Something about Apple's decision to do "OAuth-but-not-quite" rubbed me the wrong way, but this is a great example of how it breaks down very concretely.
Aug 19, 2019 · 9:29 PM UTC

Replying to @aaronpk
This is disappointing, and likely a hole in any OIDC compliance. I'd expect requesting an email scope drops the email claim into the token.
100%. Also notice how not following the spec opened up a new vulnerability. But when has Apple been known to respect standards?
Replying to @aaronpk
IIRC, incompatibilities between implementations sank OpenID. Hence the problem is in the programmers, again.
Yeah totally. That was why I was bashing my head against the wall for a while when I first tried this API out. I couldn't figure out what I was doing wrong. The worst part is it's based on the first time the user approves the app regardless of whether the app finishes the flow.
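The failure mode the thread describes is an identity provider that returns the `email` claim only on the user's first authorization, even though the `email` scope was requested every time. The relying party therefore cannot treat the claim as always present. Below is an added example (not code from anyone in the thread, and not Apple's or any library's code) of how a relying party can cope: persist the email against the stable `sub` on first receipt, fall back to the stored value on later logins, and record an event when neither source has it so the gap is visible in monitoring. The token strings, issuer and subject values are constructed for the example; `claims_from_id_token` assumes the token's signature has already been verified against the issuer's JWKS and only decodes the payload.

```python
"""Relying-party handling of an OIDC ID token whose `email` claim may be
present only on the user's first authorization.

All tokens and identifiers below are constructed for illustration.
"""
import base64
import json
from typing import Dict, List, Optional, Tuple


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_constructed_token(claims: dict) -> str:
    """Build a JWT-shaped string for the example. The signature segment is a
    placeholder; a real token must be verified before its claims are trusted."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature-placeholder"


def claims_from_id_token(id_token: str) -> dict:
    """Decode the payload of an ID token.

    Assumption: signature, `iss`, `aud` and `exp` have already been checked
    by the caller's JWT library. This helper does no verification itself.
    """
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


class UserStore:
    """Persists the email seen on first authorization, keyed by `sub`."""

    def __init__(self) -> None:
        self._email_by_sub: Dict[str, str] = {}
        # Subjects for which no email is available from token or store;
        # surface these in monitoring rather than failing silently.
        self.missing_email_events: List[str] = []

    def record_login(self, claims: dict) -> Tuple[Optional[str], str]:
        sub = claims["sub"]  # stable per-user identifier; never key on email
        email = claims.get("email")
        if email is not None:
            # First (or any) token that carries the claim wins; store it.
            self._email_by_sub[sub] = email
            return email, "from_token"
        if sub in self._email_by_sub:
            # Later authorization without the claim: use what we stored.
            return self._email_by_sub[sub], "from_store"
        # Scope was requested but no email from any source: record for ops.
        self.missing_email_events.append(sub)
        return None, "missing"


def demo() -> List[Tuple[Optional[str], str]]:
    """Replay the sequence the thread describes: email on the first
    authorization only, then a second user who never yields an email."""
    store = UserStore()
    first_auth = make_constructed_token({
        "iss": "https://issuer.example",  # constructed issuer
        "aud": "com.example.app",
        "sub": "000001.constructed-subject-a",
        "email": "user-a@example.com",
    })
    second_auth = make_constructed_token({
        "iss": "https://issuer.example",
        "aud": "com.example.app",
        "sub": "000001.constructed-subject-a",
        # no email claim on re-authorization
    })
    other_user = make_constructed_token({
        "iss": "https://issuer.example",
        "aud": "com.example.app",
        "sub": "000002.constructed-subject-b",
    })
    results = [store.record_login(claims_from_id_token(t))
               for t in (first_auth, second_auth, other_user)]
    assert store.missing_email_events == ["000002.constructed-subject-b"]
    return results


if __name__ == "__main__":
    for email, source in demo():
        print(f"{source:10s} {email}")
```

Keying the account on `sub` rather than on the email is what makes the fallback safe: the email is treated as a one-time attribute that may never be delivered again, and the `missing` outcome is something to alert on, since it means a user completed the flow without the relying party ever learning an address.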