82°F

Aaron Parecki

  • Articles
  • Notes
  • Photos

Monday, June 3, 2019

← Older → Newer
  • 10:17pm
    Asleep
    6:00am
    Awake
    7h 43m
    Slept
    21m
    Awake for
    Portland, Oregon, USA
    Mon, Jun 3, 2019 6:00am -07:00
  • Aaron Parecki
    Contributions from: Denmark, Poland, United Kingdom, United States
    Mon, Jun 3, 2019 10:35am -07:00
  • Apple is making keynote presentations look super easy. What pros! Nobody matches this level of performance. #WWDC19

    Portland, Oregon
    Mon, Jun 3, 2019 1:34pm -04:00 (liked on Mon, Jun 3, 2019 11:03am -07:00)
  • With the new Mac Pro and Logic Pro soon to be released, I’m starting a new rock band called The Mac Pros. Or maybe the Cheesegraters.

    Portland, Oregon
    Mon, Jun 3, 2019 1:35pm -05:00 (liked on Mon, Jun 3, 2019 11:38am -07:00)
  • 📷 PhotoJoseph 🎥 https://twitter.com/photojoseph
    DIRECT IMPORT INTO LIGHTROOM ON iPadOS!!!!!! Finally. Fi. Na. Lly.
    Portland, Oregon
    Mon, Jun 3, 2019 6:11pm +00:00 (liked on Mon, Jun 3, 2019 11:39am -07:00)
  • 📷 PhotoJoseph 🎥 https://twitter.com/photojoseph   •   Jun 3
    DIRECT IMPORT INTO LIGHTROOM ON iPadOS!!!!!! Finally. Fi. Na. Lly.
    Aaron Parecki
    I definitely thought of you when they announced that!
    Portland, Oregon
    1 like
    Mon, Jun 3, 2019 11:43am -07:00
  • Aaron Parecki
    Well this is exciting. 🍎🔐 #AppleID #OAuth #WWDC2019 #WWDC
    Portland, Oregon, USA
    9 likes 1 repost 2 replies
    Mon, Jun 3, 2019 1:38pm -07:00 #appleid #oauth #wwdc2019 #wwdc
  • Aaron Parecki
    Initial test of the "Sign in with Apple" API:

    • It's more or less based on OAuth + OIDC
    • Their documentation is missing a lot of key info to use it right now, I had to guess at a lot of things
    • The `sub` claim includes some sort of unique user identifier, not an email
    Portland, Oregon, USA
    74 likes 23 reposts 8 replies
    Mon, Jun 3, 2019 2:21pm -07:00 #oauth
  • Aaron Parecki https://aaronparecki.com/   •   Jun 3
    Initial test of the "Sign in with Apple" API:

    • It's more or less based on OAuth + OIDC
    • Their documentation is missing a lot of key info to use it right now, I had to guess at a lot of things
    • The `sub` claim includes some sort of unique user identifier, not an email
    Aaron Parecki
    weirdnesses:

    • Their token endpoint requires setting a User-Agent header, otherwise responds with an HTML error
    • Client secrets are a signed JWT using ECDSA + SHA256
    • An email address isn't returned even when requesting the `email` scope
    Portland, Oregon, USA
    12 likes 1 repost 2 replies
    Mon, Jun 3, 2019 2:24pm -07:00
  • Marc Köhlbrugge https://twitter.com/marckohlbrugge   •   Jun 3
    Some ppl pointed out this is probably “just” an implementation of OAuth w/ email forwarding on top.

    That’s probably correct. However, what sets Apple apart from the other major OAuth providers (mainly Facebook & Google) is that Apple is not in the business of selling your data.
    Aaron Parecki
    I just tried it out and it's OAuth + OpenID Connect with a little bit of Apple uniqueness sprinkled in.
    Portland, Oregon, USA
    4 likes
    Mon, Jun 3, 2019 2:29pm -07:00
  • Blaine Cook https://twitter.com/blaine   •   Jun 3
    Oh, nice, where did you find the details?
    Aaron Parecki
    They have some docs here https://developer.apple.com/sign-in-with-apple/get-started/ but their docs are missing quite a bit right now. I had to guess at some endpoints and things.
    Portland, Oregon, USA
    6 likes 1 reply
    Mon, Jun 3, 2019 2:29pm -07:00
  • @fluffy https://queer.party/@fluffy   •   Jun 3

    @aaronpk I wonder what the underlying protocol is and if anyone can join in as an identity provider. I'm not any more enamored with Apple as identity service as with Twitter or Facebook.

    Aaron Parecki
    It's OAuth + OIDC, and they are becoming an identity provider with this. I do think they're better for this than Twitter/Facebook since they aren't in the business of selling user data.
    Portland, Oregon
    1 like 1 reply
    Mon, Jun 3, 2019 2:38pm -07:00
  • Aaron Parecki https://aaronparecki.com/   •   Jun 3
    weirdnesses:

    • Their token endpoint requires setting a User-Agent header, otherwise responds with an HTML error
    • Client secrets are a signed JWT using ECDSA + SHA256
    • An email address isn't returned even when requesting the `email` scope
    Aaron Parecki
    If you're interested, here is my sample code I was able to use to get an access token and ID token from Apple

    https://github.com/aaronpk/sign-in-with-apple-example
    Portland, Oregon, USA
    31 likes 12 reposts 2 replies
    Mon, Jun 3, 2019 3:20pm -07:00
  • @fluffy https://queer.party/@fluffy   •   Jun 3

    @aaronpk Cool that they're using an open protocol! I still wish it were one with a better federation story though. Anyone should be able to provide any identity to anyone, rather than being beholden to the handful that any given website decides to support.

    Aaron Parecki
    I totally agree! https://indieauth.net/
    Portland, Oregon
    1 reply
    Mon, Jun 3, 2019 3:38pm -07:00
  • Jhonny https://twitter.com/JhonnyBillM   •   Jun 3
    Do you know if I can request users profile picture ?
    Aaron Parecki
    So far there is no indication that'll be possible.
    Portland, Oregon
    1 like
    Mon, Jun 3, 2019 3:45pm -07:00
  • Barry Dorrans https://twitter.com/blowdart   •   Jun 3
    No token binding? 😒
    Aaron Parecki
    So far there's no docs on what you can do with the access token. I suspect using it may require also including the client_secret which is a signed JWT, or who knows. Here's the working code: https://github.com/aaronpk/sign-in-with-apple-example
    Portland, Oregon, USA
    3 replies
    Mon, Jun 3, 2019 4:01pm -07:00
  • Barry Dorrans https://twitter.com/blowdart   •   Jun 3
    Oof no discovery document? Blah
    Aaron Parecki
    Not that I've been able to find! Also can't find their userinfo or introspection endpoints. I also had to guess their authorization endpoint because it's not in their docs.
    Portland, Oregon
    1 like 1 reply
    Mon, Jun 3, 2019 4:29pm -07:00
  • Ben Sandofsky https://twitter.com/sandofsky
    Wow. Apple sign-in support is mandatory? https://developer.apple.com/news/?id=06032019j
    Portland, Oregon
    Mon, Jun 3, 2019 10:23pm +00:00 (liked on Mon, Jun 3, 2019 4:48pm -07:00)
  • Ben Sandofsky https://twitter.com/sandofsky   •   Jun 3
    Wow. Apple sign-in support is mandatory? https://developer.apple.com/news/?id=06032019j
    Aaron Parecki
    Sounds like they are requiring Apple Sign-In to be an option if any other third party sign-in is also provided. Good move IMO, better for users! This will stop apps from having just a "Sign in with Facebook" option.
    Portland, Oregon, USA
    22 likes 1 reply
    Mon, Jun 3, 2019 4:49pm -07:00
  • Jason™ https://twitter.com/yuusharo
    I don’t understand the argument you’re trying to make, Philip.

    Sign in with Apple works on all devices including the web and Android. They specifically said so during the Platform State of the Union a few hours ago.

    It’s tied to your AppleID, not your device.
    Portland, Oregon
    Mon, Jun 3, 2019 11:53pm +00:00 (liked on Mon, Jun 3, 2019 5:00pm -07:00)
  • Christina "I Am Sadly not at WWDC" Warren https://twitter.com/film_girl
    I’m sure devs will complain but as a user, I’m glad to see this.
    Portland, Oregon
    Mon, Jun 3, 2019 11:25pm +00:00 (liked on Mon, Jun 3, 2019 5:59pm -07:00)
  • Dana Fried https://twitter.com/leftoblique   •   Jun 4
    Isn't there a single open standard being used under the hood by most of the big sign in providers now? I was under the impression that they're all OAuth or something?
    Aaron Parecki
    I've been testing out the new API and it's definitely OAuth/OpenID Connect. But it's true that this will add more work for developers, both just getting this set up and also dealing with a new kind of account identifier.
    Portland, Oregon
    3 likes
    Mon, Jun 3, 2019 6:01pm -07:00
  • Christina "I Am Sadly not at WWDC" Warren https://twitter.com/film_girl
    Yeah most are oauth
    Portland, Oregon
    Tue, Jun 4, 2019 1:02am +00:00 (liked on Mon, Jun 3, 2019 6:02pm -07:00)
  • Ben Adida https://twitter.com/benadida
    1/ On the occasion of the launch of @apple's "Sign in with Apple," allow me to indulge in a walk down a memory lane called @MozillaPersona -- the project I loved and led at Mozilla 6-8 years ago, the project that broke my heart. This is my take, I'm sure it's incomplete.
    Portland, Oregon
    Tue, Jun 4, 2019 1:15am +00:00 (liked on Mon, Jun 3, 2019 6:24pm -07:00)
  • Mister Kookookajoo https://twitter.com/MrKookookajoo
    Finally, a better option than FB and Google sign in.
    Portland, Oregon
    Tue, Jun 4, 2019 1:35am +00:00 (liked on Mon, Jun 3, 2019 6:38pm -07:00)
  • Seth A. Roby https://twitter.com/TALlama   •   Jun 4
    I haven’t looked into the tech specs yet; but I’m assuming it’s just WebauthN or OAuth under the hood. If so it shouldn’t be hard to support.
    Aaron Parecki
    It is OAuth! https://github.com/aaronpk/sign-in-with-apple-example
    Portland, Oregon
    1 like
    Mon, Jun 3, 2019 7:59pm -07:00
  • Aaron Parecki
    Reading all these tweets of people freaking out about Apple requiring apps to use "Sign In with Apple" and feeling another "authentication is not authorization" rant coming. Lots of misunderstanding of sign-in vs accessing APIs. #WWDC19 #OAuth
    Portland, Oregon, USA
    7 likes 2 reposts 2 replies 1 mention
    Mon, Jun 3, 2019 9:12pm -07:00 #wwdc19 #oauth
  • Brandon Carroll https://twitter.com/bcarroll22   •   Jun 4
    If you have a native and a web app, and a user creates their account with Apple sign in through your app, I wonder how you sign in with that account in your web app? Is Apple sign in basically just oauth with a fake email address you don’t know? And what’s your password?
    Aaron Parecki
    It's just OAuth. Sign In with Apple isn't limited to mobile apps. Here's a demo of doing it in a web app. https://github.com/aaronpk/sign-in-with-apple-example
    Portland, Oregon
    1 like 1 reply
    Mon, Jun 3, 2019 9:13pm -07:00
  • Dr. Jens Foell https://twitter.com/fMRI_guy
    A little experiment:

    Respond to this tweet with your most controversial pop culture opinion, and I *will* validate it.
    If there's ANY sincere pop culture opinion you have that NO ONE would EVER agree with, post it here and I will agree with you no questions asked.
    Portland, Oregon
    Mon, Jun 3, 2019 8:23pm +00:00 (liked on Mon, Jun 3, 2019 9:22pm -07:00)
← Older → Newer

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member

  • 🎥 YouTube Tutorials and Reviews
  • 🏠 We're building a triplex!
  • ⭐️ Life Stack
  • ⚙️ Home Automation
  • All
  • Articles
  • Bookmarks
  • Notes
  • Photos
  • Replies
  • Reviews
  • Trips
  • Videos
  • Contact
© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.
IndieWebCamp Microformats Webmention W3C HTML5 Creative Commons
WeChat ID
aaronpk_tv