Closed schaafjs closed 1 year ago
johnozbay
commented
4 years ago Hi there!
Thanks a lot for filing this!
We're already working on this – it was going to be a surprise, but looks like the octo-cat's out of the bag now! 🎉 We're hoping to roll this out with our v3.0, which will have many other auth improvements like FIDO / hardware 2FA.
Stay tuned, and I'll ping this thread once it's out! 🍎
All the best, John
johnozbay
commented
4 years ago Just to add to this conversation – https://www.theverge.com/2020/9/9/21429029/epic-games-accounts-apple-sign-in-system-date-september-11
Today Apple revoked Epic's access to Sign In with Apple. We're running this scenario by our attorneys now to see if this were to happen to us, whether if we would have any legal ground to stand on.
I've also asked about our login-with-google option as well.
But to further clarify, Apple's situation is a bit more critical and different. Because all google accounts have real emails behind them, (i.e. email @ gmail.com) we can fall-back to a magic-link type login if shit hits the fan and Google decides to revoke rights to use logins. But with Apple, all emails are proxied through apple, we don't get any real-email addresses, and all these users would be effectively locked-out forever whenever Apple does anything like this.
Given the nature of Cryptee, I'd love to reserve the right to piss off Apple some day, so we're looking into this from a different legal & technical angle now. It's safe to say there's now a non-zero chance we may not implement this, simply because of the distasteful example Apple has set here.
Curious to hear everyone's opinions, but I can't imagine anyone being okay with getting locked out of their account because of a debate we might one day have with Apple.
schaafjs
commented
4 years ago Seems like Apple backtracked on their decision [1][2] and provided Epic Games with an indefinite extension for "Log in with Apple". I don't think this changes anything considering the size of Epic Games compared to Cryptee. Most likely a major backlash from users which relied on this method was a cause for Apple changing their mind in the first place.
Your concern with "Log in with Apple" not providing a fallback option in case Cryptee would be removed from their program is very much a valid one. Asking the user to provide cryptee with their actual e-mail address if they choose to conceil it in the sign up process defeats that very purpose but seems like the only option. Maybe some explanation on why this is a necessary measurement would make it more understandable for the user. This preserves improved log in flow (since adding this fallback e-mail address would be done just once) while still maintaining the benefits of oauth.
johnozbay
commented
1 year ago We're working on some major improvements to our login flow as we speak, and we've discussed this internally with the team once again.
We think that taking Apple's word for it, and trusting that they won't start revoking companies' access to 'sign in with apple' is a big risk, especially because accounts won't have real emails, but proxied ones, and there doesn't seem to be an easy solution or workaround for this.
So we thought it's "better-to-be-safe-than-sorry-in-the-long-term" — and we're not going to add Sign In with Apple unless some day they change the way it works and perhaps allow providers to send parameters like "real-email-required" etc, then we could add this.
Apologies that it took us so long to come to this decision — but after our long conversations we're convinced that this is the safest way to move forward.
Best,
J
Is your feature request related to a problem? Please describe. Currently the only third party sign in option is to sign in with google. This is more of a general feature request than a personal problem that I have.
Describe the solution you'd like Adding sign in with apple would allow users who prefer oauth over additional passwords and are in the apple eco system to sign in more conveniently.
Additional context I think this makes sense since many users which rely on oauth are members of either but not both eco systems or might prefer apples version which is a bit more privacy preserving (anonymous email address and name possible). The device coverage is also good with it being supported natively on all apple devices (obviously) and also usable in every (major) browser. Some links I found: