Can a third-party macOS app silently obtain IdP tokens via Apple Platform SSO / SSO Extension?

We are evaluating whether Apple Platform SSO can be used by a native macOS application to silently authenticate against our backend through an identity provider's SSO extension.

Our environment is as follows:

  • Apple Platform SSO is configured and active.
  • Device registration and user registration have completed successfully.
  • Authentication is backed by Secure Enclave / Platform SSO.
  • The identity provider is integrated through an SSO extension.
  • Tokens are active and not expired.

We would like to understand the intended behavior and supported usage patterns of Platform SSO from the perspective of a third-party native macOS application.

Specifically:

  1. Once Platform SSO is active, is there a supported way for a third-party macOS application to obtain IdP bearer/access tokens silently (without UI, password prompts, or web-based authentication) through the SSO extension?

  2. If silent token acquisition is supported, is it intended to work for any third-party application, or only for applications developed and distributed by the IdP/vendor that provides the SSO extension?

  3. In our testing, requests created via ASAuthorizationSingleSignOnRequest are rejected by the extension with doNotHandle. Does this generally indicate that:

    • the request falls outside the extension's supported flow,
    • a different request configuration is expected, or
    • ASAuthorizationSingleSignOnRequest is not intended for this Platform SSO scenario?

  4. For native macOS applications that need silent authentication, should the recommended approach be:

    • standard OAuth/OIDC flows,
    • Platform SSO APIs,
    • or a combination of both?

If OAuth/OIDC is involved, which parts of those flows are expected to be handled transparently by Platform SSO and the SSO extension?

If a combination of both is the recommended approach, many OAuth/OIDC flows rely on flow-specific security mechanisms such as client secrets, private keys, client certificates, or signed client assertions. In that case, the overall model becomes unclear.

  1. Is there a standard protocol or capability that SSO extensions are expected to implement to support application authentication under Platform SSO, or is this entirely vendor-specific and dependent on the IdP's implementation and SDK?

If there is an Apple-recommended pattern for enabling silent authentication from native third-party macOS applications when an IdP SSO extension is present, we would appreciate any guidance or references to relevant documentation.

Thank you.
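For readers reproducing the test described in question 3, the following Swift snippet is an added example (not code from the original post and not an Apple or IdP sample) that issues an ASAuthorizationSingleSignOnRequest with user interaction disabled and maps the resulting ASAuthorizationError codes, so that a doNotHandle from the extension can be told apart from a cancellation or a request that needed UI. The IdP URL, the requested scope and the `prompt=none` authorization option are placeholders and assumptions: Apple passes `authorizationOptions` through to the extension opaquely, so whether any of them are honoured is entirely up to the IdP's extension.

```swift
import AppKit
import AuthenticationServices

// Added example, not from the original post. Placeholders: the IdP URL, the
// requested scope and the "prompt=none" option are assumptions about what an
// IdP's SSO extension might accept; substitute the values your IdP documents.
final class SilentSSOProbe: NSObject,
    ASAuthorizationControllerDelegate,
    ASAuthorizationControllerPresentationContextProviding {

    private let idpURL = URL(string: "https://idp.example.com")!   // placeholder IdP
    private let window: NSWindow
    private var controller: ASAuthorizationController?

    init(window: NSWindow) {
        self.window = window
    }

    /// Attempts a non-interactive request through the SSO extension registered
    /// for `idpURL`. Returns false immediately if no extension claims that URL,
    /// which is a cheaper first check than waiting for a delegate callback.
    @discardableResult
    func start() -> Bool {
        let provider = ASAuthorizationSingleSignOnProvider(identityProvider: idpURL)
        guard provider.canPerformAuthorization else {
            print("no SSO extension is registered for \(idpURL)")
            return false
        }

        let request = provider.createRequest()
        request.requestedOperation = .operationLogin
        request.requestedScopes = [.email]          // assumption: scope the IdP understands
        request.isUserInteractionEnabled = false    // ask for silent behaviour; extension may refuse
        // Opaque to Apple; only meaningful if the IdP's extension parses it (assumption).
        request.authorizationOptions = [URLQueryItem(name: "prompt", value: "none")]

        let controller = ASAuthorizationController(authorizationRequests: [request])
        controller.delegate = self
        controller.presentationContextProvider = self
        self.controller = controller
        controller.performRequests()
        return true
    }

    func presentationAnchor(for controller: ASAuthorizationController) -> ASPresentationAnchor {
        window
    }

    func authorizationController(controller: ASAuthorizationController,
                                 didCompleteWithAuthorization authorization: ASAuthorization) {
        guard let cred = authorization.credential as? ASAuthorizationSingleSignOnCredential else {
            print("handled, but credential is not an SSO credential: \(type(of: authorization.credential))")
            return
        }
        // Tokens are secrets: report presence and the HTTP status only, never the values.
        let hasAccessToken = !(cred.accessToken?.isEmpty ?? true)
        let hasIDToken = !(cred.identityToken?.isEmpty ?? true)
        let status = cred.authenticatedResponse?.statusCode
        print("extension handled the request; accessToken: \(hasAccessToken), idToken: \(hasIDToken), status: \(String(describing: status))")
    }

    func authorizationController(controller: ASAuthorizationController,
                                 didCompleteWithError error: Error) {
        guard let asError = error as? ASAuthorizationError else {
            print("non-ASAuthorization error: \(error)")
            return
        }
        switch asError.code {
        case .notHandled:
            // Typically what the app sees when the extension returns doNotHandle.
            print("extension declined the request (not handled)")
        case .notInteractive:
            // The extension wanted to show UI but the request forbade it.
            print("request required user interaction; silent path not available")
        case .canceled:
            print("request was cancelled")
        case .invalidResponse:
            print("extension returned a response the system rejected")
        default:
            print("failed: \(asError.code.rawValue) \(asError.localizedDescription)")
        }
    }
}
```

Run `SilentSSOProbe(window: someWindow).start()` from a signed app that has the IdP's URL reachable by an installed SSO extension; the delegate output distinguishes "no extension registered", "extension declined", and "extension needs UI", which are the three outcomes the question is trying to separate. The code deliberately never prints token contents, since any silent token path that does work would hand the app bearer credentials for the backend.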
