Overview#Apple ID is a Digital Identity issued by Apple.
What is an Apple ID?#An Apple ID is the personal account you use to access Apple services like the App Store, iTunes Store, iCloud, iMessage, the Apple Online Store, FaceTime, and more. It includes the information you use to sign in, as well as all the contact, payment, and security details that you’ll use across Apple services.
When do I use my Apple ID?#Any time you set up a new device, make a purchase, or use any Apple service, you will be asked to sign in with your Apple ID and password. Once signed in you’ll have access to the service and all the personal information in your account.
How many Apple IDs do I need?#Just one. Use the same Apple ID everywhere you sign in to ensure that all your Apple services and devices work together seamlessly and you can access your personal content from all your devices.
Can I share an Apple ID with someone else?#Your Apple ID SHOULD NOT be shared with anyone else. It provides access to personal information including contacts, photos, device backups, and more. Sharing your Apple ID with someone else means you are giving them access to all your personal content and may lead to confusion over who actually owns the account. To share iTunes & App Store purchases, photos, a calendar, and more with someone else, try Family Sharing Opens in a new window., iCloud Photo Sharing Opens in a new window., or other easy-to-use sharing features.
How can I keep my Apple ID secure?#Security and privacy are very important to Apple and we provide a number of ways to secure your Apple ID and protect your privacy including strong passwords, Two-Factor Authentication, and more. Learn more about security and your Apple ID Opens in a new window..
Apple announced their own sign on solution at WWDC yesterday 2019-06-03.
It appears to be broadly OAuth2 / OpenID Connect, though this isn’t explicitly mentioned:
- https://developer.apple.com/documentation/signinwithapplerestapi/generate_and_validate_tokens - based on information obtained 2019-06-04
- https://developer.apple.com/documentation/signinwithapplerestapi/tokenresponse - based on information obtained 2019-06-04
There is an id_token in the response, but it’s contents aren’t obviously described beyond being ’A JSON Web Token that contains the user’s identity information.’
One obvious oddity is that at the token endpoint you are required to pass a client_secret parameter that contains an ES256 JWS that is not entirely unlikely a client_assertion. I don’t know if that’s a mistake in the documentation or if Apple have deliberately moved away from a standard client assertion for reasons that are unclear.
- its sub and iss are not the same client_id value
- it does not require jti (and it wouldn't probably use it for checking the assertion is only used once anyway)
There's no discovery and no Userinfo_endpoint, Id_token signing is RS256 only given that the jwks_uri only yields a single RS256 alg key and the returned ID Token claims lack documentation. If there's no userinfo what's the point of using code flow and getting an Access Token - is it just so that clients must use the derived secret?