Can Authentication Services be used to cover my whole app security?

Hello,

I'm writing a small app which requires user accounts and authenticating against a remote backend (REST API) which belongs to the app.

What I've done so far is adding the "Sign in with Apple" button to my SwiftUI and receiving an ASAuthorization object containing user, IdToken, AuthCode, ...

When a user signs in the first time, I have to create an account in the backend, saving the userId and Name. I want to secure this and all future calls to my backend API by using the IdToken as a Bearer token for authentication. My backend will verify the token as described here.

For me, it's not clear how to refresh the IdToken in my app without asking the user to sign in again (like the button does), or what I should save on the user's device so that he does not have to sign in again after restarting the app. This documentation saves the userid in the Keychain and tries to get the userid again on app start - but where is the idToken / what if the idToken is expired?

The answer I found is: No.

The only way to refresh tokens is Apple's REST API, which should be requested once per day per user. Otherwise, the API will throttle you. And that's the reason why it's recommended to use your own user session between app and backend.
