Single Sign-On is dead on iOS 11


Iain McGinniss

Jun 8, 2017, 1:34:39 PM6/8/17
to openid-...@lists.openid.net, oidf-account...@googlegroups.com
Hello all,

Just to bring this to your attention: Apple has essentially killed single sign-on for native apps in iOS 11. Changes made to SFSafariViewController (used by AppAuth, and the recommended mechanism for federated login by Apple) now mean that browser state is partitioned per app, so there is no way for an existing authentication in the browser to be reused by an app.

This fundamentally breaks an important part of OpenID Connect - users will now need to re-authenticate with their IDP in every app that they use. There is still time to provide feedback to Apple on this change, though they have been discussing this change in terms of "enhancing privacy" and I'd be very surprised if they change tack now.

Iain

Nat Sakimura

Jun 12, 2017, 8:04:47 PM6/12/17
to oidf-account...@googlegroups.com, openid-...@lists.openid.net
Maybe we can call upon the privacy community as well, raising the voice that this is very bad for privacy.
I wonder what privacy enhancement they have in mind.

--

---
You received this message because you are subscribed to the Google Groups "OIDF Account Chooser list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to oidf-account-choos...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--

Nat Sakimura

Chairman of the Board, OpenID Foundation

Iain McGinniss

Jun 12, 2017, 8:36:07 PM6/12/17
to oidf-account...@googlegroups.com, openid-...@lists.openid.net
The change is specifically discussed in the What's New in Safari View Controller talk, around 17 minutes in. Rough transcript:

Now I'd like to talk about some privacy improvements in iOS 11, in Safari View Controller. Browsing the web in your app is different than browsing the web in other apps. It's different than browsing the web in Safari. Sometimes we want to use different accounts in different apps. For some apps I'll use my work account, and in others I'll use my personal account. On iOS 11, Safari View Controller will have a separate persistent data store in each app that it is used in. This means that cookies, local storage and other browsing data will be contained within your app and scoped to your app. This means that the user won't be automatically logged in to whatever accounts they were logged in to in Safari. What this does is it will prevent cross-app tracking of the user's activity, which you and your users might not even have been aware of. Ultimately, it helps keep users' browser activity private, and scoped within your app.

This matches their rationale for Intelligent Tracking Prevention, which is also going to play havoc with cookies and local storage more generally in Safari.

Iain
