
OpenID Foundation says 'Sign in with Apple' has critical gaps, urges changes

The OpenID Foundation this week issued an open letter to Apple's Software Engineering chief, Craig Federighi, arguing that the upcoming "Sign in with Apple" standard bears a lot of similarity to OpenID Connect — but not enough for privacy, security, and development purposes.

"The OpenID Foundation applauds Apple's efforts to allow users to login to third-party mobile and Web applications with their Apple ID using OpenID Connect," the letter begins, elaborating that Connect is a "modern, widely-adopted identity protocol built on OAuth 2.0 that enables third-party login to applications," and was "developed by a large number of companies and industry experts" within the Foundation.

While Apple appears to have "largely adopted" Connect in building Sign in with Apple, there are a host of differences that shrink the places where Apple's system can be used and expose it to privacy and security threats, the Foundation said. An example of the latter is the absence of PKCE (Proof Key for Code Exchange) in the Authorization Code grant type, which could leave users exposed to authorization code injection and replay attacks.
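As an added illustration, not code from the article, the Foundation or Apple, this toy Python authorization server shows the check that PKCE (RFC 7636, S256 method) adds to the authorization code grant: a code is redeemed only when the caller presents the verifier matching the challenge registered at authorization time, and only once. The `AuthorizationServer` class, the flow helpers and the token strings are constructed for this example.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple


def make_verifier() -> str:
    """RFC 7636 code_verifier: 32 random bytes, base64url without padding (43 chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def challenge_s256(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class AuthorizationServer:
    """Constructed toy server: remembers the code_challenge bound to each issued code
    and refuses to redeem the code without the matching code_verifier."""

    def __init__(self) -> None:
        self._codes: Dict[str, str] = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> Optional[str]:
        challenge = self._codes.pop(code, None)  # one-time use, so a replay also fails
        if challenge is None:
            return None
        if not secrets.compare_digest(challenge_s256(code_verifier), challenge):
            return None  # verifier does not match: code was not issued to this caller
        return "access-token-" + secrets.token_hex(8)


def legitimate_flow(server: AuthorizationServer) -> Optional[str]:
    verifier = make_verifier()
    code = server.authorize(challenge_s256(verifier))
    return server.token(code, verifier)


def mismatched_verifier_is_rejected(server: AuthorizationServer) -> Optional[str]:
    # A code bound to one session's challenge is redeemed with another session's verifier.
    code = server.authorize(challenge_s256(make_verifier()))
    return server.token(code, make_verifier())


def replay_is_rejected(server: AuthorizationServer) -> Tuple[bool, bool]:
    verifier = make_verifier()
    code = server.authorize(challenge_s256(verifier))
    return (server.token(code, verifier) is not None, server.token(code, verifier) is not None)
```

Without the challenge binding, the token endpoint would have no way to tell the second and third flows from the first.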

The schism also allegedly "places an unnecessary burden" on developers working with both Connect and Sign in with Apple, particularly since Apple's code isn't compatible with OpenID Connect Relying Party software.

The letter asks Apple to "address the gaps," use the OpenID Connect Self Certification Test Suite, state that Sign in with Apple is compatible with Relying Party software, and finally join the OpenID Foundation.

Testing of Sign in with Apple will start later this summer ahead of iOS 13's fall launch window. The technology is intended to be a more privacy-focused alternative to sign-in buttons from the likes of Facebook, Google, and Twitter, but Apple has been criticized for making support mandatory if those third-party options are present.



24 Comments

rob53 3312 comments · 13 Years

I'm sure Apple and developers will find most of the issues before it's released. Comparing Apple's implementation to Google and Facebook logons is like comparing a locked door to an open one. OpenID can complain all they want, but let's hear their assessment about logging in with Facebook and Google. I highly doubt Apple will be logging any personal data and will not be selling anything, while Facebook and Google are guaranteed to be selling everything they get.

bonobob 395 comments · 13 Years

rob53 said:
I'm sure Apple and developers will find most of the issues before it's released. Comparing Apple's implementation to Google and Facebook logons is like comparing a locked door to an open one. OpenID can complain all they want, but let's hear their assessment about logging in with Facebook and Google. I highly doubt Apple will be logging any personal data and will not be selling anything, while Facebook and Google are guaranteed to be selling everything they get.

The security of the login and what is done with the data that is made available by that login are two separate things. This article is about the former, not the latter. The login security is of critical importance. Screw that up, and the whole system could be compromised.

1STnTENDERBITS 460 comments · 8 Years

rob53 said:
I'm sure Apple and developers will find most of the issues before it's released. Comparing Apple's implementation to Google and Facebook logons is like comparing a locked door to an open one. OpenID can complain all they want, but let's hear their assessment about logging in with Facebook and Google. I highly doubt Apple will be logging any personal data and will not be selling anything, while Facebook and Google are guaranteed to be selling everything they get.

Based on your comment, I don't think you understand the subject matter. Their issue with Sign in With Apple has nothing to do with logging personal data or selling anything. It's kind of hard for you to give an opinion about OpenID's complaint when you don't seem to even know what their complaint is about. If their complaint about the security of Apple's implementation is valid, comparing it to Google and Facebook logins won't make it any more secure. That's simply unnecessary deflection. The complaint is critical gaps in security, not data collection.

Apple will most likely address any valid security issues from OpenID's complaint before release.

mdriftmeyer 7395 comments · 20 Years

There is absolutely nothing about OpenID/OAuth 2.0 that Apple cares about. Their solution isn't about conforming with it. Sign in with Apple has no interest in opening up its middleware to OpenID which has a history of flaws. Among the many flaws is Phishing.
Sorry, but when Sign in with Apple arrives it'll be whined about that the FBI and others can't hack into it as well.

mac_dog 1084 comments · 16 Years

rob53 said:
I'm sure Apple and developers will find most of the issues before it's released. Comparing Apple's implementation to Google and Facebook logons is like comparing a locked door to an open one. OpenID can complain all they want, but let's hear their assessment about logging in with Facebook and Google. I highly doubt Apple will be logging any personal data and will not be selling anything, while Facebook and Google are guaranteed to be selling everything they get.

It’s foolish to pin all your hopes on Apple “finding the issues”. Apple should pay attention and start with those issues—unless they are the wiser.

And, quite frankly, I couldn’t care less how Facebook and google are conducting their business. I just care that Apple gets it right.