auth0
diff --git a/‎Auth0.xcodeproj/project.pbxproj‎
Lines changed: 48 additions & 4 deletions b/‎Auth0.xcodeproj/project.pbxproj‎
Lines changed: 48 additions & 4 deletions
diff --git a/‎Auth0/Auth0.swift‎
Lines changed: 3 additions & 3 deletions b/‎Auth0/Auth0.swift‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎Auth0/Auth0Log.swift‎
Lines changed: 124 additions & 0 deletions b/‎Auth0/Auth0Log.swift‎
Lines changed: 124 additions & 0 deletions
diff --git a/‎Auth0/CredentialsManager.swift‎
Lines changed: 52 additions & 18 deletions b/‎Auth0/CredentialsManager.swift‎
Lines changed: 52 additions & 18 deletions
diff --git a/‎Auth0/Logger.swift‎
Lines changed: 29 additions & 16 deletions b/‎Auth0/Logger.swift‎
Lines changed: 29 additions & 16 deletions
@@ -219,13 +219,13 @@ public func webAuth(clientId: String, domain: String, session: URLSession = .sha
 func plistValues(bundle: Bundle) -> (clientId: String, domain: String)? {
     guard let path = bundle.path(forResource: "Auth0", ofType: "plist"),
           let values = NSDictionary(contentsOfFile: path) as? [String: Any] else {
-            print("Missing Auth0.plist file with 'ClientId' and 'Domain' entries in main bundle!")
+            Auth0Log.error(.configuration, "Missing Auth0.plist file with 'ClientId' and 'Domain' entries in main bundle!")
             return nil
         }
 
     guard let clientId = values["ClientId"] as? String, let domain = values["Domain"] as? String else {
-            print("Auth0.plist file at \(path) is missing 'ClientId' and/or 'Domain' entries!")
-            print("File currently has the following entries: \(values)")
+            Auth0Log.error(.configuration, "Auth0.plist file at \(path) is missing 'ClientId' and/or 'Domain' entries!")
+            Auth0Log.debug(.configuration, "File currently has the following entries: \(String(describing: values))")
             return nil
         }
     return (clientId: clientId, domain: domain)
 
@@ -0,0 +1,124 @@
+import Foundation
+import os.log
+
+// MARK: - Unified Logging System
+
+/// Represents different categories of logs within the SDK.
+enum LogCategory: String {
+    /// networkTracing category is used for  the network request and response traces
+    case networkTracing = "NetworkTracing"
+    /// configuration category is used for SDK configuration related logs
+    case configuration = "Configuration"
+}
+
+/// Log levels supported by the unified logging system.
+enum LogLevel {
+    /// Detailed information for debugging
+    case debug
+    /// General informational messages
+    case info
+    /// Warning messages for potentially problematic situations
+    case warning
+    /// Error messages for failures
+    case error
+    /// Critical system errors
+    case fault
+}
+
+/// Unified logging interface for the SDK.
+/// Provides a consistent, type-safe API for logging across all SDK components.
+enum Auth0Log {
+    
+    /// Shared logging service instance (can be replaced for testing).
+    static var loggingService: UnifiedLogging = OSUnifiedLoggingService()
+    
+    /// Centralized subsystem identifier for all Auth0 logs.
+    static var subsystem: String { OSUnifiedLoggingService.subsystem }
+    
+    /// Log a message with the specified category and level.
+    ///
+    /// Use this method for fine-grained control over logging. For common use cases,
+    /// prefer the convenience methods: `debug()`, `info()`, `warning()`, `error()`, `fault()`.
+    ///
+    /// - Parameters:
+    ///   - category: The log category for filtering and organization. See `LogCategory` for available categories.
+    ///   - level: The severity level of the log. Defaults to `.debug`. See `LogLevel` for available levels.
+    ///   - message: The message to log. Evaluated lazily via autoclosure for performance.
+    static func log(
+        _ category: LogCategory,
+        level: LogLevel = .debug,
+        message: String
+    ) {
+        loggingService.log(category, level: level, message: message)
+    }
+    
+    /// Log a debug message.
+    ///
+    /// Use for detailed information useful during development and debugging.
+    ///
+    /// - Parameters:
+    ///   - category: The log category for filtering
+    ///   - message: The message to log
+    static func debug(
+        _ category: LogCategory,
+        _ message: String
+    ) {
+        log(category, level: .debug, message: message)
+    }
+    
+    /// Log an informational message.
+    ///
+    /// Use for general informational messages about application state.
+    ///
+    /// - Parameters:
+    ///   - category: The log category for filtering
+    ///   - message: The message to log
+    static func info(
+        _ category: LogCategory,
+        _ message:  String
+    ) {
+        log(category, level: .info, message: message)
+    }
+    
+    /// Log a warning message.
+    ///
+    /// Use for potentially problematic situations that aren't errors.
+    ///
+    /// - Parameters:
+    ///   - category: The log category for filtering
+    ///   - message: The message to log
+    static func warning(
+        _ category: LogCategory,
+        _ message: String
+    ) {
+        log(category, level: .warning, message: message)
+    }
+    
+    /// Log an error message.
+    ///
+    /// Use for error conditions and failures that need attention.
+    ///
+    /// - Parameters:
+    ///   - category: The log category for filtering
+    ///   - message: The message to log
+    static func error(
+        _ category: LogCategory,
+        _ message: String
+    ) {
+        log(category, level: .error, message: message)
+    }
+    
+    /// Log a fault message for critical system errors.
+    ///
+    /// Use for serious errors that may cause data loss or application instability.
+    ///
+    /// - Parameters:
+    ///   - category: The log category for filtering
+    ///   - message: The message to log
+    static func fault(
+        _ category: LogCategory,
+        _ message: @autoclosure () -> String
+    ) {
+        log(category, level: .fault, message: message())
+    }
+}
@@ -37,7 +37,7 @@ public struct CredentialsManager {
         let noSession: TimeInterval = -1
         var lastBiometricAuthTime: TimeInterval = -1
         let lock = NSLock()
-        
+
         init() {
             lastBiometricAuthTime = noSession
         }
@@ -163,9 +163,12 @@ public struct CredentialsManager {
     /// ```
     ///
     /// - Parameter audience: Identifier of the API the stored API credentials are for.
+    /// - Parameter scope: Optional scope for which the  API Credentials are stored. If the credentials were initially fetched/stored with scope,
+    ///   it is recommended to pass scope also while clearing them.
     /// - Returns: If the API credentials were removed.
-    public func clear(forAudience audience: String) -> Bool {
-        return self.storage.deleteEntry(forKey: audience)
+    public func clear(forAudience audience: String, scope: String? = nil) -> Bool {
+        let key = getAPICredentialsStorageKey(audience: audience, scope: scope)
+        return self.storage.deleteEntry(forKey: key)
     }
 
     #if WEB_AUTH_PLATFORM
@@ -180,13 +183,13 @@ public struct CredentialsManager {
     /// - Returns: `true` if the session is valid and biometric authentication can be skipped, `false` otherwise.
     public func isBiometricSessionValid() -> Bool {
         guard let bioAuth = self.bioAuth else { return false }
-        
+
         self.biometricSession.lock.lock()
         defer { self.biometricSession.lock.unlock() }
-        
+
         let lastAuth = self.biometricSession.lastBiometricAuthTime
         if lastAuth == self.biometricSession.noSession { return false }
-        
+
         switch bioAuth.policy {
         case .session(let timeoutInSeconds), .appLifecycle(let timeoutInSeconds):
             let timeoutInterval = TimeInterval(timeoutInSeconds)
@@ -694,24 +697,39 @@ public struct CredentialsManager {
                                  callback: callback)
     }
 
-    public func store(apiCredentials: APICredentials, forAudience audience: String) -> Bool {
+    public func store(apiCredentials: APICredentials, forAudience audience: String, forScope scope: String? = nil) -> Bool {
         guard let data = try? apiCredentials.encode() else {
             return false
         }
 
-        return self.storage.setEntry(data, forKey: audience)
+        let key = getAPICredentialsStorageKey(audience: audience, scope: scope)
+        return self.storage.setEntry(data, forKey: key)
     }
 
     private func retrieveCredentials() -> Credentials? {
         guard let data = self.storage.getEntry(forKey: self.storeKey) else { return nil }
         return try? NSKeyedUnarchiver.unarchivedObject(ofClass: Credentials.self, from: data)
     }
 
-    private func retrieveAPICredentials(audience: String) -> APICredentials? {
-        guard let data = self.storage.getEntry(forKey: audience) else { return nil }
+    private func retrieveAPICredentials(audience: String, scope: String?) -> APICredentials? {
+        let key = getAPICredentialsStorageKey(audience: audience, scope: scope)
+        guard let data = self.storage.getEntry(forKey: key) else { return nil }
         return try? APICredentials(from: data)
     }
 
+    private func getAPICredentialsStorageKey(audience: String, scope: String?) -> String {
+        // Use audience if scope is null else use a combination of audience and scope
+        if let scope = scope {
+            let normalisedScopes = scope
+            .split(separator: " ")
+            .sorted()
+            .joined(separator: "::")
+            return "\(audience)::\(normalisedScopes)"
+        } else {
+            return audience
+        }
+    }
+
     // swiftlint:disable:next function_parameter_count
     private func retrieveCredentials(scope: String?,
                                      minTTL: Int,
@@ -832,10 +850,10 @@ public struct CredentialsManager {
             dispatchGroup.enter()
 
             DispatchQueue.global(qos: .userInitiated).async {
-                if let apiCredentials = self.retrieveAPICredentials(audience: audience),
+                if let apiCredentials = self.retrieveAPICredentials(audience: audience, scope: scope),
                       !self.hasExpired(apiCredentials.expiresIn),
                       !self.willExpire(apiCredentials.expiresIn, within: minTTL),
-                      !self.hasScopeChanged(from: apiCredentials.scope, to: scope) {
+                   !self.hasScopeChanged(from: apiCredentials.scope, to: scope, ignoreOpenid: scope?.contains("openid") == false) {
                     dispatchGroup.leave()
                     return callback(.success(apiCredentials))
                 }
@@ -867,7 +885,7 @@ public struct CredentialsManager {
                             } else if !self.store(credentials: newCredentials) {
                                 dispatchGroup.leave()
                                 callback(.failure(CredentialsManagerError(code: .storeFailed)))
-                            } else if !self.store(apiCredentials: newAPICredentials, forAudience: audience) {
+                            } else if !self.store(apiCredentials: newAPICredentials, forAudience: audience, forScope: scope) {
                                 dispatchGroup.leave()
                                 callback(.failure(CredentialsManagerError(code: .storeFailed)))
                             } else {
@@ -893,14 +911,30 @@ public struct CredentialsManager {
         return expiresIn < Date()
     }
 
-    func hasScopeChanged(from lastScope: String?, to newScope: String?) -> Bool {
+    func hasScopeChanged(from lastScope: String?, to newScope: String?, ignoreOpenid: Bool = false) -> Bool {
+
         if let lastScope = lastScope, let newScope = newScope {
-            let lastScopeList = lastScope.lowercased().split(separator: " ").sorted()
-            let newScopeList = newScope.lowercased().split(separator: " ").sorted()
 
-            return lastScopeList != newScopeList
-        }
+            var storedScopes = Set(
+                    lastScope
+                    .split(separator: " ")
+                    .filter { !$0.isEmpty }
+                    .map { String($0).lowercased() }
+            )
 
+            if ignoreOpenid {
+                storedScopes.remove("openid")
+            }
+
+            let requiredScopes = Set(
+                    newScope
+                    .split(separator: " ")
+                    .filter { !$0.isEmpty }
+                    .map { String($0).lowercased() }
+            )
+
+            return storedScopes != requiredScopes
+        }
         return false
     }
 
 
@@ -14,14 +14,21 @@ public protocol Logger {
 
 }
 
+private let networkTraceQueue = DispatchQueue(label: "com.auth0.networkTrace", qos: .utility)
+
 protocol LoggerOutput {
     func log(message: String)
     func newLine()
 }
 
 struct DefaultOutput: LoggerOutput {
-    func log(message: String) { print(message) }
-    func newLine() { print() }
+    func log(message: String) {
+        Auth0Log.debug(.networkTracing, message)
+    }
+    
+    func newLine() {
+        Auth0Log.debug(.networkTracing, "")
+    }
 }
 
 struct DefaultLogger: Logger {
@@ -33,31 +40,37 @@ struct DefaultLogger: Logger {
     }
 
     func trace(request: URLRequest, session: URLSession) {
-        guard let method = request.httpMethod, let url = request.url?.absoluteString else { return }
-        output.log(message: "\(method) \(url) HTTP/1.1")
-        session.configuration.httpAdditionalHeaders?.forEach { key, value in output.log(message: "\(key): \(value)") }
-        request.allHTTPHeaderFields?.forEach { key, value in output.log(message: "\(key): \(value)") }
-        if let data = request.httpBody, let string = String(data: data, encoding: .utf8) {
+        networkTraceQueue.async { [output] in
+            guard let method = request.httpMethod, let url = request.url?.absoluteString else { return }
+            output.log(message: "\(method) \(url) HTTP/1.1")
+            session.configuration.httpAdditionalHeaders?.forEach { key, value in output.log(message: "\(key): \(value)") }
+            request.allHTTPHeaderFields?.forEach { key, value in output.log(message: "\(key): \(value)") }
+            if let data = request.httpBody, let string = String(data: data, encoding: .utf8) {
+                output.newLine()
+                output.log(message: string)
+            }
             output.newLine()
-            output.log(message: string)
         }
-        output.newLine()
     }
 
     func trace(response: URLResponse, data: Data?) {
-        if let http = response as? HTTPURLResponse {
-            output.log(message: "HTTP/1.1 \(http.statusCode)")
-            http.allHeaderFields.forEach { key, value in output.log(message: "\(key): \(value)") }
-            if let data = data, let string = String(data: data, encoding: .utf8) {
+        networkTraceQueue.async { [output] in
+            if let http = response as? HTTPURLResponse {
+                output.log(message: "HTTP/1.1 \(http.statusCode)")
+                http.allHeaderFields.forEach { key, value in output.log(message: "\(key): \(value)") }
+                if let data = data, let string = SensitiveDataRedactor.redact(data) {
+                    output.newLine()
+                    output.log(message: "API Response: \(string)")
+                }
                 output.newLine()
-                output.log(message: string)
             }
-            output.newLine()
         }
     }
 
     func trace(url: URL, source: String?) {
-        output.log(message: "\(source ?? "URL"): \(url.absoluteString)")
+        networkTraceQueue.async { [output] in
+            output.log(message: "\(source ?? "URL"): \(url.absoluteString)")
+        }
     }
 
 }