[Openid-specs-ab] Single Sign-On is dead on iOS 11

Nat Sakimura sakimura at gmail.com
Tue Jun 13 00:04:36 UTC 2017


Maybe we can call upon the privacy community as well, raising the voice that
this is very bad for privacy.
I wonder what privacy enhancement they have in mind.

On Fri, Jun 9, 2017 at 2:34 AM 'Iain McGinniss' via OIDF Account Chooser
list <oidf-account-chooser-list at googlegroups.com> wrote:

> Hello all,
>
> Just to bring this to your attention: Apple has essentially killed single
> sign-on for native apps in iOS 11. Changes made to SFSafariViewController
> (used by AppAuth, and the recommended mechanism for federated login by
> Apple) now mean that browser state is partitioned per app, so there is no
> way for an existing authentication in the browser to be reused by an app.
>
> This fundamentally breaks an important part of OpenID Connect - users will
> now need to re-authenticate with their IDP in every app that they use.
> There is still time to provide feedback to Apple on this change, though
> they have been discussing this change in terms of "enhancing privacy" and
> I'd be very surprised if they change tack now.
>
> Iain
>
-- 

Nat Sakimura

Chairman of the Board, OpenID Foundation