OAuth2

open class OAuth2 : OAuth2Base

Base class for specific OAuth2 flow implementations.

  • Whether the flow type mandates client identification.

    Declaration

    Swift

    open class var clientIdMandatory: Bool { get }
  • If non-nil, will be called before performing dynamic client registration, giving you a chance to instantiate your own registrar.

    Declaration

    Swift

    public final var onBeforeDynamicClientRegistration: ((URL) -> OAuth2DynReg?)?
  • The authorizer to use for UI handling, depending on platform.

    Declaration

    Swift

    open var authorizer: OAuth2AuthorizerUI!
  • Designated initializer.

    The following settings keys are currently supported:

    • client_id (String)
    • client_secret (String), usually only needed for code grant
    • authorize_uri (URL-String)
    • token_uri (URL-String), if omitted the authorize_uri will be used to obtain tokens
    • refresh_uri (URL-String), if omitted the token_uri will be used to obtain tokens
    • redirect_uris (Array of URL-Strings)
    • scope (String)

    • client_name (String)

    • registration_uri (URL-String)

    • logo_uri (URL-String)

    • keychain (Bool, true by default, applies to using the system keychain)

    • keychain_access_mode (String, value for keychain kSecAttrAccessible attribute, kSecAttrAccessibleWhenUnlocked by default)

    • keychain_access_group (String, value for keychain kSecAttrAccessGroup attribute, nil by default)

    • keychain_account_for_client_credentials(String, “clientCredentials” by default)

    • keychain_account_for_tokens(String, “currentTokens” by default)

    • secret_in_body (Bool, false by default, forces the flow to use the request body for the client secret)

    • token_assume_unexpired (Bool, true by default, whether to use access tokens that do not come with an “expires_in” parameter)

    • use_pkce (Bool, false by default)

    • verbose (bool, false by default, applies to client logging)

    Declaration

    Swift

    override public init(settings: OAuth2JSON)

Authorization

  • Use this method to obtain an access token. Take a look at authConfig on how to configure how authorization is presented to the user.

    This method is running asynchronously and can only be run one at a time.

    This method will first check if the client already has an unexpired access token (possibly from the keychain), if not and it’s able to use a refresh token it will try to use the refresh token. If this fails it will check whether the client has a client_id and show the authorize screen if you have authConfig set up sufficiently. If authConfig is not set up sufficiently this method will end up calling the callback with a failure. If client_id is not set but a “registration_uri” has been provided, a dynamic client registration will be attempted and if it success, an access token will be requested.

    Declaration

    Swift

    public final func authorize(params: OAuth2StringDict? = nil, callback: @escaping ((OAuth2JSON?, OAuth2Error?) -> Void))

    Parameters

    params

    Optional key/value pairs to pass during authorization and token refresh

    callback

    The callback to call when authorization finishes (parameters will be non-nil but may be an empty dict), fails or is canceled (error will be non-nil, e.g. .requestCancelled if auth was aborted)

  • Shortcut function to start embedded authorization from the given context (a UIViewController on iOS, an NSWindow on OS X).

    This method sets authConfig.authorizeEmbedded = true and authConfig.authorizeContext = <# context #>, then calls authorize()

    Declaration

    Swift

    @available(*, deprecated, message: "Use ASWebAuthenticationSession (preferred﹚ or SFSafariWebViewController. This will be removed in v6.")
    open func authorizeEmbedded(from context: AnyObject, params: OAuth2StringDict? = nil, callback: @escaping ((_ authParameters: OAuth2JSON?, _ error: OAuth2Error?) -> Void))

    Parameters

    from

    The context to start authorization from, depends on platform (UIViewController or NSWindow, see authorizeContext)

    params

    Optional key/value pairs to pass during authorization

    callback

    The callback to call when authorization finishes (parameters will be non-nil but may be an empty dict), fails or is canceled (error will be non-nil, e.g. .requestCancelled if auth was aborted)

  • If the instance has an accessToken, checks if its expiry time has not yet passed. If we don’t have an expiry date we assume the token is still valid.

    Declaration

    Swift

    open func hasUnexpiredAccessToken() -> Bool

    Return Value

    A Bool indicating whether a probably valid access token exists

  • Attempts to receive a new access token by:

    1. checking if there still is an unexpired token
    2. attempting to use a refresh token

    Indicates, in the callback, whether the client has been able to obtain an access token that is likely to still work (but there is no guarantee!) or not.

    Declaration

    Swift

    open func tryToObtainAccessTokenIfNeeded(params: OAuth2StringDict? = nil, callback: @escaping ((OAuth2JSON?, OAuth2Error?) -> Void))

    Parameters

    params

    Optional key/value pairs to pass during authorization

    callback

    The callback to call once the client knows whether it has an access token or not; if success is true an access token is present

  • Method to actually start authorization. The public authorize() method only proceeds to this method if there is no valid access token and if optional client registration succeeds.

    Can be overridden in subclasses to perform an authorization dance different from directing the user to a website.

    Declaration

    Swift

    open func doAuthorize(params: OAuth2StringDict? = nil) throws

    Parameters

    params

    Optional key/value pairs to pass during authorization

  • Open the authorize URL in the OS’s browser. Forwards to the receiver’s authorizer, which is a platform-dependent implementation of OAuth2AuthorizerUI.

    Throws

    UnableToOpenAuthorizeURL on failure

    Declaration

    Swift

    final func doOpenAuthorizeURLInBrowser(params: OAuth2StringDict? = nil) throws

    Parameters

    params

    Additional parameters to pass to the authorize URL

  • Tries to use the current auth config context, which on iOS should be a UIViewController and on OS X a NSViewController, to present the authorization screen. Set oauth2.authConfig.authorizeContext accordingly.

    Forwards to the receiver’s authorizer, which is a platform-dependent implementation of OAuth2AuthorizerUI.

    Throws

    Can throw OAuth2Error if the method is unable to show the authorize screen

    Declaration

    Swift

    final func doAuthorizeEmbedded(with config: OAuth2AuthConfig, params: OAuth2StringDict? = nil) throws

    Parameters

    with

    The configuration to be used; usually uses the instance’s authConfig

    params

    Additional authorization parameters to supply during the OAuth dance

  • Method that creates the OAuth2AuthRequest instance used to create the authorize URL

    Declaration

    Swift

    func authorizeRequest(withRedirect redirect: String, scope: String?, params: OAuth2StringDict?) throws -> OAuth2AuthRequest

    Parameters

    redirect

    The redirect URI string to supply. If it is nil, the first value of the settings’ redirect_uris entries is used. Must be present in the end!

    scope

    The scope to request

    params

    Any additional parameters as dictionary with string keys and values that will be added to the query part

    Return Value

    OAuth2AuthRequest to be used to call to the authorize endpoint

  • Most convenient method if you want the authorize URL to be created as defined in your settings dictionary.

    Declaration

    Swift

    open func authorizeURL(params: OAuth2StringDict? = nil) throws -> URL

    Parameters

    params

    Optional, additional URL params to supply to the request

    Return Value

    NSURL to be used to start the OAuth dance

  • Convenience method to be overridden by and used from subclasses.

    Declaration

    Swift

    open func authorizeURL(withRedirect redirect: String?, scope: String?, params: OAuth2StringDict?) throws -> URL

    Parameters

    redirect

    The redirect URI string to supply. If it is nil, the first value of the settings’ redirect_uris entries is used. Must be present in the end!

    scope

    The scope to request

    params

    Any additional parameters as dictionary with string keys and values that will be added to the query part

    Return Value

    NSURL to be used to start the OAuth dance

Refresh Token

  • Generate the request to be used for token refresh when we have a refresh token.

    This will set “grant_type” to “refresh_token”, add the refresh token, and take care of the remaining parameters.

    Declaration

    Swift

    open func tokenRequestForTokenRefresh(params: OAuth2StringDict? = nil) throws -> OAuth2AuthRequest

    Parameters

    params

    Additional parameters to pass during token refresh

    Return Value

    An OAuth2AuthRequest instance that is configured for token refresh

  • If there is a refresh token, use it to receive a fresh access token.

    If the request returns an error, the refresh token is thrown away.

    Declaration

    Swift

    open func doRefreshToken(params: OAuth2StringDict? = nil, callback: @escaping ((OAuth2JSON?, OAuth2Error?) -> Void))

    Parameters

    params

    Optional key/value pairs to pass during token refresh

    callback

    The callback to call after the refresh token exchange has finished

Registration

  • Use OAuth2 dynamic client registration to register the client, if needed.

    Returns immediately if the receiver’s clientId is nil (with error = nil) or if there is no registration URL (with error). Otherwise calls onBeforeDynamicClientRegistration() – if it is non-nil – and uses the returned OAuth2DynReg instance – if it is non-nil. If both are nil, instantiates a blank OAuth2DynReg instead, then attempts client registration.

    Declaration

    Swift

    public func registerClientIfNeeded(callback: @escaping ((OAuth2JSON?, OAuth2Error?) -> Void))

    Parameters

    callback

    The callback to call on the main thread; if both json and error is nil no registration was attempted; error is nil on success