Issue with Azure Entra External ID and Apple ID Federation – "invalid_request invalid web redirect url"

Developer Tools & Services Apple Developer Program
clarkent711
clarkent711 OP
Created 17h
Replies 0
Boosts 0
Views 137
Participants 1

I'm currently coding an application using Azure Entra External ID (B2C) with User Flows and multiple identity providers configured.

So far, I’ve successfully linked Microsoft, Google, and Facebook. However, when configuring Apple as an identity provider, the User Flow fails with the following error:

  • "invalid_request invalid web redirect url"

Following the Microsoft Learn guide (https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-apple-federation-customers), I completed the following:

Create an Apple application

  1. Sign in to the Apple Developer Portal with your account credentials.
  2. From the menu, select Certificates, IDs, & Profiles, and then select (+).
  3. In the Register a New Identifier section, select App IDs, and then select Continue.
  4. For Select a type, select App, and then select Continue.
  5. To Register your App ID:
  • Enter a Description.
  • Enter the Bundle ID, such as com.contoso.azure-ad. Explicit naming such as com.myappdomain.myappname recommended.
  • For Capabilities, select Sign in with Apple from the capabilities list.
  • Take note of your Team ID (App ID Prefix) from this step. You'll need it later.
  • Select Continue and then Register.
  1. From the menu, select Certificates, IDs, & Profiles, and then select (+).
  2. In the Register a new identifier section, select Services IDs, and then select Continue.
  3. In Register a Services ID:
  • Enter a Description. The description is shown to the user on the consent screen.
  • Enter the Identifier, such as com.contoso.entra-service. Explicit naming such as com.myappdomain.myappname.service is recommended. Take note of your Service ID identifier. The identifier is your Client ID.
  • Select Continue, and then select Register.
  1. From Identifiers, select the Service ID identifier you created.
  2. Select Sign In with Apple, and then select Configure.
  • Select the Primary App ID you want to configure Sign in with Apple with.
  • In Domains and Subdomains, enter the following by replacing

<tenant-id> with your tenant ID or your primary domain name, and

<tenant-name> with your tenant name. All characters should be in lower-case. As an example:

<tenant-name>.ciamlogin.com

<tenant-id>.ciamlogin.com

  • In Return URLs, enter the following by replacing <tenant-id>with your tenant ID or your primary domain name, and <tenant-name> with your tenant name. All characters should be in lower-case.

As an example:

https://<tenant-id>.ciamlogin.com/<tenant-id>/federation/oauth2

https://<tenant-id>.ciamlogin.com/<tenant-name>/federation/oauth2

https://<tenant-name>.ciamlogin.com/<tenant-id>/federation/oauth2

  • Select Next, and then select Done.

  • When the pop-up window is closed, select Continue, and then select Save.

Create an Apple client secret

  1. From the Apple Developer portal menu, select Keys, and then select (+).
  2. To Register a New Key:
  • Type a Key Name.
  • Select Sign in with Apple, and then select Configure.
  • For the Primary App ID, select the app you created previously, and then select Save.
  1. Select Continue, and then select Register to finish the key registration process.
  2. Take note of the Key ID. This key is required when you configure the identity provider.
  3. To Download Your Key, select Download to download the .p8 file that contains your key.
  4. Select Done.

Configure Apple federation in Microsoft Entra External ID

After you create the Apple app, in this step you set the Apple app details in Microsoft Entra External ID. You can use the Microsoft Entra admin center to do so. To configure Apple federation in the Microsoft Entra admin center, follow these steps:

  1. Sign in to the Microsoft Entra admin center.
  2. Browse to Entra ID > External Identities > All identity providers.
  3. Under the Built-in tab, select Apple.
  4. The Name Apple is autopopulated. It cannot be changed.
  5. Enter the following details:
  • Client (Apple service) ID: The client ID of the Apple application you created in the previous step.
  • Apple developer team ID: The Apple developer team ID related to the Apple application you created in the previous step.
  • Key ID: The key ID of the Apple application you created in the previous step.
  • Client secret (.p8) key: The client secret key of the Apple application you created in the previous step.
  1. Select Save. You’ll see Apple listed as a configured identity provider.

Add Apple identity provider to a user flow

At this point, the Apple identity provider has been set up in your Microsoft Entra External ID, but it's not yet available in any of the sign-in pages. To add the Apple identity provider to a user flow:

  1. In your customer tenant, browse to Entra ID > External Identities > User flows.
  2. Select the user flow where you want to add the Apple identity provider.
  3. Under Settings, select Identity providers.
  4. Under Other Identity Providers, select Apple.
  5. Select Save.

❌ The Issue

After completing all steps, Apple still fails during sign-in, while the other providers work correctly. The error message I receive is:

  • "invalid_request invalid web redirect url"

Request for Help

I'm unsure where the misconfiguration may lie — whether it's with:

  • The Return URLs entered in the Apple Developer portal,
  • The Client ID or other fields in the Entra portal,
  • Or something else I’ve overlooked.

If anyone has successfully configured Apple ID federation with Azure Entra External ID (B2C) and encountered this error, I'd really appreciate any insights or suggestions.

Thank you!

Replies  0
Boosts  0
Views  137
Participants  1
Issue with Azure Entra External ID and Apple ID Federation – "invalid_request invalid web redirect url"
First post date Last post date
 
 
Q