I am experimenting with Sign in with Apple and I have a few questions:
First, regarding initial login: An ASAuthorizationAppleIDCredential includes both an authorizationCode so that the server can perform validation, and an identityToken with a signed JWT. If my server uses the authorizationCode to get credential information from appleid.apple.com, can I safely ignore the identityToken returned to the ASAuthorizationControllerDelegate? Or is there a reason I should verify that as well? If I do not verify the identityToken, should I still set a nonce on the ASAuthorizationAppleIDRequest?
Second, regarding notifications of Apple ID changes: It seems like getCredentialState, server-side token requests based on refresh tokens, and Server to Server notifications all serve the purpose of letting an app find out about changes to an Apple ID. Do I need to implement all three of these, or should any one be sufficient? Finally, I am not sure I need to know about Apple ID changes at all. Can I ignore all of these, and not worry about Apple ID status changes for users already logged into a device? I do not use the account name or email address at all, just the user identifier.
Thanks.
John