<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div dir="ltr">I have a website whose “Primary App” isn’t published on the App Store.</div><div dir="ltr"><br><div>Probably this site is where Nat logged in.</div><div><a href="https://signin-with-apple.herokuapp.com/">https://signin-with-apple.herokuapp.com/</a></div><div><br></div><div>I assume everyone can log in there.<br><br>To register a client_id for Apple ID, you need to register an iOS/iPad/Mac app, but you don’t have to publish it on the App Store.<br> <br><div id="AppleMailSignature" dir="ltr">Sent from my iPhone</div><div dir="ltr"><br>On Jun 14, 2019, at 15:08, Joseph Heenan via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br><br></div><blockquote type="cite"><div dir="ltr"><meta http-equiv="Content-Type" content="text/html; charset=utf-8">It’s a subtle point - you have to have an iOS app before you can use signin with apple on the web. Once you have an iOS app, it works fine on the web (except you can’t currently access name/email via the web interface it seems).<div class=""><br class=""></div><div class="">i.e. if you don’t have an iOS app, I believe your access to ‘signin with apple on web’ is blocked. So, if your use is one Apple doesn’t allow on the App Store (porn, gambling, etc), you can’t publish an iOS app on the store, so you can’t use signin with apple on the web either.</div><div class=""><br class=""></div><div class="">Joseph</div><div class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 14 Jun 2019, at 14:48, n-sakimura <<a href="mailto:n-sakimura@nri.co.jp" class="">n-sakimura@nri.co.jp</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" class="">
<div dir="auto" class="">
Is that so?
<div class=""><br class="">
</div>
<div class="">AFAIK, I could successfully login with Sign in with Apple on a web application from Chrome. <br class="">
<br class="">
<div dir="ltr" class="">Nat</div>
<div dir="ltr" class=""><br class="">
On 2019/06/14 at 13:48, Joseph Heenan via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" class="">openid-specs-ab@lists.openid.net</a>> wrote:<br class="">
<br class="">
</div>
<blockquote type="cite" class="">
<div dir="ltr" class="">To me it seems pretty clear that Apple are primarily targeting iOS apps, and essentially sign in with Apple can only be used if you have an iOS app. (If you have an iOS app you can use sign in with apple on the web as well, but they clearly aren’t
currently aiming to make it accessible to pure web apps that have no counterpart iOS App Store app).
<div class=""><br class="">
</div>
<div class="">I guess at least some of this will change before it comes out of beta, not being able to do an on boarding flow as easily on the web (due to the lack of user information you mention) seems like a significant omission. I’d guess they be thinking
to add a userinfo style endpoint?</div>
<div class=""><br class="">
</div>
<div class="">Joseph<br class="">
<div class=""><br class="">
</div>
<div class=""><br class="">
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On 14 Jun 2019, at 09:24, Jeff LOMBARDO via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" class="">openid-specs-ab@lists.openid.net</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="auto" class="">Hi
<div dir="auto" class=""><br class="">
</div>
<div dir="auto" class="">At IDPro we were also mesmerized by the fact that the sub looks a lot like a JWT. </div>
<div dir="auto" class=""><br class="">
</div>
<div dir="auto" class="">But it can de decoded like nothing of the short. Not even CWT. So I see here a kind of non trivial CRC.</div>
<div dir="auto" class=""><br class="">
</div>
<div dir="auto" class="">As the sub looks like a JWT we hoped to retrive the user information there or thanks to it. From analisys of the native code, this is finally not the case as user information is retrieved through other claims than sub from ASAuthorizationAppleIDCredential.<br class="">
</div>
<div dir="auto" class=""><br class="">
</div>
<div dir="auto" class="">So it sounds more likely that Web/JS/pure OIDC implementation should get it from specific claims and not the sub too.<br class="">
</div>
<div dir="auto" class=""><br class="">
</div>
<div dir="auto" class="">Which can be related to the scope not functioning (if you specify it it fails at consent) for the momemt when lookig at web implementation. <br class="">
</div>
<div dir="auto" class=""><br class="">
</div>
<div dir="auto" class=""><br class="">
</div>
<div dir="auto" class="">Jeff</div>
</div>
<br class="">
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">Le jeu. 13 juin 2019 06:36, Hans Zandbelt via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" class="">openid-specs-ab@lists.openid.net</a>> a écrit :<br class="">
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr" class="">also providing the (optional) nonce in a regular code flow does not result in the (then) required inclusion in an id_token
<div class=""><br class="">
</div>
<div class="">Hans.<br class="">
</div>
</div>
<br class="">
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Jun 12, 2019 at 12:09 PM Filip Skokan via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" rel="noreferrer" class="">openid-specs-ab@lists.openid.net</a>> wrote:<br class="">
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr" class="">Further issues i ran into
<div class="">
<ul class="">
<li class="">`code id_token` response type does not respect `nonce` in the authorization request returned `id_token`</li><li class="">`code id_token` response type does not include `c_hash` in the authorization request returned `id_token`</li><li class="">providing `prompt` parameter with any value (login/consent) or empty results in a 400 with no body</li></ul>
<div class="">The interface seems to be just "connect-inspired", not connect.</div>
</div>
<div class=""><br class="">
</div>
<div class="">
<div class="">
<div dir="ltr" class="m_-3375013125782790869gmail-m_5038539643184687528gmail_signature">
Best regards,<br class="">
<b class="">Filip Skokan</b></div>
</div>
<br class="">
</div>
</div>
<br class="">
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, 4 Jun 2019 at 13:53, Mischa Salle <<a href="mailto:msalle@nikhef.nl" target="_blank" rel="noreferrer" class="">msalle@nikhef.nl</a>> wrote:<br class="">
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
On Tue, Jun 04, 2019 at 12:51:10PM +0200, Filip Skokan via Openid-specs-ab wrote:<br class="">
> I had a look at the interface earlier today myself as well.<br class="">
> <br class="">
> The client_secret value differs from a private_key_jwt client_assertion<br class="">
> like so<br class="">
> <br class="">
> 1. its `sub` and `iss` are not the same client_id value<br class="">
> 2. it does not require `jti` (and it wouldn't probably use it for<br class="">
> checking the assertion is only used once anyway)<br class="">
> <br class="">
> Apple's documentation states that the expiration of this derived client<br class="">
> secret JWT can be up to 6 months. My assumption is they really wanted to<br class="">
> stick to client secret basic/post scheme so that developers may use the<br class="">
> basic oauth/oidc client implementations out there but have<br class="">
> rotating/expiring client secrets out of the box, that's why the client<br class="">
> secret value is derived from a private key Apple *generates for you *(you<br class="">
> cannot provide your own public key).<br class="">
> <br class="">
> There's no discovery and no userinfo endpoint, id token signing is RS256<br class="">
> only given that the jwks_uri <<a href="https://appleid.apple.com/auth/keys" rel="noreferrer noreferrer" target="_blank" class="">https://appleid.apple.com/auth/keys</a>> only<br class="">
> yields a single RS256 alg key and the returned ID Token claims lack<br class="">
> documentation. If there's no userinfo what's the point of using code flow<br class="">
> and getting an access token - is it just so that clients must use the<br class="">
> derived secret? ¯\_(ツ)_/¯<br class="">
<br class="">
I think the hint is in<br class="">
<a href="https://developer.apple.com/documentation/signinwithapplerestapi/tokenresponse" rel="noreferrer noreferrer" target="_blank" class="">https://developer.apple.com/documentation/signinwithapplerestapi/tokenresponse</a><br class="">
"access_token<br class="">
(Reserved for future use) A token used to access allowed data.<br class="">
Currently, no data set has been defined for access."<br class="">
<br class="">
Cheers,<br class="">
Mischa<br class="">
<br class="">
> <br class="">
> Apple's frontend "Sign In with Apple JS" javascript implementation is a<br class="">
> mystery to me as well, having a look at the JS it runs authorization within<br class="">
> a popup with a `code id_token` response type but `form_post` response mode<br class="">
> and a proprietary frame_id parameter. There's no hook for getting the<br class="">
> tokens back. This seems a work in progress interface.<br class="">
> <br class="">
> Best regards,<br class="">
> *Filip Skokan*<br class="">
> <br class="">
> <br class="">
> On Tue, 4 Jun 2019 at 12:31, Joseph Heenan via Openid-specs-ab <<br class="">
> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" rel="noreferrer" class="">
openid-specs-ab@lists.openid.net</a>> wrote:<br class="">
> <br class="">
> > Hi all,<br class="">
> ><br class="">
> > Apple announced their own sign on solution at WWDC yesterday.<br class="">
> ><br class="">
> > It appears to be broadly OAuth2 / OpenID Connect, though this isn’t<br class="">
> > explicitly mentioned:<br class="">
> ><br class="">
> ><br class="">
> > <a href="https://developer.apple.com/documentation/signinwithapplerestapi/generate_and_validate_tokens" rel="noreferrer noreferrer" target="_blank" class="">
https://developer.apple.com/documentation/signinwithapplerestapi/generate_and_validate_tokens</a><br class="">
> ><br class="">
> ><br class="">
> > <a href="https://developer.apple.com/documentation/signinwithapplerestapi/tokenresponse" rel="noreferrer noreferrer" target="_blank" class="">
https://developer.apple.com/documentation/signinwithapplerestapi/tokenresponse</a><br class="">
> ><br class="">
> > There is an id_token in the response, but its contents aren’t obviously<br class="">
> > described beyond being ‘A JSON Web Token that contains the user’s identity<br class="">
> > information.’<br class="">
> ><br class="">
> > One obvious oddity is that at the token endpoint you are required to pass<br class="">
> > a client_secret parameter that contains an ES256 JWS that is not entirely<br class="">
> > unlike a client_assertion. I don’t know if that’s a mistake in the<br class="">
> > documentation or if Apple have deliberately moved away from a standard<br class="">
> > client assertion for reasons that are unclear.<br class="">
> ><br class="">
> > Is anyone at WWDC? There’s a session and a lab on Wednesday that might<br class="">
> > present an opportunity to ask some questions.<br class="">
> ><br class="">
> > Thanks<br class="">
> ><br class="">
> > Joseph<br class="">
> ><br class="">
> > _______________________________________________<br class="">
> > Openid-specs-ab mailing list<br class="">
> > <a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" rel="noreferrer" class="">
Openid-specs-ab@lists.openid.net</a><br class="">
> > <a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer noreferrer" target="_blank" class="">
http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br class="">
> ><br class="">
<br class="">
<br class="">
<br class="">
-- <br class="">
Nikhef Room H155<br class="">
Science Park 105 Tel. +31-20-592 5102<br class="">
1098 XG Amsterdam Fax +31-20-592 5155<br class="">
The Netherlands Email <a href="mailto:msalle@nikhef.nl" target="_blank" rel="noreferrer" class="">
msalle@nikhef.nl</a><br class="">
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..<br class="">
</blockquote>
</div>
</blockquote>
</div>
<br clear="all" class="">
<div class=""><br class="">
</div>
-- <br class="">
<div dir="ltr" class="m_-3375013125782790869gmail_signature">
<div dir="ltr" class="">
<div class="">
<div dir="ltr" class="">
<div dir="ltr" class="">
<div style="font-size:small" class=""><a href="mailto:hans.zandbelt@zmartzone.eu" target="_blank" rel="noreferrer" class="">hans.zandbelt@zmartzone.eu</a></div>
<div style="font-size:small" class="">ZmartZone IAM - <a href="http://www.zmartzone.eu/" target="_blank" rel="noreferrer" class="">
www.zmartzone.eu</a><br class="">
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</blockquote>
<blockquote type="cite" class="">
<div dir="ltr" class=""><span class="">_______________________________________________</span><br class="">
<span class="">Openid-specs-ab mailing list</span><br class="">
<span class=""><a href="mailto:Openid-specs-ab@lists.openid.net" class="">Openid-specs-ab@lists.openid.net</a></span><br class="">
<span class=""><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" class="">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></span><br class="">
</div>
</blockquote>
</div>
</div>
</div></blockquote></div><br class=""></div></div></blockquote></div></div></body></html>