Apple currently requires apps on its store to be able to delete a user account and revoke token permissions:
Endpoint Doc: https://developer.apple.com/documentation/sign_in_with_apple/revoke_tokens
Additional Info: https://developer.apple.com/forums/thread/708415
Following the guide here:
The idp_access_token claim yields a string value like "af42702403427436e915f761ddd1e0ed4.0.srrst.aOw1NWI0uV78qwwNrzV7VA", which is not a valid token for the parameters of Apple's auth revoke endpoint.
Here is a code snippet of the Apple claims provider in TrustFrameworkExtensions.xml:
<ClaimsProvider>
  <Domain>apple.com</Domain>
  <DisplayName>Sign in with Apple</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Apple-OIDC">
      <DisplayName>Sign in with Apple</DisplayName>
      <Protocol Name="OpenIdConnect"/>
      <Metadata>
        <Item Key="ProviderName">apple</Item>
        <!-- Apple's endpoints are listed explicitly instead of via a METADATA discovery URL -->
        <Item Key="authorization_endpoint">https://appleid.apple.com/auth/authorize</Item>
        <Item Key="AccessTokenEndpoint">https://appleid.apple.com/auth/token</Item>
        <Item Key="JWKS">https://appleid.apple.com/auth/keys</Item>
        <Item Key="issuer">https://appleid.apple.com</Item>
        <Item Key="scope">name email openid</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="response_types">code</Item>
        <Item Key="external_user_identity_claim_id">sub</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="client_id">xxxxx</Item>
        <Item Key="IdTokenAudience">xxxxx</Item>
        <Item Key="UsePolicyInRedirectUri">0</Item>
        <!-- Apple posts the user object (name and email) in the form body, and only on the first authorization -->
        <Item Key="ReadBodyClaimsOnIdpRedirect">user.email user.name.firstName user.name.lastName</Item>
      </Metadata>
      <!-- client_secret is the ES256 JWT signed with the Apple .p8 key, stored as a B2C policy key -->
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="xxxxx" />
      </CryptographicKeys>
      <InputClaims />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" Required="true"/>
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="user.email" Required="true"/>
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="user.name.firstName" DefaultValue="" />
        <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="user.name.lastName" DefaultValue="" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="https://appleid.apple.com/" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
        <!-- Passes the access token Apple returned from /auth/token through to the application -->
        <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
Info on editing OpenID Connect technical profiles can be found here:
Trying to modify the "MetaData" item of the technical profile's Metadata element to include the "v2.0" OpenID configuration URL, as discussed here https://learn.microsoft.com/en-us/answers/questions/750245/azure-ad-b2c-how-to-get-idp-access-token-for-apple.html, results in an "access_denied" error during the B2C authentication with Apple.
Not sure how I can get a valid Apple access token to be passed through. Any thoughts on the matter would be appreciated. If I proceed to delete the user from B2C and am unable to revoke the Apple tokens and reset the "Sign in with Apple" state, then the next time a user uses that Apple account to create a B2C account, the email and name claims won't be passed through, because from Apple's perspective they only send that info once and that authorization hasn't been revoked.
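The revoke call itself, as an added example that is not part of the original post and not Microsoft's or Apple's code. Apple's revoke_tokens doc linked above takes four form fields: client_id (the Services ID), client_secret (an ES256 JWT signed with the .p8 key, the same secret stored as the B2C policy key), token (the opaque access or refresh token Apple issued, which is the string B2C hands over as identityProviderAccessToken) and token_type_hint. The Go below builds and self-verifies that client secret with the standard library only, assembles the form and posts it; the team ID, Services ID and key ID are placeholders, the key is a throwaway one generated in process, and main makes no network call. It also shows the two things that most often break this call: the JWS signature must be raw R||S rather than the DER form openssl produces, and the token must be sent as-is, not re-encoded.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/http"
	"net/url"
	"strings"
	"time"
)

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewDemoKey returns a throwaway P-256 key so the demo runs offline. In production load the
// .p8 file from the Apple developer portal instead (pem.Decode, then x509.ParsePKCS8PrivateKey).
func NewDemoKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// BuildClientSecret creates the ES256-signed JWT Apple requires as client_secret (teamID, Services ID and keyID come from the developer portal).
func BuildClientSecret(teamID, clientID, keyID string, key *ecdsa.PrivateKey, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": keyID})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": teamID,
		"iat": now.Unix(),
		"exp": now.Add(10 * time.Minute).Unix(), // keep it short; Apple caps exp at 6 months
		"aud": "https://appleid.apple.com",
		"sub": clientID,
	})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 is raw R||S (32 bytes each, zero-padded), not the DER that openssl emits.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64url(sig), nil
}

// VerifyClientSecret checks the signature with the public half of the key and returns the claims: a self-test before the secret goes to Apple.
func VerifyClientSecret(jwt string, pub *ecdsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(jwt, ".")
	sig, err := base64.RawURLEncoding.DecodeString(parts[len(parts)-1])
	if len(parts) != 3 || err != nil || len(sig) != 64 {
		return nil, fmt.Errorf("malformed JWT or ES256 signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, fmt.Errorf("signature does not verify")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var claims map[string]interface{}
	if err == nil {
		err = json.Unmarshal(payload, &claims)
	}
	return claims, err
}

// RevokeForm builds the x-www-form-urlencoded body for /auth/revoke. token is the opaque string
// Apple issued (B2C hands it over as identityProviderAccessToken); tokenTypeHint is "access_token" or "refresh_token".
func RevokeForm(clientID, clientSecret, token, tokenTypeHint string) url.Values {
	return url.Values{
		"client_id":       {clientID},
		"client_secret":   {clientSecret},
		"token":           {token},
		"token_type_hint": {tokenTypeHint},
	}
}

// Revoke POSTs the form and returns the HTTP status: Apple answers 200 on success, 400 when client_id, client_secret or token do not match.
func Revoke(client *http.Client, endpoint string, form url.Values) (int, error) {
	resp, err := client.PostForm(endpoint, form)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	// Demo only: placeholder IDs, throwaway key, no network call.
	secret, err := BuildClientSecret("TEAMID1234", "com.example.b2c.signin", "KEYID12345", NewDemoKey(), time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println(RevokeForm("com.example.b2c.signin", secret, "token-from-B2C", "access_token").Encode())
}
```

To run it for real, call Revoke(http.DefaultClient, "https://appleid.apple.com/auth/revoke", form) with the Services ID from the client_id item, a secret built from the real .p8 key, and the identityProviderAccessToken value from the B2C token; treat anything other than 200 as "not revoked" and keep the B2C account until the revoke succeeds, since the Apple-side authorization state is what decides whether name and email arrive on the next sign-up.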