ory/network

Support additional client IDs for Apple native sign in

jonas-jonas opened this issue · 2 comments

To fully support a seamless development experience for social sign-in using native SDKs (ID token based), we need to support multiple client IDs. This is because the actual application typically has a different identifier than the web application, and it also depends on the release type (debug, test, release, etc.).

Proposed solution

  1. Add a config key allowed_id_token_audiences that lists all audiences that are allowed to submit ID tokens
  2. Add a client_id parameter to the createNativeLoginFlow/createNativeRegistrationFlow operations that is then checked on creation, and then used when the ID token is submitted to validate the ID token's aud claim

This is requested by Moonpig.
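The two checks in the proposed solution, as an added Go example that is not Ory's code: the `client_id` passed at flow creation is checked against an assumed `allowed_id_token_audiences` list, and when the ID token is later submitted its `aud` claim is checked against the client ID bound to that flow. The config struct, function names and the sample claims are assumptions made for this illustration; signature and issuer verification of the token are assumed to happen before `ValidateAudience` is called.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Config mirrors the proposed allowed_id_token_audiences key (assumed shape).
type Config struct {
	AllowedIDTokenAudiences []string `json:"allowed_id_token_audiences"`
}

// Audience accepts both JSON forms the "aud" claim may take: a single string
// or an array of strings. Apple issues a single string, but the JWT spec
// permits either, so both must be handled.
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = Audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("aud must be a string or an array of strings: %w", err)
	}
	*a = Audience(many)
	return nil
}

// IDTokenClaims holds the subset of ID token claims this example inspects.
type IDTokenClaims struct {
	Iss string   `json:"iss"`
	Sub string   `json:"sub"`
	Aud Audience `json:"aud"`
}

var (
	ErrClientIDNotAllowed = errors.New("client_id is not in allowed_id_token_audiences")
	ErrAudienceMismatch   = errors.New("id token aud does not contain the flow's client_id")
)

// SelectClientID is the check at createNativeLoginFlow /
// createNativeRegistrationFlow time: the requested client_id must be one of
// the configured audiences, otherwise the flow is rejected.
func SelectClientID(cfg Config, requested string) (string, error) {
	for _, allowed := range cfg.AllowedIDTokenAudiences {
		if allowed == requested {
			return requested, nil
		}
	}
	return "", ErrClientIDNotAllowed
}

// ValidateAudience is the check at submission time: the aud claim of the
// (already signature-verified) ID token must contain exactly the client_id
// bound to the flow. Accepting any configured audience here would be weaker,
// because a token minted for one app could then be presented to a flow
// started for a different app.
func ValidateAudience(claims IDTokenClaims, flowClientID string) error {
	for _, aud := range claims.Aud {
		if aud == flowClientID {
			return nil
		}
	}
	return ErrAudienceMismatch
}

// ParseClaims decodes the JSON claims object of an ID token payload and
// rejects tokens that carry no aud claim at all.
func ParseClaims(payload []byte) (IDTokenClaims, error) {
	var c IDTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if len(c.Aud) == 0 {
		return c, errors.New("id token has no aud claim")
	}
	return c, nil
}

func main() {
	// Constructed sample config: one web and two native client IDs.
	cfg := Config{AllowedIDTokenAudiences: []string{
		"com.example.web", "com.example.ios", "com.example.ios.debug",
	}}
	clientID, err := SelectClientID(cfg, "com.example.ios")
	if err != nil {
		fmt.Println("flow creation rejected:", err)
		return
	}
	// Constructed sample payload; a real token's signature would be verified first.
	payload := []byte(`{"iss":"https://appleid.apple.com","sub":"001234","aud":"com.example.ios"}`)
	claims, err := ParseClaims(payload)
	if err != nil {
		fmt.Println("bad token:", err)
		return
	}
	fmt.Println("audience check:", ValidateAudience(claims, clientID))
}
```

Binding the client ID to the flow at creation and re-checking it at submission is what keeps the allowlist from turning into an "any configured audience is fine" rule.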

When using multiple clients, the OIDC flow doesn't work for Apple, as we have a hardcoded exception in the CSRF protection for Apple callbacks (i.e. all providers that have the id apple). If you have multiple OIDC providers (e.g. apple_web, apple_android, apple_ios), that exemption doesn't apply, and you receive a CSRF violation error.

If we allow multiple client IDs in the config, that issue is also going to be fixed.