Posts

Post marked as solved
8 Replies
Thank you @sudhaker19 for the reply. If access_token is useless now, may I know what the use for refresh_token is? If I understand the authorization flow correctly, after our server validates the auth code with Apple, the authorization for this one user is done. Why do we need to store the refresh_token as shown in the Apple documentation "The refresh token used to regenerate new access tokens. Store this token securely on your server."? Is the refresh_token valid for each user, or each server?
Post marked as solved
8 Replies
Thank you very much for your reply! There was a typo in my last response and I did use the key-value pair of refresh_token: "refresh_token received from authorization". Thank you for the catch! I finally found that the problem was I didn't use "x-www-form-urlencoded" as the body format. After I fixed that, the request to validate the refresh token is successful. I have the same question as yours. Access_token expires in 3600 seconds (1 hour) and it seems to be useless. Let's see whether any Apple staff can answer this question...
Post marked as solved
17 Replies
Hi billinghamj, thank you for providing the example. Would you mind letting us know how you generated the key for signing the JSON web token?

Update: Never mind. For those who have the same question: the private key can be downloaded from the developer portal for only one time. It's a p8 file containing the private key string.
Post marked as solved
8 Replies
Hi, have you ever tried to validate the refresh_token? I tried but always got the error of "unsupported_grant_type". Does it apply to you too?

The Post Body I have is:

client_id: "App ID" // same as authorization
client_secret: "App Token" // same as authorization
grant_type: "refresh_token"
code: "refresh_token received from authorization"
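The two fixes reported in the posts above (a body sent as x-www-form-urlencoded, and the token carried under the refresh_token key rather than code), as an added example that is not code from any poster or from Apple. The function names, the redaction helper and all sample values are assumptions made for illustration, and the request is only built, never sent.

```python
from urllib.parse import urlencode, parse_qs
from urllib.request import Request

TOKEN_URL = "https://appleid.apple.com/auth/token"  # Apple's token endpoint

# Which field carries the credential for each grant type discussed in the thread.
GRANT_PARAM = {"authorization_code": "code", "refresh_token": "refresh_token"}
SENSITIVE = {"client_secret", "code", "refresh_token"}


def build_token_request(client_id, client_secret, grant_type, **params):
    """Build (but do not send) a form-encoded POST for the token endpoint."""
    if grant_type not in GRANT_PARAM:
        raise ValueError(f"unknown grant_type: {grant_type!r}")
    required = GRANT_PARAM[grant_type]
    if not params.get(required):
        # Catches the body from the last post: grant_type=refresh_token sent with 'code'.
        raise ValueError(f"grant_type={grant_type} needs '{required}', got {sorted(params)}")
    fields = {"client_id": client_id, "client_secret": client_secret,
              "grant_type": grant_type, required: params[required]}
    body = urlencode(fields).encode("ascii")  # key=value&..., not JSON
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return Request(TOKEN_URL, data=body, method="POST", headers=headers)


def redacted_view(req):
    """Decode a built request for logging, masking secrets and tokens."""
    fields = {k: v[0] for k, v in parse_qs(req.data.decode("ascii")).items()}
    masked = {k: ("<redacted>" if k in SENSITIVE else v) for k, v in fields.items()}
    return req.get_header("Content-type"), masked


if __name__ == "__main__":
    # Constructed sample values; a real client_secret is the signed JWT.
    req = build_token_request("com.example.app", "constructed.jwt.value",
                              "refresh_token", refresh_token="r.constructed-token")
    print(redacted_view(req))
    try:
        build_token_request("com.example.app", "constructed.jwt.value",
                            "refresh_token", code="r.constructed-token")
    except ValueError as exc:
        print("rejected:", exc)
```

Pass the returned request to urllib.request.urlopen to send it, and log only the redacted view, since the refresh token and client secret are long-lived credentials.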