Obtaining an access or refresh token

[lawmaestro]

I've used this library to implement the Apple Sign in integration with my native App and I'm now at the point where I need to implement the delete account feature. However, I'm struggling to see how this should be done from the documentation.

I'm using Apple's AuthenticationServices to start the register/login process from the App, summarised by:

1. Get a request object from ASAuthorizationAppleIDProvider().createRequest()
2. Create a ASAuthorizationController, set the delegate & call performRequests()
3. The outcome of this either means I make a login or register call to my backend with an ASAuthorizationAppleIDCredential object

On my backend the flow continues:

1. Receive register/login call
2. Call AppleSignin.verifyIdToken with the identity token from the passed ASAuthorizationAppleIDCredential object info
3. Creates an account in my database with the identity token, auth code, user id, name & email
4. Reports success back to App which then completes the flow.

Note: At no point have I got an access or refresh token and either stored this or reported this back to the calling App.

Now I'm approaching the delete account implementation and my understanding is that I need to get:

1. An authorization url - appleSignin.getAuthorizationUrl
2. Use the code from that URL to get an access token - appleSignin.getAuthorizationToken(code, options)
3. Call the revoke API - appleSignin.revokeAuthorizationToken(refreshToken, options)

I haven't created a Service ID and private key for the Service ID my Apple Developer Account because I'm not (and probably never) looking to support sign in via my website.

So my my questions at this point are:

1. The flow is entirely native, at no point has it left to go out to a web view, so it's not clear what redirect URI I would need to set for the auth URL call (perhaps this doesn't matter as long as this URI matches the one fed to following get auth token call?)
2. Using a code from a call to appleSignin.getAuthorizationUrl seems wrong by this point and calling this API returns an empty code anyway which seems to confirm this - probably because I've not registered a service ID?
3. If yes to 2. Can the revoke be performed in a different way which doesn't involve needing a service ID? Current thinking is a call to ASAuthorizationAppleIDProvider().createRequest() from the app to get a fresh auth code which can then be passed to my revoke API which then calls appleSignin.getAuthorizationToken(code, options) & appleSignin.revokeAuthorizationToken(refreshToken, options)?

Ideally, I'd have stored a refresh token (and perhaps access token) against an account at the point of creation, but the opportunity to do that has passed and these tokens weren't available from the apple sign in calls I outlined above (at least not that I saw). So the question now is what is my best way to proceed?

Thanks and apologies for the long message!

[lawmaestro]

To answer my own question, I pursued option 3 from the question block above and this seems to be working nicely. It does however mean the user needs to authenticate again when making an account delete request. This however I think is probably a good thing since it's an added step which ensures the person performing the delete request is the owner of the account.