Let's clarify some of the misunderstandings around Apple's new "Sign In with Apple" feature announced at #WWDC19, a thread:
tl;dr This is a good move for users in the iOS ecosystem, and is primarily designed as an alternative for apps that currently use "Sign in with [Facebook/Twitter/Google]" to avoid leaking sensitive user info.
Yes, Apple is entering the OAuth ecosystem as a new identity provider. Turns out every iOS user already has an Apple account, so why not enable users to sign in with an account they already have?
Most of the time the way apps use OAuth providers is just to identify users. This is designed to be an alternative to using Facebook/Twitter/Google for that purpose.
This is distinctly different from the case where an app wants you to sign in with your Google account so that it can manage your calendar. Or sign in with Snapchat to apply a filter to your profile picture.
Those use cases are more along the lines of what @OAuth_2 was originally intended for: letting apps access your account without giving them your password.
Over the years, apps started to use OAuth to identify users because it's a quick way to find out and verify someone's Twitter/Facebook/etc account without having them type it in. This turned out to be bad for users' privacy:
Once an app knows your Twitter username or your email address, they can sell it to advertisers, or track your activity across other apps. Apple's approach provides a unique scrambled email address to the app, preventing this.
Now you may have heard people concerned by this clause from the new App Store Review Guidelines:

> Sign In with Apple [...] will be required as an option for users in apps that support third-party sign-in when it is commercially available later this year.
Sign In with Apple is a *good thing* for users! This means apps will no longer be able to force you to log in with your Facebook account to use them.
This does *not* mean that Apple is requiring every app to use Sign in with Apple. This does not mean that apps that want to manage your Google Calendar will have to also add Sign in with Apple.
Yes, this is a little additional work for app developers to support another OAuth provider, but it is really not that different from supporting both Twitter and Facebook, or Snapchat and Instagram.
At the end of the day, the benefit of signing in to apps is to be able to save stuff to your account so you can restore it later, and to get email notifications.
"Sign In with Apple" provides apps with both those features without revealing any more information about you than necessary.
So yes, Sign In with Apple is a good thing for user privacy, and will be a better user experience overall.
Is Apple using their position as gatekeepers of the App Store to force adoption of "Sign In with Apple"?

Yes.

Is this a bad thing?

No.

Does this affect you if you don't use an iOS device?

No.

Does this benefit people who have an iOS device?

Yes.
Will we see other OAuth providers follow suit and start randomizing email addresses and user IDs returned to apps? I hope so!

Ironically, Facebook first started doing this a few years ago when they launched app-scoped user IDs.
Anyway, if you're curious about what this will look like, I wrote a sample app that uses Sign In with Apple so you can see how it works.

developer.okta.com/blog/2019/06/0…
That is all. Thanks for listening.
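The per-app scrambled email address and app-scoped user ID described in this thread can be illustrated with a keyed derivation, shown next to a provider that returns the same identifier to every app. This is an added example, not code from the thread and not Apple's or Facebook's actual algorithm; the HMAC construction, the secret, the `relay.example` domain, the app and account IDs, and all function names are assumptions.

```python
import hashlib
import hmac

# Constructed demo values (assumptions): a real provider keeps the key in a KMS/HSM.
PROVIDER_SECRET = b"constructed-demo-secret-not-a-real-key"
RELAY_DOMAIN = "relay.example"  # hypothetical relay domain


def _derive(purpose: str, app_id: str, account_id: str) -> str:
    """Keyed hash over length-prefixed fields, so field boundaries are unambiguous."""
    parts = [p.encode() for p in (purpose, app_id, account_id)]
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(PROVIDER_SECRET, msg, hashlib.sha256).hexdigest()


def identity_for_app(app_id: str, account_id: str) -> dict:
    """What the provider hands to one app: stable for that app, useless elsewhere."""
    return {
        "sub": _derive("sub", app_id, account_id)[:32],
        "email": f"{_derive('email', app_id, account_id)[:16]}@{RELAY_DOMAIN}",
    }


def global_identity(real_email: str) -> dict:
    """Contrast case: a provider that returns the same identifiers to every app."""
    return {"sub": real_email, "email": real_email}


def can_correlate(record_a: dict, record_b: dict) -> bool:
    """Two apps pooling their user tables can join on any value they share."""
    return bool(set(record_a.values()) & set(record_b.values()))


if __name__ == "__main__":
    account = "account-1001"  # constructed internal account id
    notes = identity_for_app("com.example.notes", account)
    games = identity_for_app("com.example.games", account)
    print(notes, games, sep="\n")
    print("pairwise linkable:", can_correlate(notes, games))
    shared = global_identity("alice@example.com")
    print("global linkable:  ", can_correlate(shared, shared))
```

Because the derivation is keyed, an app cannot recompute another app's identifier for the same user; only the provider can map an alias back to the real account.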
Subscribe to Aaron Parecki