OpenID Foundation says 'Sign in with Apple' has critical gaps, urges changes
The OpenID Foundation this week issued an open letter to Apple's Software Engineering chief, Craig Federighi, arguing that the upcoming "Sign in with Apple" standard bears a lot of similarity to OpenID Connect — but not enough for privacy, security, and development purposes.
"The OpenID Foundation applauds Apple's efforts to allow users to login to third-party mobile and Web applications with their Apple ID using OpenID Connect," the letter begins, elaborating that Connect is a "modern, widely-adopted identity protocol built on OAuth 2.0 that enables third-party login to applications," and was "developed by a large number of companies and industry experts" within the Foundation.
While Apple appears to have "largely adopted" Connect in building Sign in with Apple, there are a host of differences that shrink the places where Apple's system can be used and expose it to privacy and security threats, the Foundation said. An example of the latter is the absence of PKCE (Proof Key for Code Exchange) in the Authorization Code grant type, which could nominally leave people exposed to code injection and replay attacks.
The schism also allegedly "places an unnecessary burden" on developers working with both Connect and Sign in with Apple, particularly since Apple's code isn't compatible with OpenID Connect Relying Party software.
The letter asks Apple to "address the gaps," use the OpenID Connect Self-Certification Test Suite, state that Sign in with Apple is compatible with Relying Party software, and finally join the OpenID Foundation.
Testing of Sign in with Apple will start later this summer ahead of iOS 13's fall launch window. The technology is intended to be a more privacy-focused alternative to sign-in buttons from the likes of Facebook, Google, and Twitter, but Apple has been criticized for making support mandatory if those third-party options are present.