
Sign In with Apple: A Zero Code Integration Approach Using WSO2 Identity Server


This deck explores how you can integrate “Sign in with Apple” with your enterprise software using a zero-code approach. It discusses what “Sign in with Apple” is, which CIAM challenges “Sign in with Apple” poses, and how you can leverage WSO2 Identity Server to integrate with “Sign in with Apple”.

Watch the on-demand webinar here:


  1. IDENTITY SERVER
     Sign In with Apple: A Zero-Code Integration Approach Using WSO2 Identity Server
     Ishara Karunarathna, Senior Technical Lead
     Farasath Ahamed, Associate Technical Lead
     July 10, 2019
  3. Sign In with Apple
     ● Introduced at WWDC19
     ● Built on four main aspects:
       ○ Privacy
       ○ Built-in security
       ○ Works everywhere
       ○ Anti-fraud
  5. Why Worry About “Sign In with Apple” At All?
     ● Large ecosystem with 1.4 billion Apple ID accounts
     ● Allows users with Apple IDs to use their existing account to sign in to third-party apps
     ● Future de facto authentication mechanism for iOS apps
     ● Enhances security:
       ○ Enforces strong authentication
       ○ User consent
       ○ Pseudonymous identifier per application
  6. Behind the Scenes of ‘Sign In with Apple’
  7. The “Sign In with Apple” Flow
     ● Login API for developers
     ● Follows a flow similar to OpenID Connect
     ● A two-step login process:
       ○ Redirect to Apple’s authorize endpoint and get a code after authenticating the user
       ○ Exchange the code and obtain an id_token with user information
  8. Step 1: Obtaining an Authorization Code
  9. Log in with your Apple account credentials
  10. Second-factor authentication
  11. Consent to share your email
  12. Step 2: Exchange the Authorization Code for an id_token
  13. Challenges in Integrating ‘Sign In with Apple’ into Your Application
  14. Security Considerations
     ● Because “Sign in with Apple” deviates from the standard OpenID Connect flow, a few security implications follow:
       ○ The ‘nonce’ parameter sent in the request is not returned to the app
       ○ Does not use PKCE, so it is susceptible to authorization code interception attacks
       ○ ‘prompt’ does not work as expected
     See “Open Letter from the OpenID Foundation to Apple Regarding Sign In with Apple”
  15. Making the Most of “Sign in with Apple”
  16. Development Challenges
     ● Lack of documentation
     ● Deviations from the standard OpenID Connect flow
       ○ Client secret generation
     ● Applications that do not support OpenID Connect cannot support “Sign in with Apple” without modification
     ● Supporting multiple login options
     ● Implementing typical IAM use cases needs information beyond the user identifier
  17. Implementing ‘Sign In with Apple’ with Zero Code Change Using WSO2 Identity Server
  18. Step 1: Make Your App Speak a Standard
     ● Communicating in a standard protocol makes your app vendor neutral and eases integration with IAM providers.
  19. Step 2: Implement “Sign In with Apple” through OIDC Federation
     ● Add Apple as a trusted identity provider
     ● Engage “Sign in with Apple” in the authentication flow
  20. Demo
  21. Apple Sign In for Enterprise Use Cases
  22. Multi-protocol login
  23. Account linking
  24. Multi-option login
  25. Signup with missing claims
  26. About WSO2 Identity Server
     ● Fully open source (Apache 2.0 open source license)
     ● Inherent extensibility for building a tailor-made IAM platform
     ● 100+ million identities managed worldwide
     ● 150+ production customers globally and 500+ educational institutes
     ● 24*7 support for production customers
     ● Globally operating, with main offices in the USA, UK, Germany, Brazil, Australia, and Sri Lanka
     ● Product leader in LC: Access Management and Federation
     ● Innovation leader in LC: CIAM
  27. Further reading
     ● 1e336003
     ● rver-893cd47f3f5c
     ● way-forward-with-wso2-identity-server-f1faa1b715cc
     ● If you would like to try out “Sign in with Apple” using WSO2 Identity Server,
  28. Thank You
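An added example, not code from the deck or from WSO2, that ties together the two-step flow on slide 7 and the security considerations on slide 14: a relying party builds the authorize request with state and nonce, binds the callback to the session through state, and validates the id_token claims, reporting when Apple has not reflected the nonce. Apple's authorize endpoint, issuer and claim names are the values Apple publishes; the client_id, redirect URI and session handling are assumptions, and JWS signature verification against Apple's JWKS is a required step this block does not perform.

```python
import base64
import json
import secrets
import time
from urllib.parse import urlencode

# Authorize endpoint and issuer are the values Apple publishes.
APPLE_ISSUER = "https://appleid.apple.com"
AUTHORIZE_ENDPOINT = "https://appleid.apple.com/auth/authorize"

def build_authorize_url(client_id, redirect_uri):
    """Step 1: build the redirect to Apple's authorize endpoint.
    Returns (url, state, nonce); both values stay in the user's session."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": "name email",
              "response_mode": "form_post", "state": state, "nonce": nonce}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state, nonce

def check_callback(callback_params, expected_state):
    """Reject the callback unless the echoed state matches the session copy.
    With no nonce in the id_token this is the app's only request binding."""
    if not secrets.compare_digest(callback_params.get("state", ""), expected_state):
        raise ValueError("state mismatch: callback not bound to this login")
    return callback_params["code"]

def decode_payload(id_token):
    """Base64url-decode the JWT payload. Verifying the JWS signature against
    Apple's published JWKS is a separate, mandatory step not shown here."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def validate_id_token_claims(claims, client_id, expected_nonce, now=None):
    """Step 2: check id_token claims after the code exchange. Returns
    (sub, nonce_bound): sub is Apple's per-app pseudonymous user id and
    nonce_bound is False when the nonce was not reflected, so the login
    rests on the state check alone (the deviation slide 14 describes)."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != APPLE_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != client_id:
        raise ValueError("id_token issued for a different client_id")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("id_token expired")
    if "nonce" not in claims:
        return claims["sub"], False
    if not secrets.compare_digest(claims["nonce"], expected_nonce):
        raise ValueError("nonce mismatch: id_token not bound to this request")
    return claims["sub"], True
```

A production client additionally exchanges the code at Apple's token endpoint with the ES256-signed client secret the deck lists as a deviation, and verifies the id_token signature before trusting any claim.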