DPoP isn't mandated, MTLS sender constrained access tokens are selected by a lot of people instead of DPoP. (And yes I agree, MTLS has challenges in some cases.) Stateful refresh tokens have other practical issues,…
There at least a few others left, https://gitlab.com is one I regularly use. Sadly the amount of money you need to spend on security & support for such a service does make offering such a service (particularly for free)…
It's a double edged sword. Actually creating a good standard that people want to use through an open process that aims to be unbiased takes a non-trivial amount of time and hence costs a not insubstantial amount of…
My understanding it is quite often government/country contexts where (because ISO is recognised in various international treaties) it is easier to get approval to use an ISO standard than it is to use an OpenID…
Historically the IETF has been reluctant to get involved with Identity (and hence authentication) for various reasons. There are a few standards bodies in this area and they all have their strengths and weaknesses (the…
I wasn't really following OAuth back in those days, but I have heard much of the history from those that were there are the time, and there were some of the failures of some of the early specs in this area for being too…
"Through I'm not sure if requiring (instead of just allowing) PKCE is strictly OIDC compliant" It's technically not compliant, but people definitely do so, and there are definite security advantages to requiring it.…
Yes, indeed. Both OAuth 2.1 & the BCP tighten things up a lot, although neither is technically final yet (the security BCP should be published as an RFC "any day now"). For people looking for an easy-to-follow…
The certification suite is open source software (produced by the OpenID Foundation mostly at their cost) and entirely free to use: https://github.com/openid-certification/oidctest Apple are absolutely 100% free to run…
Apple are using OAuth 2.0. The contributor referred to (John Bradley) as saying that OAuth 2.0 implementation mistakes are almost inevitable is one of the authors of the OpenID Connect spec, and if you follow the…
There's no requirement to be to a member of the OpenID Foundation to describe your implementation as OpenID; the trademark rules are here: https://openid.net/intellectual-property/trademark-license/ The main requirement…
Neither of you need to; the article contains a link to https://bitbucket.org/openid/connect/src/default/How-Sign-in... where a bunch of experts have analysed the current (beta) signin with Apple against the spec. In…
Spot on - in fact over time what we're seeing happen is the authors of the OpenID Connect standards submitting the parts as RFCs to the IETF. The OpenID Foundation is able to move a lot faster than the RFC process…
DPoP isn't mandated, MTLS sender constrained access tokens are selected by a lot of people instead of DPoP. (And yes I agree, MTLS has challenges in some cases.) Stateful refresh tokens have other practical issues,…
There at least a few others left, https://gitlab.com is one I regularly use. Sadly the amount of money you need to spend on security & support for such a service does make offering such a service (particularly for free)…
It's a double edged sword. Actually creating a good standard that people want to use through an open process that aims to be unbiased takes a non-trivial amount of time and hence costs a not insubstantial amount of…
My understanding it is quite often government/country contexts where (because ISO is recognised in various international treaties) it is easier to get approval to use an ISO standard than it is to use an OpenID…
Historically the IETF has been reluctant to get involved with Identity (and hence authentication) for various reasons. There are a few standards bodies in this area and they all have their strengths and weaknesses (the…
I wasn't really following OAuth back in those days, but I have heard much of the history from those that were there are the time, and there were some of the failures of some of the early specs in this area for being too…
"Through I'm not sure if requiring (instead of just allowing) PKCE is strictly OIDC compliant" It's technically not compliant, but people definitely do so, and there are definite security advantages to requiring it.…
Yes, indeed. Both OAuth 2.1 & the BCP tighten things up a lot, although neither is technically final yet (the security BCP should be published as an RFC "any day now"). For people looking for an easy-to-follow…
The certification suite is open source software (produced by the OpenID Foundation mostly at their cost) and entirely free to use: https://github.com/openid-certification/oidctest Apple are absolutely 100% free to run…
Apple are using OAuth 2.0. The contributor referred to (John Bradley) as saying that OAuth 2.0 implementation mistakes are almost inevitable is one of the authors of the OpenID Connect spec, and if you follow the…
There's no requirement to be to a member of the OpenID Foundation to describe your implementation as OpenID; the trademark rules are here: https://openid.net/intellectual-property/trademark-license/ The main requirement…
Neither of you need to; the article contains a link to https://bitbucket.org/openid/connect/src/default/How-Sign-in... where a bunch of experts have analysed the current (beta) signin with Apple against the spec. In…
Spot on - in fact over time what we're seeing happen is the authors of the OpenID Connect standards submitting the parts as RFCs to the IETF. The OpenID Foundation is able to move a lot faster than the RFC process…