3

We are implementing the new guidelines imposed by Apple on user deletion. The problem is that users registered by Apple Sign In have Apple ID associated with the app by token, and by using the token revoke API, the user still remains associated via Apple ID with the app and has to manually remove the association in their Apple ID settings. Is this the correct way? Is there a service I can call to disassociate the Apple ID from the app?

Vadim Belyaev
Koby
  • How are you using the token revoke API? This even remains unclear to me with the documentation, unfortunately – Andre May 27 '22 at 00:56
  • What is unclear? the parameters? – Koby May 28 '22 at 10:43
  • I could never manage. Is there a tutorial about that? I could not find. – ursan526 May 28 '22 at 10:46
  • @ursan526 about token revoke API? or disassociate the Apple Id from the app? – Koby May 28 '22 at 10:57
  • I am beginning to think that only the user can disassociate their Apple ID from the app by going into their settings (Password & security). There is no programmatic way to remove their association. I think the token revoke API is simply for removing an auth session. – Andre May 28 '22 at 12:31
  • @kobi , I can't revoke. I have added my codes in detail here. https://stackoverflow.com/questions/72415745/i-cant-delete-the-user-logged-in-with-apple – ursan526 May 28 '22 at 12:34
  • @Andre there is a programmatic way available, you must manage it in the backend – Berlin Jul 08 '22 at 09:26

2 Answers

3

The following GitHub README solution assumes one is using Firebase for their backend auth services:

Explanation by jooyoungho

I used this solution for my app which integrates with Firebase auth for Sign In With Apple and it worked well. Do not forget to create a key in your Apple Developer portal.

If you are not using Firebase, you can reverse engineer a solution based on the JavaScript shown in the README. Your HTTP request function flow and parameter info should be an exact match to this solution, but your syntax would be different.

The benefit of this solution is that you do not need to rely on the client to perform this sensitive action, and the computation is outsourced to a persistent container so you can guarantee revocation of the token.

Andre
1

Follow 3 steps to revoke/delete account.

  1. Generate Refresh token
  2. Validate Refresh token
  3. Revoke Access token

https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens

https://developer.apple.com/documentation/sign_in_with_apple/revoke_tokens

Dharmendra
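The server-side flow both answers describe (sign a client secret with the developer-portal key, exchange the authorization code for a refresh token, then call the revoke endpoint), as an added Node.js example that is not code from either answer or from the linked README. The function names and the `cfg` object are hypothetical, and it assumes the native-app flow, where the token request needs no `redirect_uri`.

```javascript
const nodeCrypto = require("crypto");

const APPLE = "https://appleid.apple.com";
const b64url = (v) => Buffer.from(v).toString("base64url");

// client_secret is an ES256 JWT signed with the .p8 key created in the
// Apple Developer portal; keep that key on the server, never in the app.
function buildClientSecret({ teamId, clientId, keyId, privateKeyPem, now = Date.now(), ttlSeconds = 300 }) {
  const iat = Math.floor(now / 1000);
  const header = b64url(JSON.stringify({ alg: "ES256", kid: keyId }));
  const claims = b64url(JSON.stringify({ iss: teamId, iat, exp: iat + ttlSeconds, aud: APPLE, sub: clientId }));
  const signingInput = `${header}.${claims}`;
  // JWS requires the raw r||s signature (IEEE P1363), not the default DER encoding.
  const sig = nodeCrypto.sign("sha256", Buffer.from(signingInput), { key: privateKeyPem, dsaEncoding: "ieee-p1363" });
  return `${signingInput}.${b64url(sig)}`;
}

// Both Apple endpoints take a form-encoded POST body.
function formRequest(path, fields) {
  return {
    url: APPLE + path,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams(fields).toString(),
  };
}

// Steps 1-2: exchange the authorization code sent by the client for tokens.
function tokenRequest(clientId, clientSecret, authorizationCode) {
  return formRequest("/auth/token", { client_id: clientId, client_secret: clientSecret, code: authorizationCode, grant_type: "authorization_code" });
}

// Step 3: revoke. token_type_hint may be "refresh_token" or "access_token".
function revokeRequest(clientId, clientSecret, token, hint = "refresh_token") {
  return formRequest("/auth/revoke", { client_id: clientId, client_secret: clientSecret, token, token_type_hint: hint });
}

// Runs the whole flow; `send` is injectable so the logic can be tested offline.
async function revokeAppleUser(cfg, authorizationCode, send = (r) => fetch(r.url, r)) {
  const secret = buildClientSecret(cfg);
  const tokenRes = await send(tokenRequest(cfg.clientId, secret, authorizationCode));
  if (!tokenRes.ok) throw new Error(`token exchange failed: HTTP ${tokenRes.status}`);
  const { refresh_token } = await tokenRes.json();
  const revokeRes = await send(revokeRequest(cfg.clientId, secret, refresh_token));
  if (!revokeRes.ok) throw new Error(`revocation failed: HTTP ${revokeRes.status}`);
  return true; // only delete the local account record after this succeeds
}
```

Treat a non-200 response from either call as a failed deletion and retry it from the backend, so the local account record is never removed while the Apple tokens are still valid.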