Apple ID

Overview#

Apple ID is a Digital Identity issued by Apple.

What is an Apple ID?#

An Apple ID is the personal account you use to access Apple services like the App Store, iTunes Store, iCloud, iMessage, the Apple Online Store, FaceTime, and more. It includes the information you use to sign in, as well as all the contact, payment, and security details that you’ll use across Apple services.

When do I use my Apple ID?#

Any time you set up a new device, make a purchase, or use any Apple service, you will be asked to sign in with your Apple ID and password. Once signed in you’ll have access to the service and all the personal information in your account.

How many Apple IDs do I need?#

Just one. Use the same Apple ID everywhere you sign in to ensure that all your Apple services and devices work together seamlessly and you can access your personal content from all your devices.

Can I share an Apple ID with someone else?#

Your Apple ID SHOULD NOT be shared with anyone else. It provides access to personal information including contacts, photos, device backups, and more. Sharing your Apple ID with someone else means you are giving them access to all your personal content and may lead to confusion over who actually owns the account. To share iTunes & App Store purchases, photos, a calendar, and more with someone else, try Family Sharing, iCloud Photo Sharing, or other easy-to-use sharing features.

How can I keep my Apple ID secure?#

Security and privacy are very important to Apple and we provide a number of ways to secure your Apple ID and protect your privacy including strong passwords, Two-Factor Authentication, and more. Learn more about security and your Apple ID.


Apple announced its own sign-on solution at WWDC yesterday (2019-06-03).

It appears to be broadly OAuth2 / OpenID Connect, though this isn’t explicitly mentioned:

There is an id_token in the response, but its contents aren't obviously described beyond being "A JSON Web Token that contains the user's identity information."

One obvious oddity is that at the token endpoint you are required to pass a client_secret parameter that contains an ES256 JWS which is not entirely unlike a client_assertion. I don't know if that's a mistake in the documentation or if Apple have deliberately moved away from a standard client assertion for reasons that are unclear.

The client_secret value differs from a Private_key_jwt Client_assertion as follows:

  • its sub and iss are not the same client_id value
  • it does not require jti (and it probably wouldn't use it to check that the assertion is used only once anyway)

Apple's documentation states that the expiration of this derived client secret JWT can be up to 6 months. My assumption is they really wanted to stick to the client secret basic/post scheme so that developers can use the basic OAuth/OIDC client implementations out there but get rotating/expiring client secrets out of the box; that's why the client secret value is derived from a private key Apple generates for you (you cannot provide your own public key).

There's no discovery document and no Userinfo_endpoint; Id_token signing is RS256 only, given that the jwks_uri yields a single key with alg RS256, and the returned ID Token claims lack documentation. If there's no userinfo, what's the point of using the code flow and getting an Access Token? Is it just so that clients must use the derived secret?

Apple's frontend "Sign In with Apple JS" JavaScript implementation is a mystery to me as well: looking at the JS, it runs the authorization within a popup with a code id_token response type but a form_post response mode and a Proprietary Protocol frame_id parameter. There's no hook for getting the tokens back. This seems to be a work-in-progress interface.

More Information#

There might be more information for this subject on one of the following: