My app recently got a review comment from Apple that I must have an account deletion mechanism in my app (which uses Sign in with Apple). It also says I should revoke tokens issued by Apple.
In response, I've handled it as part of my UI as well as the back end. I delete the user's sandbox data, keychain data, as well as the user record on the server.
As for the token, I don't use the standard access/revoke token recommended by Apple.
Here's what I do:
1 – Sign in with Apple on the device
2 – Get ID token
3 – Send it to my server
4 – My server will create a JWT based on the PEM file I got from Apple
5 – Send that JWT to the iOS client
6 – Client will use it until it expires.
7 – When it expires, I again force the user to do SIWA.
This way, I know the user is a valid Apple user (I don't have Android plans). I kind of lived with this because I thought this was Apple's way of minimizing our hassle to do less server dance.
I also developed the SIWA part before 2022 when this rule came into effect, hence also chose SIWA for its simplicity.
Well, not quite.
Now that I see it, all I'm doing is generating a client secret, which is one step away from an access token. So how do I even go about revoking it?
- At present, my attempt to obtain an Apple access token from SIWA's returned authorization code + my JWT (client secret) meets with an
  invalid_client
  error code.
- There is plenty of Apple documentation, but strands of information are here and there. All one can do is trial and error. Such a complex topic requires more elaborate explanation. Instead of providing samples, Apple points to external sites (Jwt.io) instead of trying to be a source of truth.
- Googling doesn't get me any sample implementation, or even standard steps I should follow if I don't have complex requirements. Do I have to rely on a third party like Firebase whose tutorials are readily available?
I get that security is a delicate topic. But to me, after the JWT step, it is between my server and iOS users; I really don't see the point of doing so many hops for authentication.
I naively chose SIWA to minimize server management, but it seems I'm falling on my face. If I was doing this with email, I'd only be creating a JWT and it would probably be enough, which I'm doing anyway now.
What am I missing here?
(A humble request: I'd highly appreciate experiences of developers who've done this, not just a recap of Apple's rules. With a little clarity on the details, coding it in 48 hours is no big deal for me. OTOH, if there's a source that cites I can bypass the token revoke flow, please share as well.)
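The flow the post is asking about, as an added example that is not the poster's code: build the client secret JWT from the developer-portal key, check the claims that commonly produce `invalid_client`, then exchange the authorization code for a refresh token and revoke that refresh token on account deletion. The Team ID, bundle ID, Key ID and tokens used in the test are constructed placeholders; the endpoint URLs and claim rules are Apple's documented ones.

```python
"""Sign in with Apple server side: client secret JWT, code exchange, revocation (added example)."""
import base64, json, time
from urllib.parse import urlencode

APPLE_AUD = "https://appleid.apple.com"            # aud claim Apple requires
TOKEN_URL = "https://appleid.apple.com/auth/token"    # code -> access/refresh token
REVOKE_URL = "https://appleid.apple.com/auth/revoke"  # call this on account deletion
MAX_TTL = 15777000                                    # Apple's ceiling for exp - iat (6 months)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def client_secret_claims(team_id, client_id, key_id, now=None, ttl=3600):
    """Header and payload of the client secret JWT (what the post calls 'my JWT')."""
    now = int(time.time() if now is None else now)
    header = {"alg": "ES256", "kid": key_id}
    payload = {"iss": team_id, "iat": now, "exp": now + ttl, "aud": APPLE_AUD, "sub": client_id}
    return header, payload

def check_client_secret(header, payload):
    """Claim mistakes Apple rejects with invalid_client; an empty list means the claims look right."""
    problems = []
    if header.get("alg") != "ES256": problems.append("alg must be ES256")
    if not header.get("kid"): problems.append("kid (Key ID from the developer portal) missing")
    if len(payload.get("iss", "")) != 10: problems.append("iss must be the 10-character Team ID")
    if payload.get("aud") != APPLE_AUD: problems.append("aud must be " + APPLE_AUD)
    if not payload.get("sub"): problems.append("sub must be the app's bundle ID (client_id)")
    if payload.get("exp", 0) - payload.get("iat", 0) > MAX_TTL: problems.append("exp more than 6 months after iat")
    return problems

def sign_client_secret(header, payload, p8_pem: bytes) -> str:
    """ES256-sign with the .p8 private key (needs the 'cryptography' package; JOSE r||s encoding)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import ec, utils
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(payload, separators=(",", ":")).encode()))
    key = serialization.load_pem_private_key(p8_pem, password=None)
    r, s = utils.decode_dss_signature(key.sign(signing_input.encode(), ec.ECDSA(hashes.SHA256())))
    return signing_input + "." + b64url(r.to_bytes(32, "big") + s.to_bytes(32, "big"))

def code_exchange_body(client_id, client_secret, authorization_code):
    """Form body to POST to TOKEN_URL: trades the one-time code for access + refresh tokens."""
    return urlencode({"grant_type": "authorization_code", "code": authorization_code,
                      "client_id": client_id, "client_secret": client_secret})

def revoke_body(client_id, client_secret, refresh_token):
    """Form body to POST to REVOKE_URL; store the refresh token at sign-in so you can revoke it here."""
    return urlencode({"client_id": client_id, "client_secret": client_secret,
                      "token": refresh_token, "token_type_hint": "refresh_token"})
```

Both POSTs use `Content-Type: application/x-www-form-urlencoded`; a 200 from REVOKE_URL means the token is invalidated and the server-side record can be deleted.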