[Openid-specs-ab] Single Sign-On is dead on iOS 11

William Denniss wdenniss at google.com
Tue Jul 11 07:17:30 UTC 2017


Yes indeed!

AppAuth has support already in a PR:
https://github.com/openid/AppAuth-iOS/pull/129

There's one bug which we found & filed (issues with cookies syncing from
the SFAuthenticationSession to Safari). If that's fixed before GM, then
this is a really great replacement!



On Mon, Jul 10, 2017 at 11:13 PM, Thomas Broyer via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Looks like they have a new API specifically for auth:
> https://twitter.com/othermaciej/status/884646977207545856
>
> On Tue, Jun 13, 2017 at 02:04, Nat Sakimura via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
>> Maybe we can call upon the privacy community as well raising the voice
>> that this is very bad for privacy.
>> I wonder what is the privacy enhancement they have in mind.
>>
>> On Fri, Jun 9, 2017 at 2:34 AM 'Iain McGinniss' via OIDF Account Chooser
>> list <oidf-account-chooser-list at googlegroups.com> wrote:
>>
>>> Hello all,
>>>
>>> Just to bring this to your attention: Apple has essentially killed
>>> single sign-on for native apps in iOS 11. Changes made to
>>> SFSafariViewController (used by AppAuth, and the recommended mechanism for
>>> federated login by Apple) now mean that browser state is partitioned per
>>> app, so there is no way for an existing authentication in the browser to be
>>> reused by an app.
>>>
>>> This fundamentally breaks an important part of OpenID Connect - users
>>> will now need to re-authenticate with their IDP in every app that they use.
>>> There is still time to provide feedback to Apple on this change, though
>>> they have been discussing this change in terms of "enhancing privacy" and
>>> I'd be very surprised if they change tack now.
>>>
>>> Iain
>>>
>> --
>>
>> Nat Sakimura
>>
>> Chairman of the Board, OpenID Foundation
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>