Apple Sign-In: How to use it for custom server endpoint authentication?

This is a copy of a question I've already asked on Stackoverflow-- https://stackoverflow.com/questions/58178187/apple-sign-in-how-to-use-it-for-custom-server-endpoint-authentication

but I'm posting a summary here too in the hopes of getting some feedback from Apple engineers.


My use case is that once I have a user signed into my app, I use the OAuth token, resulting from the sign-in, when I make endpoint calls from my app to my custom server-- to authenticate the caller. E.g., I use Google Sign In in this way.


This method (e.g., with Google Sign In) has several useful properties:

1) Updated tokens are created automatically on the client app.


2) My custom server can easily verify the validity of the token, using Google's endpoints.


3) Initial token verification can take place early in the endpoint request processing-- without access to the custom server's database (as in the style in https://github.com/IBM-Swift/Kitura-Credentials).


My question is: Given that we're being told we have to incorporate Apple Sign-In into our iOS apps (if we offer general purpose sign-in facilities), how can I do endpoint authentication with my custom server?


(A few more details are on my SO post, linked above).


Thanks for your thoughts.

Replies

A few more details-- this problem seems difficult because:

1) The id tokens I get on iOS when the user signs in with Apple Sign In have a relatively short expiry duration (seems like 10 minutes).

2) Apple throttles the frequency with which you can use the refresh token (e.g., server-side) to generate an id token to once per 24 hours (https://developer.apple.com/documentation/signinwithapplerestapi/verifying_a_user).

3) We apparently cannot automatically get a refreshed id token client side on iOS (see https://forums.developer.apple.com/thread/117867).


Update on 10/5/19-- Upon actual use of https://developer.apple.com/documentation/signinwithapplerestapi/generate_and_validate_tokens for refresh token validation, I find that it is not actually generating an updated id token. It is generating an access token-- but Apple doesn't define a use for that, and is validating the refresh token.


Update on 10/10/19-- A blog article on these issues: https://medium.com/@crspybits/apple-sign-in-custom-servers-and-an-expiry-conundrum-d1ad63223870

It's frustrating that Apple is so vague on all of this, especially as they are demanding that we use it. I'm wrestling with the same issue: once I've SIWA'd a user on the device, how do I then create a server-side account for them in my system and verify authz/authn on subsequent calls to my API? Apple says this in their "Verifying a User" doc on the REST API (https://developer.apple.com/documentation/signinwithapplerestapi/verifying_a_user):


"On success, the server issues a refresh token, which you use to obtain access tokens with future calls."


Future calls to...what, exactly? What are these access tokens supposed to be granting access to?


I think I might throw in the towel here and just sign up with Auth0, who seem to have somehow figured this out.