Hello. I've recently started a server-side implementation to support SIWA in an iOS app, and I'd like to validate some doubts that have arisen during the server-side implementation.

I used the following post from Curtis Herbert as a guideline (https://blog.curtisherbert.com/so-theyve-signed-in-with-apple-now-what/) since I found it clearer than the information provided by the official documentation. The server runs Python's Django Framework, which already has several libraries that handle social network registration/log in, so we tried to integrate this SIWA flow into our existing logic.

The implementation done so far:

1. The iOS app uses the SIWA SDK to register the user, which allows it to get the "identityToken" and the "user" values.
2. These values are sent to the server, which is in charge of decoding the JWT token and validating its claims (audience, expiration, that the "sub" field matches the "user" value sent by the app, etc.).
3. If the token is valid, we register the user on our database.

It's at this point where, having registered the user whose authenticity has been validated by Apple, our API vends its own Bearer tokens for the apps to authenticate any future calls.

This is the most uncertain part, given that the documentation mentions a /token endpoint where a similar process is done (returns an access_token and a refresh_token). Is it mandatory to use the /token endpoint to retrieve access tokens for the apps to use? What benefit does it provide over our app vending its own tokens?

Is there something else I'm missing?

Thanks.
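Added example, not from the post above and not Apple's code: a standard-library-only Python validator for the identityToken that performs the server-side checks the post lists (signature against a key from Apple's JWKS, issuer, audience, expiration, and that "sub" equals the "user" value the app sent). Apple publishes its signing keys as a JWKS document at https://appleid.apple.com/auth/keys; because this runs offline, a constructed RSA key pair is generated locally to stand in for Apple's key, and the bundle id "com.example.app", the user id "001234.abcdef", the key id "demo-kid" and every function name are the example's own assumptions.

```python
# Added example (not the poster's code, not Apple's): stdlib-only validation of a Sign in with Apple
# identityToken. Real servers fetch Apple's public keys (a JWKS document) from
# https://appleid.apple.com/auth/keys; a constructed RSA key pair stands in here so everything runs offline.
import base64, hashlib, json, random, time

APPLE_ISSUER = "https://appleid.apple.com"
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 DigestInfo prefix

class TokenError(ValueError): """Any reason the server must reject the token."""

def _b64u_dec(s: str) -> bytes: return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64u_enc(b: bytes) -> str: return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte RSA modulus, as an integer."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_verify(signing_input: bytes, sig: bytes, jwk: dict) -> bool:
    """RSASSA-PKCS1-v1_5/SHA-256 check against an RSA JWK (n and e are base64url big-endian ints)."""
    n = int.from_bytes(_b64u_dec(jwk["n"]), "big")
    e = int.from_bytes(_b64u_dec(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa_pkcs1_v15(signing_input, k)

def validate_identity_token(token: str, jwks: dict, bundle_id: str, expected_sub: str, now=None) -> dict:
    """Return the verified claims or raise TokenError: signature first, then iss, aud, exp and sub."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64u_dec(h64))
    except ValueError:
        raise TokenError("malformed token")
    if header.get("alg") != "RS256":  # pin the algorithm rather than trusting the unverified header
        raise TokenError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None or not rs256_verify(f"{h64}.{p64}".encode(), _b64u_dec(s64), key):
        raise TokenError("signature not verified by an Apple key")
    claims = json.loads(_b64u_dec(p64))  # only now is the payload trustworthy
    now = time.time() if now is None else now
    if claims.get("iss") != APPLE_ISSUER:
        raise TokenError("issuer is not Apple")
    aud = claims.get("aud")
    if bundle_id not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("audience is not this app")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("token expired")
    if claims.get("sub") != expected_sub:
        raise TokenError("sub does not match the user value sent by the app")
    return claims

def _random_prime(bits: int) -> int:
    """Odd candidate with the top bit set that passes a two-base Fermat test: demo quality only."""
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, c - 1, c) == 1 for a in (2, 3)):
            return c

def generate_demo_key(bits: int = 1024, kid: str = "demo-kid"):
    """Throwaway RSA key pair standing in for Apple's signing key; returns ((n, d), jwk)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    n = p * q
    jwk = {"kty": "RSA", "kid": kid, "use": "sig", "alg": "RS256", "e": _b64u_enc(e.to_bytes(3, "big")),
           "n": _b64u_enc(n.to_bytes((n.bit_length() + 7) // 8, "big"))}
    return (n, pow(e, -1, phi)), jwk

def sign_demo_token(claims: dict, private_key, kid: str = "demo-kid") -> str:
    """Mint an RS256 JWT the way Apple's server would, using the constructed key."""
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    h64 = _b64u_enc(json.dumps({"alg": "RS256", "kid": kid}).encode())
    p64 = _b64u_enc(json.dumps(claims).encode())
    sig = pow(_emsa_pkcs1_v15(f"{h64}.{p64}".encode(), k), d, n).to_bytes(k, "big")
    return f"{h64}.{p64}.{_b64u_enc(sig)}"

def outcome(token: str, jwks: dict, bundle_id: str, expected_sub: str, now) -> str:
    try:
        validate_identity_token(token, jwks, bundle_id, expected_sub, now)
        return "ok"
    except TokenError as err:
        return str(err)

def demo() -> dict:
    """One good token plus the variants a server must reject; returns the outcome of each."""
    now, app, user = 1_700_000_000, "com.example.app", "001234.abcdef"  # constructed values
    priv, jwk = generate_demo_key()
    jwks = {"keys": [jwk]}
    good = {"iss": APPLE_ISSUER, "aud": app, "sub": user, "iat": now, "exp": now + 600}
    cases = {"valid": good, "wrong_aud": dict(good, aud="com.example.other"),
             "expired": dict(good, exp=now - 1), "wrong_sub": dict(good, sub="009999.zzzzzz")}
    results = {name: outcome(sign_demo_token(c, priv), jwks, app, user, now) for name, c in cases.items()}
    h64, _, s64 = sign_demo_token(good, priv).split(".")  # a valid signature over an edited payload
    edited = _b64u_enc(json.dumps(dict(good, aud="com.example.other")).encode())
    results["payload_edited"] = outcome(f"{h64}.{edited}.{s64}", jwks, app, user, now)
    return results
```

`demo()` returns "ok" only for the untouched token; the wrong audience, expired and mismatched-sub variants each come back with their rejection reason, and the edited-payload token fails at the signature step before any claim is read. The RSA arithmetic and the `random`-based key generation are spelled out only so the check is visible end to end and runs offline; a production Django view would instead verify with a maintained JWT library (PyJWT's `PyJWKClient` can fetch and cache Apple's JWKS by `kid`) and, if the app passes a nonce to the SIWA request, compare the token's `nonce` claim as well.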