It may come that the APP never receives any reply to its request from the HAS.

There can be many reasons for this, like users not starting their PKSA or not approving or denying authentication requests they receive.

The APP should monitor requests' expiration against the expire timeout provided in the auth_wait message. They should abort the authentication process and discard pending requests as well as any related reply they may receive.