SlideShare una empresa de Scribd logo

Sign in with Apple

Nov Matake
Nov Matake

This document summarizes differences between Sign in with Apple (SIWA) and OpenID Connect (OIDC) and OAuth 2.0 standards. It notes several ways SIWA specifications and behaviors deviate from or violate OIDC standards, including not supporting standard authentication methods, response types, and claims. It also describes SIWA's characteristic identifier design which links multiple apps and services from the same developer together under a single user consent. Developer teams are limited to 10 linked apps/services and must create a new team for additional apps.

Tecnología
1 de 35
Descargar para leer sin conexión
#idcon vol.27 - Sign in with Apple 特集 ※ ヤフースコアのことは禁句な!! https://idcon.org
Sign in with Apple ~ diff from OIDC / OAuth 2.0 & characteristic identifiers design ~ @nov
https://matake.jp
https://rubygems.org/gems/apple_id
https://signin-with-apple.herokuapp.com
Diff from OIDC / OAuth 2.0
OIDC Spec Violations ❖ when nonce is provided in the code or code id_token grant types, it won’t be included in the id_token returned #FIXED ❖ the code id_token response type does not include c_hash in the returned id_token #FIXED ❖ the code id_token response type returns the response parameters as query parameters, not in the fragment ❖ providing a prompt parameter with any value (e.g. login or consent) or empty results in a 400 with no body #FIXED ❖ when max_age is requested, the id_token does not include an auth_time claim #FIXED http://bit.ly/diff-between-siwa-and-oidc
Peculiarities (奇妙な点) ❖ no Discovery document is published at https://appleid.apple.com/.well-known/openid- configuration which makes developers have to read through the Apple docs to find out about endpoints, scopes, signing algorithms, authentication methods, etc. #FEELS-OK ❖ no User Info endpoint is provided which means all of the claims about users have to be included in the (expiring and potentially large) id_token ❖ does not include different claims in the id_token based on scope #PARTIALLY-FIXED ❖ the token endpoint does not accept client_secret_basic as authentication method (required for OpenID Connect certification) and actually the default method to use for Clients when there’s no Discovery document that says otherwise http://bit.ly/diff-between-siwa-and-oidc
Peculiarities (奇妙な点) ❖ authentication towards the token endpoint requires a (custom) JWT assertion as a client_secret in a client_secret_post authentication method whereas the more appropriate private_key_jwt authentication method as defined in RFC7523 could have been used ❖ using unsupported or wrong parameters (e.g. non-existing response_type, scope, client_id, or redirect_uri) always results in the same message in the browser that says “Your request could not be completed because of an error. Please try again later.” without any explanation about what happened, why this is an error or how to fix it #FEELS-OK #EXCEPT-FOR-SCOPE ❖ exchanging the authorization code according to https://developer.apple.com/ documentation/signinwithapplerestapi/generate_and_validate_tokens should present a non-standard grant_type=authorization_token but using the standards-compliant grant_type=authorization_code actually works whereas the former does not, so the documentation is incorrect #FIXED http://bit.ly/diff-between-siwa-and-oidc
Peculiarities (奇妙な点) ❖ the Authorization Code grant type (for public Clients?) does not use PKCE to avoid code injection and code replay attacks #FEELS-OK ❖ when using the sample app available at https://github.com/aaronpk/sign-in-with- apple-example, adding openid as a scope leads to an error message and it works just with name and email as scope values; this behavior seems to be inconsistent across Clients: for some it works, or at least does not lead to errors, for others it does not work and ends with an error #FIXED? ❖ The scope value of only the very first request by an application is respected. If an application initially requests only the name scope, and the user allows it, it is then impossible to later also request the email scope. http://bit.ly/diff-between-siwa-and-oidc
Characteristic Identifiers Design
Team X
Team X App A
Team X Primary App A Service A-1
Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2
Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
User-related Identifiers Design
User ID (sub) Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
Private Email Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
User ID : Apple User ID : Public Emails : Private Email : 12345 000123.abc2xyz.0012 foo@icloud.com foo@me.com for-team-x@privaterelay.appleid.com Q1. Which address to use in each app’s context? Q2. How to handle email changes after revocation?
Consent Screen Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
Revocation Screen Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
Careful branding strategy required for primary app grouping
Developer-related Identifiers Design
Client ID Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
Private Key Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
CLIENT_ID is of the app / service which originally received the authorization code, not of the backend server which accesses the token endpoint, even when refreshing tokens.
Private Email Relay Service Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
MAX 10 MAX 10
For the 11th domain / address, setup new team !?!? Primary App A sends emails from App A-1 sends emails from App A-2 sends emails from Service A-1 sends emails from no-reply@primary-app-a.example.com no-reply@app-a1.example.com no-reply@app-a2.example.com no-reply@service-a1.example.com :
【結論】 iOS, iPad OS, Safari での UX は最高だが クセが強いので注意

Recomendados

OAuth 2.0 Updates #technight
OAuth 2.0 Updates #technightOAuth 2.0 Updates #technight
OAuth 2.0 Updates #technightNov Matake
 
OpenID Connect 101 @ OpenID TechNight vol.11
OpenID Connect 101 @ OpenID TechNight vol.11OpenID Connect 101 @ OpenID TechNight vol.11
OpenID Connect 101 @ OpenID TechNight vol.11Nov Matake
 
ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016Nov Matake
 
W3C Web Authentication - #idcon vol.24
W3C Web Authentication - #idcon vol.24W3C Web Authentication - #idcon vol.24
W3C Web Authentication - #idcon vol.24Nov Matake
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkOAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkNov Matake
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Justin Richer
 
OpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedOpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedEugene Siow
 

Recomendados

OAuth 2.0 Updates #technight
OAuth 2.0 Updates #technightOAuth 2.0 Updates #technight
OAuth 2.0 Updates #technightNov Matake
 
OpenID Connect 101 @ OpenID TechNight vol.11
OpenID Connect 101 @ OpenID TechNight vol.11OpenID Connect 101 @ OpenID TechNight vol.11
OpenID Connect 101 @ OpenID TechNight vol.11Nov Matake
 
ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016Nov Matake
 
W3C Web Authentication - #idcon vol.24
W3C Web Authentication - #idcon vol.24W3C Web Authentication - #idcon vol.24
W3C Web Authentication - #idcon vol.24Nov Matake
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkOAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkNov Matake
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Justin Richer
 
OpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedOpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedEugene Siow
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO Alliance
 
NIST SP 800-63C #idcon vol.22
NIST SP 800-63C #idcon vol.22NIST SP 800-63C #idcon vol.22
NIST SP 800-63C #idcon vol.22Nov Matake
 
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...TrustBearer
 
Getting Started with FIDO2
Getting Started with FIDO2Getting Started with FIDO2
Getting Started with FIDO2FIDO Alliance
 
Full stack security
Full stack securityFull stack security
Full stack securityDPC Consulting Ltd
 
The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...Mike Schwartz
 
Technical Considerations for Deploying FIDO Authentication
Technical Considerations for Deploying FIDO Authentication Technical Considerations for Deploying FIDO Authentication
Technical Considerations for Deploying FIDO Authentication FIDO Alliance
 
Webauthn Tutorial
Webauthn TutorialWebauthn Tutorial
Webauthn TutorialFIDO Alliance
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
Open id connect claims idcon mini vol1
Open id connect claims idcon mini vol1Open id connect claims idcon mini vol1
Open id connect claims idcon mini vol1Ryo Ito
 
Understanding OpenID
Understanding OpenIDUnderstanding OpenID
Understanding OpenIDPrabath Siriwardena
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Alvaro Sanchez-Mariscal
 
Incorporating OAuth: How to integrate OAuth into your mobile app
Incorporating OAuth: How to integrate OAuth into your mobile appIncorporating OAuth: How to integrate OAuth into your mobile app
Incorporating OAuth: How to integrate OAuth into your mobile appNordic APIs
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersSalesforce Developers
 
Syrup pay 인증 모듈 개발 사례
Syrup pay 인증 모듈 개발 사례Syrup pay 인증 모듈 개발 사례
Syrup pay 인증 모듈 개발 사례HyungTae Lim
 
Security Cas And Open Id
Security Cas And Open IdSecurity Cas And Open Id
Security Cas And Open IdConSanFrancisco123
 
FIDO 생체인증 기술 개발 사례
FIDO 생체인증 기술 개발 사례FIDO 생체인증 기술 개발 사례
FIDO 생체인증 기술 개발 사례Lee Ji Eun
 
OAuth 2.0 Updates #technight in Osaka
OAuth 2.0 Updates #technight in OsakaOAuth 2.0 Updates #technight in Osaka
OAuth 2.0 Updates #technight in OsakaNov Matake
 
OpenID Connect via WebIntents
OpenID Connect via WebIntentsOpenID Connect via WebIntents
OpenID Connect via WebIntentsNov Matake
 
DevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloak
DevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloakDevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloak
DevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloakHitachi, Ltd. OSS Solution Center.
 
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxChanna Ly
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersInon Shkedy
 

Más contenido relacionado

La actualidad más candente

FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO Alliance
 
NIST SP 800-63C #idcon vol.22
NIST SP 800-63C #idcon vol.22NIST SP 800-63C #idcon vol.22
NIST SP 800-63C #idcon vol.22Nov Matake
 
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...TrustBearer
 
Getting Started with FIDO2
Getting Started with FIDO2Getting Started with FIDO2
Getting Started with FIDO2FIDO Alliance
 
The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...Mike Schwartz
 
Technical Considerations for Deploying FIDO Authentication
Technical Considerations for Deploying FIDO Authentication Technical Considerations for Deploying FIDO Authentication
Technical Considerations for Deploying FIDO Authentication FIDO Alliance
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
Open id connect claims idcon mini vol1
Open id connect claims idcon mini vol1Open id connect claims idcon mini vol1
Open id connect claims idcon mini vol1Ryo Ito
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Alvaro Sanchez-Mariscal
 
Incorporating OAuth: How to integrate OAuth into your mobile app
Incorporating OAuth: How to integrate OAuth into your mobile appIncorporating OAuth: How to integrate OAuth into your mobile app
Incorporating OAuth: How to integrate OAuth into your mobile appNordic APIs
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersSalesforce Developers
 
Syrup pay 인증 모듈 개발 사례
Syrup pay 인증 모듈 개발 사례Syrup pay 인증 모듈 개발 사례
Syrup pay 인증 모듈 개발 사례HyungTae Lim
 
FIDO 생체인증 기술 개발 사례
FIDO 생체인증 기술 개발 사례FIDO 생체인증 기술 개발 사례
FIDO 생체인증 기술 개발 사례Lee Ji Eun
 
OAuth 2.0 Updates #technight in Osaka
OAuth 2.0 Updates #technight in OsakaOAuth 2.0 Updates #technight in Osaka
OAuth 2.0 Updates #technight in OsakaNov Matake
 
OpenID Connect via WebIntents
OpenID Connect via WebIntentsOpenID Connect via WebIntents
OpenID Connect via WebIntentsNov Matake
 
DevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloak
DevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloakDevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloak
DevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloakHitachi, Ltd. OSS Solution Center.
 

La actualidad más candente (20)

FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
 
NIST SP 800-63C #idcon vol.22
NIST SP 800-63C #idcon vol.22NIST SP 800-63C #idcon vol.22
NIST SP 800-63C #idcon vol.22
 
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
 
Getting Started with FIDO2
Getting Started with FIDO2Getting Started with FIDO2
Getting Started with FIDO2
 
Full stack security
Full stack securityFull stack security
Full stack security
 
The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...
 
Technical Considerations for Deploying FIDO Authentication
Technical Considerations for Deploying FIDO Authentication Technical Considerations for Deploying FIDO Authentication
Technical Considerations for Deploying FIDO Authentication
 
Webauthn Tutorial
Webauthn TutorialWebauthn Tutorial
Webauthn Tutorial
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
Open id connect claims idcon mini vol1
Open id connect claims idcon mini vol1Open id connect claims idcon mini vol1
Open id connect claims idcon mini vol1
 
Understanding OpenID
Understanding OpenIDUnderstanding OpenID
Understanding OpenID
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
 
Incorporating OAuth: How to integrate OAuth into your mobile app
Incorporating OAuth: How to integrate OAuth into your mobile appIncorporating OAuth: How to integrate OAuth into your mobile app
Incorporating OAuth: How to integrate OAuth into your mobile app
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for Beginners
 
Syrup pay 인증 모듈 개발 사례
Syrup pay 인증 모듈 개발 사례Syrup pay 인증 모듈 개발 사례
Syrup pay 인증 모듈 개발 사례
 
Security Cas And Open Id
Security Cas And Open IdSecurity Cas And Open Id
Security Cas And Open Id
 
FIDO 생체인증 기술 개발 사례
FIDO 생체인증 기술 개발 사례FIDO 생체인증 기술 개발 사례
FIDO 생체인증 기술 개발 사례
 
OAuth 2.0 Updates #technight in Osaka
OAuth 2.0 Updates #technight in OsakaOAuth 2.0 Updates #technight in Osaka
OAuth 2.0 Updates #technight in Osaka
 
OpenID Connect via WebIntents
OpenID Connect via WebIntentsOpenID Connect via WebIntents
OpenID Connect via WebIntents
 
DevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloak
DevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloakDevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloak
DevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloak
 

Similar a Sign in with Apple

How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxChanna Ly
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersInon Shkedy
 
What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...Hitachi, Ltd. OSS Solution Center.
 
iOS Provisioning : Running your app in an iOS device
iOS Provisioning : Running your app in an iOS deviceiOS Provisioning : Running your app in an iOS device
iOS Provisioning : Running your app in an iOS deviceMadusha Perera
 
Live Identity Services Drilldown - PDC 2008
Live Identity Services Drilldown - PDC 2008Live Identity Services Drilldown - PDC 2008
Live Identity Services Drilldown - PDC 2008Jorgen Thelin
 
24032022 Zero Trust for Developers Pub.pdf
24032022 Zero Trust for Developers Pub.pdf24032022 Zero Trust for Developers Pub.pdf
24032022 Zero Trust for Developers Pub.pdfTomasz Kopacz
 
API Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfAPI Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfVishwas N
 
API Testing and Hacking.pdf
API Testing and Hacking.pdfAPI Testing and Hacking.pdf
API Testing and Hacking.pdfVishwas N
 
API Testing and Hacking.pdf
API Testing and Hacking.pdfAPI Testing and Hacking.pdf
API Testing and Hacking.pdfVishwasN6
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample ReportOctogence
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyCheckmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyAdar Weidman
 
Building Mobile Friendly APIs in Rails
Building Mobile Friendly APIs in RailsBuilding Mobile Friendly APIs in Rails
Building Mobile Friendly APIs in RailsJim Jeffers
 
OAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST ServicesOAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST ServicesIntuit Developer
 
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop Apigee | Google Cloud
 
Best Practices for Application Development with Box
Best Practices for Application Development with BoxBest Practices for Application Development with Box
Best Practices for Application Development with BoxJonathan LeBlanc
 
Developing Apps with Azure AD
Developing Apps with Azure ADDeveloping Apps with Azure AD
Developing Apps with Azure ADSharePointRadi
 
Developing a Public API -- at ILTechTalks 2015
Developing a Public API -- at ILTechTalks 2015Developing a Public API -- at ILTechTalks 2015
Developing a Public API -- at ILTechTalks 2015Yonatan Maman
 

Similar a Sign in with Apple (20)

How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptx
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
 
What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...
 
iOS Provisioning : Running your app in an iOS device
iOS Provisioning : Running your app in an iOS deviceiOS Provisioning : Running your app in an iOS device
iOS Provisioning : Running your app in an iOS device
 
Live Identity Services Drilldown - PDC 2008
Live Identity Services Drilldown - PDC 2008Live Identity Services Drilldown - PDC 2008
Live Identity Services Drilldown - PDC 2008
 
24032022 Zero Trust for Developers Pub.pdf
24032022 Zero Trust for Developers Pub.pdf24032022 Zero Trust for Developers Pub.pdf
24032022 Zero Trust for Developers Pub.pdf
 
API Testing and Hacking (1).pdf
API Testing and Hacking (1).pdfAPI Testing and Hacking (1).pdf
API Testing and Hacking (1).pdf
 
API Testing and Hacking.pdf
API Testing and Hacking.pdfAPI Testing and Hacking.pdf
API Testing and Hacking.pdf
 
API Testing and Hacking.pdf
API Testing and Hacking.pdfAPI Testing and Hacking.pdf
API Testing and Hacking.pdf
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyCheckmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
 
Building Mobile Friendly APIs in Rails
Building Mobile Friendly APIs in RailsBuilding Mobile Friendly APIs in Rails
Building Mobile Friendly APIs in Rails
 
OAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST ServicesOAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST Services
 
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
 
SAP Inbound IDoc.pptx
SAP Inbound IDoc.pptxSAP Inbound IDoc.pptx
SAP Inbound IDoc.pptx
 
WEB API Gateway
WEB API GatewayWEB API Gateway
WEB API Gateway
 
Best Practices for Application Development with Box
Best Practices for Application Development with BoxBest Practices for Application Development with Box
Best Practices for Application Development with Box
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 
Developing Apps with Azure AD
Developing Apps with Azure ADDeveloping Apps with Azure AD
Developing Apps with Azure AD
 
Developing a Public API -- at ILTechTalks 2015
Developing a Public API -- at ILTechTalks 2015Developing a Public API -- at ILTechTalks 2015
Developing a Public API -- at ILTechTalks 2015
 

Más de Nov Matake

#idcon vol.29 - #fidcon WebAuthn, Next Stage
#idcon vol.29 - #fidcon WebAuthn, Next Stage#idcon vol.29 - #fidcon WebAuthn, Next Stage
#idcon vol.29 - #fidcon WebAuthn, Next StageNov Matake
 
FedCM - OpenID TechNight vol.19
FedCM - OpenID TechNight vol.19FedCM - OpenID TechNight vol.19
FedCM - OpenID TechNight vol.19Nov Matake
 
Safari (ITP) & Chrome (SameSite=Lax as default) が Federation に与える影響 - OpenID ...
Safari (ITP) & Chrome (SameSite=Lax as default) が Federation に与える影響 - OpenID ...Safari (ITP) & Chrome (SameSite=Lax as default) が Federation に与える影響 - OpenID ...
Safari (ITP) & Chrome (SameSite=Lax as default) が Federation に与える影響 - OpenID ...Nov Matake
 
FIDO @ LINE - #idcon vol.24
FIDO @ LINE - #idcon vol.24FIDO @ LINE - #idcon vol.24
FIDO @ LINE - #idcon vol.24Nov Matake
 
NIST SP 800-63C - Federation and Assertions (FINAL)
NIST SP 800-63C - Federation and Assertions (FINAL)NIST SP 800-63C - Federation and Assertions (FINAL)
NIST SP 800-63C - Federation and Assertions (FINAL)Nov Matake
 
OPTiM StoreにおけるSCIM & OIDC活用事例 - ID&IT 2016
OPTiM StoreにおけるSCIM & OIDC活用事例 - ID&IT 2016OPTiM StoreにおけるSCIM & OIDC活用事例 - ID&IT 2016
OPTiM StoreにおけるSCIM & OIDC活用事例 - ID&IT 2016Nov Matake
 
NIST SP 800-63-3 #idcon vol.22
NIST SP 800-63-3 #idcon vol.22NIST SP 800-63-3 #idcon vol.22
NIST SP 800-63-3 #idcon vol.22Nov Matake
 
ID連携概要 - OpenID TechNight vol.13
ID連携概要 - OpenID TechNight vol.13ID連携概要 - OpenID TechNight vol.13
ID連携概要 - OpenID TechNight vol.13Nov Matake
 
ミスコンとプライバシー ~ IdentityDuck誕生秘話 ~ #idcon
ミスコンとプライバシー ~ IdentityDuck誕生秘話 ~ #idconミスコンとプライバシー ~ IdentityDuck誕生秘話 ~ #idcon
ミスコンとプライバシー ~ IdentityDuck誕生秘話 ~ #idconNov Matake
 
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014Nov Matake
 
FIDO alliance #idcon vol.18
FIDO alliance #idcon vol.18FIDO alliance #idcon vol.18
FIDO alliance #idcon vol.18Nov Matake
 
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014Nov Matake
 
OAuth認証再考からのOpenID Connect #devlove
OAuth認証再考からのOpenID Connect #devloveOAuth認証再考からのOpenID Connect #devlove
OAuth認証再考からのOpenID Connect #devloveNov Matake
 
ID & IT 2013 - OpenID Connect Hands-on
ID & IT 2013 - OpenID Connect Hands-onID & IT 2013 - OpenID Connect Hands-on
ID & IT 2013 - OpenID Connect Hands-onNov Matake
 
JWT Translation #technight
JWT Translation #technightJWT Translation #technight
JWT Translation #technightNov Matake
 
MIT-KIT Intro at #idcon sattelite
MIT-KIT Intro at #idcon satteliteMIT-KIT Intro at #idcon sattelite
MIT-KIT Intro at #idcon satteliteNov Matake
 
Self isssued-idp
Self isssued-idpSelf isssued-idp
Self isssued-idpNov Matake
 
IIW 16th Report at #idcon
IIW 16th Report at #idconIIW 16th Report at #idcon
IIW 16th Report at #idconNov Matake
 
Whats wrong oauth_authn
Whats wrong oauth_authnWhats wrong oauth_authn
Whats wrong oauth_authnNov Matake
 
OAuth 2.0 #idit2012
OAuth 2.0 #idit2012OAuth 2.0 #idit2012
OAuth 2.0 #idit2012Nov Matake
 

Más de Nov Matake (20)

#idcon vol.29 - #fidcon WebAuthn, Next Stage
#idcon vol.29 - #fidcon WebAuthn, Next Stage#idcon vol.29 - #fidcon WebAuthn, Next Stage
#idcon vol.29 - #fidcon WebAuthn, Next Stage
 
FedCM - OpenID TechNight vol.19
FedCM - OpenID TechNight vol.19FedCM - OpenID TechNight vol.19
FedCM - OpenID TechNight vol.19
 
Safari (ITP) & Chrome (SameSite=Lax as default) が Federation に与える影響 - OpenID ...
Safari (ITP) & Chrome (SameSite=Lax as default) が Federation に与える影響 - OpenID ...Safari (ITP) & Chrome (SameSite=Lax as default) が Federation に与える影響 - OpenID ...
Safari (ITP) & Chrome (SameSite=Lax as default) が Federation に与える影響 - OpenID ...
 
FIDO @ LINE - #idcon vol.24
FIDO @ LINE - #idcon vol.24FIDO @ LINE - #idcon vol.24
FIDO @ LINE - #idcon vol.24
 
NIST SP 800-63C - Federation and Assertions (FINAL)
NIST SP 800-63C - Federation and Assertions (FINAL)NIST SP 800-63C - Federation and Assertions (FINAL)
NIST SP 800-63C - Federation and Assertions (FINAL)
 
OPTiM StoreにおけるSCIM & OIDC活用事例 - ID&IT 2016
OPTiM StoreにおけるSCIM & OIDC活用事例 - ID&IT 2016OPTiM StoreにおけるSCIM & OIDC活用事例 - ID&IT 2016
OPTiM StoreにおけるSCIM & OIDC活用事例 - ID&IT 2016
 
NIST SP 800-63-3 #idcon vol.22
NIST SP 800-63-3 #idcon vol.22NIST SP 800-63-3 #idcon vol.22
NIST SP 800-63-3 #idcon vol.22
 
ID連携概要 - OpenID TechNight vol.13
ID連携概要 - OpenID TechNight vol.13ID連携概要 - OpenID TechNight vol.13
ID連携概要 - OpenID TechNight vol.13
 
ミスコンとプライバシー ~ IdentityDuck誕生秘話 ~ #idcon
ミスコンとプライバシー ~ IdentityDuck誕生秘話 ~ #idconミスコンとプライバシー ~ IdentityDuck誕生秘話 ~ #idcon
ミスコンとプライバシー ~ IdentityDuck誕生秘話 ~ #idcon
 
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
 
FIDO alliance #idcon vol.18
FIDO alliance #idcon vol.18FIDO alliance #idcon vol.18
FIDO alliance #idcon vol.18
 
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
 
OAuth認証再考からのOpenID Connect #devlove
OAuth認証再考からのOpenID Connect #devloveOAuth認証再考からのOpenID Connect #devlove
OAuth認証再考からのOpenID Connect #devlove
 
ID & IT 2013 - OpenID Connect Hands-on
ID & IT 2013 - OpenID Connect Hands-onID & IT 2013 - OpenID Connect Hands-on
ID & IT 2013 - OpenID Connect Hands-on
 
JWT Translation #technight
JWT Translation #technightJWT Translation #technight
JWT Translation #technight
 
MIT-KIT Intro at #idcon sattelite
MIT-KIT Intro at #idcon satteliteMIT-KIT Intro at #idcon sattelite
MIT-KIT Intro at #idcon sattelite
 
Self isssued-idp
Self isssued-idpSelf isssued-idp
Self isssued-idp
 
IIW 16th Report at #idcon
IIW 16th Report at #idconIIW 16th Report at #idcon
IIW 16th Report at #idcon
 
Whats wrong oauth_authn
Whats wrong oauth_authnWhats wrong oauth_authn
Whats wrong oauth_authn
 
OAuth 2.0 #idit2012
OAuth 2.0 #idit2012OAuth 2.0 #idit2012
OAuth 2.0 #idit2012
 

Último

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 

Último (20)

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 

Sign in with Apple

  • 1. #idcon vol.27 - Sign in with Apple 特集 ※ ヤフースコアのことは禁句な!! https://idcon.org
  • 2. Sign in with Apple ~ diff from OIDC / OAuth 2.0 & characteristic identifiers design ~ @nov
  • 6. Diff from OIDC / OAuth 2.0
  • 7. OIDC Spec Violations ❖ when nonce is provided in the code or code id_token grant types, it won’t be included in the id_token returned #FIXED ❖ the code id_token response type does not include c_hash in the returned id_token #FIXED ❖ the code id_token response type returns the response parameters as query parameters, not in the fragment ❖ providing a prompt parameter with any value (e.g. login or consent) or empty results in a 400 with no body #FIXED ❖ when max_age is requested, the id_token does not include an auth_time claim #FIXED http://bit.ly/diff-between-siwa-and-oidc
  • 8. Peculiarities (奇妙な点) ❖ no Discovery document is published at https://appleid.apple.com/.well-known/openid- configuration which makes developers have to read through the Apple docs to find out about endpoints, scopes, signing algorithms, authentication methods, etc. #FEELS-OK ❖ no User Info endpoint is provided which means all of the claims about users have to be included in the (expiring and potentially large) id_token ❖ does not include different claims in the id_token based on scope #PARTIALLY-FIXED ❖ the token endpoint does not accept client_secret_basic as authentication method (required for OpenID Connect certification) and actually the default method to use for Clients when there’s no Discovery document that says otherwise http://bit.ly/diff-between-siwa-and-oidc
  • 9. Peculiarities (奇妙な点) ❖ authentication towards the token endpoint requires a (custom) JWT assertion as a client_secret in a client_secret_post authentication method whereas the more appropriate private_key_jwt authentication method as defined in RFC7523 could have been used ❖ using unsupported or wrong parameters (e.g. non-existing response_type, scope, client_id, or redirect_uri) always results in the same message in the browser that says “Your request could not be completed because of an error. Please try again later.” without any explanation about what happened, why this is an error or how to fix it #FEELS-OK #EXCEPT-FOR-SCOPE ❖ exchanging the authorization code according to https://developer.apple.com/ documentation/signinwithapplerestapi/generate_and_validate_tokens should present a non-standard grant_type=authorization_token but using the standards-compliant grant_type=authorization_code actually works whereas the former does not, so the documentation is incorrect #FIXED http://bit.ly/diff-between-siwa-and-oidc
  • 10. Peculiarities (奇妙な点) ❖ the Authorization Code grant type (for public Clients?) does not use PKCE to avoid code injection and code replay attacks #FEELS-OK ❖ when using the sample app available at https://github.com/aaronpk/sign-in-with- apple-example, adding openid as a scope leads to an error message and it works just with name and email as scope values; this behavior seems to be inconsistent across Clients: for some it works, or at least does not lead to errors, for others it does not work and ends with an error #FIXED? ❖ The scope value of only the very first request by an application is respected. If an application initially requests only the name scope, and the user allows it, it is then impossible to later also request the email scope. http://bit.ly/diff-between-siwa-and-oidc
  • 14. Team X Primary App A Service A-1
  • 15. Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2
  • 16. Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
  • 18. User ID (sub) Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
  • 19. Private Email Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
  • 20.
  • 21.
  • 22. User ID : Apple User ID : Public Emails : Private Email : 12345 000123.abc2xyz.0012 foo@icloud.com foo@me.com for-team-x@privaterelay.appleid.com Q1. Which address to use in each app’s context? Q2. How to handle email changes after revocation?
  • 23. Consent Screen Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
  • 24. Revocation Screen Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
  • 25.
  • 26.
  • 27. Careful branding strategy required for primary app grouping
  • 29. Client ID Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
  • 30. Private Key Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
  • 31. CLIENT_ID is of the app / service which originally received the authorization code, not of the backend server which accesses the token endpoint, even when refreshing tokens.
  • 32. Private Email Relay Service Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
  • 34. For the 11th domain / address, setup new team !?!? Primary App A sends emails from App A-1 sends emails from App A-2 sends emails from Service A-1 sends emails from no-reply@primary-app-a.example.com no-reply@app-a1.example.com no-reply@app-a2.example.com no-reply@service-a1.example.com :
  • 35. 【結論】 iOS, iPad OS, Safari での UX は最高だが クセが強いので注意