Azure-docs: invalid audience in apple token

Created on 6 Aug 2020  ·  4 Comments  ·  Source: MicrosoftDocs/azure-docs

Hi MS team -

Thank you for adding the ability to support Sign In With Apple via OpenID Connect. I'm adding Sign In With Apple to an Azure / Xamarin Forms mobile app that already works using Google sign-in, and I'm almost across the finish line, but hitting a roadblock.

  • I've switched to file based auth management, and have configured a new OIDC provider, and named it "apple".
  • I am able to successfully get a token from Apple via iOS 13 native APIs. I can decrypt this token and I see "aud" = "com.mycompany.myapp" (actual names edited here to protect my client, full token JSON down below).
  • However, when I give this token to my Azure Mobile app (via /.auth/login/apple), it always responds with a 401 unauthorized.
  • Viewing the streaming web logs from the Azure portal (cool feature!), I see the following error:

    Received request: POST https://<myappserver>.azurewebsites.net/.auth/login/apple
    Warning     JWT validation failed: IDX10214: Audience validation failed. Audiences: '[PII is hidden]'. Did not match: validationParameters.ValidAudience: '[PII is hidden]' or validationParameters.ValidAudiences: '[PII is hidden]'..
    2020-08-06T03:00:39  PID[9672] Information Sending response: 401.83 Unauthorized

  • OK so, fair enough, but then 2 questions:

1) How can I turn off the masking of PII within the Azure server logs in order to see the actual audience strings it's comparing? (Obviously just for debugging this.)

2) More importantly, from where is it getting the ValidAudience / ValidAudiences settings?

In the auth json file, I saw that the "built-in" providers could have validation sections in their JSON, so I tried adding a "validation" section in my custom provider too:

    "openIdConnectProviders": {
      "apple": {
        "registration": {
          "clientId": "com.mycompany.myapp",
          "clientCredential": {
            "secretSettingName": "signInWithAppleClientSecret"
          },
          "openIdConnectConfiguration": {
            "wellKnownOpenIdConfiguration": "https://appleid.apple.com/.well-known/openid-configuration"
          }
        },
        "login": {
          "nameClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
          "scope": [],
          "loginParameterNames": []
        },
        "validation": {
          "allowedAudiences": [ "com.mycompany.myapp", "com.mycompany.myappClientID" ]
        }
      }
    },
    "login": {
      "routes": {
        "logoutEndpoint": ""
      },
      "tokenStore": {
        "enabled": "true"
      },
      "allowedExternalRedirectUrls": [
        "https://myapp.azurewebsites.net/.auth/login/google/callback",
        "https://myapp.azurewebsites.net/.auth/login/apple/callback",
        "myappurlscheme://easyauth.callback"
      ]
    }

I've also, in my Startup.Mobileapp.cs, hacked the actual audiences from the token into the ValidAudiences property of the AppServiceAuthenticationOptions:

    var authOptions = new AppServiceAuthenticationOptions
    {
        SigningKey = ConfigurationManager.AppSettings["SigningKey"],
        ValidAudiences = new[] { ConfigurationManager.AppSettings["ValidAudience"], "com.mycompany.myapp" },
        ValidIssuers = new[] { ConfigurationManager.AppSettings["ValidIssuer"], "https://appleid.apple.com" },
        TokenHandler = config.GetAppServiceTokenHandler(),
    };

But neither have seemed to fix anything.

What am I missing here? How can I tell /.auth/login/apple that a token I send it from Apple with "aud" = "com.mycompany.myapp" is valid?

If it helps, here's the JWT I get back from Apple. It's curious that the audience is the bundle ID and not the service ID that I created in the Apple Developer Portal... Apple servers seem to always give bundle ID, even though they say they give service ID. If possible I'm thinking I'll make both IDs valid once I figure out how, just to play it safe.

Thank you!

{
  "iss": "https://appleid.apple.com",
  "aud": "com.mycompany.myapp",
  "exp": 1596677722,
  "iat": 1596677122,
  "sub": "001441.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.2253",
  "c_hash": "8xxxxxxxxxxxxxxxxxxxxw",
  "email": "[email protected]",
  "email_verified": "true",
  "auth_time": 1596677122,
  "nonce_supported": true
}

I know the server's at least parsing the token correctly because after the 600 second expiration time, the error message in the log changes - instead of invalid audience, I get token expired.
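Added example (not code from this thread, from Azure App Service, or from Apple): a small offline diagnostic that reproduces the audience/issuer comparison the IDX10214 log line reports, so the mismatch can be seen with unmasked values. It assumes the accepted audiences are the provider's clientId plus its validation.allowedAudiences (an assumption, not documented App Service behaviour), and it only inspects claims; it does not verify the token signature, which App Service does against Apple's JWKS before any audience check.

```python
import base64
import json

# Provider block shaped like the "apple" entry in the poster's auth file.
# Constructed sample values, not real identifiers.
PROVIDERS = {
    "apple": {
        "registration": {"clientId": "com.mycompany.myapp"},
        "validation": {"allowedAudiences": ["com.mycompany.myappClientID"]},
    }
}
APPLE_ISSUER = "https://appleid.apple.com"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims. The signature is NOT checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(b64url_decode(parts[1]))


def accepted_audiences(provider: dict) -> set:
    """Assumed rule: clientId plus any validation.allowedAudiences."""
    allowed = set(provider.get("validation", {}).get("allowedAudiences", []))
    allowed.add(provider["registration"]["clientId"])
    return allowed


def audience_ok(claims: dict, allowed: set) -> tuple:
    """Mirror the IDX10214 check: 'aud' (string or list) must contain an allowed
    value, and 'iss' must be Apple. Returns (ok, reason) for unmasked logging."""
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else list(aud or [])
    matched = [a for a in auds if a in allowed]
    if not matched:
        return False, f"audience {auds} did not match allowed {sorted(allowed)}"
    if claims.get("iss") != APPLE_ISSUER:
        return False, f"issuer {claims.get('iss')!r} is not {APPLE_ISSUER}"
    return True, f"matched audience {matched[0]}"


def _enc(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Constructed token with an empty signature, for offline demonstration only."""
    return f"{_enc({'alg': 'RS256', 'kid': 'constructed'})}.{_enc(claims)}."


# Constructed claims mirroring the shape of the token quoted in the post.
SAMPLE_TOKEN = make_unsigned_token(
    {"iss": APPLE_ISSUER, "aud": "com.mycompany.myapp", "sub": "001441.constructed.2253"}
)
```

Run `audience_ok(jwt_claims(SAMPLE_TOKEN), accepted_audiences(PROVIDERS["apple"]))` with the audiences taken from your own auth file to see exactly which side of the comparison is wrong.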



All 4 comments

@masonmc Thanks for the feedback! We are currently investigating and will update you shortly.

@masonmc Have you tried seeing if the Allowed Token Audiences is selected for the Express Auth in App Services? This should be enabled and based on your error, I worry it is not.

Thanks for the quick reply Bryan! 

I am not sure how to do that when using file-based authentication settings. 

If I go into config/authsettings and change “isAuthFromFile” back to “false” I get the UI in the portal again, and I can see the Allowed Token Audiences option under AAD configuration, advanced tab. But isAuthFromFile has to be true in order to use custom OIDC providers... so how do I tweak that option when not using the portal UI, and from within the actual JSON authorization file instead? 

Also, do I need to enable AAD as a whole?  I only want my app to authenticate via Google and via Sign In With Apple. 

Thanks!

@masonmc These are good questions and I have unfortunately been unable to find the answers to them in the context of Apple ID. Let's get you a support case so you can work 1 on 1 with an engineer to troubleshoot this further. Can you please email us at [email protected] with your Azure subscription ID and the URL of this post?

We look forward to your reply. Since this will move into a support case, we will close this issue. We encourage you to share the results of the support case with the community by replying directly to this thread to help others who might encounter the same errors.
