Error invalid_client getting user refresh token

We are having trouble implementing Account Deletion, so we would like to get some helpful information about this, especially about revoking user tokens. From what we understand from the Apple documentation, there are 3 main steps to revoke a user token.

  1. Create a client secret.
  2. Get the user refresh token from authorization code.
  3. Revoke the user refresh token.

The problem is we are always getting an error "invalid_client" when trying the 2nd step. And according to the documentation (https://developer.apple.com/documentation/sign_in_with_apple/errorresponse), there's like a bunch of possibilities about this "invalid_client" error. We assumed there's something wrong with our client secret, which leads to the 2nd step error.

Our Sign In with Apple was implemented easily without creating any keys or services; the only changes we made were adding capabilities to our app and building the app with the new provision. So that leads us to the question: Which private key should we use to create the client secret? Are we supposed to create a new key so we can use it as the private key to create the client secret?

Our current generated client secret is using the private key which we get from a newly created key with "Sign In with Apple" enabled in it. And here are the properties we used to create the client secret:

  • algorithm : "ES256"
  • keyid : "AJKXXXX572" // key id from the newly generated key
  • iss : "H49XXXRBA6" // team ID
  • iat : currentTime // Math.round((new Date()).getTime() / 1000)
  • exp : currentTime + 600
  • aud : "https://appleid.apple.com"
  • sub : "com.xxxx.ios" // our app bundle id
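
The client secret described in the post above, as an added example that is not part of the original post and not Apple's code: it builds the ES256-signed JWT from the listed properties with Node's built-in `crypto` and checks it locally before it would be sent. The function names `makeClientSecret` and `inspectClientSecret` are hypothetical, and a throwaway P-256 key generated inline stands in for the real private key; the identifiers are the masked values from the post.

```javascript
const crypto = require('node:crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');

// Build the client secret as a compact JWS (header.payload.signature).
function makeClientSecret({ keyId, teamId, clientId, privateKey, now, ttl = 600 }) {
  // The JOSE header field is "kid"; some JWT libraries expose it as a "keyid" option.
  const header = { alg: 'ES256', kid: keyId };
  const claims = {
    iss: teamId,                      // team ID
    iat: now,                         // seconds since epoch
    exp: now + ttl,
    aud: 'https://appleid.apple.com',
    sub: clientId,                    // client identifier (bundle id in the post)
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  // JWS ES256 requires the raw 64-byte r||s signature, not the DER
  // encoding that Node produces by default.
  const sig = crypto.sign('sha256', Buffer.from(signingInput),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Decode a client secret and verify its signature against a public key.
function inspectClientSecret(jwt, publicKey) {
  const [h, p, s] = jwt.split('.');
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  const sig = Buffer.from(s, 'base64url');
  const signatureValid = sig.length === 64 && crypto.verify(
    'sha256', Buffer.from(`${h}.${p}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, sig);
  return { header, claims, signatureValid };
}

// Constructed sample: throwaway key pair, masked identifiers from the post.
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const now = Math.round(Date.now() / 1000);
const secret = makeClientSecret({
  keyId: 'AJKXXXX572', teamId: 'H49XXXRBA6', clientId: 'com.xxxx.ios', privateKey, now,
});
console.log(inspectClientSecret(secret, publicKey));
```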