As everyone is aware, Apple has a new requirement for apps with the Sign in with Apple option: they must enable account deletion functionality.
They have two main requirements:
Step 1. Revoke user tokens
Step 2. Delete all data associated with this account
So, Step 2 is clear and every developer is clear about this, but I (and all of the other developers) have some complications/problems regarding Step 1, which are stated below.
Problem 1: As stated here, we can use https://appleid.apple.com/auth/revoke to revoke the user token, but this API always responds with 200 even if your client_id is wrong. Maybe it's for security reasons and we can verify the revocation of the token by accessing some information using it. Am I right about this?
Problem 2: I know that the max age for the client_secret JWT is 6 months. Can we implement this token revoke process on the client side (app) and after that hit the backend with the account data deletion request, or the other way around? Or is it best to do all of this in the backend after properly verifying the user's account deletion request by requesting a secret code sent to the user's email?
Problem 3: Is it better to create the client_secret for every new deletion request, or can we set the max age to 6 months without any security concerns?
PS: If you want more context regarding the above queries, you can see the question below.
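The following is an added example, not code from the question or from Apple: a backend-side sketch of the Step 1 flow the three problems describe. It builds the client_secret JWT with a short lifetime (minted per deletion request rather than kept for the full 6 months), posts to /auth/revoke with the refresh token, and then, because a 200 from the revoke endpoint is not treated as proof, confirms revocation by attempting to use the same refresh token at /auth/token and expecting that to fail. The team ID, key ID and client_id are placeholders, the ES256 signer and the HTTP transport are injected so the module runs offline, and the field names are the ones Apple's token and revoke endpoints accept.

```python
"""Sign in with Apple, Step 1 of account deletion: mint a short-lived client_secret,
revoke the user's refresh token, then verify the revocation by use rather than by
trusting the revoke endpoint's 200. Added example; team/key/client ids are placeholders."""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict

APPLE_ISSUER = "https://appleid.apple.com"
REVOKE_URL = APPLE_ISSUER + "/auth/revoke"
TOKEN_URL = APPLE_ISSUER + "/auth/token"
MAX_SECRET_LIFETIME = 15_777_000   # Apple's documented ceiling for exp: 6 months in seconds
DEFAULT_SECRET_LIFETIME = 300      # 5 minutes: one fresh secret per deletion request


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_client_secret(team_id: str, client_id: str, key_id: str,
                        sign_es256: Callable[[bytes], bytes],
                        now: int = None, lifetime: int = DEFAULT_SECRET_LIFETIME) -> str:
    """Assemble the client_secret JWT. `sign_es256` receives the 'header.payload' bytes
    and must return the raw 64-byte r||s ECDSA P-256 signature made with the .p8 key
    (in production, e.g. the `cryptography` package); it is injected so this module
    never holds key material. Lifetimes beyond Apple's 6-month maximum are rejected."""
    if lifetime <= 0 or lifetime > MAX_SECRET_LIFETIME:
        raise ValueError("client_secret lifetime must be between 1 second and 6 months")
    now = int(time.time()) if now is None else now
    header = {"alg": "ES256", "kid": key_id}
    claims = {"iss": team_id, "iat": now, "exp": now + lifetime,
              "aud": APPLE_ISSUER, "sub": client_id}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(claims))
    return signing_input + "." + _b64url(sign_es256(signing_input.encode("ascii")))


def decode_claims(jwt: str) -> Dict:
    """Read back the (unverified) claim set, e.g. to log exp before sending."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def http_post(url: str, form: Dict[str, str]) -> int:
    """Real transport: form-encoded POST, returns the HTTP status (4xx included)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def revoke_and_verify(post: Callable[[str, Dict[str, str]], int],
                      client_id: str, client_secret: str, refresh_token: str) -> Dict:
    """Revoke the refresh token, then try to redeem it. Only a failed refresh after a
    200 from /auth/revoke is counted as a confirmed revocation."""
    revoke_status = post(REVOKE_URL, {
        "client_id": client_id, "client_secret": client_secret,
        "token": refresh_token, "token_type_hint": "refresh_token"})
    refresh_status = post(TOKEN_URL, {
        "client_id": client_id, "client_secret": client_secret,
        "grant_type": "refresh_token", "refresh_token": refresh_token})
    return {"revoke_status": revoke_status, "refresh_status": refresh_status,
            "revoked": revoke_status == 200 and refresh_status != 200}
```

Call `revoke_and_verify(http_post, ...)` from the backend handler that runs after the user's deletion request has been verified, and only proceed to Step 2 when `revoked` is true; anything else should be retried or surfaced rather than silently treated as done.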