
Revoking Apple Sign-In Authentication Tokens from Apple Server Upon User Deletion in AWS Amplify #3564

Closed
Sushants2789 opened this issue Mar 13, 2024 · 9 comments
Assignees
Labels
auth (Issues related to the Auth category), follow up (Requires follow up from maintainers), question (General question)

Comments

@Sushants2789

Sushants2789 commented Mar 13, 2024

Describe the bug

I am currently utilizing the Apple Sign-In function in my application through the hosted WebUI in AWS Amplify. Additionally, I have implemented the delete user account feature. However, despite using the delete user API (Amplify.Auth.deleteUser()), the user's account is not fully removed from the Apple Server.

Steps To Reproduce

1. Implement Apple Sign-In functionality in an iOS application using the hosted WebUI .
2. Implement the delete user account feature using the `deleteUser()` function provided by AWS Amplify.
3. Attempt to delete a user account and observe that the user's account is not fully removed from the Apple Server.
4. Verify that the app is still associated with Apple Sign-In: On your iPhone, go to Settings, then tap your name, tap "Sign-In & Security," then tap "Sign in with Apple."

Expected behavior

Upon initiating account deletion through the application, the user's account should be fully removed from the Apple Server, and the app should no longer appear under the settings: On your iPhone, go to Settings, then tap your name, tap "Sign-In & Security," then tap "Sign in with Apple."

Amplify Framework Version

2.27.0

Amplify Categories

Auth

Dependency manager

Swift PM

Swift version

5.8

CLI version

12.10.0

Xcode version

15.1

Relevant log output

(no log messages were provided; the template placeholder was left in place)

Is this a regression?

Yes

Regression additional context

No response

Platforms

iOS

OS Version

iOS 17.0

Device

All iPhone Devices

Specific to simulators

No response

Additional context

No response

@harsh62 harsh62 self-assigned this Mar 13, 2024
@harsh62 harsh62 added auth Issues related to the Auth category question General question labels Mar 13, 2024
@harsh62
Member

harsh62 commented Mar 13, 2024

@Sushants2789 Thanks for creating this issue. I will follow up with the service team and get an answer for you.

@harsh62 harsh62 added the follow up Requires follow up from maintainers label Mar 13, 2024
@Sushants2789
Author

Hi @harsh62 , Do you have any update on this issue?

@harsh62
Member

harsh62 commented Mar 18, 2024

@Sushants2789 I am still working with the service team to get an answer for this issue.

@harsh62
Member

harsh62 commented Mar 19, 2024

@Sushants2789 I have a confirmation from the Cognito team that this is indeed the intended behaviour. Cognito does not maintain an active connection with any IdP outside of the duration of the federation authentication.
It's on the customer to include/handle that aspect of the application if they offer users the ability to delete their accounts.

There is this thread that very nicely explains how to handle this scenario in your app.
https://developer.apple.com/forums/thread/708415

Let us know if you have any more questions.

@Sushants2789
Author

Sushants2789 commented Mar 19, 2024

Hi @harsh62 ,

Thank you for providing the answers and the reference link. Is there any way I can obtain the latest token and authorization code to call the revoke Apple API endpoint before the user deletes their account? As mentioned, if the user doesn't manually delete their account from setting or if we don't call the endpoint, the next time the user tries to register, AWS Amplify shows an error stating missing name and email attributes.

@harsh62
Member

harsh62 commented Mar 22, 2024

You will need to map the refreshToken value onto custom attributes for the user profile, then use them in app code logic to invalidate them.


Following are the steps when deleting a user:

  • Call fetchUserAttributes to fetch those attributes (which would fetch the refreshToken stored as a custom attribute) on the profile
  • Call Apple APIs to revoke the SIWA tokens using the fetched refreshToken
  • Call deleteUser to delete the user in the userpool

@Sushants2789
Author

Hi @harsh62, thanks for the response. One more question: in order to revoke, we need one more required parameter, which is client_secret. Where can I get that? Is it also available, or do I need to map the same in custom attributes?
https://developer.apple.com/documentation/sign_in_with_apple/revoke_tokens

@harsh62
Member

harsh62 commented Mar 25, 2024

@Sushants2789
You can follow the Apple documentation on how to create a client_secret.

Note: Use the same information for TeamId and AppId or ServicesId, that has been provided to Cognito.

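Putting the three comments above together (revoke the Apple grant with the stored refresh token before calling deleteUser, and build the client_secret from the same Team ID / Key ID / Services ID that Cognito was configured with), here is an added example of the server-side piece. It is not code from Amplify, Cognito or Apple; it is a small Go helper as this editor would write it. It assumes a hypothetical `AppleCredentials` struct, and that the Apple refresh token was mapped to a custom user-pool attribute (called `custom:apple_refresh_token` here, an assumed name) which the app reads with `Amplify.Auth.fetchUserAttributes()` before it calls `Amplify.Auth.deleteUser()`. The one caveat worth stating plainly: the client_secret is an ES256 JWT signed with the Sign in with Apple private key (the .p8 file), so this code belongs behind an authenticated backend endpoint that revokes only the calling user's own token, never inside the iOS app.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// AppleRevokeEndpoint is Apple's token revocation endpoint (see the Apple
// "Revoke tokens" documentation linked in the thread).
const AppleRevokeEndpoint = "https://appleid.apple.com/auth/revoke"

// AppleCredentials (hypothetical type for this example) holds the values that
// must match what was registered with Cognito: the Team ID, the Key ID of the
// Sign in with Apple key, the Services ID (or App ID) used as client_id, and
// the .p8 private key itself. The key stays on the server.
type AppleCredentials struct {
	TeamID   string
	KeyID    string
	ClientID string
	Key      *ecdsa.PrivateKey
}

// ClientSecret builds the client_secret Apple requires: an ES256-signed JWT with
// iss=TeamID, sub=ClientID, aud=https://appleid.apple.com and a lifetime Apple
// caps at six months. Use a short lifetime; the secret is generated per call.
func ClientSecret(c AppleCredentials, now time.Time, ttl time.Duration) (string, error) {
	if c.Key == nil || c.Key.Curve.Params().Name != "P-256" {
		return "", errors.New("apple client_secret requires a P-256 (ES256) private key")
	}
	if ttl <= 0 || ttl > 180*24*time.Hour {
		return "", errors.New("client_secret lifetime must be between 0 and 6 months")
	}
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": c.KeyID})
	claims, _ := json.Marshal(map[string]any{
		"iss": c.TeamID,
		"iat": now.Unix(),
		"exp": now.Add(ttl).Unix(),
		"aud": "https://appleid.apple.com",
		"sub": c.ClientID,
	})
	enc := base64.RawURLEncoding
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, c.Key, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are the raw 32-byte R and S values concatenated,
	// not the ASN.1/DER encoding that ecdsa.SignASN1 would produce.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// RevokeToken posts the stored refresh token (tokenTypeHint "refresh_token") or
// an access token ("access_token") to Apple's revoke endpoint. Apple answers
// HTTP 200 on success; anything else is surfaced as an error so the caller can
// decide whether to proceed with deleteUser or retry.
func RevokeToken(ctx context.Context, client *http.Client, endpoint string,
	c AppleCredentials, token, tokenTypeHint string) error {
	secret, err := ClientSecret(c, time.Now(), 5*time.Minute)
	if err != nil {
		return err
	}
	form := url.Values{
		"client_id":       {c.ClientID},
		"client_secret":   {secret},
		"token":           {token},
		"token_type_hint": {tokenTypeHint},
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		body, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
		return fmt.Errorf("apple revoke failed: %s: %s", resp.Status, strings.TrimSpace(string(body)))
	}
	return nil
}

func main() {
	// Constructed demo key; in production load the .p8 key with x509.ParsePKCS8PrivateKey.
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	creds := AppleCredentials{TeamID: "TEAMID0000", KeyID: "KEYID00000", ClientID: "com.example.app.web", Key: key}
	secret, err := ClientSecret(creds, time.Now(), 5*time.Minute)
	fmt.Println(secret, err)
}
```

Sequence for the app: fetch the custom attribute, call the backend that runs RevokeToken, and only after a 200 from Apple call deleteUser; once the user is deleted the attribute, and with it the only copy of the refresh token, is gone. Revoking also resets Apple's "first authorization" state, so the next sign-up receives name and email again instead of the missing-attributes error described above.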
@harsh62 harsh62 added the pending-community-response Issue is pending response from the issue requestor label Mar 25, 2024
@harsh62 harsh62 closed this as completed Apr 1, 2024
@github-actions github-actions bot removed the pending-community-response Issue is pending response from the issue requestor label Apr 1, 2024
Contributor

github-actions bot commented Apr 1, 2024

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
