ory / network

Ory runs a global end-to-end security infrastructure for humans, robots, and servers. We build and use open source software.
Apache License 2.0

Support additional client IDs for Apple native sign in #343

Status: Closed (jonas-jonas closed this issue 1 year ago)

jonas-jonas commented 1 year ago

To fully support a seamless development experience for social sign in using native SDKs (ID token based), we need to support multiple client IDs. This is because the actual application typically has a different identifier than the web application, and it also depends on the release-type (debug, test, release, etc.).

Proposed solution

  1. Add a config key allowed_id_token_audiences that lists all audiences that are allowed to submit ID tokens
  2. Add a client_id parameter to the createNativeLoginFlow/createNativeRegistrationFlow operations that is then checked on creation, and then used when the ID token is submitted to validate the ID token's aud claim
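
The two checks described in the proposal, as an added example that is not part of the issue and not Ory Kratos's own code: a client_id is validated against the audience allow-list when a native flow is created and bound to the flow, and the ID token's `aud` claim is later required to contain that bound client_id. The config field name, the `Flow` type, the function names and the sample client IDs are assumptions for illustration. The example deliberately stops at the `aud` check; signature, issuer and expiry verification against the provider's JWKS are assumed to happen before it and are not shown.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// ProviderConfig models one OIDC provider entry; AllowedIDTokenAudiences stands in for the
// proposed allowed_id_token_audiences key (hypothetical field, not Kratos's real config schema).
type ProviderConfig struct {
	ClientID                string   // primary client ID, e.g. the web Services ID
	AllowedIDTokenAudiences []string // extra client IDs: iOS/Android bundle IDs, debug builds, ...
}

// allowed reports whether cid is the primary client ID or one of the additional audiences.
func (c ProviderConfig) allowed(cid string) bool {
	for _, a := range append([]string{c.ClientID}, c.AllowedIDTokenAudiences...) {
		if a == cid {
			return true
		}
	}
	return false
}

// Flow keeps the one thing this example needs from a native flow: the client_id bound at creation.
type Flow struct{ ClientID string }

// NewNativeFlow is step 2 of the proposal: the client_id parameter is checked against the
// allow-list when the flow is created and bound to the flow. Empty falls back to the primary ID.
func NewNativeFlow(cfg ProviderConfig, clientID string) (*Flow, error) {
	if clientID == "" {
		clientID = cfg.ClientID
	}
	if !cfg.allowed(clientID) {
		return nil, fmt.Errorf("client_id %q is not an allowed ID token audience", clientID)
	}
	return &Flow{ClientID: clientID}, nil
}

// audience is the JWT "aud" claim; RFC 7519 allows a single string or an array of strings.
// Apple sends a single string, but accepting both forms avoids a spurious rejection.
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	var single string
	if json.Unmarshal(b, &single) == nil {
		*a = audience{single}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(a)) // plain []string target, so no recursion into this method
}

type IDTokenClaims struct {
	Sub string   `json:"sub"`
	Aud audience `json:"aud"`
}

// decodeClaims extracts the payload of a compact JWS WITHOUT verifying the signature. Real code
// must verify signature, issuer and expiry against the provider's JWKS before trusting any claim.
func decodeClaims(raw string) (*IDTokenClaims, error) {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWS")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c IDTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// ValidateIDTokenAudience is the submission-time check: aud must contain the client_id bound to
// the flow, and that client_id must still be allowed (the config may have changed since creation).
func ValidateIDTokenAudience(cfg ProviderConfig, f *Flow, rawToken string) (*IDTokenClaims, error) {
	claims, err := decodeClaims(rawToken)
	if err != nil {
		return nil, err
	}
	if !cfg.allowed(f.ClientID) {
		return nil, fmt.Errorf("flow client_id %q is no longer an allowed audience", f.ClientID)
	}
	for _, a := range claims.Aud {
		if a == f.ClientID {
			return claims, nil
		}
	}
	return nil, fmt.Errorf("aud %v does not contain flow client_id %q", []string(claims.Aud), f.ClientID)
}

// sampleToken builds an unsigned (alg "none") token for this constructed example only.
func sampleToken(claims map[string]interface{}) string {
	header, _ := json.Marshal(map[string]string{"alg": "none", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	return base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}

func main() {
	cfg := ProviderConfig{ClientID: "com.example.web", AllowedIDTokenAudiences: []string{"com.example.ios"}}
	flow, _ := NewNativeFlow(cfg, "com.example.ios")
	_, err := ValidateIDTokenAudience(cfg, flow, sampleToken(map[string]interface{}{"aud": "com.example.web"}))
	fmt.Println(err) // rejected: the token was minted for the web client, not the flow's client_id
}
```

Binding the client_id at flow creation means a token minted for a different, even allowed, client ID is rejected for that flow, which is stricter than accepting any audience on the list at submission time; re-checking the bound client_id against the config at submission covers the case where an audience was removed from the list while a flow was in progress.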

kmherrmann commented 1 year ago

This is requested by Moonpig.

jonas-jonas commented 1 year ago

When using multiple clients, the OIDC flow doesn't work for Apple, as we have a hardcoded exception in the CSRF protection for Apple callbacks (e.g. all providers that have the id apple). If you have multiple OIDC providers (e.g. apple_web, apple_android, apple_ios), that exemption doesn't apply, and you receive a CSRF violation error.

If we allow multiple client IDs in the config, that issue is also going to be fixed.