[Openid-specs-ab] Sign in with Apple use of non-standard OAuth2/OpenID Connect?

Hans Zandbelt hans.zandbelt at zmartzone.eu
Thu Jun 13 10:36:13 UTC 2019


Also, providing the (optional) nonce in a regular code flow does not result
in the (then) required inclusion in an id_token.

Hans.

On Wed, Jun 12, 2019 at 12:09 PM Filip Skokan via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Further issues I ran into:
>
>    - `code id_token` response type does not respect `nonce` in the
>    authorization request returned `id_token`
>    - `code id_token` response type does not include `c_hash` in the
>    authorization request returned `id_token`
>    - providing `prompt` parameter with any value (login/consent) or empty
>    results in a 400 with no body
>
> The interface seems to be just "connect-inspired", not connect.
>
> Best regards,
> *Filip Skokan*
>
>
> On Tue, 4 Jun 2019 at 13:53, Mischa Salle <msalle at nikhef.nl> wrote:
>
>> On Tue, Jun 04, 2019 at 12:51:10PM +0200, Filip Skokan via
>> Openid-specs-ab wrote:
>> > I had a look at the interface earlier today myself as well.
>> >
>> > The client_secret value differs from a private_key_jwt client_assertion
>> > like so
>> >
>> >    1. its `sub` and `iss` are not the same client_id value
>> >    2. it does not require `jti` (and it probably wouldn't use it for
>> >    checking the assertion is only used once anyway)
>> >
>> > Apple's documentation states that the expiration of this derived client
>> > secret JWT can be up to 6 months. My assumption is they really wanted to
>> > stick to client secret basic/post scheme so that developers may use the
>> > basic oauth/oidc client implementations out there but have
>> > rotating/expiring client secrets out of the box, that's why the client
>> > secret value is derived from a private key Apple *generates for you*
>> > (you cannot provide your own public key).
>> >
>> > There's no discovery and no userinfo endpoint, id token signing is RS256
>> > only given that the jwks_uri <https://appleid.apple.com/auth/keys> only
>> > yields a single RS256 alg key and the returned ID Token claims lack
>> > documentation. If there's no userinfo what's the point of using code
>> > flow and getting an access token - is it just so that clients must use
>> > the derived secret? ¯\_(ツ)_/¯
>>
>> I think the hint is in
>>
>> https://developer.apple.com/documentation/signinwithapplerestapi/tokenresponse
>>     "access_token
>>         (Reserved for future use) A token used to access allowed data.
>>         Currently, no data set has been defined for access."
>>
>> Cheers,
>> Mischa
>>
>> >
>> > Apple's frontend "Sign In with Apple JS" JavaScript implementation is a
>> > mystery to me as well; having a look at the JS, it runs authorization
>> > within a popup with a `code id_token` response type but `form_post`
>> > response mode and a proprietary frame_id parameter. There's no hook for
>> > getting the tokens back. This seems a work-in-progress interface.
>> >
>> > Best regards,
>> > *Filip Skokan*
>> >
>> >
>> > On Tue, 4 Jun 2019 at 12:31, Joseph Heenan via Openid-specs-ab <
>> > openid-specs-ab at lists.openid.net> wrote:
>> >
>> > > Hi all,
>> > >
>> > > Apple announced their own sign on solution at WWDC yesterday.
>> > >
>> > > It appears to be broadly OAuth2 / OpenID Connect, though this isn’t
>> > > explicitly mentioned:
>> > >
>> > > https://developer.apple.com/documentation/signinwithapplerestapi/generate_and_validate_tokens
>> > > https://developer.apple.com/documentation/signinwithapplerestapi/tokenresponse
>> > >
>> > > There is an id_token in the response, but its contents aren’t
>> > > obviously described beyond being ’A JSON Web Token that contains the
>> > > user’s identity information.’
>> > >
>> > > One obvious oddity is that at the token endpoint you are required to
>> > > pass a client_secret parameter that contains an ES256 JWS that is not
>> > > entirely unlike a client_assertion. I don’t know if that’s a mistake in
>> > > the documentation or if Apple have deliberately moved away from a
>> > > standard client assertion for reasons that are unclear.
>> > >
>> > > Is anyone at WWDC? There’s a session and a lab on Wednesday that might
>> > > present an opportunity to ask some questions.
>> > >
>> > > Thanks
>> > >
>> > > Joseph
>> > >
>> > > _______________________________________________
>> > > Openid-specs-ab mailing list
>> > > Openid-specs-ab at lists.openid.net
>> > > http://lists.openid.net/mailman/listinfo/openid-specs-ab
>> > >
>>
>>
>>
>> --
>> Nikhef                      Room  H155
>> Science Park 105            Tel.  +31-20-592 5102
>> 1098 XG Amsterdam           Fax   +31-20-592 5155
>> The Netherlands             Email msalle at nikhef.nl
>>   __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..
>>
>


-- 
hans.zandbelt at zmartzone.eu
ZmartZone IAM - www.zmartzone.eu
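As an added example (not code from this thread, from Apple, or from any project mentioned in it), here are the two checks Filip and Hans report as failing, written the way a conforming relying party applies them to a decoded ID Token payload. It follows the OpenID Connect Core ID Token validation rules: a nonce sent in the authorization request must come back unchanged, and a `code id_token` response must carry a `c_hash` equal to the base64url-encoded left half of the digest (SHA-256 for an RS256 token) of the returned authorization code. The nonce, code and claim sets below are constructed sample values; verification of the JWS signature, `iss`, `aud` and `exp` is assumed to have happened before these checks run.

```python
import base64
import hashlib

# The digest used for c_hash / at_hash is the one behind the ID Token's JWS alg.
_DIGEST_FOR_ALG = {
    "RS256": hashlib.sha256, "ES256": hashlib.sha256, "PS256": hashlib.sha256,
    "RS384": hashlib.sha384, "ES384": hashlib.sha384, "PS384": hashlib.sha384,
    "RS512": hashlib.sha512, "ES512": hashlib.sha512, "PS512": hashlib.sha512,
}


def b64url(raw: bytes) -> str:
    """base64url without padding, as JOSE encodes it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def left_half_hash(value: str, alg: str) -> str:
    """c_hash (and at_hash) rule: hash the ASCII value with the digest of the
    ID Token's alg, keep the left-most half of the digest, base64url-encode it."""
    digest = _DIGEST_FOR_ALG[alg](value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def check_id_token_claims(claims, *, alg, response_type, request_nonce=None, code=None):
    """Return the list of conformance failures for a decoded ID Token payload
    (an empty list means it passes). Signature, iss, aud and exp are assumed to
    have been verified already; this covers only the nonce and c_hash rules."""
    failures = []
    hybrid = {"code", "id_token"} <= set(response_type.split())

    if hybrid and request_nonce is None:
        failures.append("hybrid flow requires the client to send a nonce")
    if request_nonce is not None:
        # Code flow: nonce is optional in the request, but once sent the OP must
        # echo it and the client must compare it. Hybrid flow: nonce is required.
        if "nonce" not in claims:
            failures.append("nonce missing from id_token although one was sent")
        elif claims["nonce"] != request_nonce:
            failures.append("nonce in id_token does not match the request nonce")

    if hybrid:
        # c_hash binds the code to this id_token; it is required whenever the
        # authorization endpoint returns both together.
        if "c_hash" not in claims:
            failures.append("c_hash missing from id_token in a code id_token response")
        elif code is None or claims["c_hash"] != left_half_hash(code, alg):
            failures.append("c_hash does not match the returned authorization code")
    return failures


# Constructed sample values; not real tokens or codes from any provider.
ALG = "RS256"
REQUEST_NONCE = "n-0S6_WzA2Mj"
CODE = "SplxlOBeZQQYbYS6WxSbIA"
BASE_CLAIMS = {"iss": "https://op.example", "sub": "248289761001", "aud": "client-1"}


def conforming_claims():
    """What a conforming OP returns for `code id_token`: nonce echoed, c_hash bound."""
    return {**BASE_CLAIMS, "nonce": REQUEST_NONCE, "c_hash": left_half_hash(CODE, ALG)}


def connect_inspired_claims():
    """The behaviour reported in the thread: neither nonce nor c_hash is present."""
    return dict(BASE_CLAIMS)


if __name__ == "__main__":
    for name, claims in (("conforming", conforming_claims()),
                         ("connect-inspired", connect_inspired_claims())):
        print(name, check_id_token_claims(claims, alg=ALG, response_type="code id_token",
                                          request_nonce=REQUEST_NONCE, code=CODE))
```

A client library that implements these rules rejects the second payload outright, which is the practical consequence of the thread's observations: a relying party that skips the nonce comparison loses its replay protection for the ID Token, and one that skips `c_hash` loses the binding between the code it redeems and the identity it was shown.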