Will we see other OAuth providers follow suit and start randomizing email addresses and user IDs returned to apps? I hope so! Ironically, Facebook first started doing this a few years ago when they launched app-scoped user IDs.
That is all. Thanks for listening.
Now I would just love to have a quick guide for using Apple Sign In as an Okta generic OIDC inbound provider. Is this possible already?
I actually just got this working last night!
Do you know where you can find the .well-known/openid-configuration on the Apple URL? Do they even use it?
I haven't found it yet. I wouldn't be surprised if they just don't have that endpoint.
So I talked with the Apple engineers here at WWDC: they don't have that endpoint, and they also will not expose user_info or a revocation endpoint. The user_info will only be sent once and only once; then you will only get a unique ID again. The only scopes available now are name and email.
Just verified again, and I don't get back name or email address when I request "name email" scope. I did find a bug where apparently Apple is ignoring the "scope" parameter after the very first time you authorize an app though, so could be related.
That is not a bug, that is a feature. They told me they will only give you the info once. Probably why scope won’t matter after your first invoke.
I will go test this out with new app credentials though to confirm. Thanks for the lead!

Jun 6, 2019 · 10:28 PM UTC
