How a redirect broke login with Apple for a full day
How Apple broke "Sign in with Apple" with an unannounced and silent redirect
On June 11, 2025, Apple silently updated its OpenID Connect (OIDC) discovery endpoint. This change broke Sign in with Apple for many apps that correctly validated OIDC tokens.
The redirect lasted less than 24 hours. But it exposed a deeper issue: identity infrastructure is brittle, and when upstream providers change behavior unexpectedly, compliant clients fail.
This is a technical breakdown of what went wrong, why it's only partially fixed, and why relying on hardened open source infrastructure like Ory is the safer long-term bet.
Originally, this endpoint:
https://appleid.apple.com/.well-known/openid-configuration
started redirecting to:
https://account.apple.com/.well-known/openid-configuration
The discovery document at account.apple.com declares the issuer as https://account.apple.com. But Apple’s ID tokens
and client credentials flows still use https://appleid.apple.com in the iss claim and signing infrastructure.
OIDC-compliant clients immediately broke because the issuer in the token didn’t match the one in the discovery metadata.
As of June 12:
- https://appleid.apple.com/.well-known/openid-configuration declares issuer: https://appleid.apple.com
- https://account.apple.com/.well-known/openid-configuration declares issuer: https://account.apple.com
- ID tokens still carry iss: https://appleid.apple.com
This is a partial rollback. The ecosystem is now in an inconsistent state. Using the account.apple.com issuer causes compliant clients to reject valid tokens, because they appear to come from the wrong issuer.
Apple has provided no changelog, no migration path, and no official guidance.
OIDC is strict by design. Clients are expected to:
- fetch the discovery document and trust its issuer field
- check that the iss field in tokens matches that issuer
- use ${issuer}/.well-known/jwks.json to verify tokens
This trust chain breaks instantly if any part is misaligned. Apple's change violated this contract. Apps broke not because they were fragile, but because they were correct.
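The following is an added example, not code from this post or from Ory: a minimal Python client that applies the two issuer checks above to the three situations described on this page (June 11 with the silent redirect, a client that switched its configured issuer to account.apple.com, and June 12 after the partial rollback). The discovery documents, the redirect table and the ID token are constructed inline and labelled as such; the simulated fetch follows a redirect transparently, as a real HTTP client would, and only the token payload is decoded. Key retrieval and signature verification are left out, since they come after the issuer checks and would need network access.

```python
"""Strict OIDC issuer validation against a simulated Apple discovery endpoint.

Added example (not from the post or from Ory). Discovery documents, the
redirect table and the ID token below are all constructed for illustration;
nothing is fetched over the network and no signature is verified.
"""
import base64
import json
from dataclasses import dataclass

WELL_KNOWN = "/.well-known/openid-configuration"
APPLE_ID = "https://appleid.apple.com"
ACCOUNT = "https://account.apple.com"

# Constructed discovery documents, keyed by the base URL that actually served
# them (only the field this example needs is included).
DISCOVERY_DOCS = {
    APPLE_ID: {"issuer": APPLE_ID},
    ACCOUNT: {"issuer": ACCOUNT},
}

# Redirect tables: requested base URL -> base URL that answered.
JUNE_11_REDIRECT = {APPLE_ID: ACCOUNT}   # silent redirect in place
JUNE_12_NO_REDIRECT = {}                 # partial rollback


@dataclass
class ValidationResult:
    ok: bool
    stage: str   # "discovery", "id_token" or "ok"
    reason: str


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a compact JWT with a placeholder signature (constructed test input)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def jwt_claims(token: str) -> dict:
    """Decode the payload only; signature checking happens after issuer and key resolution."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def fetch_discovery(configured_issuer: str, redirects: dict) -> tuple[str, dict]:
    """Simulated GET of <issuer>/.well-known/openid-configuration.

    Like a real HTTP client, this follows a redirect transparently, so the
    caller only sees the document that finally answered.
    """
    requested = configured_issuer.rstrip("/")
    served_from = redirects.get(requested, requested)
    return served_from, DISCOVERY_DOCS[served_from]


def validate_issuer(configured_issuer: str, id_token: str, redirects: dict) -> ValidationResult:
    """Apply the two issuer checks an OIDC client is expected to perform."""
    configured = configured_issuer.rstrip("/")
    _served_from, doc = fetch_discovery(configured, redirects)
    declared = doc.get("issuer")

    # Check 1 (OIDC Discovery 1.0, section 4.3): the issuer in the document must
    # equal the URL the client prepended to /.well-known/openid-configuration.
    if declared != configured:
        return ValidationResult(False, "discovery",
            f"document fetched for {configured}{WELL_KNOWN} declares issuer {declared}")

    # Check 2 (OIDC Core 1.0, section 3.1.3.7): the token's iss claim must equal that issuer.
    iss = jwt_claims(id_token).get("iss")
    if iss != declared:
        return ValidationResult(False, "id_token",
            f"id_token iss {iss} does not match issuer {declared}")

    return ValidationResult(True, "ok", "issuer chain is consistent; proceed to signature and audience checks")


# Constructed ID token: Apple kept signing with iss=https://appleid.apple.com throughout.
SAMPLE_ID_TOKEN = make_unsigned_jwt({"iss": APPLE_ID, "sub": "000123.constructed", "aud": "com.example.app"})

if __name__ == "__main__":
    for label, issuer, redirects in [
        ("June 11, client configured for appleid.apple.com", APPLE_ID, JUNE_11_REDIRECT),
        ("June 11, client switched to account.apple.com", ACCOUNT, JUNE_11_REDIRECT),
        ("June 12, redirect rolled back", APPLE_ID, JUNE_12_NO_REDIRECT),
    ]:
        result = validate_issuer(issuer, SAMPLE_ID_TOKEN, redirects)
        print(f"{label}: {'OK' if result.ok else 'REJECT at ' + result.stage} ({result.reason})")
```

Running the block shows why both workarounds fail: with the redirect in place, a client configured for appleid.apple.com rejects the discovery document itself (its issuer no longer matches the URL it was fetched from), while a client reconfigured for account.apple.com accepts discovery but then rejects every ID token because iss is still appleid.apple.com. Only the June 12 state, with no redirect, passes both checks.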
This incident is exactly why companies choose open-source, production-grade identity infrastructure instead of writing their own login logic or using one-off libraries. Even if you're Apple. Take OpenAI. They rely on Ory to manage authentication and identity across hundreds of millions of users.
If you're building auth yourself, you're responsible for:
With Ory, that burden is offloaded to a system built for scale, correctness, and long-term maintainability. You get all the flexibility of open source with the confidence that you're not the first one to hit edge cases like this.
For auth that is worry free and never breaks, get started with Ory.