OpenID Foundation says 'Sign in with Apple' has critical gaps, urges changes

Posted:
in General Discussion
The OpenID Foundation this week issued an open letter to Apple's Software Engineering chief, Craig Federighi, arguing that the upcoming "Sign in with Apple" standard bears a lot of similarity to OpenID Connect -- but not enough for privacy, security, and development purposes.

Sign in with Apple


"The OpenID Foundation applauds Apple's efforts to allow users to login to third-party mobile and Web applications with their Apple ID using OpenID Connect," the letter begins, elaborating that Connect is a "modern, widely-adopted identity protocol built on OAuth 2.0 that enables third-party login to applications," and was "developed by a large number of companies and industry experts" within the Foundation.

While Apple appears to have "largely adopted" Connect in building Sign in with Apple, there are a host of differences that shrink the places where Apple's system can be used and expose it to privacy and security threats, the Foundation said. An example of the latter is absence of PKCE in the Authorization Code grant type, which could nominally leave people exposed to code injection and replay attacks.

The schism also allegedly "places an unnecessary burden" on developers working with both Connect and Sign in with Apple, particularly since Apple's code isn't compatible with OpenID Connect Relying Party software.

The letter asks for Apple to "address the gaps," use the Open ID Connect Self Certification Test Suite, state that Sign in with Apple is compatible with Relying Party software, and finally join the OpenID Foundation.

Testing of Sign in with Apple will start later this summer ahead of iOS 13's fall launch window. The technology is intended to be a more privacy-focused alternative to sign-in buttons from the likes of Facebook, Google, and Twitter, but Apple has been criticized for making support mandatory if those third-party options are present.
«1

Comments

  • Reply 1 of 24
    rob53rob53 Posts: 3,311member
    I'm sure Apple and developers will find most of the issues before its released. Comparing Apple's implementation to Google and Facebook logons is like comparing a locked door to an open one. OpenID can complain all they want but lets hear their assessment about logging in with Facebook and Google. I highly doubt Apple will be logging any personal data and will not be selling anything while Facebook and Google are guaranteed to be selling everything they get.
    SoliroundaboutnowwilliamlondonStrangeDaysjbdragonJWSCdoozydozenlostkiwijony0
  • Reply 2 of 24
    bonobobbonobob Posts: 395member
    rob53 said:
    I'm sure Apple and developers will find most of the issues before its released. Comparing Apple's implementation to Google and Facebook logons is like comparing a locked door to an open one. OpenID can complain all they want but lets hear their assessment about logging in with Facebook and Google. I highly doubt Apple will be logging any personal data and will not be selling anything while Facebook and Google are guaranteed to be selling everything they get.
    The security of the login and what is done with the data that is made available by that login are two separate things. This article is about the former, not the latter. The login security is of critical importance. Screw that up, and the whole system could be compromised.
    1STnTENDERBITSwilliamlondontyler82indieshackjogulongpathcaladanianjony0
  • Reply 3 of 24
    rob53 said:
    I'm sure Apple and developers will find most of the issues before its released. Comparing Apple's implementation to Google and Facebook logons is like comparing a locked door to an open one. OpenID can complain all they want but lets hear their assessment about logging in with Facebook and Google. I highly doubt Apple will be logging any personal data and will not be selling anything while Facebook and Google are guaranteed to be selling everything they get.
    Based on your comment, I don't think you understand the subject matter.  Their issue with Sign in With Apple has nothing to do with logging personal data or selling anything.  It's kind of hard for you to give an opinion about OpenID's complaint when you don't seem to even know what their complaint is about.  If their complaint about the security of Apple's implementation is valid, comparing it to Google and Facebook logins won't make it any more secure.  That's simply unnecessary deflection.  The complaint is critical gaps in security, not data collection.   

    Apple will most likely address any valid security issues from OpenID's complaint before release.  
    williamlondondysamoriauraharagatorguykimberlywilliamhtyler82indieshacknoelosivanh
  • Reply 4 of 24
    mdriftmeyermdriftmeyer Posts: 7,503member
    There is absolutely nothing about OpenID/OAuth 2.0 that Apple cares about. Their solution isn't about conforming with it. Sign in with Apple has no interest in opening up its middleware to OpenID which has a history of flaws. Among the many flaws is Phishing.

    Sorry, but when SIgn in with Apple arrives it'll be whined about that the FBI and others can't hack into it as well.
    dewmeStrangeDaysjbdragonmacplusplusJWSCMacProgilly33doozydozenlongpathcornchip
  • Reply 5 of 24
    mac_dogmac_dog Posts: 1,083member
    rob53 said:
    I'm sure Apple and developers will find most of the issues before its released. Comparing Apple's implementation to Google and Facebook logons is like comparing a locked door to an open one. OpenID can complain all they want but lets hear their assessment about logging in with Facebook and Google. I highly doubt Apple will be logging any personal data and will not be selling anything while Facebook and Google are guaranteed to be selling everything they get.
    It’s foolish to pin all your hopes on Apple “finding the issues”. Apple should pay attention and start with those issues—unless they are the wiser. 

    And, quite frankly, I couldn’t care less how Facebook and google are conducting their business. I just care that Apple gets it right. 
    tyler82williamlondoncaladanian
  • Reply 6 of 24
    macguimacgui Posts: 2,469member
    I don't care that it places an unnecessary burden on devs.
    I don't care that devs have to right new code for Apple alone.
    I don't care that  OpenID says Apple's implementation 'has gaps'.
    I don't care that Apple makes it mandatory to use Sign In with Apple if Sign in with Google/FB is used.
    -(Actually, I do. I like that.)
    I don't care what Google, FB, and others do.

    I just want Apple to get it right.
    Who knows— when the do, others may follow suit.
    jbdragondhawkins541longpathlostkiwijony0
  • Reply 7 of 24
    StrangeDaysStrangeDays Posts: 13,102member
    mac_dog said:
    rob53 said:
    I'm sure Apple and developers will find most of the issues before its released. Comparing Apple's implementation to Google and Facebook logons is like comparing a locked door to an open one. OpenID can complain all they want but lets hear their assessment about logging in with Facebook and Google. I highly doubt Apple will be logging any personal data and will not be selling anything while Facebook and Google are guaranteed to be selling everything they get.
    It’s foolish to pin all your hopes on Apple “finding the issues”. Apple should pay attention and start with those issues—unless they are the wiser. 

    And, quite frankly, I couldn’t care less how Facebook and google are conducting their business. I just care that Apple gets it right. 
    You’re making the curious assumption that OpenID is correct in their analysis or that their goals are Apple’s goals. 

    Just because someone says Apple is doing it wrong doesn’t mean they are. 
    jbdragonAppleExposedJWSCwilliamlondongilly33cornchip
  • Reply 8 of 24
    dewmedewme Posts: 5,750member
    There is absolutely nothing about OpenID/OAuth 2.0 that Apple cares about. Their solution isn't about conforming with it. Sign in with Apple has no interest in opening up its middleware to OpenID which has a history of flaws. Among the many flaws is Phishing.

    Sorry, but when SIgn in with Apple arrives it'll be whined about that the FBI and others can't hack into it as well.
    This is my takeaway also. The bulk of their concern seems to be driven by the fact that Apple is not being subservient to the OpenID Foundation and is not yet signed up to be a member and adopter of OpenID Connect. Discounting their concern about developers potentially having to support multiple "standards" their most strident technical claim is disclaimed with the caveat: "which could nominally leave people exposed to code injection and replay attacks." This is far weaker than if had they stated something to the effect that "we have inspected or benchmarked Apple's implementation and observed that it contained obvious security flaws (which we have reported directly to Apple because we believe user security and privacy concerns transcend organizational boundaries and special interests). Well, maybe they wouldn't have said the last part... 

    I'm not totally bashing the OpenID Foundation taking a stand on this. There are always struggles between proprietary implementations, derivative implementations, and by-the-book standard implementations of cross cutting technology. Standards organizations tend to be slow and plodding with few concerns about the competitive relationships that exist between members of the standards creation committee. Individual companies like to move quickly and are not only concerned about time-to-market but also beating their competitors to market and with product features. Having competitors working cooperatively on standards development is always a dicey proposition, and what's stated publicly for general consumption, e.g., "Yes of course, we at Company A fully support XYX Standard," doesn't always equate to what is happening within individual organizations who are always looking for a competitive advantage and Plan B if the standard gets too bogged down or never comes to fruition. That being said, security and privacy standards should probably be elevated as much as possible above these traditional concerns to ensure lossless and uncompromised interoperability between proprietary or derivative implementations and standards-based implementations. I'm sure Apple will engage with the OpenID Foundation at a mutually beneficial level once they demonstrate that "Sign in with Apple" has the technical chops to live up to the requirements that it must meet. Whether Apple and OpenID Foundation ever consummate their relationship with a full Kumbaya outcome that OpenID seeks is still questionable. Apple has too much riding on the (bottom) line to rely exclusively on a full stack solution that others have their fingers deeply embedded within.
    jbdragonrandominternetpersonnoeloslongpathlostkiwi
  • Reply 9 of 24
    Rayz2016Rayz2016 Posts: 6,957member
    I like the way they begin with an advert for themselves. 
    jbdragonJWSCmatrix077andrewj5790williamlondon
  • Reply 10 of 24
    kimberlykimberly Posts: 434member
    mac_dog said:
    rob53 said:
    I'm sure Apple and developers will find most of the issues before its released. Comparing Apple's implementation to Google and Facebook logons is like comparing a locked door to an open one. OpenID can complain all they want but lets hear their assessment about logging in with Facebook and Google. I highly doubt Apple will be logging any personal data and will not be selling anything while Facebook and Google are guaranteed to be selling everything they get.
    It’s foolish to pin all your hopes on Apple “finding the issues”. Apple should pay attention and start with those issues—unless they are the wiser. 

    And, quite frankly, I couldn’t care less how Facebook and google are conducting their business. I just care that Apple gets it right. 
    You’re making the curious assumption that OpenID is correct in their analysis or that their goals are Apple’s goals. 

    Just because someone says Apple is doing it wrong doesn’t mean they are. 
    @mac_dog isn't assuming anything. Just 2 sentences that state the bleeding obvious.
    gatorguyindieshackwilliamlondon
  • Reply 11 of 24
    Oh look, the has-been that nobody uses or cares about (OpenID) is criticizing the new kid (Apple) who’s going to obliterate them literally months after it comes out.
    JWSCAppleExposedwilliamlondoncornchiplostkiwi
  • Reply 12 of 24
    tyler82tyler82 Posts: 1,112member
    rob53 said:
    I'm sure Apple and developers will find most of the issues before its released. Comparing Apple's implementation to Google and Facebook logons is like comparing a locked door to an open one. OpenID can complain all they want but lets hear their assessment about logging in with Facebook and Google. I highly doubt Apple will be logging any personal data and will not be selling anything while Facebook and Google are guaranteed to be selling everything they get.

    They didn’t find the group FaceTime bug. 

    Or the High Sierra root access bug. 
    edited June 2019 williamlondon
  • Reply 13 of 24
    I trust OpenID if they say there are security holes. And given the importance and visibility to Apple, I’m sure they’ll address the security issues before releasing SIWA. 

    ‘As for compatibility with generic OpenID?  Nice for OpenID, but it would only muddy the waters when it comes to customers understanding what SIWA is all about. Id be surprised if Apple makes that a priority. 
    williamlondon
  • Reply 14 of 24
    noelosnoelos Posts: 127member
    OpenID, despite being a standard is implemented quite inconsistently (just look at Google & Microsoft differences; from memory Facebook is OpenID-like but not actually a true OpenID implementation).

    Being compliant with and industry standard and interoperable is also an advantage in adoption. Apple are in the unusual position of being able to force developers of thousands of apps to adopt SIWA but if they want webapp developers or other platforms to adopt it too they’ll probably have more luck if it is straight OpenID. 
  • Reply 15 of 24
    ktappektappe Posts: 824member
    rob53 said:
    I'm sure Apple and developers will find most of the issues before its released.
    Did you read the article? These aren't bugs, they are design flaws. It's not a matter of "finding" them, it's a matter of acknowledging the shortcomings of the implementation and publishing a roadmap to close them in future releases.
    williamlondon
  • Reply 16 of 24
    ktappektappe Posts: 824member
    Rayz2016 said:
    I like the way they begin with an advert for themselves. 
    No, they are explaining who they are to anyone reading who might not know yet. It's prudent.
    joguwilliamlondongatorguy
  • Reply 17 of 24
    indieshackindieshack Posts: 336member
    @mac_dog isn't assuming anything. Just 2 sentences that state the bleeding obvious.
    Plus 1 for using the expression "bleeding obvious" :)
    williamlondon
  • Reply 18 of 24
    mdriftmeyermdriftmeyer Posts: 7,503member
    noelos said:
    OpenID, despite being a standard is implemented quite inconsistently (just look at Google & Microsoft differences; from memory Facebook is OpenID-like but not actually a true OpenID implementation).

    Being compliant with and industry standard and interoperable is also an advantage in adoption. Apple are in the unusual position of being able to force developers of thousands of apps to adopt SIWA but if they want webapp developers or other platforms to adopt it too they’ll probably have more luck if it is straight OpenID. 
    They want people who use Apple's platform and third party apps to sign in with their secure sign-in to the App Store, etc., Apple Music, etc. In short, just Apple Services. So not they don't need to conform. People who are advertising with this will most certainly have tie-ins with Apple Books, News+, Music, AppStore, etc.
  • Reply 19 of 24
    matrix077matrix077 Posts: 868member
    I won’t trust my data and privacy on something that begins with “Open”. 
  • Reply 20 of 24
    jogujogu Posts: 9member
    I trust OpenID if they say there are security holes. And given the importance and visibility to Apple, I’m sure they’ll address the security issues before releasing SIWA. 

    ‘As for compatibility with generic OpenID?  Nice for OpenID, but it would only muddy the waters when it comes to customers understanding what SIWA is all about. Id be surprised if Apple makes that a priority. 
    None of this really matters to customers (beyond as you say, the 'is SIWA on the web, which already uses OAuth2 and much of OpenID Connect, vulnerable to known attacks on OAuth2 and OpenID Connect' question - and at this point I would agree that the commentary that the OpenID Foundation provided suggests that it is vulnerable, and I would imagine Apple will fix these issues before SIWA comes out of beta).

    Compatibility with OpenID Connect matters for developers and anyone that wants to add 'Sign In With Apple' to their website. OpenID compatible means it's a tweak to configuration to add an extra OpenID provider (if the website already has OpenID integrated, e.g. has 'sign in with google') - if SIWA isn't OpenID compatible then it will require changes at the source code level, which may mean waiting for an upstream software vendor to release a version of their product that is compatible with the SIWA oddities and (depending how long it is since they last upgraded) a potentially long test / fix cycle before they can roll out SIWA support.

    As an end user, I would personally prefer that Apple did everything in their power to make 'Sign in with Apple' as easy for developers to use as they can, and I think being interoperable with existing OpenID Connect libraries would help with that, especially as Apple are already using the OpenID standard.

    I really really want to see app developers supporting SIWA rather than having to create new accounts, verify emails, etc, every time I install a new app that needs an account creating. (And whilst SIWA is going to be mandatory for apps that supported third party logins, it will be completely optional for apps that use their own first-party login system - it's this category of apps that have the choice of whether to adopt SIWA or not, and that choice will be a lot easier if SIWA is easy to implement for developers.)

    edited June 2019 cropr
Sign In or Register to comment.