What difference does Apple OIDC have that isn't compatible with the existing OIDC provider support?

Open letter from the OpenID Foundation to Apple: https://openid.net/open-letter-from-the-openid-foundation-to-apple-regarding-sign-in-with-apple/

I haven't checked what the current state is. Maybe some of it has been changed / fixed. I didn't have the time for a deep dive yet.

Differences:
https://bitbucket.org/openid/connect/src/master/How-Sign-in-with-Apple-differs-from-OpenID-Connect.md

Peculiarities

• No UserInfo endpoint is provided, which means claims about users are instead included in the (expiring and potentially large) id_token.
• The scope value of only the very first request by an application is respected. If an application initially requests only the name scope, and the user allows it, it is then impossible to later also request the email scope.
• The client_secret_basic client authentication method is not supported, despite being mandatory to implement for OpenID Certified implementations.
• Authentication at the token endpoint requires a (custom) JWT assertion as a client_secret in a client_secret_post authentication method, whereas the more appropriate private_key_jwt authentication method, as defined in RFC 7523, could have been used.
• The Authorization Code grant type (for public Clients) does not use PKCE [RFC 7636] to avoid code injection and code replay attacks.
• Including the profile scope in the request causes the error invalid_request "Application is not authorized to access the requested information". Instead, the non-standard scope name is used to request the user's name.
• The user's name is only sent to the application in the POST request to the redirect URI (along with the authorization code) and so is susceptible to injection attacks. The UserInfo Endpoint response is the correct place to return this claim about the end-user.

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

@kvanzuijlen are you going to work on this? :)

I have some code ready for this but still need to get access to Apple credentials. I think I should be able to work on this over the next few weeks.

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

Are there any plans to re-open this issue? Would be awesome to have this.

@denniseffing it seems no one had the time to create a PR for this feature. If you are willing to invest the time. Feel free to go ahead and open a PR.