'Sign in with Apple' better but not perfect, says OpenID Foundation head

A letter to Apple's Craig Federighi from OpenID Foundation Chairman Nat Sakimura is thanking Apple for changes made during the iOS 13 beta process.

"We applaud your team's efforts in quickly addressing the critical security and compatibility gaps identified and successfully implementing them while Sign In with Apple is still in beta," wrote Sakimura. "Now users will no longer be limited to where they can use the service and they can have confidence in their security and privacy. Furthermore, Sign In with Apple is now interoperable with widely available OpenID Connect Relying Party software."

Sakimura concludes by asking Apple to "continue working through the issues identified."

The original document calling for changes has been altered to reflect Apple's changes, but the Foundation still points out areas of improvement. Specifically, the Foundation is calling for a discovery document to assist developers in implementation.

"The OpenID Foundation applauds Apple's efforts to allow users to login to third-party mobile and Web applications with their Apple ID using OpenID Connect," the original letter began, discussing that Connect is a "modern, widely-adopted identity protocol built on OAuth 2.0 that enables third-party login to applications," and was "developed by a large number of companies and industry experts" within the Foundation.

At the time, the Foundation said that Apple "largely adopted" Connect in building Sign in with Apple. But, there were a host of differences that exposed users to privacy and security threats. Specifically cited were the lack of PKCE in the Authorization Code grant type, which could theoretically leave people exposed to code injection and replay attacks.

According to Sakimura, the problems allegedly placed "an unnecessary burden" on developers working with both Connect and Sign in with Apple, since Apple's code wasn't fully compatible with OpenID Connect Relying Party software.

The original letter asked Apple to "address the gaps," use the Open ID Connect Self Certification Test Suite, state that Sign in with Apple is compatible with Relying Party software, and finally join the OpenID Foundation.

Testing of Sign in with Apple began well ahead of iOS 13 release. The technology is intended to be a more privacy-focused alternative to sign-in buttons from the likes of Facebook, Google, and Twitter. Apple has been criticized for making support mandatory if those third-party options are present.