localStorage.redirect_origin in :start. Apple's JS SDK uses a postMessage popup, so the redirect URI is validated but the browser never actually loads it.:start for Apple: Apple's own web JS SDK
(AppleID.auth.init) does not expose a code_challenge hook, and threading a verifier
through the popup adds complexity without changing the security boundary (Apple's state + nonce
already cover this flow). For native iOS use the id_token verify tab instead.