Usually you offer a connect button with the most popular providers. You could also detect a login with somename@whateverapplemaildomain in order to passthrough for those addresses. There are some discovery mechanisms that can be added for DNS/http(s) services as well against different tlds.
In the end, probably would just add an apple-logo button next to twitter, google and facebook auth buttons.
----
Aside, in terms of data storage, separate the account, user and login/auth details. An account is related to activity inside the system. A user is a person authorized to use/act on or as that account. A login is an authority and related information to enter as a given user. Logins can be an OpenID reference, AD Integrated User, an API token, a local password entry (salted/hashed of course).
If you make the separations above, you'll have far fewer issues if/when you need to make your application more flexible in terms of users/authentication against accounts. It also is very helpful when you will have "individual" accounts and "business entity" accounts, which may have variances in UI/UX.
Beyond this, would separate the actual API/UI systems from auth systems relying on integrated tokens (like RSA signed JWT on an internal authority). In this way, your API systems only need to worry about "allowed" signers, and the roles assigned in the token's claims. Of course then there are issues with token lifetime, refresh and revocation to consider.
Sorry for the blathering on this, literally working on an authentication management system (fairly barebones initially) right now. MVP at end of day after 4 months work.
> There are some discovery mechanisms that can be added for DNS/http(s) services as well against different tlds.
I'm aware of OIDC's webfinger discovery mechanism; IIRC, it lets you translate "person@example.com" into a valid login. (But I don't think I've ever seen anyone implement this.) Is there something else?
I think you could also implement just a DNS identifier to OIDC discovery which would let you translate something like "apple.com" into an OIDC flow, but you would need the provider to publish a OIDC discovery document, which Apple's implementation does not do. (Why, IDK, since that seems like a really easy thing to do. But Google — which does have one, technically — also isn't "google.com" or "gmail.com", so entering this seems a bit hard for a user to enter. (It's under "accounts.google.com"))
My Apple ID is a personal email address at a custom domain name. I also use the same email address as a Microsoft ID. How would/should/could a service be expected to take my email and determine what services it is associated with? I assume that’s not really possible, and as an end-user I don’t particularly want that to be possible anyway.
But let’s take a simpler scenario, just because my email address is something@gmail.com, does that mean Google should be used as the OAuth provider? Maybe I use that same email address as an Apple ID and as a Microsoft ID as well.
If I understand correctly AppleID is supposed to obfuscate your real email such that the website you connect to will only see a hhfyguihry636357484@privacy.apple.com or something similar.
I'm mostly trying to clarify if the parent poster knew about something more than Webfinger, since his post mentions "DNS/http(s) services"; wasn't sure if that referred to Webfinger, or something else.
> How would/should/could a service be expected to take my email and determine what services it is associated with?
By following the OIDC standard, namely, using Webfinger discovery. I was mostly confused since, AFAIK, OIDC only mentions webfinger, not DNS, so I was curious if the parent to my post knew something I did not.
> as an end-user I don’t particularly want that to be possible anyway
I don't see why not. Note that this is discovering who the identity provider associated with an email is in an automated way — this is not discovering what services you log in to with that identity. That is, for "example@gmail.com", Webfinger would discover that Google is the identity provider. This is something a human can — roughly — already discern from the email anyways; this just provides an automated means. Moreover, it provides a means for the service wanting to log you in to then subsequently redirect you to; there are certain configuration parameters needed beyond just the email.
The idea is to make it simple for the average user: just enter your email.
> just because my email address is something@gmail.com, does that mean Google should be used as the OAuth provider?
Not necessarily, but I think the OIDC flow there is pretty good. One could imagine an implementation whereby GMail allowed you to specify an alternative IdP for your email, and then responded to with that when queried. This is more to do with Google's implementation. (Which, AFAIK, doesn't implement Webfinger at all, so it is kind of moot. And while I doubt they'd ever implement this sort of thing, the point is more that an IdP under your control could / that nothing in the spec prohibits it.)
> Maybe I use that same email address as an Apple ID and as a Microsoft ID as well.
I think OIDC supports this. The Webfinger query is not limited to a single result. (Though, given the paucity of webfinger implementations, I don't know how well UIs would handle this. But again, implementation vs. specification.) Even if that didn't work, you could always enter your IdP hostname directly into the RP, and it could either Webfinger that, or just see if that hostname is the IdP by attempting to pull the metadata from it.
(It is sad that most OIDC implementing RPs only give you a few hand-selected buttons leading to major IdPs to choose from.)
Microsoft's online login is probably the most prominent example of translating "user@domain.com" into a SSO login/redirect that uses Azure AD or another SSO provider for signon that I can think of.
I know it's based on DNS and/or HTTP(S) entries for the common SSO, just don't recall all the specs off hand.
For the google/apple and other very common cases you can detect by a whitelist for the domain part. For others, if there isn't a discovery mechanism in place, would have to defer to internal (password) created accounts.
It's a bit of a mess, fortunately there's a handful of TLDs that account for over 95% of public users. IIRC, when I worked at emailage, it was something like >85% of requests were from 20 domains, and 95% or so were from 100.
Click on the 'X minutes ago' permalink on the comment, and then select 'favorite'. It will show up under 'favorited ... comments' linked from your profile page while logged in.
More generally, and as hinted to by floatingatoll, the the 'X minutes ago' is also a permalink meaning after you click on it you can bookmark it in any bokmarking system you use. (I use pinboard.in)
Also FWIE, going to the permalink for a comment also gives you access to the flag feature.
In the end, probably would just add an apple-logo button next to twitter, google and facebook auth buttons.
----
Aside, in terms of data storage, separate the account, user and login/auth details. An account is related to activity inside the system. A user is a person authorized to use/act on or as that account. A login is an authority and related information to enter as a given user. Logins can be an OpenID reference, AD Integrated User, an API token, a local password entry (salted/hashed of course).
If you make the separations above, you'll have far fewer issues if/when you need to make your application more flexible in terms of users/authentication against accounts. It also is very helpful when you will have "individual" accounts and "business entity" accounts, which may have variances in UI/UX.
Beyond this, would separate the actual API/UI systems from auth systems relying on integrated tokens (like RSA signed JWT on an internal authority). In this way, your API systems only need to worry about "allowed" signers, and the roles assigned in the token's claims. Of course then there are issues with token lifetime, refresh and revocation to consider.
Sorry for the blathering on this, literally working on an authentication management system (fairly barebones initially) right now. MVP at end of day after 4 months work.