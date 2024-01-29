#Apple #scraps #Sign #Apple #obligation #conditions #Tablets #phones #News

OIDC is an extension of OAuth2 and certain libraries were (and some applications still are) incomplete, but that doesn't mean it wasn't based on the standards.

They called it OIDC compliant, but it was not, precisely because they had not followed the standards properly. They fixed that after release. That has nothing to do with the JWTs themselves.

OIDC is not an extension of OAuth2, but more of a wrapper around it. OAuth2 is about authorization, OIDC is about authentication. The authorization part of OIDC is OAuth2.

Only that the OAuth2 implementations of other providers did not have this, and developers do not consider it necessary to develop this anyway. But if you set up e.g. Keycloak, it can support this.

I don’t think you understand what I was referring to. The problem was (and still is) that Apple didn’t provide a single line of code to explain or demonstrate their anomalous use of client secrets. The way they do this means that as a consumer you suddenly have to do something that is normally on the provider side of OAuth2, namely generate a JWS.

It is not surprising that they do not want to maintain SDKs for all kinds of programming languages, but they should have provided at least one reference implementation and that is not available.

The standards of OAuth2 and OIDC have nothing to do with this, because how a client secret is created is not specified. But it does mean that there was no OAuth2 client library that could do this; and most still don’t do this because it’s simply not part of a client’s responsibility.

The secret etc. that you talk about is indeed the responsibility of your application if the client wants to use it. Indeed, Facebook etc. generate everything on their side and then give your application the opportunity to communicate directly with the profile without the user continuing to give permission; with Apple this is explicitly set up not to be possible.

Uh, so this is absolutely not the case.

The client secret is intended to verify your request for user data, but for this you need the user’s authorization. That is no different. It is indeed true that the token you receive from Apple is then quite useless, while you can request data several times from other providers – but that is separate from the secret.

In fact, I have a number of OIDC implementations in one of my backends where, just like with Apple, you can’t do anything with the token, except check whether it is still valid.
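The "generate a JWS yourself" step the thread keeps circling back to, shown as an added example that belongs to none of the posters above: the client side builds the ES256-signed client_secret JWT from the claim set Apple documents (iss = Team ID, sub = client_id, aud = https://appleid.apple.com, iat, exp no more than six months out), and the provider side verifies it. The Team ID, Key ID and Services ID are constructed sample values, and a fresh P-256 key is generated so the code runs offline; in practice the key is the .p8 file Apple issues, loaded with x509.ParsePKCS8PrivateKey.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const appleAudience = "https://appleid.apple.com"

// maxSecretLifetime is the six-month ceiling Apple documents for exp - iat.
const maxSecretLifetime = 15777000 * time.Second

// AppleSecretClaims is the claim set Apple documents for the client_secret JWT.
type AppleSecretClaims struct {
	Iss string `json:"iss"` // Apple Developer Team ID
	Iat int64  `json:"iat"` // issued-at, Unix seconds
	Exp int64  `json:"exp"` // expiry, at most six months after iat
	Aud string `json:"aud"` // always https://appleid.apple.com
	Sub string `json:"sub"` // the client_id (Services ID or bundle ID)
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MakeClientSecret is the provider-side work Apple pushes onto the client: a compact
// JWS with header {"alg":"ES256","kid":keyID} over the claims, signed with the P-256
// key Apple issued. ES256 signatures are raw r||s (64 bytes), not DER.
func MakeClientSecret(priv *ecdsa.PrivateKey, keyID, teamID, clientID string, now time.Time, ttl time.Duration) (string, error) {
	if ttl <= 0 || ttl > maxSecretLifetime {
		return "", errors.New("client secret lifetime must be positive and at most six months")
	}
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": keyID})
	claims, _ := json.Marshal(AppleSecretClaims{
		Iss: teamID, Iat: now.Unix(), Exp: now.Add(ttl).Unix(), Aud: appleAudience, Sub: clientID,
	})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32]) // fixed-width big-endian halves, per RFC 7518 section 3.4
	s.FillBytes(sig[32:])
	return signingInput + "." + b64url(sig), nil
}

// VerifyClientSecret is the check the token endpoint performs: structure, pinned alg,
// signature, audience and lifetime. The returned claims let the caller match sub
// against the client_id sent in the token request.
func VerifyClientSecret(pub *ecdsa.PublicKey, token string, now time.Time) (*AppleSecretClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if err := json.Unmarshal(rawHeader, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "ES256" || hdr.Kid == "" { // never let the token choose the algorithm
		return nil, errors.New("unexpected alg or missing kid")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("malformed ES256 signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature does not verify")
	}
	rawClaims, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c AppleSecretClaims
	if err := json.Unmarshal(rawClaims, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Aud != appleAudience:
		return nil, errors.New("wrong audience")
	case c.Exp <= now.Unix():
		return nil, errors.New("client secret expired")
	case time.Duration(c.Exp-c.Iat)*time.Second > maxSecretLifetime:
		return nil, errors.New("lifetime exceeds six months")
	}
	return &c, nil
}

func main() {
	// Constructed stand-in for the .p8 key Apple issues; IDs below are sample values.
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	secret, err := MakeClientSecret(priv, "ABC123DEFG", "TEAMID1234", "com.example.signin", now, 24*time.Hour)
	if err != nil {
		panic(err)
	}
	claims, err := VerifyClientSecret(&priv.PublicKey, secret, now.Add(time.Minute))
	fmt.Printf("%s...\n%+v %v\n", secret[:40], claims, err)
}
```

The resulting string goes into the client_secret field of the POST to Apple's token endpoint in place of the static secret other providers hand out, which is why a stock OAuth2 client library has no hook for it: the library expects to be given a secret, not to mint one.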

