On June 3rd during Apple’s WWDC 2019, Craig Federighi, Senior VP, Software Engineering for Apple revealed a new social login solution alongside Facebook Connect and Sign in with Google. With Sign in with Apple, Cupertino’s firm aims to revolutionize social login by elevating the personal data protection level and allowing end-users to control the data they share with applications.
Privacy and data control at the core
Sign in with Apple (SIWA) works just like its competitors: the end-user chooses to authenticate with their Apple account and then consents to share data with a third app. It is precisely within that last step that SIWA aims to bring more trust. The end-user will be able to not only view the data being shared, but also the actual values. Moreover, Apple brings the possibility to protect end-users from spam and some cross-referencing techniques by sharing a randomly generated email address in place of the usual one. This random email will act as an alias and could be disabled at any time the user chooses.
The authentication actually uses the end-user AppleID and is already integrated to all Apple devices making biometric authentication (ie TouchID or FaceID) available as well as push notifications. Apple indeed underlines the fact that it makes it easy to implement MFA for third party apps.
With Sign in with Apple, Apple directly aims at Facebook and Google by proposing a privacy-preserving technology and by getting a foot in the door through its AppStore policy: every application using social login features must include Sign-in with Apple within the options.
For now, the update is sketchy but non-conforming apps may be unable to be published (eg. FranceConnect or Belgium’s eID); will they be forced to implement Sign-In with Apple to get published in the AppStore?
To this day, no final date has been confirmed by Apple for application compliance and Sign In with Apple is in beta mode since the beginning of this summer.
A solution inspired by standards but with major differences
Apple’s social login solution is based on OpenID Connect.. OpenID foundation experts tested it as soon as it was available on the Apple Developer console and released a document detailing the differences between Sign-In with Apple and the OpenID Connect standard. Among the differences there’s:
- No use of PKCE which protects against authorization code compromise, especially for public clients (with no secret or no means to correctly protect their secret)
- No use of the nonce parameter in the IDTokens which can make the protocol vulnerable to CSRF attacks (edit: this has been recently updated by Apple)
Among its peculiarities, we can mention:
- Client secret being generated for each request in a signed JWT form
- No possibility to change the IDToken content, even through the use of the scope parameter
OpenID foundation published an open letter to Craig Federighi asking for updates to the protocol to make it OIDC compliant, asking even for certification against the specification and lastly asking for Apple to join the OpenID foundation. Apple did not officially answer this open letter yet, but inconsistencies spotted in the documentation were updated following it.
IAM market reaction
For now, very few have integrated this feature into their applications, mostly because the solution is very new and no-one has fully measured the impact of Apple’s approach.
That said, some Customer Identity and Access Management vendors are already working hard towards the solution: some plan to integrate Sign-In with Apple in their offering and some already have it available in beta with test identifiers to actually test the experience proposed by Apple.
On GitHub, vendors of on-prem solutions have patches allowing their users to implement the feature right now and several frameworks and language libraries have implementations of Sign-In with Apple clients: React Native, Node.js and Ruby.
The Sign in with Apple story is far from being at an end; we’re still waiting for Apple’s official answer to remarks from the OpenID foundation and more detailed information on the new AppStore policy. UntilApple makes it clearer, there’s a chance that the market will stay cautious towards this feature, yet it might be a good idea to prepare for application updates. Apple will probably be a major actor of social login from now on.
Henri Lefevre and Bertrand Carlie Wavestone
Twitter feed is not available at the moment.