Post-GA Revisit of "Sign In with Apple" for Azure AD B2C

A couple of months back I did a little walkthrough of "Sign in with Apple" in an Azure AD B2C context, it being in a new preview and all:

https://techcommunity.microsoft.com/t5/azure-developer-community-blog/quot-sign-in-with-apple-quot-custom-policy-for-azure-ad-b2c/ba-p/766575

But I didn't really follow up on that when it went GA back in October.

So, let's revisit this one.

I will assume you have performed the setup in the Apple Developer Portal as described here (follow along until you get to "Creating the OIDC metadata endpoint", which will not be necessary):

https://github.com/azure-ad-b2c/samples/tree/master/policies/sign-in-with-apple

We were able to make it work in general so no complaints there, but there were some minor things with the setup that could be improved upon.

Apple didn't really conform to the OpenID Connect specs during the preview - yes, they were fairly similar but not quite there. While Apple still has a different implementation (like not providing a metadata endpoint) they have fixed most things.

What we did to get around the missing metadata was to provide an Azure Function that acted as an endpoint, but we can move this inside the policy instead (coding the necessary values into the xml). Let's update the claims provider:

**B2C_1A_TrustFrameworkExtensions_Dev.xml**

```xml
<ClaimsProvider>
  <Domain>Apple</Domain>
  <DisplayName>Apple</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AppleID">
      <DisplayName>Sign in with Apple</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <Item Key="client_id">%apple-client-id%</Item>
        <Item Key="UsePolicyInRedirectUri">0</Item>
        <Item Key="authorization_endpoint">https://appleid.apple.com/auth/authorize</Item>
        <Item Key="AccessTokenEndpoint">https://appleid.apple.com/auth/token</Item>
        <Item Key="JWKS">https://appleid.apple.com/auth/keys</Item>
        <Item Key="issuer">https://appleid.apple.com</Item>
        <Item Key="IdTokenAudience">%apple-client-id%</Item>
        <Item Key="response_types">code</Item>
        <Item Key="scope">name email</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="HttpBinding">POST</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_AppleIDAppSecret" />
      </CryptographicKeys>
      <InputClaims />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
        <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="email" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

This actually fixes one of the other quirks we saw at the same time too. We were not able to extract the email address of the user even if they consented, but this can now be retrieved.

We're still not able to extract the name directly from Apple's token - that seems to be a limitation in B2C at the moment as the name is in the following format according to Apple:

```
{
  "name": {
    "firstName": string,
    "lastName": string
  },
  "email": string
}
```

And that doesn't seem to be what AAD B2C expects so there's a mismatch. (I've tried getting around this in various ways, but haven't succeeded yet. If you know how let me know in the comments.)

You should still request both name and email in the scope for future proofing though, as Apple doesn't seem to support changing this after the initial consent.

For the sake of simplicity we're not embedding this into any existing journeys like I have done before, so add something like this to have a dedicated Apple user journey:

**B2C_1A_TrustFrameworkExtensions_Dev.xml**

```xml
<UserJourney Id="SuSiApple">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection TargetClaimsExchangeId="AppleExchange" />
      </ClaimsProviderSelections>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AppleExchange" TechnicalProfileReferenceId="AppleID" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="4" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="5" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>
```

And to top it off add a new RP:

**B2C_1A_SignUp_SignIn_Apple.xml**

```xml
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
PolicySchemaVersion="0.3.0.0"
TenantId="yourtenant.onmicrosoft.com"
PolicyId="B2C_1A_Signup_Signin_Apple"
PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_Signup_Signin_Apple"
TenantObjectId="tenant_id">
  <BasePolicy>
    <TenantId>yourtenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions_Dev</PolicyId>
  </BasePolicy>
  <RelyingParty>
    <DefaultUserJourney ReferenceId="SuSiApple" />
    <UserJourneyBehaviors>
      <ContentDefinitionParameters>
        <Parameter Name="ui_locales">{Culture:RFC5646}</Parameter>
      </ContentDefinitionParameters>
      <ScriptExecution>Allow</ScriptExecution>
    </UserJourneyBehaviors>
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>
```

That should give you a fairly working sample of Apple in your app. (You might want to go over additional claims needed and such.)

The beauty now that the experience is GA is that Apple have (unsurprisingly) adapted the UX to the device you are using. For instance it will work in Chrome on a Windows PC - you'll receive a code on your phone/pad/watch that you need to manually type in. But if you for instance do it on an iPhone with FaceID you just give the device an approving look and you're in - that's about as smooth as it gets:

[Image: SiwA_iPhone.png, caption "SignIn on iPhone with FaceId": https://gxcuf89792.i.lithium.com/t5/image/serverpage/image-id/163402iCDC681A7D0C77456/image-size/large?v=1.0&px=999]

Will this appeal to everyone? No, but if you are all in on the iOS ecosystem it's not a bad SignIn flow.

If you want to test this in an app there's a known-good sample here:

https://github.com/ahelland/Identity-CodeSamples-v2/tree/master/aad-b2c-custom_policies-dotnet-core

(Custom Policies not added to repo while publishing this post, but hoping to get that fixed soon.)

And if you don't want to mess around with the code you can just create a container-based Azure App Service and pull in the Docker images I've built (policies uploaded separately, and config still needed for web app):

https://hub.docker.com/r/ahelland/aad-b2c-custom_policies-dotnet-core-linux
RTY%3E%0A%3C%2FTRUSTFRAMEWORKPOLICY%3E%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThat%20should%20give%20you%20a%20fairly%20working%20sample%20of%20Apple%20in%20your%20app.%20(You%20might%20want%20to%20go%20over%20additional%20claims%20needed%20an%20such.)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20beauty%20now%20that%20the%20experience%20is%20GA%20is%20that%20Apple%20have%20(unsurprisingly)%20adapted%20the%20UX%20to%20the%20device%20you%20are%20using.%20For%20instance%20it%20will%20work%20in%20Chrome%20on%20a%20Windows%20PC%20-%20you'll%20receive%20a%20code%20on%20your%20phone%2Fpad%2Fwatch%20that%20you%20need%20to%20manually%20type%20in.%20But%20if%20you%20for%20instance%20do%20it%20on%20an%20iPhone%20with%20FaceID%20you%20just%20give%20the%20device%20an%20approving%20look%20and%20you're%20in%20-%20that's%20about%20as%20smooth%20as%20it%20gets%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20461px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F163402iCDC681A7D0C77456%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22SiwA_iPhone.png%22%20title%3D%22SiwA_iPhone.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3ESignIn%20on%20iPhone%20with%20FaceId%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWill%20this%20appeal%20to%20everyone%3F%20No%2C%20but%20if%20you%20are%20all%20in%20on%20the%20iOS%20ecosystem%20it's%20not%20a%20bad%20SignIn%20flow.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you%20want%20to%20test%20this%20in%20an%20app%20there's%20a%20known-good%20sample%20here%3A%3C%2FP%3E%3CP%3E%3CA%20title%3D%22https%3A%2F%2Fgithub.com%2Fahelland%2FIdentity-CodeSamples-v2%2Ftree%2Fmaster%2Faad-b2c-custom_policies-dotnet-core%22%20href%3D%22https%3A%2F%2Fgithub.com%2Fahe
lland%2FIdentity-CodeSamples-v2%2Ftree%2Fmaster%2Faad-b2c-custom_policies-dotnet-core%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Fahelland%2FIdentity-CodeSamples-v2%2Ftree%2Fmaster%2Faad-b2c-custom_policies-dotnet-core%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E(Custom%20Policies%20not%20added%20to%20repo%20while%20publishing%20this%20post%2C%20but%20hoping%20to%20get%20that%20fixed%20soon.)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnd%20if%20you%20don't%20want%20to%20mess%20around%20with%20the%20code%20you%20can%20just%20create%20a%20container-based%20Azure%20App%20Service%20and%20pull%20in%20the%20Docker%20images%20I've%20built%20(policies%20uploaded%20separately%2C%20and%20config%20still%20needed%20for%20web%20app)%3A%3C%2FP%3E%3CP%3E%3CA%20title%3D%22https%3A%2F%2Fhub.docker.com%2Fr%2Fahelland%2Faad-b2c-custom_policies-dotnet-core-linux%22%20href%3D%22https%3A%2F%2Fhub.docker.com%2Fr%2Fahelland%2Faad-b2c-custom_policies-dotnet-core-linux%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fhub.docker.com%2Fr%2Fahelland%2Faad-b2c-custom_policies-dotnet-core-linux%3C%2FA%3E%3C%2FP%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1083814%22%20slang%3D%22en-US%22%3E%3CP%3ERevisiting%20the%20Sign%20in%20with%20Apple%20opportunities%20for%20custom%20policies%20in%20Azure%20AD%20B2C.%3C%2FP%3E%3CP%3EIf%20you%20or%20your%20customers%20want%20to%20provide%20end%20users%20the%20option%20of%20signing%20in%20to%20a%20web%20page%20through%20using%20their%20Apple%20Ids%20it%20can%20be%20done%20through%20the%20magic%20of%20custom%20policies.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1083814%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20Developer%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EDeveloper%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Senior Member

A couple of months back I did a little walkthrough of "Sign in with Apple" in an Azure AD B2C context, back when it was a brand-new preview:

https://techcommunity.microsoft.com/t5/azure-developer-community-blog/quot-sign-in-with-apple-quot-c...

But I didn't really follow up on that when it went GA back in October.

So, let's revisit this one.

I will assume you have performed the setup in the Apple Developer Portal as described here (follow along until you get to the "Creating the OIDC metadata endpoint" section, which will not be necessary):

https://github.com/azure-ad-b2c/samples/tree/master/policies/sign-in-with-apple

We were able to make it work in general, so no complaints there, but there were some minor things in the setup that could be improved upon.

Apple didn't really conform to the OpenID Connect specs during the preview. Yes, they were fairly similar, but not quite there. While Apple still has a different implementation (like not providing a metadata endpoint), they have fixed most things.

What we did to get around the missing metadata was to provide an Azure Function that acted as a metadata endpoint, but we can move this inside the policy instead (coding the necessary values into the XML). Let's update the claims provider:

B2C_1A_TrustFrameworkExtensions_Dev.xml

<ClaimsProvider>      
  <Domain>Apple</Domain>
  <DisplayName>Apple</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AppleID">
      <DisplayName>Sign in with Apple</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <Item Key="client_id">%apple-client-id%</Item>
        <Item Key="UsePolicyInRedirectUri">0</Item>
        <Item Key="authorization_endpoint">https://appleid.apple.com/auth/authorize</Item>
        <Item Key="AccessTokenEndpoint">https://appleid.apple.com/auth/token</Item>
        <Item Key="JWKS">https://appleid.apple.com/auth/keys</Item>
        <Item Key="issuer">https://appleid.apple.com</Item>
        <Item Key="IdTokenAudience">%apple-client-id%</Item>
        <Item Key="response_types">code</Item>
        <Item Key="scope">name email</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="HttpBinding">POST</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_AppleIDAppSecret" />
      </CryptographicKeys>
      <InputClaims />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
        <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="email" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

This actually fixes one of the other quirks we saw at the same time too. We were not able to extract the email address of the user even if they consented, but this can now be retrieved.


We're still not able to extract the name directly from Apple's token - that seems to be a limitation in B2C at the moment as the name is in the following format according to Apple:

{
  "name": {
    "firstName": string,
    "lastName": string
  },
  "email": string
}

And that doesn't seem to be what AAD B2C expects, so there's a mismatch. (I've tried getting around this in various ways, but haven't succeeded yet. If you know how, let me know in the comments.)
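As an added example (not code from this post or from the B2C samples repo), here is a small Python sketch of what the metadata items in the claims provider above drive once Apple's form_post response arrives: the `iss` claim is checked against `issuer`, `aud` against `IdTokenAudience`, expiry is enforced, and the nested `user` JSON from Apple's first consent is flattened into the flat claim shape B2C expects. The client id, token and user values are constructed placeholders, and the signature check that B2C performs against the `JWKS` item is deliberately left out.

```python
import base64
import json
from urllib.parse import parse_qs

# Constructed stand-in for the <Metadata> items above; "com.example.b2c" plays %apple-client-id%.
POLICY_METADATA = {"issuer": "https://appleid.apple.com", "IdTokenAudience": "com.example.b2c"}

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))  # restore '=' padding

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_id_token(claims: dict) -> str:
    # Constructed for offline use: the third segment is a placeholder, not an RS256 signature.
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.{_b64url_encode(b'sig')}"

def decode_id_token_claims(id_token: str) -> dict:
    # The signature is NOT verified here; B2C does that against the JWKS metadata item.
    header, payload, _signature = id_token.split(".")
    if json.loads(_b64url_decode(header)).get("alg", "none").lower() == "none":
        raise ValueError("unsigned id_token rejected")
    return json.loads(_b64url_decode(payload))

def check_id_token(claims: dict, metadata: dict, now: int) -> list:
    # The checks the 'issuer' and 'IdTokenAudience' metadata items drive, plus expiry.
    problems = []
    if claims.get("iss") != metadata["issuer"]:
        problems.append("iss")
    if claims.get("aud") != metadata["IdTokenAudience"]:
        problems.append("aud")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("exp")
    return problems

def flatten_apple_user(user_json: str) -> dict:
    # Apple's nested first-consent 'user' field -> the flat claims B2C expects.
    user = json.loads(user_json)
    name = user.get("name") or {}
    parts = [name.get("firstName"), name.get("lastName")]
    flat = {k: v for k, v in zip(("givenName", "surname"), parts) if v}
    if flat:
        flat["displayName"] = " ".join(p for p in parts if p)
    if user.get("email"):
        flat["email"] = user["email"]
    return flat

def process_form_post(body: str, metadata: dict, now: int) -> dict:
    # One response_mode=form_post body from Apple -> B2C-style claims, or ValueError.
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    claims = decode_id_token_claims(fields["id_token"])
    problems = check_id_token(claims, metadata, now)
    if problems:
        raise ValueError("id_token rejected: " + ", ".join(problems))
    result = {"socialIdpUserId": claims["sub"], "identityProvider": claims["iss"]}
    if claims.get("email"):
        result["email"] = claims["email"]
    if "user" in fields:  # Apple posts 'user' only on the first consent
        result.update(flatten_apple_user(fields["user"]))
    return result
```

Because `user` only arrives on the very first consent, anything not captured at that moment (the name, in particular) is gone for good, which is why the scope request below matters.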

You should still request both name and email in the scope for future-proofing, though, as Apple doesn't seem to support changing this after the initial consent.

For the sake of simplicity we're not embedding this into any existing journeys like I have done before, so add something like this to have a dedicated Apple user journey:

B2C_1A_TrustFrameworkExtensions_Dev.xml

<UserJourney Id="SuSiApple">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection TargetClaimsExchangeId="AppleExchange" />
      </ClaimsProviderSelections>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AppleExchange" TechnicalProfileReferenceId="AppleID" />
      </ClaimsExchanges>
    </OrchestrationStep>        
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="4" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="5" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb" />
</UserJourney>

And to top it off, add a new relying party (RP) policy:

B2C_1A_SignUp_SignIn_Apple.xml

<TrustFrameworkPolicy 
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" 
  PolicySchemaVersion="0.3.0.0" 
  TenantId="yourtenant.onmicrosoft.com" 
  PolicyId="B2C_1A_Signup_Signin_Apple" 
  PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_Signup_Signin_Apple" 
  TenantObjectId="tenant_id">
  <BasePolicy>
    <TenantId>yourtenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions_Dev</PolicyId>
  </BasePolicy>
  <RelyingParty>
    <DefaultUserJourney ReferenceId="SuSiApple" />
    <UserJourneyBehaviors>
      <ContentDefinitionParameters>
        <Parameter Name="ui_locales">{Culture:RFC5646}</Parameter>
      </ContentDefinitionParameters>
      <ScriptExecution>Allow</ScriptExecution>
    </UserJourneyBehaviors>
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" />        
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>

That should give you a fairly working sample of Sign in with Apple in your app. (You might want to go over additional claims needed and such.)

The beauty now that the experience is GA is that Apple has (unsurprisingly) adapted the UX to the device you are using. For instance, it will work in Chrome on a Windows PC: you'll receive a code on your phone/pad/watch that you need to type in manually. But if you do it on an iPhone with FaceID, you just give the device an approving look and you're in. That's about as smooth as it gets:

SignIn on iPhone with FaceId (screenshot)

Will this appeal to everyone? No, but if you are all in on the iOS ecosystem it's not a bad SignIn flow.


If you want to test this in an app there's a known-good sample here:

https://github.com/ahelland/Identity-CodeSamples-v2/tree/master/aad-b2c-custom_policies-dotnet-core


(Custom Policies not added to repo while publishing this post, but hoping to get that fixed soon.)

And if you don't want to mess around with the code, you can just create a container-based Azure App Service and pull in the Docker image I've built (policies uploaded separately, and config still needed for the web app):

https://hub.docker.com/r/ahelland/aad-b2c-custom_policies-dotnet-core-linux