revoke Apple Token Api, Always Return 200

I received the mail below.

Starting June 30, 2022, apps submitted to the App Store that support account creation must also include an option to initiate account deletion.

We noticed this app may support account creation. If it already offers account deletion or you’re working to implement it, we appreciate your efforts to follow the App Store Review Guidelines. Apps submitted after June 30 that do not comply with the account deletion requirements in guideline 5.1.1(v) will not pass review.

However, the revoke api is not working properly. Even if you throw an incorrect key value, 200 is always returned.

Is the API working properly? What should I do?

Up vote post of caelum614 Down vote post of caelum614
1.4k views
Posted by
caelum614
Reply

  • The api does nothing. We get 200 responses from all calls - new Tokens, old tokens, placeholder data - it doesn't seem to matter. We got 400 errors invalid_client for empty payload or non-encrypted form data, otherwise 200. It DOES NOT revoke authorization for any token we've posted. The only way we've successfully revoked token authentication is via ios privacy settings, or user security page. This api is not working.

    jmorley

  • The API IS working provided the token is correct - the 200 and 400 responses are very unhelpful. The AuthorizationCode you receive with the sign-in token has to be sent to auth/token along with client id and client secret requesting a grant_type of authorization_code. The token you get back from this call is what you use in the token field of the auth/revoke form. The documentation for all of this is very confusing and the parameter names don't help.

    jmorley
Add a Comment

Accepted Reply

Also complicating things, the AuthorizationCode expires after 10 minutes. So apparently the only way to get a new code to revoke the user's token is for them to sign in again, which is a strange user experience when they are trying to delete their account and revoke authentication.

Posted by
jmorley
Up vote reply of jmorley Down vote reply of jmorley
Post marked as solved
Add a Comment

Replies

According doc it returns 200 also when token has been revoked already. So probably invalid token equals expired/revoked.

Posted by
PotatoEater
Up vote reply of PotatoEater Down vote reply of PotatoEater
Add a Comment

https://stackoverflow.com/questions/72556424/how-to-validate-the-apple-revoke-token-api-appleid-apple-com-auth-revoke-succe/72656409#72656409

Posted by
jmorley
Up vote reply of jmorley Down vote reply of jmorley
Add a Comment

Also complicating things, the AuthorizationCode expires after 10 minutes. So apparently the only way to get a new code to revoke the user's token is for them to sign in again, which is a strange user experience when they are trying to delete their account and revoke authentication.

Posted by
jmorley
Up vote reply of jmorley Down vote reply of jmorley
Post marked as solved
Add a Comment

So what's actual solution? I'm having the same issue and by looking at the replies it seems like I just have to assume the revocation works if I pass valid parameters, right?

Posted by
kirill_lutarevich
Up vote reply of kirill_lutarevich Down vote reply of kirill_lutarevich
Add a Comment