How Apple broke "Sign in with Apple" with an unannounced and silent redirect
Ory OSS 25.4.0 brings OAuth 2.0 device authorization flow, SMS login, token chain revocation and more — giving developers and IAM builders a solid foundation for IAM.
On June 11, 2025, Apple silently updated its OpenID Connect (OIDC) discovery endpoint. This change broke Sign in with Apple for many apps that correctly validated OIDC tokens.
The redirect lasted less than 24 hours. But it exposed a deeper issue: identity infrastructure is brittle, and when upstream providers change behavior unexpectedly, compliant clients fail.
This is a technical breakdown of what went wrong, why it's only partially fixed, and why relying on hardened open source infrastructure like Ory is the safer long-term bet.
Originally, this endpoint:
https://appleid.apple.com/.well-known/openid-configuration
started redirecting to:
https://account.apple.com/.well-known/openid-configuration
The discovery document at account.apple.com declares the issuer as https://account.apple.com. But Apple’s ID tokens
and client credentials flows still use https://appleid.apple.com in the iss claim and signing infrastructure.
OIDC-compliant clients immediately broke because the issuer in the token didn’t match the one in the discovery metadata.
As of June 12:
https://appleid.apple.com/.well-known/openid-configuration declares issuer: https://appleid.apple.comhttps://account.apple.com/.well-known/openid-configuration declares issuer: https://account.apple.comiss: https://appleid.apple.comThis is a partial rollback. The ecosystem is now in an inconsistent state. Using the account.apple.com issuer causes
compliant clients to reject valid tokens, because they appear to come from the wrong issuer.
Apple has provided no changelog, no migration path, and no official guidance.
OIDC is strict by design. Clients are expected to:
issuer fieldiss field in tokens matches the issuer${issuer}/.well-known/jwks.json to verify tokensThis trust chain breaks instantly if any part is misaligned. Apple's change violated this contract. Apps broke not because they were fragile—but because they were correct.
This incident is exactly why companies choose open-source, production-grade identity infrastructure instead of writing their own login logic or using one-off libraries. Even if you're Apple. Take OpenAI. They rely on Ory to manage authentication and identity across hundreds of millions of users.
If you're building auth yourself, you're responsible for:
With Ory, that burden is offloaded to a system built for scale, correctness, and long-term maintainability. You get all the flexibility of open source with the confidence that you're not the first one to hit edge cases like this.
For auth that is worry free and never breaks, get started with Ory.