weirdnesses: * Their token endpoint requires setting a User-... • Aaron Parecki

42°F

Aaron Parecki https://aaronparecki.com/ • Jun 3
Initial test of the "Sign in with Apple" API:

• It's more or less based on OAuth + OIDC
• Their documentation is missing a lot of key info to use it right now, I had to guess at a lot of things
• The `sub` claim includes some sort of unique user identifier, not an email

weirdnesses:

• Their token endpoint requires setting a User-Agent header, otherwise responds with an HTML error
• Client secrets are a signed JWT using ECDSA + SHA256
• An email address isn't returned even when requesting the `email` scope

Portland, Oregon, USA

Mon, Jun 3, 2019 2:24pm -07:00

12 likes 1 repost 2 replies
- Asim Aslam
Have you written a response to this? Let me know the URL:
- Filip Skokan twitter.com/_panva
  
  That client secret :-) so quirky, why not just call it private_key_jwt client auth and use the proper client assertion format. Also, if the key is provided by apple i'm assuming non-repudiation is off the table.
  
  Looking forward to do testing of my own using node's openid-client
  
  Tue, Jun 4, 2019 6:46am +00:00 (via brid-gy.appspot.com)
- Aaron Parecki aaronparecki.com
  
  If you're interested, here is my sample code I was able to use to get an access token and ID token from Apple
  
  https://github.com/aaronpk/sign-in-with-apple-example
  
  Mon, Jun 3, 2019 3:20pm -07:00

Posted in /replies using quill.p3k.io