-MSFT I didn't get a reply, and we all still can't implement this in B2C either way.

@RyanHill-MSFT Thanks for all the support you have been providing to the community. I was wondering if there was any update on the short lived session tokens? With your help, we have the integration working with Apple, but the token only lasts a day so it makes it impractical to use as our end user needs to sign in every day to use the application. If you have any update on this would be greatly appreciated.

stay tuned til after the holiday 😉...

Hello everyone! We know this has not been the best experience, but I do want to extend my sincere thanks for your patience. If you haven't already, please see this announcement. The team is continuing to deliver features and bug fixes. If you see any issues, please feel free to comment below or reach out to me (AzCommunity[at]microsoft[dot]com ATTN: Ryan).

v.1.4.2 has been flighted and you can verify your host has the bits by hitting /.auth/version after an authenticated request.

@NunoBem please reach out to me via the email so I can work more closely with you.

Excellent news Ryan! I'll try it out as soon as I can and report back status. Thanks for the update!
