[Openid-specs-ab] Sign in with Apple use of non-standard OAuth2/OpenID Connect?

Joseph Heenan joseph at authlete.com
Tue Jun 4 10:26:15 UTC 2019

Hi all,

Apple announced their own sign on solution at WWDC yesterday.

It appears to be broadly OAuth2 / OpenID Connect, though this isn’t explicitly mentioned:
There is an id_token in the response, but its contents aren't obviously described beyond being 'A JSON Web Token that contains the user's identity information.'

One obvious oddity is that at the token endpoint you are required to pass a client_secret parameter that contains an ES256 JWS that is not entirely unlike a client_assertion. I don't know if that's a mistake in the documentation or if Apple have deliberately moved away from a standard client assertion for reasons that are unclear.

Is anyone at WWDC? There’s a session and a lab on Wednesday that might present an opportunity to ask some questions.
