[Openid-specs-ab] Sign in with Apple use of non-standard OAuth2/OpenID Connect?

Mischa Salle msalle at nikhef.nl
Tue Jun 4 11:53:36 UTC 2019


On Tue, Jun 04, 2019 at 12:51:10PM +0200, Filip Skokan via Openid-specs-ab wrote:
> I had a look at the interface earlier today myself as well.
> 
> The client_secret value differs from a private_key_jwt client_assertion
> like so
> 
>    1. its `sub` and `iss` are not the same client_id value
>    2. it does not require `jti` (and it wouldn't probably use it for
>    checking the assertion is only used once anyway)
> 
> Apple's documentation states that the expiration of this derived client
> secret JWT can be up to 6 months. My assumption is they really wanted to
> stick to client secret basic/post scheme so that developers may use the
> basic oauth/oidc client implementations out there but have
> rotating/expiring client secrets out of the box, thats why the client
> secret value is derived from a private key Apple *generates for you *(you
> cannot provide your own public key).
> 
> There's no discovery and no userinfo endpoint, id token signing is RS256
> only given that the jwks_uri <https://appleid.apple.com/auth/keys> only
> yields a single RS256 alg key and the returned ID Token claims lack
> documentation. If there's no userinfo what's the point of using code flow
> and getting an access token - is it just so that clients must use the
> derived secret? ¯\_(ツ)_/¯

I think the hint is in
https://developer.apple.com/documentation/signinwithapplerestapi/tokenresponse
    "access_token
	(Reserved for future use) A token used to access allowed data.
	Currently, no data set has been defined for access."

Cheers,
Mischa

> 
> Apple's frontend "Sign In with Apple JS" javascript implementation is a
> mystery to me as well, having a look at the JS it runs authorization within
> a popup with a `code id_token` response type but `form_post` response mode
> and a proprietary frame_id parameter. There's no hook for getting the
> tokens back. This seems a work in progress interface.
> 
> S pozdravem,
> *Filip Skokan*
> 
> 
> On Tue, 4 Jun 2019 at 12:31, Joseph Heenan via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
> 
> > Hi all,
> >
> > Apple announced their own sign on solution at WWDC yesterday.
> >
> > It appears to be broadly OAuth2 / OpenID Connect, though this isn’t
> > explicitly mentioned:
> >
> >
> > https://developer.apple.com/documentation/signinwithapplerestapi/generate_and_validate_tokens
> >
> >
> > https://developer.apple.com/documentation/signinwithapplerestapi/tokenresponse
> >
> > There is an id_token in the response, but it’s contents aren’t obviously
> > described beyond being ’A JSON Web Token that contains the user’s identity
> > information.’
> >
> > One obvious oddity is that at the token endpoint you are required to pass
> > a client_secret parameter that contains an ES256 JWS that is not entirely
> > unlikely a client_assertion. I don’t know if that’s a mistake in the
> > documentation or if Apple have deliberately moved away from a standard
> > client assertion for reasons that are unclear.
> >
> > Is anyone at WWDC? There’s a session and a lab on Wednesday that might
> > present an opportunity to ask some questions.
> >
> > Thanks
> >
> > Joseph
> >
> > _______________________________________________
> > Openid-specs-ab mailing list
> > Openid-specs-ab at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-specs-ab
> >

> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab


-- 
Nikhef                      Room  H155
Science Park 105            Tel.  +31-20-592 5102
1098 XG Amsterdam           Fax   +31-20-592 5155
The Netherlands             Email msalle at nikhef.nl
  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..


More information about the Openid-specs-ab mailing list