We have a multiplatform app and use both the web and iOS Sign in with Apple flows. Our backend service is shared. We can negotiate the id_token and validate the grant code with the Apple /token endpoint as described in the "Verifying a User" article.
We have multiple environments for test and production. In order to keep the production client_secret "secret", we need a separate secret for test environments that will not work on production. How can we achieve this?
It looks like we have to create a separate Application ID, service (client_id) and associated key. This is fine for web, since it can just pass an arbitrary client_id, but what about iOS? iOS apps are tightly coupled to their Applications (and therefore their client_ids). Is there no way to use an arbitrary client_id for SIWA on iOS?
Do we really need a separate version of our iOS app for the test environment? This would be really disruptive to our workflow.