问题
In Sign in with Apple REST API | Apple Developer Documentation, there are two articles, Authenticating Users with Sign in with Apple | Apple Developer Documentation and Verifying a User | Apple Developer Documentation.
I can get the user identifier in "Authenticating Users with Sign in with Apple", but I'm having trouble understanding why "Verify the Identity Token" is needed giving that we have already got the user identifier. What's the purpose of "Verify the Identity Token"? And what's the purpose of "Obtain a Refresh Token"? What can we do using the refresh token and access token?
I can't find my answer in "Apple Developer Documentation".
回答1:
The user identity token that you get from sign-in with Apple is only valid for 10 minutes, because it could be intercepted and used in a replay attack. It could also, conceivably, be forged.
You submit the user token to the verification endpoint in order to verify that it is a valid identity token that was issued by Apple.
You may also need some set of credentials in your server to allow it to issue access tokens; think "username and password", however in the case of Sign in With Apple you don't have a password; That is the role of the refresh token.
You can store the user's identifier and the refresh token in your server in lieu of an encrypted password and also store this in your app's keychain, for example. Then the app can present the user identifier and the refresh token to your server in order to obtain an access token.
On iOS you can use getCredentialState(forUserID:completion:) to verify that the user is still valid. On other systems you can periodically (once per day maximum) validate the refresh token to ensure that the user account is still in good standing with Apple.
来源:https://stackoverflow.com/questions/60663601/whats-the-purpose-of-verify-a-user-in-sign-in-with-apple