OAuth @oktadev oauth.wtf oauth.net 🎥 livestreaming youtube.com/aaronpk aaronpk.tv 💛 #indieweb 🐘🦋

Portland, Oregon
Joined April 2008
Yes, this is a little additional work for app developers to support another OAuth provider, but is really not that different from supporting both Twitter and Facebook, or Snapchat and Instagram.
This does *not* mean that Apple is requiring every app to use Sign in with Apple. This does not mean that apps that want to manage your Google Calendar will have to also add Sign in with Apple.
Sign In with Apple is a *good thing* for users! This means apps will no longer be able to force you to log in with your Facebook account to use them.
Now you may have heard people concerned by this clause from the new App Store Review Guidelines: > Sign In with Apple [...] will be required as an option for users in apps that support third-party sign-in when it is commercially available later this year.
Once an app knows your Twitter username or your email address, they can sell it to advertisers, or track your activity across other apps. Apple's approach provides a unique scrambled email address to the app, preventing this.
Over the years, apps started to use OAuth to identify users because it's a quick way to find out and verify someone's Twitter/Facebook/etc account without having them type it in. This turned out to be bad for users' privacy:
Those use cases are more along the lines of what @OAuth_2 was originally intended for: letting apps access your account without giving them your password.
This is distinctly different from the case where an app wants you to sign in with your Google account so that it can manage your calendar. Or sign in with Snapchat to apply a filter to your profile picture.
Most of the time the way apps use OAuth providers is just to identify users. This is designed to be an alternative to using Facebook/Twitter/Google for that purpose.
Yes, Apple is entering the OAuth ecosystem as a new identity provider. Turns out every iOS user already has an Apple account, so why not enable users to sign in with an account they already have?
tl;dr This is a good move for users in the iOS ecosystem, and is primarily designed as an alternative for apps that currently use "Sign in with [Facebook/Twitter/Google]" to avoid leaking sensitive user info.
Let's clarify some of the misunderstandings around Apple's new "Sign In with Apple" feature announced at #WWDC19, a thread:
Reading all these tweets of people freaking out about Apple requiring apps to use "Sign In with Apple" and feeling another "authentication is not authorization" rant coming. Lots of misunderstanding of sign-in vs accessing APIs. #WWDC19 #OAuth
weirdnesses: * Their token endpoint requires setting a User-Agent header, otherwise responds with an HTML error * Client secrets are a signed JWT using ECDSA + SHA256 * An email address isn't returned even when requesting the `email` scope
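The "client secrets are a signed JWT using ECDSA + SHA256" bullet above is the part of Sign in with Apple that trips people up most, so here is an added example (not code from the thread, and not Apple's own code) showing how such a client-secret JWT is assembled on the app side and how the receiving side verifies it, using only the Go standard library. The claim names (iss = team ID, sub = client_id, aud = https://appleid.apple.com, iat/exp) and the ES256 algorithm follow Apple's documented client-secret format; the team ID, key ID and client_id values are constructed placeholders, and the signing key is generated on the fly rather than loaded from a real .p8 file.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed placeholder identifiers; none of these are real Apple credentials.
const (
	placeholderTeamID   = "TEAMID0000"
	placeholderKeyID    = "KEYID00000"
	placeholderClientID = "com.example.app" // the Services ID / bundle ID used as OAuth client_id
	appleTokenAudience  = "https://appleid.apple.com"
)

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildClientSecret assembles and signs the JWT that stands in for a static
// client_secret: ES256 (ECDSA P-256 over SHA-256) with iss=team ID,
// sub=client_id, aud=Apple's token issuer and a bounded lifetime.
func BuildClientSecret(priv *ecdsa.PrivateKey, kid, teamID, clientID string, iat, exp int64) (string, error) {
	if exp <= iat {
		return "", errors.New("exp must be after iat")
	}
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	claims, _ := json.Marshal(map[string]any{
		"iss": teamID, "iat": iat, "exp": exp, "aud": appleTokenAudience, "sub": clientID,
	})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are the raw R||S pair, each left-padded to 32 bytes,
	// not the DER encoding most ECDSA APIs produce by default.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64url(sig), nil
}

// VerifyClientSecret is the provider-side check: pin the algorithm, verify the
// ES256 signature over the exact signing input, then check audience and expiry.
func VerifyClientSecret(pub *ecdsa.PublicKey, token string, now int64) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("unexpected or unreadable header")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature invalid")
	}
	var claims map[string]any
	cb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(cb, &claims) != nil {
		return nil, errors.New("unreadable claims")
	}
	exp, _ := claims["exp"].(float64)
	if claims["aud"] != appleTokenAudience || now >= int64(exp) {
		return nil, errors.New("wrong audience or expired")
	}
	return claims, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the downloaded .p8 key
	now := time.Now().Unix()
	tok, _ := BuildClientSecret(priv, placeholderKeyID, placeholderTeamID, placeholderClientID, now, now+3600)
	claims, err := VerifyClientSecret(&priv.PublicKey, tok, now)
	fmt.Println(claims["sub"], err)
}
```

Two things to keep in mind when reproducing this with a JWT library: the signature must be the raw R||S form, since a DER-encoded ECDSA signature will be rejected, and the verifying side should refuse any header algorithm other than the one it expects rather than trusting the `alg` field, which is what the `hdr.Alg != "ES256"` check does here. Keep the lifetime short; the secret is cheap to regenerate per token request.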
Initial test of the "Sign in with Apple" API: * It's more or less based on OAuth + OIDC * Their documentation is missing a lot of key info to use it right now, I had to guess at a lot of things * The `sub` claim includes some sort of unique user identifier, not an email
Well this is exciting. 🍎🔐 #AppleID #OAuth #WWDC2019 #WWDC
To anyone who thought partial redirect URL matching in @OAuth_2 is "good enough," read this thread. Complete Periscope account takeover just by viewing a tweet. hackerone.com/reports/110293 #oauth
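The tweet above is about redirect URL matching on the authorization server side, so here is an added example (not from the thread or from the linked report) of the check that avoids the problem: simple string comparison of the requested redirect_uri against the client's registered values, next to the prefix match it replaces. The registered URI and the client are constructed placeholders; the matching rule itself is the one the OAuth 2.0 Security Best Current Practice recommends.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed registration data for an example client (assumption, not from the thread).
var registeredRedirects = []string{
	"https://app.example.com/callback",
}

// weakPrefixMatch is the "partial matching" the tweet warns about: any URI that
// merely begins with a registered value passes. Kept only as the contrast for
// the exact check below; do not use it.
func weakPrefixMatch(registered []string, requested string) bool {
	for _, r := range registered {
		if strings.HasPrefix(requested, r) {
			return true
		}
	}
	return false
}

// ResolveRedirectURI applies simple string comparison: the requested value must
// be byte-for-byte identical to a registered one. An absent redirect_uri is only
// acceptable when exactly one URI is registered, and URIs carrying a fragment
// are rejected outright. The returned value is what the server should redirect to.
func ResolveRedirectURI(registered []string, requested string) (string, error) {
	if len(registered) == 0 {
		return "", errors.New("client has no registered redirect URI")
	}
	if requested == "" {
		if len(registered) == 1 {
			return registered[0], nil
		}
		return "", errors.New("redirect_uri required when several are registered")
	}
	u, err := url.Parse(requested)
	if err != nil || !u.IsAbs() || u.Fragment != "" {
		return "", errors.New("redirect_uri must be an absolute URI without a fragment")
	}
	for _, r := range registered {
		if requested == r {
			return r, nil
		}
	}
	return "", errors.New("redirect_uri does not match a registered value")
}

func main() {
	for _, req := range []string{
		"https://app.example.com/callback",
		"https://app.example.com/callback/extra",
		"https://app.example.com/callback?next=x",
	} {
		_, err := ResolveRedirectURI(registeredRedirects, req)
		fmt.Printf("%-45s prefix=%v exact=%v\n", req, weakPrefixMatch(registeredRedirects, req), err == nil)
	}
}
```

The same comparison belongs at the token endpoint as well: the redirect_uri presented when exchanging the code must equal the one the authorization request used, which is a plain equality check against what the server stored with the code.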