Apple Successfully Implements OpenID Connect with Sign in with Apple

534 点作者 atestu超过 5 年前

18 条评论

The working document linked to by this press release:<a href="https://bitbucket.org/openid/connect/src/default/How-Sign-in-with-Apple-differs-from-OpenID-Connect.md" rel="nofollow">https://bitbucket.org/openid/connect/src/default/How-Sign-in...</a>Since September 2019 all spec violations have been addressed by Apple, as recorded in the next section. The section thereafter - "Peculiarities" lists specific implementation choices by Apple that differ from what most implementations provide, but are not spec violations per se.The previous HN discussion about the spec violations:<a href="https://news.ycombinator.com/item?id=20311000" rel="nofollow">https://news.ycombinator.com/item?id=20311000</a>

评论 #21151144 未加载

Confiks超过 5 年前

Shameless plug (but I hope that's okay, again): IRMA Authentication is an open-source app [1] and protocol that offers privacy-friendly attribute based authentication and signing using Camenisch and Lysyanskaya's Idemix [2].It's currently heavily focused towards The Netherlands, where citizens can obtain attributes such as name, home address and age. These attributes can then be selectively disclosed directly to a service provider, without the identity provider being able to see the transaction [3]. Multiple disclosures are also unlinkable as long as the attributes themselves are not identifying.The fact that the identity provider is not at all involved with the transaction is an enormous privacy win compared to OpenID Connect, especially in the case of centralizing providers such as Apple – and less so in for example the domain of education single sign-on.It's not currently using the verifiable claims data model, but it would very much fit it. It also doesn't use a 'blockchain', simply because it's not necessary to do so, and makes it all a lot less complicated.[1] <a href="https://github.com/privacybydesign" rel="nofollow">https://github.com/privacybydesign</a>[2] <a href="https://privacybydesign.foundation/publications/" rel="nofollow">https://privacybydesign.foundation/publications/</a>[3] <a href="https://privacybydesign.foundation/meeting-slides/slides-8-3-19/ringers-8-maart-2019.pdf#page=2&zoom=auto,-68,540" rel="nofollow">https://privacybydesign.foundation/meeting-slides/slides-8-3...</a>

评论 #21153389 未加载

评论 #21151899 未加载

评论 #21156006 未加载

评论 #21155279 未加载

评论 #21155133 未加载

djsumdog超过 5 年前

So I don't currently use Apple products, does this mean that people can use their own OpenID Connect identity providers with Apple (like if I run an Open ID Connect server at idp.example.com, I can add it as an authentication source) or is this just for using Apple's Identity Provider to allow your own apps to log-in via your Apple account?Open ID Connect is essentially a an OAuth2 implementation. The original Open ID 1.0 concept, where you could use any identity provider with any service provider, is pretty much dead:<a href="https://battlepenguin.com/tech/the-decline-of-openid/" rel="nofollow">https://battlepenguin.com/tech/the-decline-of-openid/</a>

评论 #21150548 未加载

评论 #21152100 未加载

评论 #21156622 未加载

评论 #21150948 未加载

nathancahill超过 5 年前

This is really great. So many people were up in arms about Apple releasing an implementation that didn't comply with OpenID. Good on Apple for addressing the issues.

danpalmer超过 5 年前

I'm glad they've got the tech right for the actual authentication, but their email relay is still far from usable.It's limited in very fundamental ways, that will prevent many companies of any scale from using it. It's very difficult to make it work with an email service such as SendGrid, and it's limited to 10 domains you can prove ownership of, and 10 specific email addresses.I work for a company that charges users and ships physical products – our payment providers and shipping providers all need to be able to contact our customers if they choose to use those services, but this would be essentially impossible (or a prohibitive amount of technical work at scale).It's a very poor implementation. I wrote an obnoxiously long blog post about this. <a href="https://danpalmer.me/2019-07-02-on-signing-in-with-apple/" rel="nofollow">https://danpalmer.me/2019-07-02-on-signing-in-with-apple/</a>

评论 #21152372 未加载

评论 #21151269 未加载

评论 #21151283 未加载

评论 #21156013 未加载

评论 #21153945 未加载

atonse超过 5 年前

I wish Apple would actually publish the configuration document too (under the well-known URL, as listed in the peculiarities). It makes it one less step for OpenID clients to follow.I wonder what their rationale is, for not doing that (given how easy it is, compared to all the other things they fixed).But overall this is great news.

yoz-y超过 5 年前

This is maybe the first time I see a positive open letter. Kudos to both parties.

madrox超过 5 年前

Slightly off topic, but it's been frustrating to me that large organizations only want to implement OpenID providers and not consumers. What Apple has done makes it easier to bring your Apple identity across the internet, but it's ultimately an identity that Apple owns.

评论 #21152472 未加载

dfabulich超过 5 年前

Looks like Apple fixed all of the critical issues here <a href="https://bitbucket.org/openid/connect/src/default/How-Sign-in-with-Apple-differs-from-OpenID-Connect.md" rel="nofollow">https://bitbucket.org/openid/connect/src/default/How-Sign-in...</a> but left in some "peculiarities," some of which are quite unpleasant.> The scope value of only the very first request by an application is respected. If an application initially requests only the name scope, and the user allows it, it is then impossible to later also request the email scope.So if you don't ask for the user's email right up front, you can never ask for it again later?!

评论 #21150884 未加载

评论 #21150995 未加载

评论 #21151008 未加载

heyoni超过 5 年前

So they actually responded by fixing those issues? I wonder if they went as far delaying the release for that. If that’s the case, +1 to Apple for privacy

willow9886超过 5 年前

For those of you interested in this topic, check out Internet Identity Workshop: <a href="https://internetidentityworkshop.com/" rel="nofollow">https://internetidentityworkshop.com/</a>Great little "un-conference", hosted semi-annually in Mountain View, CA. Where a lot of the nuts and bolts were worked out for OpenID Connect.In fact, today IIW 29 is coming to a close. Next gathering in April, 2020.

wil421超过 5 年前

Thankfully. I do not use sign in with Google or Facebook and I would not feel comfortable signing in with any Ad company’s credentials.

jsgo超过 5 年前

has sign in with Apple launched yet? It was the Big Thing in iOS 13 that I was personally most excited about but honestly, if it has launched, I haven't seen it yet.edit: from the comments it sounds like it has launched, but currently being implemented in a voluntary manner. Looked at the 9to5Mac article on iOS 13 support of apps and it looks like I just don't use any of them unfortunately.Love the idea still and hoping it gains heavily in adoption.

评论 #21150422 未加载

评论 #21150370 未加载

评论 #21150212 未加载

评论 #21150482 未加载

评论 #21150334 未加载

评论 #21151409 未加载

评论 #21150481 未加载

评论 #21150663 未加载

评论 #21150769 未加载

评论 #21150743 未加载

baby超过 5 年前

Can someone explain who is OpenID, what's the OpenID Connect Self Certification Test Suite, and why it is so important that Apple follows their spec?

评论 #21152211 未加载

评论 #21152181 未加载

shujito超过 5 年前

sorry for this but this page is messing with the mouse scrolling, how can I prevent that? I've seen other several pages that do the same

paul7986超过 5 年前

Say I have a web service with users but don't offer an email service with my core offering. Im guessing by using this I wouldn't be able to build iCloud Mail into my main service; allow my users to view, receive and send iCloud Mail through my web service?

sroussey超过 5 年前

Still not to spec. And no PKCE? Oy.

评论 #21151123 未加载

antimora超过 5 年前

Apple's online credential/auth* user experience is terrible.I can't wait till Apple fixes their account auto-lock feature. On weekly basis I have to unlock my account because someone is trying to login with my email. I contacted the customer service to see if something could be done to avoid auto-locking. The only suggestion was to pick another email address that's not common.Also in order for me to unlock I have to supply my password along with answers to my 3 secret questions. Additionally my recovery email cannot be the same as my account email.Why Apple's online is terrible compared to their hardware/software?

评论 #21155278 未加载