ios – Sign in with Apple – is the whole Access Token Revoke Dance fully required?


My app recently got a review remark from Apple that I must have an account deletion mechanism in my app (which uses Sign in with Apple). It also says I should revoke tokens issued by Apple.

In response, I have handled it as part of my UI as well as back end. I delete user’s sandbox data, keychain data as well as the user record on the server.

As for the token, I do not use standard access/revoke token advised by Apple.

Here is what I do:

1 – Sign in with Apple on the device
2 – Get the ID token
3 – Send it to my server
4 – My server will create a JWT based on the PEM file I got from Apple
5 – Send that JWT to the iOS client
6 – The client will use it until it expires.
7 – When it expires, I again force the user to do SIWA.

This way, I know the user is a valid Apple user (I don’t have Android plans). I kind of lived with this because I thought this was Apple’s way of minimizing our hassle to do less server dance.

I also developed the SIWA part before 2022 when this rule came into effect, hence also chose SIWA for its simplicity.

Well, not quite.

Now that I see it, all I am doing is generating a client secret, which is one step away from an access token. So how do I even go about revoking it?

  • At present, my attempts to obtain an Apple access token using the SIWA-returned authorization code + my JWT (client secret) meet with an invalid_client error code.

  • There is plenty of Apple documentation, but strands of information are here and there. All one can do is trial and error. Such a complex topic requires more elaborate explanation. Instead of providing samples, Apple points to external sites (Jwt.io) instead of trying to be a source of truth.

  • Googling does not get me any sample implementation, or even standard steps I should follow if I don’t have complex requirements. Do I have to rely on 3rd party like Firebase whose tutorials are readily available?

I get that security is a delicate topic. But to me, after the JWT step, it’s between my server and iOS users; I truly don’t see the point of doing so many hops for authentication.

I naively chose SIWA to minimize server management, but it seems I am falling on my face. If I were doing this with email, I would only be creating a JWT and it would probably be enough, which I am doing anyway now.

What am I missing here?

(A humble request: I would highly appreciate experiences of developers who have implemented this, not just a recap of Apple’s rules. With a little clarity on the details, coding it in 48 hours is no big deal for me. OTOH, if there is a source that cites I can bypass the token revoke flow, please share as well.)
