Support making nonce nullable (#169)

* add a new useNonce param to authorize on iOS to support making nonce nullable

* fix failing test

* forgot to declare paramenter in the authorize call

* update implementation according to maintainer from AppAuth to not depend on a change to their codebase

* support additional parameters in the response

* support sending back additional params on android

* clean up the hack a bit

* fix unexpected typo

* fix unexpected typo reloaded

Author: FelipeBuiles

android/src/main/java/com/rnappauth/RNAppAuthModule.java

@@ -207,7 +207,7 @@ public void onFetchConfigurationCompleted(
     @Override
     public void onActivityResult(Activity activity, int requestCode, int resultCode, Intent data) {
         if (requestCode == 0) {
-            AuthorizationResponse response = AuthorizationResponse.fromIntent(data);
+            final AuthorizationResponse response = AuthorizationResponse.fromIntent(data);
             AuthorizationException exception = AuthorizationException.fromIntent(data);
             if (exception != null) {
                 promise.reject("RNAppAuth Error", "Failed to authenticate", exception);
@@ -229,7 +229,7 @@ public void onActivityResult(Activity activity, int requestCode, int resultCode,
                 public void onTokenRequestCompleted(
                         TokenResponse resp, AuthorizationException ex) {
                     if (resp != null) {
-                        WritableMap map = tokenResponseToMap(resp);
+                        WritableMap map = tokenResponseToMap(resp, response.additionalParameters);
                         authorizePromise.resolve(map);
                     } else {
                         promise.reject("RNAppAuth Error", "Failed exchange token", ex);
@@ -394,7 +394,7 @@ private String arrayToString(ReadableArray array) {
         return strBuilder.toString();
     }
 
-    /*
+/*
      * Read raw token response into a React Native map to be passed down the bridge
      */
     private WritableMap tokenResponseToMap(TokenResponse response) {
@@ -430,6 +430,52 @@ private WritableMap tokenResponseToMap(TokenResponse response) {
         return map;
     }
 
+    /*
+     * Read raw token response into a React Native map to be passed down the bridge
+     */
+    private WritableMap tokenResponseToMap(TokenResponse response, Map<String, String> responseAdditionalParameters) {
+        WritableMap map = Arguments.createMap();
+
+        map.putString("accessToken", response.accessToken);
+
+        if (response.accessTokenExpirationTime != null) {
+            Date expirationDate = new Date(response.accessTokenExpirationTime);
+            SimpleDateFormat formatter = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'", Locale.US);
+            formatter.setTimeZone(TimeZone.getTimeZone("UTC"));
+            String expirationDateString = formatter.format(expirationDate);
+            map.putString("accessTokenExpirationDate", expirationDateString);
+        }
+
+        WritableMap additionalParametersMap = Arguments.createMap();
+
+        if (!responseAdditionalParameters.isEmpty()) {
+
+            Iterator<String> iterator = responseAdditionalParameters.keySet().iterator();
+
+            while(iterator.hasNext()) {
+                String key = iterator.next();
+                additionalParametersMap.putString(key, responseAdditionalParameters.get(key));
+            }
+        }
+
+        if(!this.additionalParametersMap.isEmpty()) {
+
+            Iterator<String> iterator = this.additionalParametersMap.keySet().iterator();
+
+            while(iterator.hasNext()) {
+                String key = iterator.next();
+                additionalParametersMap.putString(key, this.additionalParametersMap.get(key));
+            }
+        }
+
+        map.putMap("additionalParameters", additionalParametersMap);
+        map.putString("idToken", response.idToken);
+        map.putString("refreshToken", response.refreshToken);
+        map.putString("tokenType", response.tokenType);
+
+        return map;
+    }
+
     /*
      * Create an App Auth configuration using the provided connection builder
      */

index.js

@@ -28,6 +28,7 @@ export const authorize = ({
   clientId,
   clientSecret,
   scopes,
+  useNonce = true,
   additionalParameters,
   serviceConfiguration,
   dangerouslyAllowInsecureHttpRequests = false,
@@ -48,6 +49,10 @@ export const authorize = ({
   ];
   if (Platform.OS === 'android') {
     nativeMethodArguments.push(dangerouslyAllowInsecureHttpRequests);
+  } else {
+    // add a new useNonce param on iOS to support making it optional
+    const nonceParamIndex = 5;
+    nativeMethodArguments.splice(nonceParamIndex, 0, useNonce);
   }
 
   return RNAppAuth.authorize(...nativeMethodArguments);

index.spec.js

@@ -32,6 +32,7 @@ describe('AppAuth', () => {
     additionalParameters: { hello: 'world' },
     serviceConfiguration: null,
     scopes: ['my-scope'],
+    useNonce: true,
   };
 
   describe('authorize', () => {
@@ -86,6 +87,7 @@ describe('AppAuth', () => {
         config.clientId,
         config.clientSecret,
         config.scopes,
+        config.useNonce,
         config.additionalParameters,
         config.serviceConfiguration
       );

ios/RNAppAuth.m

@@ -20,6 +20,14 @@ - (dispatch_queue_t)methodQueue
     return dispatch_get_main_queue();
 }
 
+/*! @brief Number of random bytes generated for the @ state.
+ */
+static NSUInteger const kStateSizeBytes = 32;
+
+/*! @brief Number of random bytes generated for the @ codeVerifier.
+ */
+static NSUInteger const kCodeVerifierBytes = 32;
+
 RCT_EXPORT_MODULE()
 
 RCT_REMAP_METHOD(authorize,
@@ -28,6 +36,7 @@ - (dispatch_queue_t)methodQueue
                  clientId: (NSString *) clientId
                  clientSecret: (NSString *) clientSecret
                  scopes: (NSArray *) scopes
+                 useNonce: (BOOL *) useNonce
                  additionalParameters: (NSDictionary *_Nullable) additionalParameters
                  serviceConfiguration: (NSDictionary *_Nullable) serviceConfiguration
                  resolve: (RCTPromiseResolveBlock) resolve
@@ -41,6 +50,7 @@ - (dispatch_queue_t)methodQueue
                                 clientId: clientId
                             clientSecret: clientSecret
                                   scopes: scopes
+                                useNonce: useNonce
                     additionalParameters: additionalParameters
                                  resolve: resolve
                                   reject: reject];
@@ -56,6 +66,7 @@ - (dispatch_queue_t)methodQueue
                                                                                         clientId: clientId
                                                                                     clientSecret: clientSecret
                                                                                           scopes: scopes
+                                                                                        useNonce: useNonce
                                                                             additionalParameters: additionalParameters
                                                                                          resolve: resolve
                                                                                           reject: reject];
@@ -126,6 +137,25 @@ - (OIDServiceConfiguration *) createServiceConfiguration: (NSDictionary *) servi
     return configuration;
 }
 
++ (nullable NSString *)generateCodeVerifier {
+  return [OIDTokenUtilities randomURLSafeStringWithSize:kCodeVerifierBytes];
+}
+
++ (nullable NSString *)generateState {
+  return [OIDTokenUtilities randomURLSafeStringWithSize:kStateSizeBytes];
+}
+
++ (nullable NSString *)codeChallengeS256ForVerifier:(NSString *)codeVerifier {
+  if (!codeVerifier) {
+    return nil;
+  }
+  // generates the code_challenge per spec https://tools.ietf.org/html/rfc7636#section-4.2
+  // code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
+  // NB. the ASCII conversion on the code_verifier entropy was done at time of generation.
+  NSData *sha256Verifier = [OIDTokenUtilities sha256:codeVerifier];
+  return [OIDTokenUtilities encodeBase64urlNoPadding:sha256Verifier];
+}
+
 /*
  * Authorize a user in exchange for a token with provided OIDServiceConfiguration
  */
@@ -134,18 +164,29 @@ - (void)authorizeWithConfiguration: (OIDServiceConfiguration *) configuration
                           clientId: (NSString *) clientId
                       clientSecret: (NSString *) clientSecret
                             scopes: (NSArray *) scopes
+                          useNonce: (BOOL *) useNonce
               additionalParameters: (NSDictionary *_Nullable) additionalParameters
                            resolve: (RCTPromiseResolveBlock) resolve
                             reject: (RCTPromiseRejectBlock)  reject
 {
+
+    NSString *codeVerifier = [[self class] generateCodeVerifier];
+    NSString *codeChallenge = [[self class] codeChallengeS256ForVerifier:codeVerifier];
+    NSString *nonce = useNonce ? [[self class] generateState] : nil;
+
     // builds authentication request
     OIDAuthorizationRequest *request =
     [[OIDAuthorizationRequest alloc] initWithConfiguration:configuration
                                                   clientId:clientId
                                               clientSecret:clientSecret
-                                                    scopes:scopes
+                                                     scope:[OIDScopeUtilities scopesWithArray:scopes]
                                                redirectURL:[NSURL URLWithString:redirectUrl]
                                               responseType:OIDResponseTypeCode
+                                                     state:[[self class] generateState]
+                                                     nonce:nonce
+                                              codeVerifier:codeVerifier
+                                             codeChallenge:codeChallenge
+                                      codeChallengeMethod:OIDOAuthorizationRequestCodeChallengeMethodS256
                                       additionalParameters:additionalParameters];
 
     // performs authentication request
@@ -163,7 +204,8 @@ - (void)authorizeWithConfiguration: (OIDServiceConfiguration *) configuration
                                                        typeof(self) strongSelf = weakSelf;
                                                        strongSelf->_currentSession = nil;
                                                        if (authState) {
-                                                           resolve([self formatResponse:authState.lastTokenResponse]);
+                                                           resolve([self formatResponse:authState.lastTokenResponse
+                                                               withAdditionalParameters:authState.lastAuthorizationResponse.additionalParameters]);
                                                        } else {
                                                            reject(@"RNAppAuth Error", [error localizedDescription], error);
                                                        }
@@ -225,4 +267,24 @@ - (NSDictionary*)formatResponse: (OIDTokenResponse*) response {
              };
 }
 
+/*
+ * Take raw OIDTokenResponse and additional paramaeters from an OIDAuthorizationResponse
+ *  and turn them into an extended token response format to pass to JavaScript caller
+ */
+- (NSDictionary*)formatResponse: (OIDTokenResponse*) response
+       withAdditionalParameters:(NSDictionary*) params{
+    NSDateFormatter *dateFormat = [[NSDateFormatter alloc] init];
+    dateFormat.timeZone = [NSTimeZone timeZoneWithAbbreviation: @"UTC"];
+    [dateFormat setLocale:[NSLocale localeWithLocaleIdentifier:@"en_US_POSIX"]];
+    [dateFormat setDateFormat:@"yyyy-MM-dd'T'HH:mm:ss'Z'"];
+    
+    return @{@"accessToken": response.accessToken ? response.accessToken : @"",
+             @"accessTokenExpirationDate": response.accessTokenExpirationDate ? [dateFormat stringFromDate:response.accessTokenExpirationDate] : @"",
+             @"additionalParameters": params,
+             @"idToken": response.idToken ? response.idToken : @"",
+             @"refreshToken": response.refreshToken ? response.refreshToken : @"",
+             @"tokenType": response.tokenType ? response.tokenType : @"",
+             };
+}
+
 @end