Something about Apple's decision to do "OAuth-but-not-quite" rubbed me the wrong way, but this is a great example of how it breaks down very concretely.
This is disappointing, and likely a hole in any OIDC compliance. I'd expect requesting an email scope drops the email claim into the token.
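As an added example (written for this page, not code from the thread or from Apple's implementation), the following Python check makes the expectation in the tweet above concrete: once a relying party has verified an ID token's signature against the provider's JWKS (assumed to be done separately by a proper JOSE library; the decoder here only parses), it confirms that the claims the requested scopes should have produced are actually present, and treats a gap as a provider-side defect rather than filling it in from an unauthenticated source. The token values, issuer and client id are constructed for the demo.

```python
import base64
import json

# OpenID Connect Core 1.0, section 5.4: the "email" scope asks the provider
# for the "email" and "email_verified" claims. The "openid" row lists the
# ID token basics every response must carry anyway.
SCOPE_CLAIMS = {
    "openid": ("sub", "iss", "aud"),
    "email": ("email", "email_verified"),
}


def decode_payload(id_token: str) -> dict:
    """Decode the payload segment of a compact JWT.

    Assumption: the signature has already been verified by a real JOSE
    library against the provider's published keys. This helper only parses;
    it does not authenticate the token.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_claims(claims: dict, requested_scopes: str) -> list:
    """Return the claims the requested scopes should have yielded but the
    token lacks. A non-empty result means the provider did not honour the
    scope; the app should fail the login or treat the identity as partial,
    never copy the missing values from an unverified side channel."""
    missing = []
    for scope in requested_scopes.split():
        for claim in SCOPE_CLAIMS.get(scope, ()):
            if claim not in claims:
                missing.append(claim)
    return missing


def _encode(payload: dict) -> str:
    """Fabricate an unsigned token purely as demo input (constructed data;
    an 'alg: none' token from a real provider must always be rejected)."""
    def seg(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none'})}.{seg(payload)}."


# Constructed sample tokens; the issuer and client id are placeholders.
COMPLIANT_TOKEN = _encode({
    "iss": "https://issuer.example", "aud": "client-id-placeholder", "sub": "user-123",
    "email": "alice@example.com", "email_verified": True,
})
NON_COMPLIANT_TOKEN = _encode({
    "iss": "https://issuer.example", "aud": "client-id-placeholder", "sub": "user-123",
})


def check(token: str, scopes: str = "openid email") -> list:
    """Parse the (already signature-verified) token and report scope gaps."""
    return missing_claims(decode_payload(token), scopes)


if __name__ == "__main__":
    print("compliant:", check(COMPLIANT_TOKEN))          # []
    print("non-compliant:", check(NON_COMPLIANT_TOKEN))  # ['email', 'email_verified']
```

The point of keeping the scope-to-claim table explicit is that the relying party decides what it asked for and what must come back, instead of trusting whatever identity fields happen to arrive through a separate, unsigned channel.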
Replying to @hpsin_
100%. Also notice how not following the spec opened up a new vulnerability. But when has Apple been known to respect standards?

Aug 19, 2019 · 10:48 PM UTC

Replying to @aaronpk
I'll say that compliance is sometimes a journey, and the OIDC community and developers are both great at cheering on and supporting those who want to put in the work to join the fold. Given the privacy implications, I trust that this can be remedied after some thought and effort.