'Sign in with Apple' better but not perfect, says OpenID Foundation head

Posted in iPhone, edited October 2019
After a critical letter to Apple during the iOS 13 beta process discussing "Sign in with Apple" shortcomings, the OpenID Foundation Chairman is now praising Apple for changes made -- but the group is still seeking more.

Sign in with Apple


A letter to Apple's Craig Federighi from OpenID Foundation Chairman Nat Sakimura is thanking Apple for changes made during the iOS 13 beta process.

"We applaud your team's efforts in quickly addressing the critical security and compatibility gaps identified and successfully implementing them while Sign In with Apple is still in beta," wrote Sakimura. "Now users will no longer be limited to where they can use the service and they can have confidence in their security and privacy. Furthermore, Sign In with Apple is now interoperable with widely available OpenID Connect Relying Party software."

Sakimura concludes by asking Apple to "continue working through the issues identified."

The original document calling for changes has been altered to reflect Apple's changes, but the Foundation still points out areas of improvement. Specifically, the Foundation is calling for a discovery document to assist developers in implementation.

"The OpenID Foundation applauds Apple's efforts to allow users to login to third-party mobile and Web applications with their Apple ID using OpenID Connect," the original letter began, discussing that Connect is a "modern, widely-adopted identity protocol built on OAuth 2.0 that enables third-party login to applications," and was "developed by a large number of companies and industry experts" within the Foundation.

At the time, the Foundation said that Apple "largely adopted" Connect in building Sign in with Apple. But there was a host of differences that exposed users to privacy and security threats. Specifically cited was the lack of PKCE in the Authorization Code grant type, which could theoretically leave people exposed to code injection and replay attacks.
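The PKCE binding the Foundation asked for, as an added illustration that is not code from the article, Apple, or the OpenID Foundation: a simulated authorization server (an in-memory store and function names that are constructed for this example) issues an authorization code bound to an S256 code_challenge, and its token endpoint redeems that code only once and only when the client presents the matching code_verifier, which is what defeats an injected or replayed code.

```python
import base64
import hashlib
import secrets

# Constructed in-memory "authorization server" state: code -> (challenge, method)
_issued_codes = {}


def make_code_verifier(n_bytes=32):
    """RFC 7636 code_verifier: 43-128 unreserved URL-safe characters, kept by the client."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier):
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize(code_challenge, method="S256"):
    """Simulated authorization endpoint: issue a code bound to the presented challenge."""
    code = secrets.token_urlsafe(24)
    _issued_codes[code] = (code_challenge, method)
    return code


def redeem(code, code_verifier):
    """Simulated token endpoint: the code is single-use and is accepted only if
    SHA-256 of the presented verifier matches the challenge bound at authorization."""
    entry = _issued_codes.pop(code, None)  # pop makes a second redemption (replay) fail
    if entry is None:
        return False
    challenge, method = entry
    if method != "S256":
        return False  # the 'plain' method gives no protection against an intercepted code
    return secrets.compare_digest(code_challenge_s256(code_verifier), challenge)


def demo():
    """Run the three cases the letter's concern is about; returns outcomes by name."""
    verifier = make_code_verifier()
    code = authorize(code_challenge_s256(verifier))
    # An attacker who captured the code but not the verifier gets nothing useful.
    stolen = redeem(code, make_code_verifier())
    # The legitimate client needs a fresh code, since the failed attempt consumed the first.
    code = authorize(code_challenge_s256(verifier))
    legit = redeem(code, verifier)
    replay = redeem(code, verifier)  # same code presented again
    return {"legit": legit, "stolen_code_without_verifier": stolen, "replay": replay}
```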

According to Sakimura, the problems allegedly placed "an unnecessary burden" on developers working with both Connect and Sign in with Apple, since Apple's code wasn't fully compatible with OpenID Connect Relying Party software.

The original letter asked Apple to "address the gaps," use the Open ID Connect Self Certification Test Suite, state that Sign in with Apple is compatible with Relying Party software, and finally join the OpenID Foundation.

Testing of Sign in with Apple began well ahead of the iOS 13 release. The technology is intended to be a more privacy-focused alternative to sign-in buttons from the likes of Facebook, Google, and Twitter. Apple has been criticized for making support mandatory if those third-party options are present.

Comments

  • Reply 1 of 7

    True, but we expect perfection when anything is first introduced, even if the organization making the statement is not perfect itself. Organizations almost demand you do it their way or it is not good enough or acceptable. Even if the concept is a good one, the demands often taint the idea. I guess that is why politics is so popular (messy).


    edited October 2019
     0Likes 0Dislikes 0Informatives
  • Reply 2 of 7
    kkqd1337 Posts: 482, member
    Are there any apps using this yet?
    2 Likes, 0 Dislikes, 0 Informatives
  • Reply 3 of 7
    macgui Posts: 2,510, member
    If this was available in a public beta, it might just be enough for me to try it out. I really hate seeing all the share icons. But since it uses your Apple ID and password, I'll wait while Apple takes all the time it wants to get this right.
    2 Likes, 0 Dislikes, 0 Informatives
  • Reply 4 of 7
    StrangeDays Posts: 13,142, member
    All I wanna know is, when can we get it?
    3 Likes, 0 Dislikes, 0 Informatives
  • Reply 5 of 7
    entropys Posts: 4,354, member
    I’m wondering, is the OpenId Foundation this dude and his keyboard?
    1 Like, 0 Dislikes, 0 Informatives
  • Reply 6 of 7
    fastasleep Posts: 6,457, member
    entropys said:
    I’m wondering, is the OpenId Foundation this dude and his keyboard?
    No.

    Community Board Members

    Corporate Board Members


    edited October 2019
    1 Like, 0 Dislikes, 5 Informatives
  • Reply 7 of 7
    chaicka Posts: 257, member
    kkqd1337 said:
    Are there any apps using this yet?
    Only spotted one recently - TikTok.
    0 Likes, 0 Dislikes, 0 Informatives