Apple announced its “Sign In with Apple” feature with much fanfare at WWDC last month. Meant to be a brand-new way for the Apple users to log into apps and websites without losing their privacy, the feature has now been called out by OpenID Foundation. The foundation says that although Apple has used significant parts of OpenID Connect for Sign In with Apple implementation, its code is not completely aligned with OpenID, leaving the users vulnerable to security and privacy risks.
In an open letter to Apple's Senior Vice President of Software Engineering Craig Federighi, OpenID Foundation wrote, “the current set of differences between OpenID Connect and Sign In with Apple reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks.”
The foundation has also detailed the spec violations as well as peculiarities in Sign In with Apple implementation, at least one of which is known to enable attacks. Other violations and peculiarities mostly seem to hamper the interoperability of Apple's solution with OpenID Connect partners. It is unclear if any of them pose any security or privacy risks to Apple consumers.
The OpenID Foundation is asking Apple to address the gaps between Sign In with Apple and OpenID Connect and make it compatible and interoperable. The foundation is also asking Apple to join it.
Apple has said to have fixed one of issues pointed out by the foundation. So, the company is clearly paying attention to what OpenID Foundation is saying, but it remains to be seen whether the iPhone maker will do everything that the foundation is asking or just fix the security issues and keep its implementation independent.
To recall, with Apple ID authentication, Apple will just provide the app developers or website publishers with a random ID and keep all of users' data safe with itself. The company also said that it won't use the Apple ID authentication data to profile users or their activity.