XPost: misc.phone.mobile.iphone   
   From: mariasophia@comprehension.com   
      
   Chris wrote:   
   > Maria Sophia  wrote:   
   >> Chris wrote:   
   >>> Maria Sophia  wrote:   
   >>>> Chris wrote:   
   >>>>> Let's see how DonGPT responds to this...?   
   >>>>   
   >>>> I'm not going to respond to your incessant personal attacks,   
   >>>   
   >>> Firstly, calling you out on posting AI slop is not a personal attack. It's   
   >>> criticising you for being disingenuous and lying.   
   >>>   
   >>> Secondly, if you're going to not respond then don't. Responding by saying   
   >>> you're not going to respond is ... well, let's go with ... daft.   
   >>>   
   >>>> Chris, with all due respect, you are conflating one specific OAuth flow,   
   >>>   
   >>> Apple does not use OAuth.   
   >>>   
   >>> Seriously, give it up. You're out of your depth.   
   >>>   
   >>>> Sign in with Apple, with the authentication architecture of iOS as a   
   whole.   
   >>>   
   >>> It's Apple authentication. iOS/iPadOS doesn't have an "authentication   
   >>> architecture".   
   >>>   
   >>>> The identity token and refresh token described in the Sign in with Apple   
   >>>> docs apply only to third party app login. They do not represent the tokens   
   >>>> used by iCloud, Apple Media Services, IDS for iMessage and FaceTime, Find   
   >>>> My, Activation Lock, or device activation.   
   >>>   
   >>> Prove it.   
   >>>   
   >>>> Sign in with Apple is implemented through the Authentication Services   
   >>>> framework. It issues an ID token and a refresh token that are valid only   
   >>>> for that OAuth client. The once-per-day refresh rule applies only to   
   >>>> that OAuth flow. It does not apply to iCloud service tokens, Apple Media   
   >>>> Services tokens, IDS tokens, or activation tokens.   
   >>>   
   >>> Are you using chatgpt again? Apple doesn't use OAuth.   
   >>>   
   >>>> iCloud uses its own account token and service specific credentials for   
   >>>> Drive, Photos, Backup, Keychain, Mail, Contacts, Calendars, Notes,   
   >>>> Reminders, and Safari sync. These services do not use the Sign in with   
   >>>> Apple token and do not share its refresh rules.   
   >>>   
   >>> Prove it.   
   >>>   
   >>>> Apple Media Services, which covers the App Store, iTunes Store, TV,   
   >>>> Music, Books, and Podcasts, uses a different token family entirely. AMS   
   >>>> tokens are issued by a separate backend and have their own expiration   
   >>>> and refresh behavior.   
   >>>   
   >>> Prove it.   
   >>>   
   >>>> iMessage and FaceTime use IDS authentication, which is documented as a   
   >>>> separate protocol with its own key material and its own token lifecycle.   
   >>>> IDS tokens are not interchangeable with iCloud or AMS tokens.   
   >>>   
   >>> Prove it.   
   >>>   
   >>>> Find My uses FMIP authentication, which again is a separate service with   
   >>>> its own credentials and its own validation rules.   
   >>>   
   >>> Prove it.   
   >>>   
   >>>> Activation and Activation Lock use activation certificates and device   
   >>>> specific credentials that are not part of any of the above systems.   
   >>>   
   >>> Prove it.   
   >>>   
   >>> I suspect all the above is again AI slop. Given you have not provided any   
   >>> cites which you say you always do.   
   >>>   
   >>>> Because these authentication domains are independent, a failure or   
   >>>> expiration in any one of them can trigger a password prompt such as   
   >>>> Jan 10th 2026    
   >>>>   
   >>>> This is why users can see Apple ID password prompts even when they have   
   not   
   >>>> logged out or made a purchase. It is not caused by user behavior.   
   >>>   
   >>> You wish!   
   >>>   
   >>> Given no single person on here concurs with you - I discount candycaneeater   
   >>> as he's probably a sock - we have to apply Occam's Razor and look at the   
   >>> simplest explanation: you are doing this to yourself.   
   >>>   
   >>>> That's why everyone on this newsgroup who responded, except you and   
   Tyrone,   
   >>>> have easily admitted remembering these standard Apple ID password prompts.   
   >>>>    
   >>>   
   >>> We've all admitted to have been asked for a password once of twice a year   
   >>> at most. No one gets prompts several times a day. Only you.   
   >>>   
   >>>> It is caused by the fact that iOS uses multiple authentication domains   
   with   
   >>>> different lifetimes and different refresh rules.   
   >>>   
   >>> That's your baseless assertion.   
   >>>   
   >>>> If you truly believe that all Apple services share a single token, please   
   >>>> cite Apple documentation that states this explicitly.   
   >>>   
   >>> I did.   
   >>>   
   >>> You have yet to prove that Apple uses multiple ones.   
   >>   
   >> Chris,   
   >>   
   >> I am going to ignore any accurate criticisms of my argument and hide   
   >> behind fake victimhood.   
   >   
   > There. Fixed it for you.   
   >   
   >> You appear to be making two very strong claims, both of which I dispute.   
   >>   
   >> 1. "Apple does not use OAuth."   
   >> 2. The one identity token in the Sign in with Apple doc is   
   >>    "Apple authentication" for everything.   
   >>   
   >> On the first point, the label does not matter. Call it OAuth, OpenID   
   >> Connect, or "Apple web sign in", the document you keep citing is about   
   >> a specific browser / app sign in flow for third party clients. It is   
   >> scoped to that use case. It does not describe device activation, Find   
   >> My, iCloud, or Apple Media Services. It just doesn't. And never did.   
   >   
   > Of course it matters. They are specific brands and have different   
   > mechanisms. Anyone who values facts would stick to accuracy and stop making   
   > stuff up.   
   >   
   > The fact you don't care about accuracy adds even more weight to your   
   > disinterest in truth. All you want is a nodding dog audience. Which is very   
   > reminiscent of a well known personality...   
   >   
   >> On the second point, you say you "proved" Apple uses a single token by   
   >> pointing to that page. But that page does not say any of the following:   
   >   
   > Further evidence that accuracy and facts are alien concepts to you. I never   
   > claimed any proof. You asked for cites to evidence my position. Which I   
   > gave. Something you've refused to do. Because you can't.   
   >   
   >> 1. It does not say that iCloud uses the Sign in with Apple identity   
   >>    token.   
   >> 2. It does not say that App Store/Apple Media Services use that   
   >>    token.   
   >> 3. It does not say that iMessage/FaceTime (IDS) use that token.   
   >> 4. It does not say that Find My/FMIP use that token.   
   >> 5. It does not say that device activation or Activation Lock use that   
   >>    token.   
   >   
   > It's the only documented mechanism we have. Why wouldn't Apple use it?   
   >   
   >> You are reading far more into that page than Apple actually wrote.   
   >> Now to your repeated "prove it" challenge.   
   >>   
   >> Apple does not publish a complete internal map of every token, key, and   
   >> certificate used by every service. Neither of us can "prove" the exact   
      
   [continued in next message]   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)