I have implemented Sign in with Apple in my (SwiftUI) app.
The flow goes like this:
- User taps sign in button
- In the delegate method I take the auth code and post it to my server.
- My server sends an activation request to Apple and gets ID, refresh, and access tokens.
This is where I have a problem:
- A user requests account deletion.
- The server sends a request to revoke the access and refresh tokens
- User may or may not go to settings and revoke "Sign in with Apple" access to the app (the following happens either way)
- The user then loads the app again and taps the Sign in with Apple button.
- The delegate method provides a valid id token, but the same original auth code instead of generating a new one.
- The server now gets an invalid response from Apple as the auth code has already expired, and so can't get a new refresh token.
- The server also can't use the old refresh token as it's been revoked during deletion.
Can someone tell me where I'm going wrong?
I can't find any documentation for regenerating a refresh token after revoking it.
With the described flow I expect to get a new auth code when a user re-authenticates with Apple after their tokens were revoked, so that I can get new refresh tokens from Apple's auth server.
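
The flow described above, as an added example that is not part of the original post: a constructed in-memory model of the code exchange and revocation, plus a server-side check that recognises an authorization code it has already exchanged instead of forwarding it to Apple again. `FakeApple`, `SignInService`, the `replayed_code` status and the sample codes are hypothetical; the model assumes Apple's documented behaviour that an authorization code is single-use and valid for five minutes, and that a used or expired code yields `invalid_grant`.

```python
import hashlib

CODE_TTL = 300  # seconds; Apple documents auth codes as single-use, valid 5 minutes

class FakeApple:
    """Constructed in-memory stand-in for Apple's token and revoke endpoints."""
    def __init__(self):
        self.codes, self.refresh = {}, set()  # code -> issue time; live refresh tokens

    def issue_code(self, code, now):
        self.codes[code] = now

    def token(self, code, now):
        issued = self.codes.pop(code, None)  # single use: removed on first exchange
        if issued is None or now - issued > CODE_TTL:
            return {"error": "invalid_grant"}
        rt = "rt-" + hashlib.sha256(code.encode()).hexdigest()[:8]
        self.refresh.add(rt)
        return {"refresh_token": rt}

    def revoke(self, refresh_token):
        self.refresh.discard(refresh_token)

class SignInService:
    """Hypothetical server handler that remembers hashes of codes it exchanged."""
    def __init__(self, apple):
        self.apple, self.seen = apple, set()

    def sign_in(self, code, now):
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self.seen:
            return {"status": "replayed_code"}  # client re-sent a consumed code
        self.seen.add(digest)
        resp = self.apple.token(code, now)
        if "error" in resp:
            return {"status": resp["error"]}
        return {"status": "ok", "refresh_token": resp["refresh_token"]}

def demo():
    apple = FakeApple()
    svc = SignInService(apple)
    apple.issue_code("code-A", now=0)            # constructed sample values
    first = svc.sign_in("code-A", now=10)        # initial sign-in
    apple.revoke(first["refresh_token"])         # account deletion
    second = svc.sign_in("code-A", now=3600)     # app re-sends the same code
    apple.issue_code("code-B", now=3600)
    third = svc.sign_in("code-B", now=3605)      # fresh code from a new authorization
    return first["status"], second["status"], third["status"], len(apple.refresh)

if __name__ == "__main__":
    print(demo())
```

Storing only the SHA-256 digest of each exchanged code lets the server log and report a replay without keeping the code itself.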