It appears that the user is prompted for authentication each time they click on the SIWA button on a web site, not just the first time. I would expect the user to only be prompted on the first login, and not subsequent ones. Is this something that is still being worked on, or is this intended functionality?
Thanks!
Example screen-capture: http://share.genealabs.com/IBJ7LFA+
This is correct, the length of session is up to the developer.
I'm not so worried about the session itself.
Rather, if I already approved a website using OAuth, I should not be required to approve it again, unless I revoke it. No other OAuth providers seem to do this. I would expect Apple to respond to a non-revoked request without prompting the user to enter their password.
