Will we see other OAuth providers follow suit and start randomizing email addresses and user IDs returned to apps? I hope so!
Ironically, Facebook first started doing this a few years ago when they launched app-scoped user IDs.
Anyway, if you're curious about what this will look like, I wrote a sample app that uses Sign In with Apple so you can see how it works.
developer.okta.com/blog/2019…
Now I would just love to have a quick guide for using Apple Sign In as an Okta generic OIDC inbound provider. Is this possible already?
Do you know where you can find the .well-known/openid-configuration on the Apple URL?
Do they even use it?
So talked with the Apple engineers here at WWDC:
They don't have that endpoint, and they also will not expose a user_info or a revocation endpoint. The user_info will only be sent once and only once; then you will only get a unique ID again. The only scopes available now are name and email.
Another question, if there is no `user_info` endpoint, what are the access token and refresh tokens for?
Verify where? The unique ID comes back in the ID token, not the access token. (Also happy to take this to DM.)
Jun 6, 2019 · 11:20 PM UTC


