
Sign In with Apple support

Open CetinSert opened this issue 5 years ago • 12 comments

https://developer.apple.com/sign-in-with-apple/

  1. Is this new authentication API easy to integrate into authn-server?
  2. Is there any work happening on this front?

@cainlevy

CetinSert, Jun 17 '19 06:06

@cetinsert Yes, my first impression is that Sign In with Apple uses a standard OAuth flow and should be simple to integrate into authn-server. I'm not aware of anyone working on it yet.

Integrating an OAuth provider into authn-server involves:

  • adding configuration for the integration (example)
  • implementing the Provider interface, mostly to fetch the authenticated user's ID and email (example)

cainlevy, Jun 18 '19 16:06

@cainlevy

https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple#create-a-private-key-for-client-authentication

Does this clarify any questions for development?

I would love to take time and send you weekly PRs for each oauth2 provider available in https://godoc.org/golang.org/x/oauth2#pkg-subdirectories but not yet in authn-server.

I am not sure I can start with Sign In with Apple right off the bat though. I need your assessment of how far it differs from existing oauth2 clients (both authn-server and golang.org/x/oauth2/* ones).

CetinSert, Jun 19 '19 11:06

Interesting. AuthN currently assumes that the client secret can be generated on startup. We'll need to update the oauth.Provider interface to allow for dynamic configuration so that we can create the JWT per request.

It's nice that the returned access token contains an ID token with the user ID. It looks like there's no way to fetch an email though. For now we can probably "cheat" by creating a fake email from the user ID so that the account creation validations don't need any modification.

All in all, it looks doable but with at least one complication that other oauth2 clients would not have.

cainlevy, Jun 19 '19 15:06

I believe the reason they do not provide a static email directly is because Apple wants to provide a unique email per app, or perhaps per login, to keep the user's email address private. This was a much appreciated feature when they first announced Sign In with Apple a few weeks / days ago.

CetinSert, Jun 20 '19 08:06

Yeah, that's neat! It just looks like there's no way to discover the email address yet.

cainlevy, Jun 21 '19 02:06

With https://github.com/golang/oauth2/pull/386/files#diff-ae789e93466cc0fcd954b362b667fec6 now defined, what needs to be done is just a provider file for your project, right?

CetinSert, Sep 04 '19 13:09

id_token in https://developer.apple.com/documentation/signinwithapplerestapi/tokenresponse contains the user ID which is a unique or real email address.

CetinSert, Sep 04 '19 13:09

@cainlevy can you review the last two comments above?

CetinSert, Sep 05 '19 12:09

@cetinsert nice, looks ready

cainlevy, Sep 05 '19 14:09

I think the upstream PR got lost in gerrit-land on this one. I can try to resubmit, but any concern about defining an endpoint internally in the interim if this one is pursued, @cainlevy?

AlexCuse, Nov 18 '23 23:11

This PR will enable defining provider-specific signing keys as part of the configured credentials and should unblock future work here: https://github.com/keratin/authn-server/pull/236

AlexCuse, Jan 13 '24 03:01

Think I'm pretty close to having a PR ready for this. Will be based on this branch: https://github.com/keratin/authn-server/pull/241

Came across this doc with some of the rough edges in Apple's implementation that seemed worth including here for posterity: https://bitbucket.org/openid/connect/src/master/How-Sign-in-with-Apple-differs-from-OpenID-Connect.md#markdown-header-peculiarities

AlexCuse, Feb 03 '24 02:02

This is available in v1.19.0.

https://github.com/keratin/authn-server/releases/tag/v1.19.0

AlexCuse, Apr 04 '24 00:04