Sign in with Apple questions

I am experimenting with Sign in with Apple and I have a few questions:

First, regarding initial login: An ASAuthorizationAppleIDCredential includes both an authorizationCode so that the server can perform validation, and an identityToken with a signed JWT. If my server uses the authorizationCode to get credential information from appleid.apple.com, can I safely ignore the identityToken returned to the ASAuthorizationControllerDelegate? Or is there a reason I should verify that as well? If I do not verify the identityToken, should I still set a nonce on the ASAuthorizationAppleIDRequest?

Second, regarding notifications of Apple ID changes: It seems like getCredentialState, server-side token requests based on refresh tokens, and Server to Server notifications all serve the purpose of letting an app find out about changes to an Apple ID. Do I need to implement all three of these, or should any one be sufficient? Finally, I am not sure I need to know about Apple ID changes at all. Can I ignore all of these, and not worry about Apple ID status changes for users already logged into a device? I do not use the account name or email address at all, just the user identifier.

Thanks.

John
