
   comp.sys.mac.advocacy      Steve Jobs fetishistic worship forum      120,746 messages   


   Message 119,990 of 120,746   
   Maria Sophia to Chris   
   Re: Why does iOS ask for your passwd eve   
   12 Jan 26 18:03:53   
   
   XPost: misc.phone.mobile.iphone   
   From: mariasophia@comprehension.com   
      
   Chris wrote:   
   > Maria Sophia  wrote:   
   >> Chris wrote:   
   >>> Let's see how DonGPT responds to this...?   
   >>   
   >> I'm not going to respond to your incessant personal attacks,   
   >   
   > Firstly, calling you out on posting AI slop is not a personal attack. It's   
   > criticising you for being disingenuous and lying.   
   >   
   > Secondly, if you're going to not respond then don't. Responding by saying   
   > you're not going to respond is ... well, let's go with ... daft.   
   >   
   >> Chris, with all due respect, you are conflating one specific OAuth flow,   
   >   
   > Apple does not use OAuth.   
   >   
   > Seriously, give it up. You're out of your depth.   
   >   
   >> Sign in with Apple, with the authentication architecture of iOS as a whole.   
   >   
   > It's Apple authentication. iOS/iPadOS doesn't have an "authentication   
   > architecture".   
   >   
   >> The identity token and refresh token described in the Sign in with Apple   
   >> docs apply only to third party app login. They do not represent the tokens   
   >> used by iCloud, Apple Media Services, IDS for iMessage and FaceTime, Find   
   >> My, Activation Lock, or device activation.   
   >   
   > Prove it.   
   >   
   >> Sign in with Apple is implemented through the Authentication Services   
   >> framework. It issues an ID token and a refresh token that are valid only   
   >> for that OAuth client. The once-per-day refresh rule applies only to   
   >> that OAuth flow. It does not apply to iCloud service tokens, Apple Media   
   >> Services tokens, IDS tokens, or activation tokens.   
   >   
   > Are you using chatgpt again? Apple doesn't use OAuth.   
   >   
   >> iCloud uses its own account token and service specific credentials for   
   >> Drive, Photos, Backup, Keychain, Mail, Contacts, Calendars, Notes,   
   >> Reminders, and Safari sync. These services do not use the Sign in with   
   >> Apple token and do not share its refresh rules.   
   >   
   > Prove it.   
   >   
   >> Apple Media Services, which covers the App Store, iTunes Store, TV,   
   >> Music, Books, and Podcasts, uses a different token family entirely. AMS   
   >> tokens are issued by a separate backend and have their own expiration   
   >> and refresh behavior.   
   >   
   > Prove it.   
   >   
   >> iMessage and FaceTime use IDS authentication, which is documented as a   
   >> separate protocol with its own key material and its own token lifecycle.   
   >> IDS tokens are not interchangeable with iCloud or AMS tokens.   
   >   
   > Prove it.   
   >   
   >> Find My uses FMIP authentication, which again is a separate service with   
   >> its own credentials and its own validation rules.   
   >   
   > Prove it.   
   >   
   >> Activation and Activation Lock use activation certificates and device   
   >> specific credentials that are not part of any of the above systems.   
   >   
   > Prove it.   
   >   
   > I suspect all the above is again AI slop. Given you have not provided any   
   > cites which you say you always do.   
   >   
   >> Because these authentication domains are independent, a failure or   
   >> expiration in any one of them can trigger a password prompt such as   
   >>  Jan 10th 2026    
   >>   
   >> This is why users can see Apple ID password prompts even when they have not   
   >> logged out or made a purchase. It is not caused by user behavior.   
   >   
   > You wish!   
   >   
   > Given no single person on here concurs with you - I discount candycaneeater   
   > as he's probably a sock - we have to apply Occam's Razor and look at the   
   > simplest explanation: you are doing this to yourself.   
   >   
   >> That's why everyone on this newsgroup who responded, except you and Tyrone,   
   >> has easily admitted remembering these standard Apple ID password prompts.   
   >>     
   >   
   > We've all admitted to have been asked for a password once or twice a year   
   > at most. No one gets prompts several times a day. Only you.   
   >   
   >> It is caused by the fact that iOS uses multiple authentication domains with   
   >> different lifetimes and different refresh rules.   
   >   
   > That's your baseless assertion.   
   >   
   >> If you truly believe that all Apple services share a single token, please   
   >> cite Apple documentation that states this explicitly.   
   >   
   > I did.   
   >   
   > You have yet to prove that Apple uses multiple ones.   
      
   Chris,   
      
   I am going to ignore personal attacks for this coming year as a long-term   
   experiment to see if the conversations on this Apple ng can be improved.   
      
   You appear to be making two very strong claims, both of which I dispute.   
      
   1. "Apple does not use OAuth."   
   2. The one identity token in the Sign in with Apple doc is   
      "Apple authentication" for everything.   
      
   On the first point, the label does not matter. Call it OAuth, OpenID   
   Connect, or "Apple web sign in", the document you keep citing is about   
   a specific browser / app sign in flow for third party clients. It is   
   scoped to that use case. It does not describe device activation, Find   
   My, iCloud, or Apple Media Services. It just doesn't. And never did.   
      
   On the second point, you say you "proved" Apple uses a single token by   
   pointing to that page. But that page does not say any of the following:   
      
   1. It does not say that iCloud uses the Sign in with Apple identity   
      token.   
   2. It does not say that App Store/Apple Media Services use that   
      token.   
   3. It does not say that iMessage/FaceTime (IDS) use that token.   
   4. It does not say that Find My/FMIP use that token.   
   5. It does not say that device activation or Activation Lock use that   
      token.   
      
   You are reading far more into that page than Apple actually wrote.   
      
   Now to your repeated "prove it" challenge.   
      
   Apple does not publish a complete internal map of every token, key, and   
   certificate used by every service. Neither of us can "prove" the exact   
   internal structure short of working on the inside at Apple.   
      
   I do have friends and neighbors high up at Apple but I'm not hitting them   
   up for something that we can work out ourselves if we're intelligent about   
   it.   
      
   What we can say with confidence is:   
      
   1. Apple itself separates its systems into distinct services:   
      1. iCloud   
      2. Apple Media Services (App Store, TV, Music, etc.)   
      3. iMessage / FaceTime (IDS)   
      4. Find My   
      5. Device activation and Activation Lock   
      
   2. Each of those services has its own client APIs and its own servers.   
      They use different URLs, parameters, and error codes.   
      
   3. At minimum, that means they are separate authentication domains,   
      even if they ultimately derive from the same Apple ID.   
      
   You asked me to "prove" that these services do not all share one   
   magical token. The simplest observation is this:   
      
   If every Apple service used the Sign in with Apple identity token, the   
   developer documentation for those services would say so. It does not.   
      
      
   [continued in next message]   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
