My app recently got a review remark from Apple that I must have an account deletion mechanism in my app (which uses Sign in with Apple). It also says I should revoke tokens issued by Apple.
In response, I have handled it as part of my UI as well as back end. I delete user’s sandbox data, keychain data as well as the user record on the server.
As for the token, I do not use standard access/revoke token advised by Apple.
Here is what I do:
1 – Sign in with Apple on the device
2 – Get the ID token
3 – Send it to my server
4 – My server will create a JWT based on the PEM file I got from Apple
5 – Send that JWT to the iOS client
6 – The client will use it until it expires.
7 – When it expires, I again force the user to do SIWA.
This way, I know the user is a valid Apple user (I don’t have Android plans). I kind of lived with this because I thought this was Apple’s way of minimizing our hassle to do less server dance.
I also developed the SIWA part before 2022 when this rule came into effect, hence also chose SIWA for its simplicity.
Well, not quite.
Now that I see it, all I am doing is generating a client secret, which is one step away from an access token. So how do I even go about revoking it?
- At present, my attempts to obtain an Apple access token from the SIWA-returned authorization code + my JWT (client secret) meet with an invalid_client error code.
- There is plenty of Apple documentation, but strands of information are here and there. All one can do is trial and error. Such a complex topic requires more elaborate explanation. Instead of providing samples, Apple points to external sites (Jwt.io) instead of trying to be a source of truth.
- Googling does not get me any sample implementation, or even standard steps I should follow if I don’t have complex requirements. Do I have to rely on a 3rd party like Firebase whose tutorials are readily available?
I get that security is a delicate topic. But to me, after the JWT step, it’s between my server and iOS users; I truly don’t see the point of doing so many hops for authentication.
I naively chose SIWA to minimize server management, but it seems I am falling on my face. If I were doing this with email, I would only be creating a JWT and it would probably be enough, which I am doing anyway now.
What am I missing here?
(A humble request: I would highly appreciate experiences of developers who have implemented this, not just a recap of Apple’s rules. With little clarity on the details, coding it in 48 hours is no big deal for me. OTOH, if there is a source that cites I can bypass token revoke flow, please share as well.)
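The post's steps 4 and 5 build a JWT from the Apple PEM key and hand it to the iOS client; in Apple's flow that JWT is the client_secret, and it goes to Apple's servers, not to the device. The following Go program is an added example, not code from the question or from Apple, showing the server side that the revocation requirement needs, using only the standard library: signing the ES256 client secret, a local replay of the checks Apple applies to it (Apple answers invalid_client when it cannot authenticate the client, i.e. when client_secret does not validate for the given client_id), and the form bodies for Apple's /auth/token and /auth/revoke endpoints. The Team ID, bundle ID, Key ID and the generated key are constructed placeholders; a real deployment loads the private key from the .p8 file and keeps the refresh_token returned by /auth/token so that account deletion can revoke it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Endpoints and audience as documented for the Sign in with Apple REST API.
const (
	appleAudience   = "https://appleid.apple.com"
	appleTokenURL   = "https://appleid.apple.com/auth/token"
	appleRevokeURL  = "https://appleid.apple.com/auth/revoke"
	clientSecretTTL = 10 * time.Minute // Apple caps client_secret lifetime at six months; keep it short
)

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildClientSecret signs the ES256 JWT that Apple accepts as client_secret.
// teamID -> iss, clientID (the app's bundle ID) -> sub, keyID (Key ID of the .p8 key) -> kid.
func BuildClientSecret(teamID, clientID, keyID string, priv *ecdsa.PrivateKey, now time.Time) (string, error) {
	if priv.Curve != elliptic.P256() {
		return "", errors.New("ES256 requires a P-256 key")
	}
	hb, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": keyID})
	cb, _ := json.Marshal(map[string]interface{}{
		"iss": teamID, "iat": now.Unix(), "exp": now.Add(clientSecretTTL).Unix(),
		"aud": appleAudience, "sub": clientID,
	})
	signingInput := b64url(hb) + "." + b64url(cb)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is raw r||s, 32 bytes each, not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64url(sig), nil
}

// VerifyClientSecret replays the checks Apple performs on client_secret (signature, iss, sub, aud, exp)
// so a secret can be validated locally before it is sent; any of these failing yields invalid_client.
func VerifyClientSecret(token, teamID, clientID string, pub *ecdsa.PublicKey, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("signature does not verify")
	}
	cb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return err
	}
	var c struct{ Iss, Sub, Aud string; Exp int64 } // encoding/json matches keys case-insensitively
	if err := json.Unmarshal(cb, &c); err != nil {
		return err
	}
	switch {
	case c.Iss != teamID, c.Sub != clientID, c.Aud != appleAudience:
		return errors.New("iss/sub/aud do not match Team ID, client_id and Apple audience")
	case c.Exp <= now.Unix():
		return errors.New("client secret expired")
	}
	return nil
}

// TokenExchangeForm is the /auth/token body that trades the authorization code from the iOS credential
// for Apple's tokens; store the returned refresh_token server-side, it is what account deletion revokes.
func TokenExchangeForm(clientID, clientSecret, code string) url.Values {
	return url.Values{"client_id": {clientID}, "client_secret": {clientSecret},
		"code": {code}, "grant_type": {"authorization_code"}}
}

// RevokeForm is the /auth/revoke body posted when the user deletes the account.
func RevokeForm(clientID, clientSecret, refreshToken string) url.Values {
	return url.Values{"client_id": {clientID}, "client_secret": {clientSecret},
		"token": {refreshToken}, "token_type_hint": {"refresh_token"}}
}

func main() {
	// Constructed placeholders; in production load the .p8 via pem.Decode + x509.ParsePKCS8PrivateKey.
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	secret, _ := BuildClientSecret("TEAMID0000", "com.example.app", "KEYID00000", priv, time.Now())
	fmt.Println("self-check:", VerifyClientSecret(secret, "TEAMID0000", "com.example.app", &priv.PublicKey, time.Now()))
	fmt.Println("POST", appleTokenURL, TokenExchangeForm("com.example.app", secret, "<authorization code>").Encode())
	fmt.Println("POST", appleRevokeURL, RevokeForm("com.example.app", secret, "<stored refresh_token>").Encode())
}
```

Both forms are sent as application/x-www-form-urlencoded, which is what http.PostForm produces; Apple answers the revoke call with HTTP 200 on success. The ID token from step 2 is a separate artifact that the server verifies against Apple's published public keys, and it is not what gets revoked: revocation targets the refresh_token (or access_token) obtained from the code exchange, so that exchange has to happen at sign-in and its result has to be stored per user.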