The requirement to revoke authorization tokens when a user deletes their account for an iOS app requires two API calls to the appleid.apple.com framework. The first requires passing the authorization code to the /auth/token endpoint, which returns a token that can be used to revoke app credentials. But this code is returned as part of the sign-in authentication, and expires in 5 minutes. So, if a user signs in, has an app session for longer than 5 minutes, then wants to delete their account, how is this managed? Would they need to sign in again to Apple to get a valid code that can be used to revoke authentication? Is there any other way to get a "fresh" authorization code?
Posted by jmorley.
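The two-call flow from the post, sketched server-side as an added example (not part of the original post and not Apple's code): the authorization code is exchanged at `/auth/token` inside its 5-minute window at sign-in, the returned refresh token is kept, and account deletion later sends that token to `/auth/revoke`. Assumptions: the token response carries a `refresh_token` that the revoke endpoint accepts with `token_type_hint=refresh_token`, as in Apple's Sign in with Apple REST API; the class name, the `post` transport, the `store` mapping and all sample values are hypothetical or constructed.

```python
import time

APPLE = "https://appleid.apple.com"
CODE_TTL = 300  # the 5-minute authorization-code lifetime stated in the post


class AppleTokenLifecycle:
    """Exchange the code at sign-in, keep the refresh token, revoke at deletion."""

    def __init__(self, client_id, client_secret, post, store):
        self.client_id = client_id
        self.client_secret = client_secret  # assumed: a valid client-secret JWT
        self.post = post    # assumed transport: post(url, form) -> (status, dict)
        self.store = store  # assumed per-user secret store (encrypt at rest)

    def _form(self, **extra):
        return {"client_id": self.client_id,
                "client_secret": self.client_secret, **extra}

    def on_sign_in(self, user_id, code, code_issued_at, now=None):
        now = time.time() if now is None else now
        if now - code_issued_at >= CODE_TTL:
            raise ValueError("authorization code expired")
        status, body = self.post(
            APPLE + "/auth/token",
            self._form(code=code, grant_type="authorization_code"))
        if status != 200 or "refresh_token" not in body:
            raise RuntimeError(f"token exchange failed: {status}")
        self.store[user_id] = body["refresh_token"]

    def on_delete_account(self, user_id):
        token = self.store.get(user_id)
        if token is None:
            return False  # nothing stored: only a fresh sign-in yields a new code
        status, _ = self.post(
            APPLE + "/auth/revoke",
            self._form(token=token, token_type_hint="refresh_token"))
        if status != 200:
            return False  # keep the token so the revocation can be retried
        del self.store[user_id]
        return True


def demo():
    """Run the flow against a constructed fake transport; no network traffic."""
    calls = []

    def fake_post(url, form):
        calls.append((url, dict(form)))
        ok = url.endswith("/auth/token")
        return 200, ({"refresh_token": "rt-constructed"} if ok else {})

    flow = AppleTokenLifecycle("com.example.app", "jwt-placeholder", fake_post, {})
    flow.on_sign_in("user-1", "code-constructed", code_issued_at=1000, now=1030)
    revoked = flow.on_delete_account("user-1")  # can run long after the code expired
    return revoked, calls, flow.store
```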