Jun 8, 2019

Enable Sign In with Apple on Azure AD B2C(without custom policy)

Hi, there.

Recently Apple revealed 'Sign In with Apple' on WWDC'19, and in this article I'm going to explain how to configure this new capability with Azure Active Directory B2C. Of course you can configure this using Identity Experience Framework(Custom Policy), but this time I use built in OpenID Connect IdP configuration(Public Preview).

First of all, let me show you video of how this works.


  • Apple Developer Account(need to subscribe for at least one year!)
  • Azure Active Directory B2C tenant
  • Azure WebApps or some web hosting service to upload metadata

Configure client on Apple Developer console

Actually, 'Sign In with Apple' uses OAuth/OpenID Connect like mechanism(it seems not an exact compliant with these protocols). So if you are familiar with these protocols, it is not difficult to implement this scenario.

You can create OAuth/OIDC client on Apple Developer console by following Okta developer blog. This is really great post!!

Steps for configuration are following;
  1. Register App Id with Sign In with Apple capability
  2. Register Services Id. -> this Id will be used as client_id
    • Verify domain ownership
    • Configure redirect uri
  3. Register Key for Sign In with Apple
  4. Download the registered key and convert it to JWT format. -> this key will be used as client_secret

Configure Identity Provider on Azure AD B2C

Before configuring Identity Provider on Azure AD B2C, you have to create discovery document(metadata) for Apple Id because Apple does not expose the document on any web so far.

I used Azure WebApps to publish metadata, but you can use any web services to expose.
Built in OIDC IdP configuration of Azure AD B2C requires,
  • Issuer
  • Authorization Endpoint
  • Token Endpoint
  • Jwks Endpoint
on the metadata, and the metadata uri must be ended with ./well-known/openid-configuration.

This is my metadata.

Now you can configure the built-in policy on Azure AD B2C console.

Add new Identity Provider.

Choose OpenID Connect(preview) for Identity provider type.

Set metadata uri, client_id, client_secret values.

Map claim type 'sub' for mandatory attributes. Actually Apple does not return name or email values on id_token.

Configure User Flow(policies) using the IdP

The last step on Azure AD B2C console is User Flow configuration as usual. This time I created Sign In and Sign Up (v2) policy using Apple IdP which I configured on previous step.

Configuring attribute flow for application.

Now all of configurations was done!

You can use the new policy for any applications registered on Azure AD B2C!