
I want to use the account deletion feature for users logged in with Apple via the REST API in my project. What do the client_id and client_secret values specified in the curl request correspond to in my iOS application?

curl -v -X POST "https://appleid.apple.com/auth/revoke" \
-H 'content-type: application/x-www-form-urlencoded' \
-d 'client_id=CLIENT_ID' \
-d 'client_secret=CLIENT_SECRET' \
-d 'token=REFRESH_TOKEN' \
-d 'token_type_hint=refresh_token'

  1. The revoke link doesn’t delete accounts. It just revokes the token that you are sending

  2. The documentation tells you what each part is: https://developer.apple.com/documentation/sign_in_with_apple/revoke_tokens

client_id string (Required) The identifier (App ID or Services ID) for your app.

client_secret string (Required) A secret JSON Web Token (JWT) that uses the Sign in with Apple private key associated with your developer account.

The JWT for the client secret will look like this.

Header:

{
    "alg": "ES256",     // The algorithm used to sign the token. For Sign in with Apple, use ES256.
    "kid": "ABC123DEFG" // A 10-character key identifier generated for the Sign in with Apple private key associated with your developer account.
}

Payload:

{
    "iss": "DEF123GHIJ",                // Your 10-character Team ID associated with your developer account.
    "iat": 1437179036,                  // Time at which you generated the client secret, as seconds since the Unix epoch, in UTC.
    "exp": 1493298100,                  // The expiration time registered claim identifies the time on or after which the client secret expires.
    "aud": "https://appleid.apple.com",
    "sub": "com.mytest.app"             // Use the same value as client_id. The value is case-sensitive.
}

https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens

The bottom part of the link above gives you all you need to create the token, and you will need a 3rd-party API to sign it.

The private key needed shouldn’t be included in the bundle which is likely why there isn’t much swift documentation for this.

lorem ipsum
  • So, if I am using `Sign In with Apple` for my app to use CloudKit, do I need to use the revoke token API? If yes, then where do we find the client_secret and token? – Bhavin Bhadani Jun 14 '22 at 11:03
  • @BhavinBhadani Yes, everybody does, per the guidelines. The client secret isn't something to find; it is something you make on your own server. The more I read into this process, the clearer it becomes that supporting Sign In with Apple requires server work to be effective. – lorem ipsum Jun 14 '22 at 11:08
  • But the problem is we are not using any specific server and just use sign in to access CloudKit. Now, what to do in this case? – Bhavin Bhadani Jun 14 '22 at 11:12
  • @BhavinBhadani a JWT token requires a signature with your private key. That key shouldn't be in your app Bundle. Apple speaks about this process in terms of the new WeatherKit API and as a standard practice in the WeatherKit video from WWDC22 towards the end, I think around minute 9:30. – lorem ipsum Jun 14 '22 at 12:48
  • @BhavinBhadani I could go on and on about why I think that server ops are needed, but SO is the wrong platform for a discussion. Examine the Sign In with Apple docs; the more you read, I think you will come to the same conclusion. This token revocation thing seems cosmetic to me; there is no real purpose for it. Actual deletion of an account should be handled server side for several other reasons than just the new requirement to initiate deletion from the app. Think about what happens when the user deletes their Apple ID, or when the user goes into their settings and revokes the connection with your app. – lorem ipsum Jun 14 '22 at 12:48
  • I totally understand your point. Apple should also think about what happens if there is no server-side implementation behind sign in. I think I should check some docs then. Thanks for the support. – Bhavin Bhadani Jun 14 '22 at 13:19
  • @BhavinBhadani Apple has no other way of notifying you of these changes if the user decides to never open your app again or simply deletes the app. I think this is the beginning of a larger adoption of these server-side notifications. It is already required for subscription receipt verification and refunds, now Sign In with Apple, and soon for WeatherKit. I think most Apple APIs will require some kind of server-side work in the future. – lorem ipsum Jun 14 '22 at 15:24
  • I think Apple should have a direct method to revoke the token that does not require any client ID and secret. – Paresh Patel Jun 15 '22 at 05:09