We are currently developing a new iOS application, and we plan to use Sign in with Apple for user authentication. We have a few questions related to this.
-
We understand that Sign in with Apple is compliant with OpenID Connect. However, in our service, the use cases for access_token and refresh_token are limited. Therefore, even if we do not use these tokens, is there a possibility that we will receive a rejection in the Apple Store Review process? Specifically, we are thinking of saving the user's identifier, which can be obtained at the time of authentication, on our server and using it to identify the user. ASAuthorizationAppleIDCredential
-
According to Apple's guidelines (5.1.1 Data Collection and Storage), we need to invalidate the user's tokens when the account is deleted. Does this requirement apply even if the token has already expired?
App Store Review Guidelines 5.1.1
Thank you in advance for your help!
