Aaron Parecki

  • Dan Grover https://twitter.com/DanGrover   •   Jun 4
    I can see this giving users a lot of rope to hang themselves, too. If you are trying to use any cross-platform service, you now have no way to log in on a non-Apple device or recover your account.
    Aaron Parecki
    It's just OAuth, and it works on the web too. https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple
    Portland, Oregon, USA
    5 likes 1 repost 1 reply
    Tue, Jun 4, 2019 8:16pm -07:00
  • Michael Warkentin https://twitter.com/mwarkentin   •   Jun 5
    @Threadreaderapp unroll
    Aaron Parecki
    already did that myself 😉 https://aaronparecki.com/2019/06/04/23/sign-in-with-apple-misunderstandings
    Portland, Oregon, USA
    4 likes 1 repost
    Tue, Jun 4, 2019 5:16pm -07:00
  • André Neves https://twitter.com/andreneves   •   Jun 4
    So now services/apps need to handle OAuth, Apple SSO, and regular email/pass. Feels like more mental burden for developers.
    Aaron Parecki
    Also turns out Apple's is also OAuth :-) https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple
    Portland, Oregon
    2 likes
    Tue, Jun 4, 2019 3:42pm -07:00
  • André Neves https://twitter.com/andreneves   •   Jun 4
    Feels a lot like another way to lock users inside of the Apple world. How is this any better than signing up with any other service like Google or Facebook (for OAuth for example). It has some nice 'privacy' features but it feels like a marketing stunt more than anything imo
    Aaron Parecki
    It's more about providing easier options for users: https://aaronparecki.com/2019/06/04/23/sign-in-with-apple-misunderstandings
    Portland, Oregon
    2 likes 2 replies
    Tue, Jun 4, 2019 3:42pm -07:00
  • complexmix https://twitter.com/thatonehacker5   •   Jun 4
    It will be set as the default (knowing Apple) and will make all other options so inconvenient that apple users will essentially have one choice. Just like how you can use Chrome on iOS, but they make it as inconvenient as possible to avoid the POS that is Safari.
    Aaron Parecki
    It's still up to the app to provide the buttons. Check out the sample walkthroughs in that blog post.
    Portland, Oregon
    1 reply
    Tue, Jun 4, 2019 3:27pm -07:00
  • complexmix https://twitter.com/thatonehacker5   •   Jun 4
    Ah yes, take away the freedom of choice
    Aaron Parecki
    In contrast: this forces app developers to provide users the choice between Apple or some other sign-in, rather than letting developers require just e.g. Facebook login.

    More: https://aaronparecki.com/2019/06/04/23/sign-in-with-apple-misunderstandings
    Portland, Oregon, USA
    2 likes 2 reposts 1 reply
    Tue, Jun 4, 2019 3:16pm -07:00
  • Halyna https://twitter.com/Halyna_13   •   Jun 4
    No, you don’t need an Apple device for 2FAuth of Apple ID. They send an SMS to authenticate the new login.
    Aaron Parecki
    Confirmed. I was able to create a brand new Apple ID, enroll a Google Voice phone number for 2FA, and never touch this account from an iOS device.
    Portland, Oregon
    6 likes 2 replies
    Tue, Jun 4, 2019 1:25pm -07:00
  • Stefan Esser https://twitter.com/i0n1c   •   Jun 4
    you still need a trusted apple device to use Apple 2FA in addition to trusted phone number, don’t you?
    Aaron Parecki
    I honestly don't know. But also keep in mind this is primarily designed for logging in to iOS apps, so ppl can log in with their Apple account instead of their Facebook account, which is a win for user privacy.
    Portland, Oregon
    Tue, Jun 4, 2019 1:12pm -07:00
  • Stefan Esser https://twitter.com/i0n1c   •   Jun 4
    yes and how are you supposed to get through the Apple 2FA protection without an Apple device?
    Aaron Parecki
    via SMS or phone call

    > A trusted phone number is a number that can be used to receive verification codes by text message or automated phone call. You must verify at least one trusted phone number to enroll in two-factor authentication.

    https://support.apple.com/en-us/HT204915
    Portland, Oregon
    4 likes 2 replies
    Tue, Jun 4, 2019 12:57pm -07:00
  • Stefan Esser https://twitter.com/i0n1c   •   Jun 4
    because you want to actually login to a service from an android device
    Aaron Parecki
    That's not how it works. It works like every other OAuth flow, you click the button and are redirected to Apple to sign in. Here's a full walkthrough with screenshots: https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple
    Portland, Oregon
    4 likes 8 replies
    Tue, Jun 4, 2019 12:54pm -07:00
  • Marty McGuire https://martymcgui.re/   •   Jun 4

    I am excited to see this as part of indielogin.com, but I don’t yet see a clear identifier that I could put on my homepage to say “yep, that’s my Apple account”!

    Aaron Parecki
    I suspect the identifier returned is also scoped per app like their advertising IDs, but have not yet confirmed this.
    Portland, Oregon
    Tue, Jun 4, 2019 10:16am -07:00
  • Brandon Carroll https://twitter.com/bcarroll22   •   Jun 4
    If you have a native and a web app, and a user creates their account with Apple sign in through your app, I wonder how you sign in with that account in your web app? Is Apple sign in basically just oauth with a fake email address you don’t know? And what’s your password?
    Aaron Parecki
    It's just OAuth. Sign In with Apple isn't limited to mobile apps. Here's a demo of doing it in a web app. https://github.com/aaronpk/sign-in-with-apple-example
    Portland, Oregon
    1 like 1 reply
    Mon, Jun 3, 2019 9:13pm -07:00
  • Seth A. Roby https://twitter.com/TALlama   •   Jun 4
    I haven’t looked into the tech specs yet; but I’m assuming it’s just WebAuthn or OAuth under the hood. If so it shouldn’t be hard to support.
    Aaron Parecki
    It is OAuth! https://github.com/aaronpk/sign-in-with-apple-example
    Portland, Oregon
    1 like
    Mon, Jun 3, 2019 7:59pm -07:00
  • Dana Fried https://twitter.com/leftoblique   •   Jun 4
    Isn't there a single open standard being used under the hood by most of the big sign in providers now? I was under the impression that they're all OAuth or something?
    Aaron Parecki
    I've been testing out the new API and it's definitely OAuth/OpenID Connect. But it's true that this will add more work for developers, both just getting this set up and also dealing with a new kind of account identifier.
    Portland, Oregon
    3 likes
    Mon, Jun 3, 2019 6:01pm -07:00
  • Ben Sandofsky https://twitter.com/sandofsky   •   Jun 3
    Wow. Apple sign-in support is mandatory? https://developer.apple.com/news/?id=06032019j
    Aaron Parecki
    Sounds like they are requiring Apple Sign-In to be an option if any other third party sign-in is also provided. Good move IMO, better for users! This will stop apps from having just a "Sign in with Facebook" option.
    Portland, Oregon, USA
    22 likes 1 reply
    Mon, Jun 3, 2019 4:49pm -07:00
  • Barry Dorrans https://twitter.com/blowdart   •   Jun 3
    Oof no discovery document? Blah
    Aaron Parecki
    Not that I've been able to find! Also can't find their userinfo or introspection endpoints. I also had to guess their authorization endpoint because it's not in their docs.
    Portland, Oregon
    1 like 1 reply
    Mon, Jun 3, 2019 4:29pm -07:00
  • Barry Dorrans https://twitter.com/blowdart   •   Jun 3
    No token binding? 😒
    Aaron Parecki
    So far there's no docs on what you can do with the access token. I suspect using it may require also including the client_secret which is a signed JWT, or who knows. Here's the working code: https://github.com/aaronpk/sign-in-with-apple-example
    Portland, Oregon, USA
    3 replies
    Mon, Jun 3, 2019 4:01pm -07:00
  • Jhonny https://twitter.com/JhonnyBillM   •   Jun 3
    Do you know if I can request users profile picture ?
    Aaron Parecki
    So far there is no indication that'll be possible.
    Portland, Oregon
    1 like
    Mon, Jun 3, 2019 3:45pm -07:00
  • @fluffy https://queer.party/@fluffy   •   Jun 3

    @aaronpk Cool that they're using an open protocol! I still wish it were one with a better federation story though. Anyone should be able to provide any identity to anyone, rather than being beholden to the handful that any given website decides to support.

    Aaron Parecki
    I totally agree! https://indieauth.net/
    Portland, Oregon
    1 reply
    Mon, Jun 3, 2019 3:38pm -07:00
  • Aaron Parecki https://aaronparecki.com/   •   Jun 3
    weirdnesses:

    • Their token endpoint requires setting a User-Agent header, otherwise responds with an HTML error
    • Client secrets are a signed JWT using ECDSA + SHA256
    • An email address isn't returned even when requesting the `email` scope
    Aaron Parecki
    If you're interested, here is my sample code I was able to use to get an access token and ID token from Apple

    https://github.com/aaronpk/sign-in-with-apple-example
    Portland, Oregon, USA
    31 likes 12 reposts 2 replies
    Mon, Jun 3, 2019 3:20pm -07:00
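
The signed-JWT client secret and the User-Agent requirement from the "weirdnesses" note above, as an added example that is not part of the original posts or of the linked sample repository. It assumes the claim layout Apple documents for this JWT (`iss` = team ID, `sub` = client ID, `aud` = `https://appleid.apple.com`); the team ID, key ID, client ID and User-Agent string are constructed placeholders, and the key is a throwaway generated on the spot.

```javascript
const crypto = require("crypto");

const b64url = (v) => Buffer.from(v).toString("base64url");
const fromB64url = (s) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));

// Build the client secret: a JWT signed with ECDSA P-256 + SHA-256 (JWS alg "ES256").
// JWS wants the raw 64-byte r||s signature, not the DER form Node emits by default.
function makeClientSecret({ teamId, clientId, keyId, privateKey, now, ttl = 3600 }) {
  const header = { alg: "ES256", kid: keyId };
  const claims = { iss: teamId, iat: now, exp: now + ttl,
                   aud: "https://appleid.apple.com", sub: clientId };
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign("sha256", Buffer.from(input),
                          { key: privateKey, dsaEncoding: "ieee-p1363" });
  return `${input}.${sig.toString("base64url")}`;
}

// Verifier side: pin the algorithm, check the signature, then the expiry.
function verifyClientSecret(jwt, publicKey, now) {
  const parts = jwt.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  if (fromB64url(h).alg !== "ES256") return null; // never trust "none" or HS256 here
  const ok = crypto.verify("sha256", Buffer.from(`${h}.${p}`),
                           { key: publicKey, dsaEncoding: "ieee-p1363" },
                           Buffer.from(s, "base64url"));
  if (!ok) return null;
  const claims = fromB64url(p);
  return claims.exp > now ? claims : null;
}

// Token request description (not sent). The explicit User-Agent matters: per the
// note above, the token endpoint answers with an HTML error page without one.
function tokenRequest(endpoint, clientId, clientSecret, code, redirectUri) {
  const body = new URLSearchParams({ grant_type: "authorization_code", code,
    redirect_uri: redirectUri, client_id: clientId, client_secret: clientSecret });
  return { url: endpoint, method: "POST", body: body.toString(),
           headers: { "User-Agent": "example-client/1.0", Accept: "application/json",
                      "Content-Type": "application/x-www-form-urlencoded" } };
}

// Constructed demo values: throwaway key, placeholder team/key/client IDs.
const demoKeys = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
const demoSecret = makeClientSecret({ teamId: "TEAMID0000", clientId: "com.example.web",
  keyId: "KEYID00000", privateKey: demoKeys.privateKey, now: 1559600000 });
console.log(verifyClientSecret(demoSecret, demoKeys.publicKey, 1559600100));
```

A secret with a short lifetime that is regenerated on demand limits what a leaked copy is worth; the signing key itself is the credential to protect.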

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming.

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel.

  • Director of Identity Standards at Okta
  • IndieWebCamp Founder
  • OAuth WG Editor
  • OpenID Board Member

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.