Apple Sign In Revoke Token

The requirement to revoke authorization tokens when a user deletes their account for an iOS app requires two API calls to the appleid.apple.com framework. The first requires passing the authorization code to /auth/token, which returns a token that can be used to revoke app credentials. But this code is returned as part of the sign-in authentication, and expires in 5 minutes. So, if a user signs in, has an app session for longer than 5 minutes, then wants to delete their account, how is this managed? Would they need to sign in again to Apple to get a valid code that can be used to revoke authentication? Is there any other way to get a "fresh" authorization code?

Posted by jmorley (not yet marked as solved)
  • Hi jmorley! I am facing the same issue and am also confused by this. When I request to revoke the user identity token with all parameters (client id, client secret (which is a JWT token), and token type hint), I get "invalid client" in the error response. What does this mean? If you found a solution, then please help me too.

  • Hi Ziddi Khattak, the correct token to revoke is the access token or refresh token, rather than the identity token. For details, please refer to this SO

  • Hi, guys... I am also getting "invalid client" in the error response. If anyone has got the solution for this, please help to finish this. Thank you...
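
An added example, not code from any poster in this thread or from Apple: an offline pre-flight check for the two points raised above, the claims of the client-secret JWT (a common source of "invalid client") and the token type passed to /auth/revoke. It assumes Apple's documented client-secret format (ES256, `kid`, `iss` = team ID, `sub` = client ID, `aud` = https://appleid.apple.com, `exp` at most 15777000 seconds ahead); the function names and sample values are constructed, and the signature is not verified.

```python
import base64, json
from urllib.parse import urlencode

APPLE_AUD = "https://appleid.apple.com"
MAX_LIFETIME = 15777000  # seconds (about six months), documented cap on exp
REVOCABLE = {"access_token", "refresh_token"}  # an identity token is not revocable

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(part: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def check_client_secret(jwt: str, client_id: str, now: int) -> list:
    """Return claim problems likely to cause invalid_client (signature not checked)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        return ["not a three-part JWT"]
    header, claims = _unb64url(parts[0]), _unb64url(parts[1])
    problems = []
    if header.get("alg") != "ES256":
        problems.append("alg must be ES256")
    if not header.get("kid"):
        problems.append("kid (key ID) missing from header")
    if not claims.get("iss"):
        problems.append("iss (team ID) missing")
    if claims.get("sub") != client_id:
        problems.append("sub does not match client_id")
    if claims.get("aud") != APPLE_AUD:
        problems.append("aud must be " + APPLE_AUD)
    exp = claims.get("exp", 0)
    if exp <= now:
        problems.append("client secret expired")
    elif exp - now > MAX_LIFETIME:
        problems.append("exp too far in the future")
    return problems

def revoke_form(client_id: str, client_secret: str, token: str, hint: str) -> str:
    """Form body for POST https://appleid.apple.com/auth/revoke."""
    if hint not in REVOCABLE:
        raise ValueError("token_type_hint must be access_token or refresh_token")
    return urlencode({"client_id": client_id, "client_secret": client_secret,
                      "token": token, "token_type_hint": hint})

def make_sample_secret(header: dict, claims: dict) -> str:
    """Constructed, unsigned sample JWT for offline checks only."""
    enc = lambda d: _b64url(json.dumps(d).encode())
    return f"{enc(header)}.{enc(claims)}.{_b64url(b'constructed-signature')}"
```

The `sub` check is the one to look at first when the same secret is reused with a different client ID than the one it was minted for.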