!!! Overview
[{$pagename}] is a [Digital Identity] issued by [Apple].

!! What is an [{$pagename}]?
An Apple ID is the personal account you use to access Apple services like the App Store, iTunes Store, [iCloud], [iMessage], the Apple Online Store, [FaceTime], and more. It includes the information you use to sign in, as well as all the contact, payment, and security details that you’ll use across Apple services.

!! When do I use my [{$pagename}]?
Any time you set up a new [device], make a purchase, or use any [Apple] service, you will be asked to sign in with your [{$pagename}] and [password]. Once signed in, you’ll have access to the service and all the personal information in your account.

!! How many [{$pagename}]s do I need?
Just one. Use the same [{$pagename}] everywhere you sign in to ensure that all your [Apple] [services] and [devices] work together seamlessly and you can access your personal content from all your devices.

!! Can I share an [{$pagename}] with someone else?
Your [{$pagename}] [SHOULD NOT] be shared with anyone else. It provides access to personal information including contacts, photos, device backups, and more. Sharing your [{$pagename}] with someone else means you are giving them access to all your personal content and may lead to confusion over who actually owns the account. To share iTunes & App Store purchases, photos, a calendar, and more with someone else, try Family Sharing, iCloud Photo Sharing, or other easy-to-use sharing features.

!! How can I keep my [{$pagename}] secure?
Security and privacy are very important to Apple, and we provide a number of ways to secure your [{$pagename}] and protect your privacy, including strong passwords, [Two-Factor Authentication], and more. Learn more about security and your [{$pagename}].

!! Sign In with Apple

Apple announced their own sign-on solution at WWDC yesterday, [2019|Year 2019]-06-03.

It appears to be broadly OAuth2 / OpenID Connect, though this isn’t explicitly mentioned:

* [https://developer.apple.com/documentation/signinwithapplerestapi/generate_and_validate_tokens|https://developer.apple.com/documentation/signinwithapplerestapi/generate_and_validate_tokens|target='_blank'] - based on information obtained 2019-06-04 
* [https://developer.apple.com/documentation/signinwithapplerestapi/tokenresponse|https://developer.apple.com/documentation/signinwithapplerestapi/tokenresponse|target='_blank'] - based on information obtained 2019-06-04 


There is an id_token in the response, but its contents aren’t obviously described beyond being ‘A JSON Web Token that contains the user’s identity information.’

One obvious oddity is that at the token endpoint you are required to pass a client_secret parameter that contains an ES256 JWS, which is not entirely unlike a client_assertion. I don’t know if that’s a mistake in the documentation or if Apple have deliberately moved away from a standard client assertion for reasons that are unclear.

The client_secret value differs from a [Private_key_jwt] [Client_assertion] like so:
* its [sub] and [iss] are not the same [client_id] value
* it does not require a [jti] (and one probably wouldn't be used to check that the assertion is only used once anyway)

Apple's documentation states that the expiration of this derived client secret [JWT] can be up to 6 months. My assumption is that they really wanted to stick to the client secret basic/post scheme, so that developers may use the basic OAuth/OIDC client implementations out there but have rotating/expiring client secrets out of the box; that's why the client secret value is derived from a private key Apple generates for you (you cannot provide your own public key).

There's no discovery and no [Userinfo_endpoint]; [Id_token] signing is RS256 only, given that the jwks_uri yields a single [RS256] alg key, and the returned ID Token claims lack documentation. If there's no userinfo, what's the point of using code flow and getting an [Access Token]? Is it just so that clients must use the derived secret?

Apple's frontend "Sign In with Apple JS" [JavaScript] implementation is a mystery to me as well. Having a look at the JS, it runs [authorization] within a popup with a code id_token response type but form_post response mode and a [Proprietary Protocol] frame_id parameter. There's no hook for getting the tokens back. This seems to be a work-in-progress interface.


!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Sign In with Apple REST API|https://developer.apple.com/documentation/signinwithapplerestapi|target='_blank'] - based on information obtained 2019-06-04