I am trying to follow the documentation to verify a user in my backend. My App follows the schema that appears in the diagram at the top of the page. I am using npm and:
- next in frontend (App)
- express in backend (API Server)
Once I receive the token in the API Server from the App, I check its validity following the steps under the heading Verify the identity token without problem.
I have trouble understanding if I am doing enough when I try to follow the steps in Obtain a refresh token. In this step, I am sent to the page in the documentation to Generate and validate tokens. However, that part of the documentation refers to client tokens, not to user tokens. I can get a new access_token and id_token for the user from my API using the following request:
curl -v -X POST "https://appleid.apple.com/auth/token" \
-H 'content-type: application/x-www-form-urlencoded' \
-d 'client_id=CLIENT_ID' \
-d 'client_secret=CLIENT_SECRET' \
-d 'grant_type=refresh_token' \
-d 'refresh_token=REFRESH_TOKEN'
Is this enough to verify the identity? Should I then check that the id_token I receive matches the one I have or is it enough that I have checked the jwt information and validated the refresh_token?
Thanks!