Sign in with Apple and backend account deletion

Question

Created Feb ’21

Replies 4

Boosts 1

Views 2.8k

Participants 4

Hi, I´m implementing SIWA in an existing app. The app has the function to delete the user account, the problem comes when I want to delete the account from SIWA too, there is not an API to do that. Anyway I can handle that, I just delete the data from my server and when the user logins again with SIWA I register him again. But the problem is that with SIWA you can only get the name and mail the first time you do the sign in, so if the user deleted the account I can not get again the name or the user e-mail for the register.

Is there any workaround for this?

Thanks in advance.

Boost

Answer 1

ArticFox OP

Dec ’21

Yes, we have the same issue, this seems to be a broken flow by Apple to be honest. And the new guideline 5.1.1 to start the enforcement January 31th 2022 says that you have to delete the user account if the user wish, but if you do a fully delete data of the user and the user laters on wants to use the application again, the user full name won't be given to you again.

1

Answer 2

alexdoo OP

Jan ’22

Hi everyone,

I was struggling with the same issue and revisited Sign In With Apple documentation. I don't know if this is new, but there is a server-to-server notification system for Apple to let your backend know about a SIWA account being revoked.

See "Processing changes for sign in with apple accounts" on the developer website. (link is being blocked here... )

As a result, I believe the following approach will be the best: • in your app, if a SIWA user initiates an account deletion request, provide instruction to guide the user into the SIWA revocation system, and indicate that all account information will be deleted after the revocation. • On receipt of a server-to-server notification, delete all user data in your backend.

The only missing bit here would be the ability to notify the user of the completion of the deletion process. If the user has not shared an actual email address with you, you won't be in capacity to successfully notify the user through a relay address as it should be deactivated by the time you get notified.

Maybe a perfect approach would be to offer the user to submit a notification email address if they wish to receive confirmation of the account deletion.

Hope this helps!

1

Answer 3

Yon123 OP

Jun ’22

Thanks for the idea Alexdoo. From a UX perspective this doesn't seem like an optimal solution... The user now has to jump through a few hoops just to delete their account. Hopefully Apple provide a nicer solution for users.

In the mean time, I think this is a fringe issue... most users that delete their account don't want to sign in again.

1

Answer 4

alexdoo OP

Jun ’22

Apple has now provided API that allows a much better flow: when a SIWA user wants to delete their account, you should use the SIWA Rest API to revoke the SIWA account on Apple's server. This requires that you have an access token for the user, which you can get thought the sign in action in your app. If you did not initially obtained and stored access tokens for accounts created, you can request a new sign-in when the user requests the account deletion, which also has the benefit of ensuring the account deletion requests come from the actual device owner. With the new sign in, you get a short-lived authorization code that you can exchange against an access token. Then the access token allows you to request the account revocation. There is quite a lot of coding involved as all this works by exchaging JWT tokens with Apple servers.

1