On my Azure App Service with Apple EasyAuth, how do I refresh my token or obtain a long-lived token?

Gijs Peters 25 Reputation points
2024-06-11T15:15:23.82+00:00

I have an app (React Native) that communicates with a backend API on Azure. I've enabled EasyAuth with Apple login. I'm using the provider SDK flow described by the Azure docs:

  1. The user touches the Sign In button
  2. The user authenticates to Apple directly, on my phone conveniently with Touch ID
  3. The app gets the identityToken from the credentials retrieved from Apple
  4. The app sends a POST request to myapi.azurewebsites.net/.auth/login/apple, with {id_token: identityToken}
  5. The App Service returns a JWT
  6. I use the API with the JWT provided in the X-ZUMO-AUTH header.

However, both the identity token and the JWT expire after a day, which means the user needs to log in again. How can I refresh my tokens, without the user having to sign in again?

The Azure docs are very brief on refreshing tokens; they simply say "send a GET request to /.auth/refresh". Now, with cookies in a browser that might indeed work, but from an app we need a bit more. What I tried, but what didn't work:

  1. GET https://myapi.azurewebsites.net/.auth/refresh -H "Authorization: Bearer **apple id token**", returned 401
  2. GET https://myapi.azurewebsites.net/.auth/refresh -H "Authorization: Bearer **Azure JWT**", returned 401
  3. GET https://myapi.azurewebsites.net/.auth/refresh -H "X-ZUMO-AUTH; **Azure JWT**", returned 403
  4. POST https://myapi.azurewebsites.net/.auth/refresh -H "Content-Type: application/json" -d '{"id_token": **apple id token**}', returned 401

For now, I simply require the user to log in after a day (after the tokens expired), but I don't like that UX. It feels like this shouldn't be rocket science, and I'm missing something simple. What's a better way? Who managed this, and how?


Accepted answer
    SnehaAgrawal-MSFT 22,706 Reputation points Moderator
    2024-06-14T08:44:26.2133333+00:00

    @Gijs Peters Thanks for reaching us through multiple forums. It seems the issue is resolved by you here.

    Glad that you were able to resolve your issue and I appreciate your effort in sharing the solution.

    Your contribution will undoubtedly assist others facing similar challenges.

    I am resharing your answer here, as the Microsoft Q&A community follows a policy where the question author cannot accept their own answer.

    Feel free to consider "Accepting" the answer if you find it suitable.

    Azure App Service does not (yet) support storing and managing Apple refresh tokens. You need to implement this on your own. Fortunately, this is straightforward. The process is this:

    1. Authenticate to Apple on the device with expo-apple-authentication. The signin method returns an authorizationCode.
    2. Send this authorization code to a custom backend endpoint. Do this immediately; this code is valid for 5 minutes.
    3. From this backend endpoint, send a request to https://appleid.apple.com/auth/token with the authorization code and your client secret. Apple returns a refresh token and an identity token. Return these to the client app.
    4. On the app, store the refresh token in persistent storage, and keep the identity token somewhere in memory. It expires after 24 hours.
    5. Follow the normal auth flow for Azure App Service, with a request first to https://myapi.azurewebsites.net/.auth/login/apple to get the ZUMO JWT, and provide this JWT in subsequent requests to your server.

    On refresh:

    1. On the app, load the refresh token from persistent storage.
    2. Send the refresh token to another custom backend endpoint.
    3. From this backend endpoint, send a request to https://appleid.apple.com/auth/token with the refresh token and your client secret. Apple returns an identity token. Return this to the client app.
    4. Follow the normal auth flow for Azure App Service, with a request first to https://myapi.azurewebsites.net/.auth/login/apple to get the ZUMO JWT, and provide this JWT in subsequent requests to your server.

    This link provides details on how to implement the refresh and refresh token requests.

    Note that you do not need a backend endpoint per se, but you have to store your Apple client secret somewhere securely, and this secret needs to be refreshed at least every 6 months.

