
How Sign In With Apple Works

What exactly is Sign In with Apple, and how will it impact developers?


Sign In with Apple was recently announced at Apple's WWDC, which generated a lot of fanfare, discussion, and pushback. But it's important to understand how the technology works, how developers can use it, and whether it's ultimately a good or bad thing for consumers. Apple's efforts suggest that the company is taking a privacy-centric approach to social authentication, and potentially shifting how other companies think about providing good customer experiences while protecting privacy.

First to the brass tacks of the authentication itself. Sign In with Apple is based on the open standards OAuth 2.0 and OpenID Connect. If you're familiar with those, then Apple's API will already be recognizable to you. Apple is entering the space as a new OAuth/OpenID Connect provider, the same way existing providers like Facebook and Google provide APIs to authenticate users.

Most of the time, apps use these third-party providers just to identify users, saving them the step of entering and verifying an email address and remembering another password. The unfortunate side effect is that many providers like Facebook and Google also hand the app additional information about the user as part of signing in, such as the user's full name, email address, or even profile information.

Apple is taking a privacy-first approach, and returning only the bare minimum information required, and only if the user allows it. The user gets a chance to choose which name is given to the app when signing in, and can choose whether to reveal their real email address, or use a proxy email address provided by Apple.

How Will This Impact Developers?

One particularly unusual aspect of the way Apple is choosing to roll out Sign In with Apple is that they are requiring its use in apps published to the App Store, essentially mandating that developers adopt the authentication. Apple is in the unique position to be able to do this as gatekeeper of its App Store. While this may look monopolistic or controlling at first, it makes a lot of sense and has the potential to provide users with a better experience overall, as well as help preserve the privacy of iOS users.

Specifically, Sign In with Apple is required for apps that use any other third-party sign-in provider. This means if your app currently has a "Sign In with Google" button, you will need to add "Sign In with Apple" as well. Note that this likely does not apply if your app merely interacts with the Google API for some other purpose, such as managing a user's calendar.

Luckily, it should be relatively easy to integrate Sign In with Apple into your app. Apple provides a Swift API that handles all of the heavy lifting, and is likely even easier than what it took to add your current third-party sign-in providers. If you're writing a web app, then you can either use their JavaScript library, or interact with their OAuth API directly. If you're interested in reading a full tutorial of how to implement Sign In with Apple, check out my recent post on the Okta Developer blog.

What's the Promise for Consumers?

Apple has made a few careful design decisions in the way this API works, which helps preserve peoples' privacy.

Rather than return a meaningful identifier like the user's Apple ID or some username, Apple returns an opaque string as the user ID to your app, such as 001473.fe6f32bf4b8e4590adabcbdcb8598bd0.2039. These strings are guaranteed to be consistent within one Apple developer "Team," but the same user will appear to be a different user to apps built by different Apple developers. This means it will not be possible to correlate users across applications from different developers. This is notably different from traditional single-sign-on providers, which return the same stable user identifier, such as the user's email address, to every application.

Users will be able to choose whether to share their real email address or a proxy email address provided by Apple. The proxy address does not reveal the user's real address to the app, but Apple will still forward emails sent by the app developer to that proxy address on to the user.


Published at DZone with permission of

