About Account deletion when users use the Sign in with Apple

Did you mean 'and the Token is NOT obtained and saved.' ?? If that's what you meant, we have the same problem. We never used/saved access or refresh token, but in order to revoke them, you need to have them. Will Apple require revoking of tokens from platforms that didn't save them? Should we start saving those tokens from now on?

Hi there, I think I have the same question. Currently, we use Sign in with Apple and do the whole authentication flow, however, once we have the tokens from Apple, we just discard them and generate our own tokens instead. Do we need to store the apple tokens so we can later revoke them? Should we revoke them as soon as they are generated since we'll no longer need them?

I also do not save the token obtained with apple Sign in on my app. I could start saving it and revoke it when the user wants to delete the account, the issue is I always get invalid_client error no matter what client ID I use in the request. This is the last part in the Apple reminder email.

 If your app offers Sign in with Apple, use the Sign in with Apple REST API to revoke user tokens.

https://developer.apple.com/documentation/sign_in_with_apple/revoke_tokens#discussion Is this really necessary to pass the app review? The token as a validity of 1 day, and users are not going to create and delete an account in the same day I guess. It seems that this API isto be used when using sign in with apple on the web. Can someone at Apple provide some explanations?

Upcoming Requirement Reminder

Note: This is a support message regarding upcoming requirements that may be relevant for your app. Starting June 30, 2022, apps submitted to the App Store that support account creation must also include an option to initiate account deletion.

We noticed this app may support account creation. If it already offers account deletion or you’re working to implement it, we appreciate your efforts to follow the App Store Review Guidelines. Apps submitted after June 30 that do not comply with the account deletion requirements in guideline 5.1.1(v) will not pass review.

To learn more about the account deletion requirements, visit Offering account deletion in your app. If your app offers Sign in with Apple, use the Sign in with Apple REST API to revoke user tokens.

I didn't save the token or secret as well cause I didn't know I needed them. Now apparently we need them. What are we to do? Log the user out and log them back in to get a new token? Apparently we have to call the endpoint to log them out. I have been doing some experimenting with that, and now saving the secret/token. I am calling the endpoint, and it returns a 200, but the credentialRevokedNotification notification is not fired. I believe I am doing it right based on the doc which is frustrating. I've called hundreds of endpoints so I know what I am doing. I think my problems maybe related to the client_secret though. There seems to be a process behind that which I am looking into.

client_secret string (Required) A secret JSON Web Token (JWT) that uses the Sign in with Apple private key associated with your developer account. For more information about creating client secrets, see Generate and Validate Tokens.

Note, not sure how this is possible via an app. Seems more like a process for a website using sign in.

Apple should have given us a sign out button like they have in the phone settings and and on the appleid site. They didn't think about this and now a bunch of us are going to get screwed somehow.

Apple explained this case is just for the Account Deletion only. If you revoke the access into the Settings i suppose the revoke is sent automatically by the system.

If your app offers Sign in with Apple, you’ll need to use the Sign in with Apple REST API to revoke user tokens when deleting an account.

Hi everyone, I'm struggling a bit trying to understand how all this works.

I've implemented Sign in with Apple on an Unity iOS game. I do save all info Apple provides once the login success, I save the IdentityToken, UserId and AuthorizationCode.

We have received also the notification from Apple that we have to implement the Account Deletion, and that we have to implement the Revoke Tokens API endpoint using the Sign in with Apple REST API Revoke Tokens just that I don't have clear which is the client_id, what is the client_secret and what is the token.

Is client_id the bundle ID?

Is client_secret the identityToken provided by Apple during the Sign In process?

and what exactly is the token?

I'd really apreciate if someone can explain what should I do with the info provided during Sign in with Apple flow (UserId, IdentityToken and AuthorizationCode) in order to properly implement the Revoke Tokens API.

Also, is it supposed that this will be equivalent to when player goes to Settings -> Password and Security-> Apps using Sign in with Apple?

I have the same problem. Who knows how to solve it?

I would also like to see an official Apple explanation about this feature.

I assume Apple wants to stop users from using Apple ID for login in to the app after they delete account. At least this would make sense to me.

We also use only public key in the current implementation, so we had to obtain access token and then revoke it. The result confirmed that after revocation users can no longer use apple ID for SIWA in this particular app. And the app disappeared from the "Apps using Apple ID" list.
So basically calling "/revoke" is equivalent to "Stop using Apple ID" button in the Apple ID settings. So basically what we did was:

1. Create client secret (construct and sign JWT)
2. Create access token "/tokens"
3. Revoke token "/revoke"

Apple documentation is good for this steps and you can easily find all info. It just fails to explain what is expected for the new requirement.

https://developer.apple.com/forums/thread/708415 apple posted explanation

The three required values ​​are required for appleid.apple.com/auth/revoke.

• client_id: This is the App ID you can find in Apple Developer's Identifiers. Team ID is an excluded identifier, namely the bundle ID.
• client_secret: A secret JSON Web Token (JWT) that uses the Sign in with Apple private key associated with your developer account. You need to create it using JWT, and download key file from developer.apple.com/account/resources/authkeys/list
• token: A token that requires revoke. The token is access_token or refresh_token returned from auth/token.

As for the auth/token, there are two additional parameters as below

• code: The authorization code received in an authorization response sent to your app. The code is single-use only and valid for five minutes. Authorization code validation requests require this parameter. It is the same to the authorizationCode key of the response of apple signing, and its type is base64. It should be decoded to utf-8 before assigning to auth/token API.
• grant_type: (Required) The grant type determines how the client app interacts with the validation server. Authorization code and refresh token validation requests require this parameter. For authorization code validation, use authorization_code. For refresh token validation requests, use refresh_token.

Here is one sample of node.js on SO

Hi fmricky,

Please see the forum post below for the suggested steps for account deletion, as well as the workaround for when clients using the Sign in with Apple REST API or Sign in with Apple JS SDK do not have an existing refresh token, access token, or authorization code:

Handling account deletions and revoking tokens for Sign in with Apple

Regards,

Paris

Today is the initial deadline to implement token revocation when user deletes account. Was it moved due to unclear requirements or it is not enforced at all?

My server implementation is the same as yours.

As I understand it, revoke is intended for security and system overhead. When we no longer need to interact with the apple server, we need to actively destroy the corresponding accesstoken and refreshtoken.

However, we did not perform login verification, that is, we did not call oauth/token, so accesstoken and refreshtoken will not be generated. Since these are not generated, there is no revoke.

For an iOS App offering Sign-in-with-Apple, it remains unclear whether triggering Account Deletion from within the App is also expected to call the Revoke Token endpoint.

At the moment, the access and refresh tokens (which are obtained by calling the Generate and Validate tokens endpoint) are NOT stored by the App or our backend; this call is never made.

When deleting the account from the iOS App, is the App or our backend expected to call the Revoke Token endpoint? or is it sufficient to instruct the user to Stop using their Apple ID with the App in iPhone settings?