The OpenID Foundation has posted an open letter to Apple raising concerns about its upcoming ‘Sign In With Apple’ feature.
Announced earlier this month, Sign In With Apple will let users sign in to apps and websites using their Apple ID when iOS 13 and macOS Catalina launch.
Sign In with Apple was built from the ground up to give users peace of mind about their privacy. Data collection is limited to the user’s name and email address, and Apple’s private email relay lets users receive email even if they prefer to keep their address private. Apple will not track users as they interact with your app.
According to the OpenID Foundation, Apple has largely adopted OpenID Connect; however, it says the current set of differences exposes users to greater security and privacy risks. It’s urging the company to address the gaps between Sign In with Apple and OpenID Connect.
You can read the full letter below!
June 27, 2019
Mr. Craig Federighi
Senior Vice President of Software Engineering
One Apple Park Way
Cupertino, CA 95014
RE: Open Letter from the OpenID Foundation to Apple Regarding Sign In with Apple
Dear Mr. Federighi,
The OpenID Foundation applauds Apple’s efforts to allow users to login to third-party mobile and Web applications with their Apple ID using OpenID Connect.
Over the course of the last decade, OpenID Connect was developed by a large number of companies and industry experts within the OpenID Foundation (OIDF). OpenID Connect is a modern, widely-adopted identity protocol built on OAuth 2.0 that enables third-party login to applications in a standard way.
It appears Apple has largely adopted OpenID Connect for their Sign In with Apple implementation offering, or at least has intended to. Known differences between the two are tracked in a document managed by the OIDF certification team, found here: https://bitbucket.org/openid/connect/src/default/How-Sign-in-with-Apple-differs-from-OpenID-Connect.md.
The current set of differences between OpenID Connect and Sign In with Apple reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks. It also places an unnecessary burden on developers of both OpenID Connect and Sign In with Apple. By closing the current gaps, Apple would be interoperable with widely-available OpenID Connect Relying Party software.
Therefore the OpenID Foundation invites Apple to:
● Address the gaps between Sign In with Apple and OpenID Connect based on the feedback.
● Use the OpenID Connect Self Certification Test Suite to improve the interoperability and security of Sign In with Apple.
● Publicly state that Sign In with Apple is compatible and interoperable with widely-available OpenID Connect Relying Party software.
● Join the OpenID Foundation.
The OpenID Foundation and the community at large would appreciate Apple’s feedback.
Thank you for your consideration.
OpenID Foundation Chairman
On behalf of the Board of Directors of the OpenID Foundation
This article was originally posted here