Blog: OIDC, Sign in with Apple, and passkeys in the core

[shai-almog]

Summary

• June 1 follow-up post in the new weekly release series, covering the identity stack rewrite that shipped across PR Add OidcClient identity stack + native iOS/Android bindings #5018 (OIDC + SystemBrowser + Apple Sign In + Google / Facebook / Microsoft / Auth0 / Firebase wrappers + Oauth2 deprecation) and PR Add WebAuthn / passkey client + Auth0 / Firebase passkey helpers #5039 (portable WebAuthn / passkey client + Auth0 / Firebase passkey helpers).
• Walks through why the in-app-WebView Oauth2 flow is no longer viable, the new OidcClient surface, the system-browser routing on iOS (ASWebAuthenticationSession) and Android (Custom Tabs), the provider wrappers, the Sign in with Apple flow, the W3C-shaped WebAuthn client, and the scanner-driven framework / entitlement / Objective-C gating.
• Includes the "if you sign in via OIDC, you already get passkeys" guidance from the dev guide.

File

• docs/website/content/blog/oidc-and-passkeys.md — single new file.

Sequencing

Branches off master; intended to publish after the connectivity-APIs post (#5076). Front matter date is 2026-06-01.

Test plan

• Hugo build of docs/website succeeds.
• Post renders correctly on the blog index and as a standalone page.
• Header image is generated at /static/blog/oidc-and-passkeys.jpg.

[shai-almog]

Superseded — consolidating the follow-up posts so this release week ships fewer, broader posts. New merged versions in the follow-up PRs to this one.