As the technical lead of the OpenID Foundation Certification Team, I’d like to add a few comments to the open letter that OpenID Foundation Chairman, Nat Sakimura, wrote to Apple (https://openid.net/2019/09/30/apple-successfully-implements-openid-connect-with-sign-in-with-apple/). Nat thanks Apple for their recent efforts to make “Sign In with Apple” compliant with the OpenID Connect standard. The OpenID Foundation has always been developer-focused. The widespread adoption of OpenID Connect is an example of a standards development process that incorporates input from engineers and architects worldwide and across industry use cases. It’s an organic and painstaking process that results in open standards with global adoption and a self-certification option.
My take is from the viewpoint of developers: imagine a developer of a mobile app or a web application that requires users to sign in with their Apple account. As of last month there are literally dozens of implementations of OpenID Connect Relying Party functionality available that one can leverage today. Moreover, whether you want to leverage Sign in with Apple, Google Sign In, Microsoft Live, Microsoft Azure AD, Paypal or many others, you can do so with the very same Relying Party software implementation. There are still a few confused identity providers out there – I’m looking at you Facebook – but my guess is that in due time they will follow Apple’s example.
This means that developers do not have to write and maintain their own SSO integration to use Sign in with Apple. Today developers can leverage existing libraries and plugins that have been around for years and that are stable, mature and secure. Imagine that “Sign In with Apple” wasn’t OpenID Connect compliant. The same Relying Party software ecosystem would have to be developed for Sign In with Apple, in parallel to the existing OpenID Connect Relying Party software ecosystem. It would be a huge waste of time and resources since at the end of the day they solve exactly the same problem! Consider this: the development of programming language support, platform support, library support, bug fixing, security incident handling, protocol improvements, software packaging, software bundling, incorporation of new web developments, etc. Everything would have to be done twice. Valuable time and effort would be diluted by dividing them across two parallel solutions for the same thing.
Hence I want to thank Apple too, now on behalf of the developer community at large. We can spend time on more important problems like privacy, security and ease of use. We can optimize efforts to make identity software simpler and more secure by supporting OpenID Connect as the open, global SSO standard to build on in the future.
Hans Zandbelt – OpenID Foundation’s Certification Team Lead
About the Author
Hans Zandbelt is CTO at ZmartZone IAM. He holds an MSc. degree in Computer Science, Tele-Informatics and Open Systems from Twente University (1993). He has over 25 years of experience as a technical leader in research and innovation projects on digital identity. In 2007 he joined SURFnet as the founding father, architect and technical product manager of SURFfederatie, the national infrastructure for federated Single Sign-On for the research- and higher education community in the Netherlands. In 2011 he joined Ping Identity as an expert on Single Sign-On, cloud Identity & Access Management and large scale deployment of federation technology, representing the CTO Office in Europe. In 2017 he founded ZmartZone IAM to provide Identity & Access Management consultancy, to contribute to modern open IAM standards and to offer open source solutions implementing those. He is the technical team leader of the Certification Team within the OpenID Foundation.