The OpenID Foundation has written an open letter to Apple arguing that the upcoming ‘Sign in with Apple’ feature bears similarities to OpenID Connect but lacks privacy and security.
‘Sign in with Apple’ was launched at WWDC 2019 earlier this month. Users can simply use their Apple ID for authentication instead of a social account, an email address, etc. Apple will be protecting users’ privacy by providing developers with a unique random ID. However, the OpenID Foundation is questioning some of the decisions Apple made for Sign In with Apple.
The OpenID Foundation is a non-profit organization with members such as PayPal, Google, Microsoft, and more. It maintains the OpenID Connect standard, which underpins numerous universal sign-in platforms.
The letter states, “It appears Apple has largely adopted OpenID Connect for their Sign In with Apple implementation offering, or at least has intended to. However, there are differences between the two that are tracked in a document managed by the OIDF certification team. The current set of differences between OpenID Connect and Sign In with Apple reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks. It also places an unnecessary burden on developers of both OpenID Connect and Sign In with Apple.”
Issues with Sign in with Apple and differences with OpenID
The OpenID team has listed the differences between Apple’s Sign in and OpenID Connect. The differences were identified by the OpenID Foundation’s Certification team and the identity community at large.
- No Discovery document: Apple does not publish an OpenID Connect discovery document, so developers have to read through the Apple docs to find out about endpoints, scopes, signing algorithms, authentication methods, etc.
- No UserInfo endpoint is provided, which means all of the claims about users have to be included in the (expiring and potentially large) id_token.
- Does not include different claims in the id_token based on requested scopes.
- The token endpoint does not accept client_secret_basic as a client authentication method.
- Using unsupported or wrong parameters always results in the same message in the browser that says “Your request could not be completed because of an error. Please try again later.” without any explanation about what happened, why this is an error, or how to fix it.
- Absence of PKCE [Proof Key for Code Exchange] in the Authorization Code grant type, which could nominally leave people exposed to code injection and replay attacks.
- When using the sample app, adding openid as a scope leads to an error message and it works just with name and email as scope values.
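To make the first and the PKCE items in the list above concrete, here is an added example (not code from Apple, the OpenID Foundation, or the letter). It reads a constructed discovery document of the kind a standard OpenID Connect provider publishes at /.well-known/openid-configuration, builds an Authorization Code request carrying a PKCE S256 challenge, and models the check a token endpoint performs when PKCE is in use: an authorization code presented without the matching code_verifier is refused, and a code cannot be redeemed twice. Every URL, client id and endpoint value is a hypothetical placeholder, and the toy authorization server exists only to show the verification logic.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Constructed stand-in for an OpenID Connect discovery document.
# All values are hypothetical placeholders, not any real provider's metadata.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://issuer.example",
    "authorization_endpoint": "https://issuer.example/authorize",
    "token_endpoint": "https://issuer.example/token",
    "userinfo_endpoint": "https://issuer.example/userinfo",
    "scopes_supported": ["openid", "email", "name"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "code_challenge_methods_supported": ["S256"],
})

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint")


def load_discovery(doc: str) -> dict:
    """Parse a discovery document and insist on the keys a relying party cannot guess."""
    cfg = json.loads(doc)
    missing = [k for k in REQUIRED_KEYS if k not in cfg]
    if missing:
        raise ValueError(f"discovery document missing {missing}")
    return cfg


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_auth_url(cfg, client_id, redirect_uri, challenge, state, nonce,
                   scopes=("openid", "email")):
    """Build the authorization request; refuse to proceed without PKCE S256 support."""
    if "S256" not in cfg.get("code_challenge_methods_supported", []):
        raise ValueError("provider does not advertise PKCE S256")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,                      # binds the response to this browser session
        "nonce": nonce,                      # echoed in the id_token to stop token replay
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{cfg['authorization_endpoint']}?{urlencode(params)}"


class ToyAuthorizationServer:
    """Minimal model of the token endpoint's PKCE and single-use checks (hypothetical)."""

    def __init__(self):
        self._codes = {}  # code -> [challenge, redeemed]

    def issue_code(self, challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = [challenge, False]
        return code

    def redeem(self, code: str, verifier: str) -> bool:
        entry = self._codes.get(code)
        if entry is None or entry[1]:
            return False  # unknown code, or a replay of an already-redeemed code
        expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
        if not secrets.compare_digest(expected, entry[0]):
            return False  # code presented without the verifier that created the challenge
        entry[1] = True   # codes are single use
        return True


def demo() -> dict:
    cfg = load_discovery(DISCOVERY_JSON)
    verifier, challenge = make_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_auth_url(cfg, "client-id-placeholder", "https://rp.example/cb",
                         challenge, state, nonce)
    server = ToyAuthorizationServer()
    code = server.issue_code(challenge)
    return {
        "url_has_pkce": "code_challenge_method=S256" in url,
        "wrong_verifier": server.redeem(code, "not-the-verifier"),  # refused
        "legit": server.redeem(code, verifier),                      # accepted once
        "replay": server.redeem(code, verifier),                     # refused
    }


if __name__ == "__main__":
    print(demo())
```

Without a discovery document, load_discovery has nothing to read and the endpoint and algorithm values must be hard-coded from vendor docs; without PKCE, the redeem step collapses to "anyone holding the code gets the tokens", which is the code-injection and replay exposure the letter describes.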
The letter asks for Apple to “address the gaps,” use the OpenID Connect Self Certification Test Suite, state that Sign in with Apple is compatible with Relying Party software, and finally join the OpenID Foundation.
You can read the full open letter here. Testing of Sign in with Apple will start later this summer ahead of iOS 13’s fall launch window.