Abstract image of a woman sitting on books and studying on a laptop

Sign in with Apple

Nov Matake, profile picture
Nov Matake

This document summarizes differences between Sign in with Apple (SIWA) and OpenID Connect (OIDC) and OAuth 2.0 standards. It notes several ways SIWA specifications and behaviors deviate from or violate OIDC standards, including not supporting standard authentication methods, response types, and claims. It also describes SIWA's characteristic identifier design which links multiple apps and services from the same developer together under a single user consent. Developer teams are limited to 10 linked apps/services and must create a new team for additional apps.

Technology
1 of 35
Downloaded 11 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
#idcon vol.27 - Sign in with Apple 特集 ※ ヤフースコアのことは禁句な!! https://idcon.org
Sign in with Apple ~ diff from OIDC / OAuth 2.0 & characteristic identifiers design ~ @nov
https://matake.jp
https://rubygems.org/gems/apple_id
https://signin-with-apple.herokuapp.com
Diff from OIDC / OAuth 2.0
OIDC Spec Violations ❖ when nonce is provided in the code or code id_token grant types, it won’t be included in the id_token returned #FIXED ❖ the code id_token response type does not include c_hash in the returned id_token #FIXED ❖ the code id_token response type returns the response parameters as query parameters, not in the fragment ❖ providing a prompt parameter with any value (e.g. login or consent) or empty results in a 400 with no body #FIXED ❖ when max_age is requested, the id_token does not include an auth_time claim #FIXED http://bit.ly/diff-between-siwa-and-oidc
Peculiarities (奇妙な点) ❖ no Discovery document is published at https://appleid.apple.com/.well-known/openid- configuration which makes developers have to read through the Apple docs to find out about endpoints, scopes, signing algorithms, authentication methods, etc. #FEELS-OK ❖ no User Info endpoint is provided which means all of the claims about users have to be included in the (expiring and potentially large) id_token ❖ does not include different claims in the id_token based on scope #PARTIALLY-FIXED ❖ the token endpoint does not accept client_secret_basic as authentication method (required for OpenID Connect certification) and actually the default method to use for Clients when there’s no Discovery document that says otherwise http://bit.ly/diff-between-siwa-and-oidc
Peculiarities (奇妙な点) ❖ authentication towards the token endpoint requires a (custom) JWT assertion as a client_secret in a client_secret_post authentication method whereas the more appropriate private_key_jwt authentication method as defined in RFC7523 could have been used ❖ using unsupported or wrong parameters (e.g. non-existing response_type, scope, client_id, or redirect_uri) always results in the same message in the browser that says “Your request could not be completed because of an error. Please try again later.” without any explanation about what happened, why this is an error or how to fix it #FEELS-OK #EXCEPT-FOR-SCOPE ❖ exchanging the authorization code according to https://developer.apple.com/ documentation/signinwithapplerestapi/generate_and_validate_tokens should present a non-standard grant_type=authorization_token but using the standards-compliant grant_type=authorization_code actually works whereas the former does not, so the documentation is incorrect #FIXED http://bit.ly/diff-between-siwa-and-oidc
Peculiarities (奇妙な点) ❖ the Authorization Code grant type (for public Clients?) does not use PKCE to avoid code injection and code replay attacks #FEELS-OK ❖ when using the sample app available at https://github.com/aaronpk/sign-in-with- apple-example, adding openid as a scope leads to an error message and it works just with name and email as scope values; this behavior seems to be inconsistent across Clients: for some it works, or at least does not lead to errors, for others it does not work and ends with an error #FIXED? ❖ The scope value of only the very first request by an application is respected. If an application initially requests only the name scope, and the user allows it, it is then impossible to later also request the email scope. http://bit.ly/diff-between-siwa-and-oidc
Characteristic Identifiers Design
Team X
Team X App A
Team X Primary App A Service A-1
Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2
Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
User-related Identifiers Design
User ID (sub) Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
Private Email Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
Sign in with Apple
Sign in with Apple
User ID : Apple User ID : Public Emails : Private Email : 12345 000123.abc2xyz.0012 foo@icloud.com foo@me.com for-team-x@privaterelay.appleid.com Q1. Which address to use in each app’s context? Q2. How to handle email changes after revocation?
Consent Screen Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
Revocation Screen Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
Sign in with Apple
Sign in with Apple
Careful branding strategy required for primary app grouping
Developer-related Identifiers Design
Client ID Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
Private Key Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
CLIENT_ID is of the app / service which originally received the authorization code, not of the backend server which accesses the token endpoint, even when refreshing tokens.
Private Email Relay Service Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
MAX 10 MAX 10
For the 11th domain / address, setup new team !?!? Primary App A sends emails from App A-1 sends emails from App A-2 sends emails from Service A-1 sends emails from no-reply@primary-app-a.example.com no-reply@app-a1.example.com no-reply@app-a2.example.com no-reply@service-a1.example.com :
【結論】 iOS, iPad OS, Safari での UX は最高だが クセが強いので注意

More Related Content

PDF
OAuth 2.0 Updates #technight
Nov Matake
 
PDF
OpenID Connect 101 @ OpenID TechNight vol.11
Nov Matake
 
PDF
ID連携入門 (実習編) - Security Camp 2016
Nov Matake
 
PDF
W3C Web Authentication - #idcon vol.24
Nov Matake
 
PDF
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
Nov Matake
 
PDF
OpenID Connect Explained
Vladimir Dzhuvinov
 
PPTX
Mit 2014 introduction to open id connect and o-auth 2
Justin Richer
 
PPTX
OpenID Connect 1.0 Explained
Eugene Siow
 
OAuth 2.0 Updates #technight
Nov Matake
 
OpenID Connect 101 @ OpenID TechNight vol.11
Nov Matake
 
ID連携入門 (実習編) - Security Camp 2016
Nov Matake
 
W3C Web Authentication - #idcon vol.24
Nov Matake
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
Nov Matake
 
OpenID Connect Explained
Vladimir Dzhuvinov
 
Mit 2014 introduction to open id connect and o-auth 2
Justin Richer
 
OpenID Connect 1.0 Explained
Eugene Siow
 

What's hot (20)

PDF
FIDO2 Specifications Overview
FIDO Alliance
 
PDF
NIST SP 800-63C #idcon vol.22
Nov Matake
 
PDF
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer
 
PDF
Getting Started with FIDO2
FIDO Alliance
 
PDF
Full stack security
DPC Consulting Ltd
 
PPTX
The Client is not always right! How to secure OAuth authentication from your...
Mike Schwartz
 
PPTX
Technical Considerations for Deploying FIDO Authentication
FIDO Alliance
 
PDF
Webauthn Tutorial
FIDO Alliance
 
PPTX
OpenID Connect: An Overview
Pat Patterson
 
PDF
Open id connect claims idcon mini vol1
Ryo Ito
 
PPT
Understanding OpenID
Prabath Siriwardena
 
PDF
Stateless authentication for microservices - Spring I/O 2015
Alvaro Sanchez-Mariscal
 
PDF
Incorporating OAuth: How to integrate OAuth into your mobile app
Nordic APIs
 
PPTX
OpenID Connect and Single Sign-On for Beginners
Salesforce Developers
 
PDF
Syrup pay 인증 모듈 개발 사례
HyungTae Lim
 
PDF
Security Cas And Open Id
ConSanFrancisco123
 
PDF
FIDO 생체인증 기술 개발 사례
Lee Ji Eun
 
PDF
OAuth 2.0 Updates #technight in Osaka
Nov Matake
 
PDF
OpenID Connect via WebIntents
Nov Matake
 
PDF
DevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloak
Hitachi, Ltd. OSS Solution Center.
 
FIDO2 Specifications Overview
FIDO Alliance
 
NIST SP 800-63C #idcon vol.22
Nov Matake
 
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer
 
Getting Started with FIDO2
FIDO Alliance
 
Full stack security
DPC Consulting Ltd
 
The Client is not always right! How to secure OAuth authentication from your...
Mike Schwartz
 
Technical Considerations for Deploying FIDO Authentication
FIDO Alliance
 
Webauthn Tutorial
FIDO Alliance
 
OpenID Connect: An Overview
Pat Patterson
 
Open id connect claims idcon mini vol1
Ryo Ito
 
Understanding OpenID
Prabath Siriwardena
 
Stateless authentication for microservices - Spring I/O 2015
Alvaro Sanchez-Mariscal
 
Incorporating OAuth: How to integrate OAuth into your mobile app
Nordic APIs
 
OpenID Connect and Single Sign-On for Beginners
Salesforce Developers
 
Syrup pay 인증 모듈 개발 사례
HyungTae Lim
 
Security Cas And Open Id
ConSanFrancisco123
 
FIDO 생체인증 기술 개발 사례
Lee Ji Eun
 
OAuth 2.0 Updates #technight in Osaka
Nov Matake
 
OpenID Connect via WebIntents
Nov Matake
 
DevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloak
Hitachi, Ltd. OSS Solution Center.
 
Ad

Similar to Sign in with Apple (20)

PPTX
How to build Simple yet powerful API.pptx
Channa Ly
 
PDF
API Security - OWASP top 10 for APIs + tips for pentesters
Inon Shkedy
 
PPTX
What API Specifications and Tools Help Engineers to Construct a High-Security...
Hitachi, Ltd. OSS Solution Center.
 
PPTX
iOS Provisioning : Running your app in an iOS device
Madusha Perera
 
PPT
Live Identity Services Drilldown - PDC 2008
Jorgen Thelin
 
PDF
24032022 Zero Trust for Developers Pub.pdf
Tomasz Kopacz
 
PDF
API Testing and Hacking.pdf
VishwasN6
 
PDF
API Testing and Hacking (1).pdf
Vishwas N
 
PDF
API Testing and Hacking.pdf
Vishwas N
 
PDF
Web PenTest Sample Report
Octogence
 
PDF
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Adar Weidman
 
PDF
Building Mobile Friendly APIs in Rails
Jim Jeffers
 
PDF
OAuth for QuickBooks Online REST Services
Intuit Developer
 
PDF
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
Apigee | Google Cloud
 
PPTX
SAP Inbound IDoc.pptx
AshwaniKumar207236
 
PPTX
WEB API Gateway
Kumaresh Chandra Baruri
 
PPTX
Best Practices for Application Development with Box
Jonathan LeBlanc
 
PPTX
Owasp web security
Pankaj Kumar Sharma
 
PPTX
Developing Apps with Azure AD
SharePointRadi
 
ODP
Developing a Public API -- at ILTechTalks 2015
Yonatan Maman
 
How to build Simple yet powerful API.pptx
Channa Ly
 
API Security - OWASP top 10 for APIs + tips for pentesters
Inon Shkedy
 
What API Specifications and Tools Help Engineers to Construct a High-Security...
Hitachi, Ltd. OSS Solution Center.
 
iOS Provisioning : Running your app in an iOS device
Madusha Perera
 
Live Identity Services Drilldown - PDC 2008
Jorgen Thelin
 
24032022 Zero Trust for Developers Pub.pdf
Tomasz Kopacz
 
API Testing and Hacking.pdf
VishwasN6
 
API Testing and Hacking (1).pdf
Vishwas N
 
API Testing and Hacking.pdf
Vishwas N
 
Web PenTest Sample Report
Octogence
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Adar Weidman
 
Building Mobile Friendly APIs in Rails
Jim Jeffers
 
OAuth for QuickBooks Online REST Services
Intuit Developer
 
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
Apigee | Google Cloud
 
SAP Inbound IDoc.pptx
AshwaniKumar207236
 
WEB API Gateway
Kumaresh Chandra Baruri
 
Best Practices for Application Development with Box
Jonathan LeBlanc
 
Owasp web security
Pankaj Kumar Sharma
 
Developing Apps with Azure AD
SharePointRadi
 
Developing a Public API -- at ILTechTalks 2015
Yonatan Maman
 
Ad

More from Nov Matake (20)

PDF
#idcon vol.29 - #fidcon WebAuthn, Next Stage
Nov Matake
 
PDF
FedCM - OpenID TechNight vol.19
Nov Matake
 
PDF
Safari (ITP) & Chrome (SameSite=Lax as default) が Federation に与える影響 - OpenID ...
Nov Matake
 
PDF
FIDO @ LINE - #idcon vol.24
Nov Matake
 
PDF
NIST SP 800-63C - Federation and Assertions (FINAL)
Nov Matake
 
PDF
OPTiM StoreにおけるSCIM & OIDC活用事例 - ID&IT 2016
Nov Matake
 
PDF
NIST SP 800-63-3 #idcon vol.22
Nov Matake
 
PDF
ID連携概要 - OpenID TechNight vol.13
Nov Matake
 
PDF
ミスコンとプライバシー ~ IdentityDuck誕生秘話 ~ #idcon
Nov Matake
 
PDF
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
Nov Matake
 
PDF
FIDO alliance #idcon vol.18
Nov Matake
 
PDF
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
Nov Matake
 
PDF
OAuth認証再考からのOpenID Connect #devlove
Nov Matake
 
PDF
ID & IT 2013 - OpenID Connect Hands-on
Nov Matake
 
PDF
JWT Translation #technight
Nov Matake
 
PDF
MIT-KIT Intro at #idcon sattelite
Nov Matake
 
PDF
Self isssued-idp
Nov Matake
 
PDF
IIW 16th Report at #idcon
Nov Matake
 
PDF
Whats wrong oauth_authn
Nov Matake
 
PDF
OAuth 2.0 #idit2012
Nov Matake
 
#idcon vol.29 - #fidcon WebAuthn, Next Stage
Nov Matake
 
FedCM - OpenID TechNight vol.19
Nov Matake
 
Safari (ITP) & Chrome (SameSite=Lax as default) が Federation に与える影響 - OpenID ...
Nov Matake
 
FIDO @ LINE - #idcon vol.24
Nov Matake
 
NIST SP 800-63C - Federation and Assertions (FINAL)
Nov Matake
 
OPTiM StoreにおけるSCIM & OIDC活用事例 - ID&IT 2016
Nov Matake
 
NIST SP 800-63-3 #idcon vol.22
Nov Matake
 
ID連携概要 - OpenID TechNight vol.13
Nov Matake
 
ミスコンとプライバシー ~ IdentityDuck誕生秘話 ~ #idcon
Nov Matake
 
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
Nov Matake
 
FIDO alliance #idcon vol.18
Nov Matake
 
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
Nov Matake
 
OAuth認証再考からのOpenID Connect #devlove
Nov Matake
 
ID & IT 2013 - OpenID Connect Hands-on
Nov Matake
 
JWT Translation #technight
Nov Matake
 
MIT-KIT Intro at #idcon sattelite
Nov Matake
 
Self isssued-idp
Nov Matake
 
IIW 16th Report at #idcon
Nov Matake
 
Whats wrong oauth_authn
Nov Matake
 
OAuth 2.0 #idit2012
Nov Matake
 

Recently uploaded (20)

PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
A review of recent deep learning applications in wood surface defect identifi...
IAESIJAI
 
PDF
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PDF
Five Habits of High-Impact Board Members
OnBoard
 
PDF
CloudStack 4.21: First Look Webinar slides
ShapeBlue
 
PDF
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
PDF
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
PPTX
Web Crawler for Trend Tracking Gen Z Insights.pptx
Actowiz Solustions
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PDF
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
PDF
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Mindy Bohannon
 
PDF
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
A review of recent deep learning applications in wood surface defect identifi...
IAESIJAI
 
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
Five Habits of High-Impact Board Members
OnBoard
 
CloudStack 4.21: First Look Webinar slides
ShapeBlue
 
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
Web Crawler for Trend Tracking Gen Z Insights.pptx
Actowiz Solustions
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Mindy Bohannon
 
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 

Sign in with Apple

  • 1. #idcon vol.27 - Sign in with Apple 特集 ※ ヤフースコアのことは禁句な!! https://idcon.org
  • 2. Sign in with Apple ~ diff from OIDC / OAuth 2.0 & characteristic identifiers design ~ @nov
  • 6. Diff from OIDC / OAuth 2.0
  • 7. OIDC Spec Violations ❖ when nonce is provided in the code or code id_token grant types, it won’t be included in the id_token returned #FIXED ❖ the code id_token response type does not include c_hash in the returned id_token #FIXED ❖ the code id_token response type returns the response parameters as query parameters, not in the fragment ❖ providing a prompt parameter with any value (e.g. login or consent) or empty results in a 400 with no body #FIXED ❖ when max_age is requested, the id_token does not include an auth_time claim #FIXED http://bit.ly/diff-between-siwa-and-oidc
  • 8. Peculiarities (奇妙な点) ❖ no Discovery document is published at https://appleid.apple.com/.well-known/openid- configuration which makes developers have to read through the Apple docs to find out about endpoints, scopes, signing algorithms, authentication methods, etc. #FEELS-OK ❖ no User Info endpoint is provided which means all of the claims about users have to be included in the (expiring and potentially large) id_token ❖ does not include different claims in the id_token based on scope #PARTIALLY-FIXED ❖ the token endpoint does not accept client_secret_basic as authentication method (required for OpenID Connect certification) and actually the default method to use for Clients when there’s no Discovery document that says otherwise http://bit.ly/diff-between-siwa-and-oidc
  • 9. Peculiarities (奇妙な点) ❖ authentication towards the token endpoint requires a (custom) JWT assertion as a client_secret in a client_secret_post authentication method whereas the more appropriate private_key_jwt authentication method as defined in RFC7523 could have been used ❖ using unsupported or wrong parameters (e.g. non-existing response_type, scope, client_id, or redirect_uri) always results in the same message in the browser that says “Your request could not be completed because of an error. Please try again later.” without any explanation about what happened, why this is an error or how to fix it #FEELS-OK #EXCEPT-FOR-SCOPE ❖ exchanging the authorization code according to https://developer.apple.com/ documentation/signinwithapplerestapi/generate_and_validate_tokens should present a non-standard grant_type=authorization_token but using the standards-compliant grant_type=authorization_code actually works whereas the former does not, so the documentation is incorrect #FIXED http://bit.ly/diff-between-siwa-and-oidc
  • 10. Peculiarities (奇妙な点) ❖ the Authorization Code grant type (for public Clients?) does not use PKCE to avoid code injection and code replay attacks #FEELS-OK ❖ when using the sample app available at https://github.com/aaronpk/sign-in-with- apple-example, adding openid as a scope leads to an error message and it works just with name and email as scope values; this behavior seems to be inconsistent across Clients: for some it works, or at least does not lead to errors, for others it does not work and ends with an error #FIXED? ❖ The scope value of only the very first request by an application is respected. If an application initially requests only the name scope, and the user allows it, it is then impossible to later also request the email scope. http://bit.ly/diff-between-siwa-and-oidc
  • 14. Team X Primary App A Service A-1
  • 15. Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2
  • 16. Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
  • 18. User ID (sub) Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
  • 19. Private Email Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
  • 22. User ID : Apple User ID : Public Emails : Private Email : 12345 000123.abc2xyz.0012 foo@icloud.com foo@me.com for-team-x@privaterelay.appleid.com Q1. Which address to use in each app’s context? Q2. How to handle email changes after revocation?
  • 23. Consent Screen Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
  • 24. Revocation Screen Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
  • 27. Careful branding strategy required for primary app grouping
  • 29. Client ID Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
  • 30. Private Key Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
  • 31. CLIENT_ID is of the app / service which originally received the authorization code, not of the backend server which accesses the token endpoint, even when refreshing tokens.
  • 32. Private Email Relay Service Team X Primary App A App A-3 App A-2 App A-1 Service A-1 Service A-2 Primary App B App B-2 App B-1 Service B-1
  • 34. For the 11th domain / address, setup new team !?!? Primary App A sends emails from App A-1 sends emails from App A-2 sends emails from Service A-1 sends emails from no-reply@primary-app-a.example.com no-reply@app-a1.example.com no-reply@app-a2.example.com no-reply@service-a1.example.com :
  • 35. 【結論】 iOS, iPad OS, Safari での UX は最高だが クセが強いので注意