The working document linked to by this press release:

https://bitbucket.org/openid/connect/src/default/How-Sign-in-with-Apple-differs-from-OpenID-Connect.md

> Since September 2019 all spec violations have been addressed by Apple, as recorded in the next section. The section thereafter, "Peculiarities", lists specific implementation choices by Apple that differ from what most implementations provide, but are not spec violations per se.

The previous HN discussion about the spec violations:

https://news.ycombinator.com/item?id=20311000
Shameless plug (but I hope that's okay, again): IRMA Authentication is an open-source app [1] and protocol that offers privacy-friendly attribute-based authentication and signing using Camenisch and Lysyanskaya's Idemix [2].

It's currently heavily focused towards The Netherlands, where citizens can obtain attributes such as name, home address and age. These attributes can then be selectively disclosed directly to a service provider, without the identity provider being able to see the transaction [3]. Multiple disclosures are also unlinkable as long as the attributes themselves are not identifying.

The fact that the identity provider is not at all involved with the transaction is an enormous privacy win compared to OpenID Connect, especially in the case of centralizing providers such as Apple, and less so in for example the domain of education single sign-on.

It's not currently using the verifiable claims data model, but it would very much fit it. It also doesn't use a 'blockchain', simply because it's not necessary to do so, and makes it all a lot less complicated.

[1] https://github.com/privacybydesign

[2] https://privacybydesign.foundation/publications/

[3] https://privacybydesign.foundation/meeting-slides/slides-8-3-19/ringers-8-maart-2019.pdf#page=2&zoom=auto,-68,540
So I don't currently use Apple products. Does this mean that people can use their own OpenID Connect identity providers with Apple (like if I run an OpenID Connect server at idp.example.com, I can add it as an authentication source), or is this just for using Apple's identity provider to allow your own apps to log in via your Apple account?

OpenID Connect is essentially an OAuth2 implementation. The original OpenID 1.0 concept, where you could use any identity provider with any service provider, is pretty much dead:

https://battlepenguin.com/tech/the-decline-of-openid/
This is really great. So many people were up in arms about Apple releasing an implementation that didn't comply with OpenID. Good on Apple for addressing the issues.
I'm glad they've got the tech right for the actual authentication, but their email relay is still far from usable.

It's limited in very fundamental ways that will prevent many companies of any scale from using it. It's very difficult to make it work with an email service such as SendGrid, and it's limited to 10 domains you can prove ownership of, and 10 specific email addresses.

I work for a company that charges users and ships physical products. Our payment providers and shipping providers all need to be able to contact our customers if they choose to use those services, but this would be essentially impossible (or a prohibitive amount of technical work at scale).

It's a very poor implementation. I wrote an obnoxiously long blog post about this: https://danpalmer.me/2019-07-02-on-signing-in-with-apple/
I wish Apple would actually publish the configuration document too (under the well-known URL, as listed in the peculiarities). It makes it one less step for OpenID clients to follow.

I wonder what their rationale is for not doing that (given how easy it is, compared to all the other things they fixed).

But overall this is great news.
Slightly off topic, but it's been frustrating to me that large organizations only want to implement OpenID providers and not consumers. What Apple has done makes it easier to bring your Apple identity across the internet, but it's ultimately an identity that Apple owns.
Looks like Apple fixed all of the critical issues here (https://bitbucket.org/openid/connect/src/default/How-Sign-in-with-Apple-differs-from-OpenID-Connect.md) but left in some "peculiarities," some of which are quite unpleasant.

> The scope value of only the very first request by an application is respected. If an application initially requests only the name scope, and the user allows it, it is then impossible to later also request the email scope.

So if you don't ask for the user's email right up front, you can never ask for it again later?!
So they actually responded by fixing those issues? I wonder if they went as far as delaying the release for that. If that's the case, +1 to Apple for privacy.
For those of you interested in this topic, check out Internet Identity Workshop: https://internetidentityworkshop.com/

Great little "un-conference", hosted semi-annually in Mountain View, CA, where a lot of the nuts and bolts were worked out for OpenID Connect.

In fact, today IIW 29 is coming to a close. Next gathering in April 2020.
Has Sign in with Apple launched yet? It was the Big Thing in iOS 13 that I was personally most excited about, but honestly, if it has launched, I haven't seen it yet.

Edit: from the comments it sounds like it has launched, but is currently being implemented in a voluntary manner. I looked at the 9to5Mac article on iOS 13 support in apps, and it looks like I just don't use any of them, unfortunately.

Love the idea still and hoping it gains heavily in adoption.
Can someone explain who OpenID is, what the OpenID Connect Self Certification Test Suite is, and why it is so important that Apple follows their spec?
Say I have a web service with users but don't offer an email service with my core offering. I'm guessing that by using this I wouldn't be able to build iCloud Mail into my main service, i.e. allow my users to view, receive and send iCloud Mail through my web service?
Apple's online credential/auth* user experience is terrible.

I can't wait till Apple fixes their account auto-lock feature. On a weekly basis I have to unlock my account because someone is trying to log in with my email. I contacted customer service to see if something could be done to avoid auto-locking. The only suggestion was to pick another email address that's not common.

Also, in order for me to unlock I have to supply my password along with answers to my 3 secret questions. Additionally, my recovery email cannot be the same as my account email.

Why is Apple's online experience terrible compared to their hardware/software?