What are we supposed to do with the access_token?

Question

Created Aug ’19

Replies 8

Boosts 0

Views 6.2k

Participants 6

During a successful first time Apple Sign in, we get an `access_token` field back that has data in it (in addition to a refresh_token, and expires_at). I know that to validate a sign in we use the refresh_token, but I was wondering what to do with the access_token we get back? Do we need it for anything?
The apple documention on it says
(Reserved for future use) A token used to access allowed data. Currently, no data set has been defined for access.
So can we ignore it for now?

Answered by in 378372022

Hi concept47and angelatestapple

Currently, the access token only indicates a successful refresh token validation. There are currently no endpoints where it can be used and it is reserved for future use. So, it can be ignored for now.

Boost

Answer 1

angelatestapple OP

Aug ’19

Hi, have you ever tried to validate the refresh_token? I tried but always got the error of "unsupported_grant_type". Does it apply to you too?

The Post Body I have is:

client_id: "App ID" // same as authorization

client_secret: "App Token" // same as authorization

grant_type: "refresh_token"

code: "refresh_token received from authorization"

0

Answer 2

concept47 OP

Aug ’19

Try replacing code with refresh_token ... as per the documentation
The validation server returns a TokenResponse object on a successful validation. When using this endpoint for authorizing the user, use the following parameters:

client_id

, client_secret
, grant_type
, code
, and redirect_uri
. When using this endpoint for validating the refresh token, use the following parameters: client_id
, client_secret
, grant_type
, and refresh_token
.
let me know if that works.

0

Answer 3

angelatestapple OP

Aug ’19

Thank you very much for your reply!

There was a typo in my last response and I did use key-value pair of refresh_token: "refresh_token received from authorization". Thank you for the catch! I finally found that the problem was I didn't use "x-www-form-urlencoded" as the body format. After I fixed that, the request to validate refresh token is successful.

I have the same question as yours. Access_token expires in 3600 seconds(1 hour) and it seems to be useless. Let's see whether there will be any Apple staff can answer this question...

0

Answer 4

OP

Apple

Aug ’19

Accepted Answer

Hi concept47and angelatestapple

Currently, the access token only indicates a successful refresh token validation. There are currently no endpoints where it can be used and it is reserved for future use. So, it can be ignored for now.

0

Answer 5

angelatestapple OP

Aug ’19

Thank you @sudhaker19 for the reply.

If access_token is useless now, may I know what the use for refresh_token is? If I understand the authorization flow correctly, after our server validates the auth code with Apple, the authorization for this one user is done. Why do we need to store the refresh_token as shown in the apple documentation "The refresh token used to regenerate new access tokens. Store this token securely on your server."? Is the refresh_token valid for each user, or each server?

1

Answer 6

tsmmark OP

Apr ’21

I have the same question as AngelateStapple. If refresh_token can't be used to obtain access tokens that can be used as authentication tokens, what is the point of the refresh_token?

But more importantly, if not with a refresh token, what is the procedure for authenticating apple music api calls for a user after the initial short-lived access token has expired?

0

Answer 7

leo-cost OP

Mar ’22

Olá, como você conseguiu chegar a retornar o access-token? faz 15 dias que tento implementar o login com a apple em python, mas ele estagnei nesse erro: Error retrieving access token: b'{"error":"invalid_grant","error_description":"The code has expired or has been revoked."}'. Alguém sabe o que fazer?

0

Answer 8

imrahulvyas OP

Jul ’22

How to get access token on second time using authcode?

0