I've built[1] a quick prototype[2] with PATs. It appears that iOS 16 only successfully provides the token challenge once every minute. Is this intentional?
From an implementation perspective, are website implementors intended to:
- add a cookie to capture the state of a previous successful challenge?
- use the max-age= and expect the Authorization token to be repeated during a burst of requests?
- present unique redemption contexts on each request?
- is there a way to get context on why the token generation failed (e.g. issuer cannot be contacted? malformed challenge?)
General feedback:
- debugging tools would be useful to know if the challenge or issuer has issues. Even console debug messages would be appreciated.
- issuer requests bypass any proxy setups with root CAs (related to the debugging needs above)
[1] https://github.com/colinbendell/private-access-token
[2] https://private-access-token.colinbendell.dev/test.html