
How to validate the Apple revoke token API (appleid.apple.com/auth/revoke) successfully when handling account deletion on iOS?

Per the Account deletion requirement for iOS:

If your app offers Sign in with Apple, you'll need to use the Sign in with Apple REST API to revoke user tokens when deleting an account.

Referring to this answer, we are trying to send this revoke token API request from our server side. Here are some snippets:

        fs    = require 'fs'
        https = require 'https'
        qs    = require 'querystring'
        jwt   = require 'jsonwebtoken'

        # Private key (.p8) of the Sign in with Apple key, downloaded from the developer portal
        privateKey = fs.readFileSync("xxxxxxxx.p8")

        # client_secret is an ES256-signed JWT: iss = Team ID, kid = Key ID, sub = client_id
        client_secret = jwt.sign({ 
                iss: 'xxxx-xxx-xx-xxxx-xxxxxxxx',
                iat: Math.floor(Date.now() / 1000),
                exp: Math.floor(Date.now() / 1000) + 1200,
                aud: 'https://appleid.apple.com',
                sub: "sample.com"
            }, 
            privateKey, 
            { 
                algorithm: 'ES256',
                header: {
                    alg: 'ES256',
                    kid: 'xxxxxxxxxxx'
                } 
            });

        # token: the token to revoke, supplied by the caller
        data = {
            'token': token,
            'client_id': "sample.com",
            'client_secret': client_secret
        };
        body = qs.stringify(data)

        opts =
            protocol: 'https:'
            host: 'appleid.apple.com'
            path: '/auth/revoke'
            method: 'POST'
            timeout: 6000
            headers:
                'Content-Type': 'application/x-www-form-urlencoded'
                'Content-Length': Buffer.byteLength(body)

        # send the form-encoded body with https; Apple returns an empty body
        req = https.request opts, (res) ->
            console.log 'status', res.statusCode
        req.on 'error', (err) -> console.error err
        req.write body
        req.end()

The status code returned by the above code could be 200, and the response body is empty.

However, for response code 200 of the revoke token API:

The request was successful; the provided token has been revoked successfully or was previously invalid.

It seems status code 200 also covers the case where the provided token was previously invalid. How could we distinguish whether the revoke token API returned 200 because the token was invalid or because it was revoked successfully?

We also tried to test this revoke token API through curl with an invalid client_secret and token; status code 200 is returned in that case too, and the response body is empty. It is so weird.

curl -v -X POST "https://appleid.apple.com/auth/revoke" \
-H 'content-type: application/x-www-form-urlencoded' \
-d 'client_id=xxx.xxxx.yyyy' \
-d 'client_secret=ddddddeyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlBGUVRYTTVWUlcifQ.dddd.DmMifw6qWHMqKgDIbO8KrIzDvbF7T4WxxEo9TmtN0kmTISsi8D8FG52k_LPGkbNEnS_-w_SRimEKIH1rsuawFA' \
-d 'token=dddddd' \
-d 'token_type_hint=access_token'

> POST /auth/revoke HTTP/1.1
> Host: appleid.apple.com
> User-Agent: curl/7.77.0
> Accept: */*
> content-type: application/x-www-form-urlencoded
> Content-Length: 240
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200
< Server: Apple
< Date: Thu, 09 Jun 2022 07:36:31 GMT
< Content-Length: 0
< Connection: keep-alive
< Host: appleid.apple.com

Finally, we could call the revoke token API (appleid.apple.com/auth/revoke) successfully, and the Apple ID binding information is deleted under Settings > Apps Using Apple ID.


The root cause is that an invalid token had been used before. We tried the identity token from the Apple sign-in result; it is not the correct token.

The correct token is the access_token or refresh_token returned from auth/token.

code - The authorization code received in an authorization response sent to your app. The code is single-use only and valid for five minutes. Authorization code validation requests require this parameter.

In order to get an access_token or refresh_token through auth/token, pay attention to the code parameter of the auth/token request. The code from the Apple sign-in authorization response is base64; it should be decoded to UTF-8 before being passed to the auth/token API.


Summary of the whole process:

  • Get the authorizationCode from Apple login.
  • Get a refresh token / access token with no expiry time using the authorizationCode through auth/token.
  • Revoke the refresh token or access token through auth/revoke.

Hope the above helps someone who meets the same issue. Here are the node.js code snippets.

    fs    = require 'fs'
    https = require 'https'
    qs    = require 'querystring'
    jwt   = require 'jsonwebtoken'

    # Bundle ID of the iOS app: used as client_id and as the sub claim of the client_secret
    bundleID = 'xxx.xxxx.yyyy'

    # Minimal POST helper: sends the form-encoded body with the given options and
    # resolves with the status code and response text (Apple returns an empty body on success)
    post = (body, opts) ->
        new Promise (resolve, reject) ->
            req = https.request opts, (res) ->
                chunks = []
                res.on 'data', (chunk) -> chunks.push chunk
                res.on 'end', -> resolve { statusCode: res.statusCode, body: Buffer.concat(chunks).toString() }
            req.on 'error', reject
            req.on 'timeout', -> req.destroy new Error('request timed out')
            req.write body
            req.end()

    class AppleAuth
        constructor: ->
            # Private key (.p8) of the Sign in with Apple key, downloaded from the developer portal
            @privateKey = fs.readFileSync 'xxxxxxxx.p8'

        # client_secret is an ES256 JWT: iss = Team ID, kid = Key ID, sub = client_id
        getClientSecret: () ->
            client_secret = jwt.sign({ 
                                iss: 'xxxxxxxxx',
                                iat: Math.floor(Date.now() / 1000),
                                exp: Math.floor(Date.now() / 1000) + 360000,
                                aud: 'https://appleid.apple.com',
                                sub: bundleID
                            }, 
                            @privateKey, 
                            { 
                                algorithm: 'ES256',
                                header: {
                                    alg: 'ES256',
                                    kid: 'xxxxxxxxxx'
                                } 
                            });
            client_secret

        # The authorizationCode from the iOS client arrives base64-encoded; decode it back to a UTF-8 string
        decodeBase64: (base64Data) ->
            buff = Buffer.from(base64Data, 'base64')
            return buff.toString('utf-8')

        # Step 3: revoke the access_token or refresh_token obtained from auth/token
        revokeToken: (token) ->
            client_secret = @getClientSecret()

            data = {
                'token': token,
                'client_id': bundleID,
                'client_secret': client_secret,
                'token_type_hint': 'access_token'
            };

            body = qs.stringify(data)

            opts =
                protocol: 'https:'
                host: 'appleid.apple.com'
                path: '/auth/revoke'
                method: 'POST'
                timeout: 6000
                headers:
                    'Content-Type': 'application/x-www-form-urlencoded'
                    'Content-Length': Buffer.byteLength(body)

            post body, opts

        # Step 2: exchange the decoded authorization code for access_token / refresh_token
        authToken: (authCode) ->
            client_secret = @getClientSecret()
            code = @decodeBase64(authCode)

            data = {
                'code': code,
                'client_id': bundleID,
                'client_secret': client_secret,
                'grant_type': 'authorization_code'
            };

            body = qs.stringify(data)

            opts =
                protocol: 'https:'
                host: 'appleid.apple.com'
                path: '/auth/token'
                method: 'POST'
                timeout: 6000
                headers:
                    'Content-Type': 'application/x-www-form-urlencoded'
                    'Content-Length': Buffer.byteLength(body)

            post body, opts

    module.exports = AppleAuth

Notice: the technical post pages on this site follow the CC BY-SA 4.0 license; if you need to repost, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM