How to call the Apple revoke token API (appleid.apple.com/auth/revoke) successfully when handling account deletion on iOS?
Per Apple's Account deletion requirement for iOS:
If your app offers Sign in with Apple, you'll need to use the Sign in with Apple REST API to revoke user tokens when deleting an account.
Referring to this answer, we are trying to send this revoke token API request from our server side. Here are some snippets:
fs = require 'fs'
https = require 'https'
jwt = require 'jsonwebtoken'
qs = require 'querystring'

privateKey = fs.readFileSync("xxxxxxxx.p8")      # .p8 private key from the developer portal
client_secret = jwt.sign({
    iss: 'xxxx-xxx-xx-xxxx-xxxxxxxx',            # Team ID
    iat: Math.floor(Date.now() / 1000),
    exp: Math.floor(Date.now() / 1000) + 1200,
    aud: 'https://appleid.apple.com',
    sub: "sample.com"                           # same value as client_id
  },
  privateKey,
  {
    algorithm: 'ES256',
    header: {
      alg: 'ES256',
      kid: 'xxxxxxxxxxx'                        # Key ID of the .p8 key
    }
  });
data = {
  'token': token,                               # the token we want to revoke
  'client_id': "sample.com",
  'client_secret': client_secret
};
body = qs.stringify(data)
opts =
  protocol: 'https:'
  host: 'appleid.apple.com'
  path: '/auth/revoke'
  method: 'POST'
  timeout: 6000
  headers:
    'Content-Type': 'application/x-www-form-urlencoded'
    'Content-Length': Buffer.byteLength(body)
# send opts and body over https and log the status code
req = https.request opts, (res) ->
  console.log res.statusCode
req.on 'error', (err) -> console.error err
req.write body
req.end()
The status code of the above code could be 200, with an empty response body. However, the documented meaning of response code 200 for the revoke token API is:
The request was successful; the provided token has been revoked successfully or was previously invalid.
So status code 200 seems to include the case where the provided token was previously invalid. How could we distinguish whether the revoke token API returned 200 because the token was invalid or because it was revoked successfully?
We also tried to test this revoke token API through curl with an invalid client_secret and token; status code 200 was returned there too and the response body was empty. It is so weird.
curl -v -X POST "https://appleid.apple.com/auth/revoke" \
-H 'content-type: application/x-www-form-urlencoded' \
-d 'client_id=xxx.xxxx.yyyy' \
-d 'client_secret=ddddddeyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlBGUVRYTTVWUlcifQ.dddd.DmMifw6qWHMqKgDIbO8KrIzDvbF7T4WxxEo9TmtN0kmTISsi8D8FG52k_LPGkbNEnS_-w_SRimEKIH1rsuawFA' \
-d 'token=dddddd' \
-d 'token_type_hint=access_token'
> POST /auth/revoke HTTP/1.1
> Host: appleid.apple.com
> User-Agent: curl/7.77.0
> Accept: */*
> content-type: application/x-www-form-urlencoded
> Content-Length: 240
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200
< Server: Apple
< Date: Thu, 09 Jun 2022 07:36:31 GMT
< Content-Length: 0
< Connection: keep-alive
< Host: appleid.apple.com
Finally, we could call the revoke token API (appleid.apple.com/auth/revoke) successfully, and the Apple ID binding information is deleted under Settings > Apps Using Apple ID.
The root cause is that an invalid token had been used before. We tried the identity token from the Apple sign-in result, and it is not the correct token. The correct token is the access_token or refresh_token returned from auth/token.
code - The authorization code received in an authorization response sent to your app. The code is single-use only and valid for five minutes. Authorization code validation requests require this parameter.
In order to get the access_token or refresh_token through auth/token, the code parameter of the auth/token request needs attention. The code comes from the authorization response of Apple sign-in, and its type is base64. It should be decoded to utf-8 before being passed to the auth/token API.
The whole process is summarized below.
1. Get the refresh token or access token through auth/token, using the authorization code.
2. Revoke the refresh token or access token through token/revoke.
Hope the above could help someone who meets the same issue. Here are the node.js code snippets.
fs = require 'fs'
https = require 'https'
jwt = require 'jsonwebtoken'
qs = require 'querystring'

bundleID = 'xxx.xxxx.yyyy'   # client_id: the app's bundle identifier

# Added so the snippet runs as posted: stands in for the author's unshown http.post
# wrapper (assumption) and resolves with the status code and response body.
post = (body, opts) ->
  new Promise (resolve, reject) ->
    req = https.request opts, (res) ->
      chunks = []
      res.on 'data', (chunk) -> chunks.push chunk
      res.on 'end', -> resolve {status: res.statusCode, body: Buffer.concat(chunks).toString()}
    req.on 'error', reject
    req.on 'timeout', -> req.destroy new Error 'request timed out'
    req.write body
    req.end()

class AppleAuth
  constructor: ->
    @privateKey = fs.readFileSync 'xxxxxxxx.p8'   # .p8 private key from the developer portal

  getClientSecret: () ->
    client_secret = jwt.sign({
        iss: 'xxxxxxxxx',                              # Team ID
        iat: Math.floor(Date.now() / 1000),
        exp: Math.floor(Date.now() / 1000) + 360000,   # Apple allows at most 6 months after iat
        aud: 'https://appleid.apple.com',
        sub: bundleID                                  # same value as client_id
      },
      @privateKey,
      {
        algorithm: 'ES256',
        header: {
          alg: 'ES256',
          kid: 'xxxxxxxxxx'                            # Key ID of the .p8 key
        }
      });
    client_secret

  # The client ships the authorizationCode Data base64-encoded; auth/token wants the plain string
  decodeBase64: (base64Data) ->
    buff = Buffer.from(base64Data, 'base64')
    return buff.toString('utf-8')

  # token: the access_token or refresh_token obtained from auth/token, not the identity token
  revokeToken: (token) ->
    client_secret = @getClientSecret()
    data = {
      'token': token,
      'client_id': bundleID,
      'client_secret': client_secret,
      'token_type_hint': 'access_token'
    };
    body = qs.stringify(data)
    opts =
      protocol: 'https:'
      host: 'appleid.apple.com'
      path: '/auth/revoke'
      method: 'POST'
      timeout: 6000
      headers:
        'Content-Type': 'application/x-www-form-urlencoded'
        'Content-Length': Buffer.byteLength(body)
    post(body, opts)

  # authCode: the base64-encoded authorization code from the Sign in with Apple response
  authToken: (authCode) ->
    client_secret = @getClientSecret()
    code = @decodeBase64(authCode)
    data = {
      'code': code,
      'client_id': bundleID,
      'client_secret': client_secret,
      'grant_type': 'authorization_code'
    };
    body = qs.stringify(data)
    opts =
      protocol: 'https:'
      host: 'appleid.apple.com'
      path: '/auth/token'
      method: 'POST'
      timeout: 6000
      headers:
        'Content-Type': 'application/x-www-form-urlencoded'
        'Content-Length': Buffer.byteLength(body)
    post(body, opts)

module.exports = AppleAuth