Can a macOS Platform SSO extension reliably identify the original app behind a Safari or ASWebAuthenticationSession-mediated request, or does ASAuthorizationProviderExtensionAuthorizationRequest only expose the immediate caller, such as Safari?
We are seeing:
- callerBundleIdentifier = com.apple.Safari
- callerTeamIdentifier = Apple
- audit-token-based validation also resolves to Safari
So the question is whether this is the expected trust model, and if so, what Apple-recommended mechanism should be used to restrict SSO participation to approved apps when the flow is browser-mediated.
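As an added illustration (not code from the original post or from Apple), here is how an extension's request handler would apply a caller policy using the two properties listed above, with the approved team and bundle identifiers as placeholders; it makes the observed behaviour explicit: a browser-mediated request only attests the browser, so an allowlist keyed on the caller cannot identify the originating app.

```swift
import AuthenticationServices
import os

/// Outcome of evaluating who is asking the Platform SSO extension to authenticate.
enum CallerDecision {
    case approvedApp       // direct caller is on the allowlist
    case browserMediated   // immediate caller is a browser; original app is not attested
    case rejected          // direct caller is not approved
}

struct CallerPolicy {
    /// Placeholder allowlist of "teamID/bundleID" pairs an organisation approves.
    let approvedApps: Set<String>
    /// Bundle identifiers that act as a browser; only com.apple.Safari is from the post.
    let browsers: Set<String> = ["com.apple.Safari"]

    func evaluate(teamID: String, bundleID: String) -> CallerDecision {
        // A browser caller tells us nothing about the app that opened the session.
        if browsers.contains(bundleID) { return .browserMediated }
        return approvedApps.contains("\(teamID)/\(bundleID)") ? .approvedApp : .rejected
    }
}

final class SSORequestHandler: NSObject, ASAuthorizationProviderExtensionAuthorizationRequestHandler {
    private let log = Logger(subsystem: "example.sso", category: "caller")
    // Placeholder values; replace with the real team ID and bundle ID of an approved app.
    private let policy = CallerPolicy(approvedApps: ["EXAMPLETEAMID/com.example.approvedapp"])

    func beginAuthorization(with request: ASAuthorizationProviderExtensionAuthorizationRequest) {
        // The audit token (request.callerAuditToken) resolves to the same immediate caller,
        // so it does not help in the browser-mediated case either.
        switch policy.evaluate(teamID: request.callerTeamIdentifier,
                               bundleID: request.callerBundleIdentifier) {
        case .approvedApp:
            log.info("approved caller \(request.callerBundleIdentifier, privacy: .public)")
            // The IdP exchange for the approved app continues here (not shown).
        case .browserMediated:
            // Conservative choice: decline, so the browser falls back to its normal login.
            log.notice("browser-mediated request; originating app not attested")
            request.doNotHandle()
        case .rejected:
            request.complete(error: NSError(domain: "example.sso", code: 1,
                                            userInfo: [NSLocalizedDescriptionKey: "caller not approved"]))
        }
    }

    func cancelAuthorization(with request: ASAuthorizationProviderExtensionAuthorizationRequest) {
        request.cancel()
    }
}
```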