[Openid-specs-ab] Sign in with Apple use of non-standard OAuth2/OpenID Connect?

Filip Skokan panva.ip at gmail.com
Tue Jun 4 10:51:10 UTC 2019

I had a look at the interface earlier today myself as well.

The client_secret value differs from a private_key_jwt client_assertion
like so:

   1. its `sub` and `iss` are not the same client_id value
   2. it does not require `jti` (and it wouldn't probably use it for
   checking the assertion is only used once anyway)

Apple's documentation states that the expiration of this derived client
secret JWT can be up to 6 months. My assumption is they really wanted to
stick to client secret basic/post scheme so that developers may use the
basic oauth/oidc client implementations out there but have
rotating/expiring client secrets out of the box, that's why the client
secret value is derived from a private key Apple *generates for you* (you
cannot provide your own public key).

There's no discovery and no userinfo endpoint, id token signing is RS256
only given that the jwks_uri <https://appleid.apple.com/auth/keys> only
yields a single RS256 alg key and the returned ID Token claims lack
documentation. If there's no userinfo what's the point of using code flow
and getting an access token - is it just so that clients must use the
derived secret? ¯\_(ツ)_/¯

Apple's frontend "Sign In with Apple JS" javascript implementation is a
mystery to me as well, having a look at the JS it runs authorization within
a popup with a `code id_token` response type but `form_post` response mode
and a proprietary frame_id parameter. There's no hook for getting the
tokens back. This seems a work in progress interface.

Best regards,
*Filip Skokan*

On Tue, 4 Jun 2019 at 12:31, Joseph Heenan via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Hi all,
> Apple announced their own sign on solution at WWDC yesterday.
> It appears to be broadly OAuth2 / OpenID Connect, though this isn’t
> explicitly mentioned:
> https://developer.apple.com/documentation/signinwithapplerestapi/generate_and_validate_tokens
> https://developer.apple.com/documentation/signinwithapplerestapi/tokenresponse
> There is an id_token in the response, but its contents aren’t obviously
> described beyond being ’A JSON Web Token that contains the user’s identity
> information.’
> One obvious oddity is that at the token endpoint you are required to pass
> a client_secret parameter that contains an ES256 JWS that is not entirely
> unlike a client_assertion. I don’t know if that’s a mistake in the
> documentation or if Apple have deliberately moved away from a standard
> client assertion for reasons that are unclear.
> Is anyone at WWDC? There’s a session and a lab on Wednesday that might
> present an opportunity to ask some questions.
> Thanks
> Joseph
