How to validate the apple revoke token api (appleid.apple.com/auth/revoke) successfully

Question

zangw OP

Created Jun ’22

Replies 1

Boosts 2

Views 3.2k

Participants 3

Per Account deletion requirement iOS

If your app offers Sign in with Apple, you’ll need to use the Sign in with Apple REST API to revoke user tokens when deleting an account.

Referring to this answer, we are trying to send this revoke token API on our server-side. Here are some snippet

        privateKey = fs.readFileSync("xxxxxxxx.p8")
		client_secret = jwt.sign({ 
				iss: 'xxxx-***-xx-xxxx-xxxxxxxx',
				iat: Math.floor(Date.now() / 1000),
				exp: Math.floor(Date.now() / 1000) + 1200,
				aud: 'https://appleid.apple.com',
				sub: "sample.com"
			}, 
			privateKey, 
			{ 
				algorithm: 'ES256',
				header: {
					alg: 'ES256',
					kid: 'xxxxxxxxxxx'
				} 
			});

		data = {
			'token': token,
			'client_id': "sample.com",
			'client_secret': client_secret
		};
		body = qs.stringify(data)

		opts =
			protocol: 'https:'
			host: 'appleid.apple.com'
			path: '/auth/revoke'
			method: 'POST'
			timeout: 6000
			headers:
				'Content-Type': 'application/x-www-form-urlencoded'
				'Content-Length': Buffer.byteLength(body)
       // call https to send this opts message

And the status code of the above codes could be 200.

However, the response code 200 of revoke token api

The request was successful; the provided token has been revoked successfully or was previously invalid.

It seems the status code 200 includes the provided token was previously invalid. How could we distinguish whether the revoke token API was returned by the invalid token or revoked successfully?

We also try to test this revoke token API through curl with invalid client_secret and token, the status code 200 could be returned either. It is so weird.

curl -v POST "https://appleid.apple.com/auth/revoke" \
-H 'content-type: application/x-www-form-urlencoded' \
-d 'client_id=***.xxxx.yyyy' \
-d 'client_secret=ddddddeyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlBGUVRYTTVWUlcifQ.dddd.DmMifw6qWHMqKgDIbO8KrIzDvbF7T4WxxEo9TmtN0kmTISsi8D8FG52k_LPGkbNEnS_-w_SRimEKIH1rsuawFA' \
-d 'token=dddddd' \
-d 'token_type_hint=access_token'

> POST /auth/revoke HTTP/1.1
> Host: appleid.apple.com
> User-Agent: curl/7.77.0
> Accept: */*
> content-type: application/x-www-form-urlencoded
> Content-Length: 240
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200
< Server: Apple
< Date: Thu, 09 Jun 2022 07:36:31 GMT
< Content-Length: 0
< Connection: keep-alive
< Host: appleid.apple.com

Boost

Answer 1

ihmgsm OP

Jun ’22

My experience is similar to yours. I've posted an edited snippet of my .net solution on Stack Overflow, but I am not sure if this is sufficient. Also, status code 200 is returned even with a randomly typed string for 'token'. It isn't very clear if that solution is enough. I will appreciate it if someone with more experience helps. Thanks.

0