Add support for Multi-Resource Refresh Token (MRRT) (#912)

Author: Widcket

Auth0.xcodeproj/project.pbxproj

@@ -201,6 +201,15 @@
 		5CF539292836FB0C0073F623 /* ClearSessionTransactionSpec.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5CF539272836FB0C0073F623 /* ClearSessionTransactionSpec.swift */; };
 		5CF5392B283835470073F623 /* ASProviderSpec.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5CF5392A283835460073F623 /* ASProviderSpec.swift */; };
 		5CF5392C283835470073F623 /* ASProviderSpec.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5CF5392A283835460073F623 /* ASProviderSpec.swift */; };
+		5CFB82502D5BF324009FD237 /* APICredentials.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5CFB824F2D5BF31D009FD237 /* APICredentials.swift */; };
+		5CFB82512D5BF324009FD237 /* APICredentials.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5CFB824F2D5BF31D009FD237 /* APICredentials.swift */; };
+		5CFB82522D5BF324009FD237 /* APICredentials.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5CFB824F2D5BF31D009FD237 /* APICredentials.swift */; };
+		5CFB82532D5BF324009FD237 /* APICredentials.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5CFB824F2D5BF31D009FD237 /* APICredentials.swift */; };
+		5CFB82542D5BF324009FD237 /* APICredentials.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5CFB824F2D5BF31D009FD237 /* APICredentials.swift */; };
+		5CFB82562D5E9F9B009FD237 /* APICredentialsSpec.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5CFB82552D5E9F94009FD237 /* APICredentialsSpec.swift */; };
+		5CFB82572D5E9F9B009FD237 /* APICredentialsSpec.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5CFB82552D5E9F94009FD237 /* APICredentialsSpec.swift */; };
+		5CFB82582D5E9F9B009FD237 /* APICredentialsSpec.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5CFB82552D5E9F94009FD237 /* APICredentialsSpec.swift */; };
+		5CFB82592D5E9F9B009FD237 /* APICredentialsSpec.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5CFB82552D5E9F94009FD237 /* APICredentialsSpec.swift */; };
 		5CFB82612D6D221F009FD237 /* Barrier.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5CFB82602D6D221C009FD237 /* Barrier.swift */; };
 		5CFB82622D6D221F009FD237 /* Barrier.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5CFB82602D6D221C009FD237 /* Barrier.swift */; };
 		5CFB82632D6D221F009FD237 /* Barrier.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5CFB82602D6D221C009FD237 /* Barrier.swift */; };
@@ -722,6 +731,8 @@
 		5CF539232836DCC10073F623 /* SafariProviderSpec.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SafariProviderSpec.swift; sourceTree = "<group>"; };
 		5CF539272836FB0C0073F623 /* ClearSessionTransactionSpec.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ClearSessionTransactionSpec.swift; sourceTree = "<group>"; };
 		5CF5392A283835460073F623 /* ASProviderSpec.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ASProviderSpec.swift; sourceTree = "<group>"; };
+		5CFB824F2D5BF31D009FD237 /* APICredentials.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = APICredentials.swift; sourceTree = "<group>"; };
+		5CFB82552D5E9F94009FD237 /* APICredentialsSpec.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = APICredentialsSpec.swift; sourceTree = "<group>"; };
 		5CFB82602D6D221C009FD237 /* Barrier.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Barrier.swift; sourceTree = "<group>"; };
 		5CFB826F2D6E640B009FD237 /* SSOCredentials.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SSOCredentials.swift; sourceTree = "<group>"; };
 		5CFB82752D6FD287009FD237 /* SSOCredentialsSpec.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SSOCredentialsSpec.swift; sourceTree = "<group>"; };
@@ -1248,6 +1259,7 @@
 			children = (
 				5FBBF0421CCA90300024D2AF /* AuthenticationSpec.swift */,
 				5FE2F8A51CCA9C17003628F4 /* CredentialsSpec.swift */,
+				5CFB82552D5E9F94009FD237 /* APICredentialsSpec.swift */,
 				5CFB82752D6FD287009FD237 /* SSOCredentialsSpec.swift */,
 				5B2860D41EEF20F300C75D54 /* UserInfoSpec.swift */,
 				5C3D88672DC2CCA100AACC34 /* PasskeyLoginChallenge.swift */,
@@ -1320,6 +1332,7 @@
 				5C4F552223C8FBA100C89615 /* JWKS.swift */,
 				5B2860CD1EEAC30500C75D54 /* UserInfo.swift */,
 				5FDE874E1D8A424700EA27DC /* Credentials.swift */,
+				5CFB824F2D5BF31D009FD237 /* APICredentials.swift */,
 				5CFB826F2D6E640B009FD237 /* SSOCredentials.swift */,
 				5FDE874F1D8A424700EA27DC /* Handlers.swift */,
 			);
@@ -2126,6 +2139,7 @@
 				5F06DDC91CC66B710011842B /* Auth0.swift in Sources */,
 				5C3D87E92DB99C5C00AACC34 /* PasskeySignupChallenge.swift in Sources */,
 				5B1748741EF2D3A40060E653 /* Helpers.swift in Sources */,
+				5CFB82542D5BF324009FD237 /* APICredentials.swift in Sources */,
 				5FDE87691D8A424700EA27DC /* Credentials.swift in Sources */,
 				5FE2F8B21CCEAED8003628F4 /* Requestable.swift in Sources */,
 				5C4F551E23C8FB8E00C89615 /* Array+Encode.swift in Sources */,
@@ -2163,6 +2177,7 @@
 				5C0AF09E2833420200162044 /* WebAuthentication.swift in Sources */,
 				5FDE876A1D8A424700EA27DC /* Credentials.swift in Sources */,
 				5C354C05276CE1A500ADBC86 /* PasswordlessType.swift in Sources */,
+				5CFB82512D5BF324009FD237 /* APICredentials.swift in Sources */,
 				5C3D88262DC1509800AACC34 /* LoginPasskey.swift in Sources */,
 				5F28B4621D8216180000EB23 /* Loggable.swift in Sources */,
 				5C41F6D4244F974100252548 /* OAuth2Grant.swift in Sources */,
@@ -2246,6 +2261,7 @@
 				5FADB60F1CED7E5200D4BB50 /* UserPatchAttributesSpec.swift in Sources */,
 				5C3D880E2DBE7F3D00AACC34 /* PasskeySignupChallengeSpec.swift in Sources */,
 				5C4F553523C9124200C89615 /* JWKSpec.swift in Sources */,
+				5CFB82592D5E9F9B009FD237 /* APICredentialsSpec.swift in Sources */,
 				5FA250541D4A85A200C544FA /* WebAuthErrorSpec.swift in Sources */,
 				5CB41D7623D0C15000074024 /* IDTokenValidatorBaseSpec.swift in Sources */,
 				5B9262C31ECF0CC200F4F6D3 /* BioAuthenticationSpec.swift in Sources */,
@@ -2304,6 +2320,7 @@
 				C177D7762C2BE00D0094C657 /* StubURLProtocol.swift in Sources */,
 				5CE775AF244FD66D00D054A0 /* OAuth2GrantSpec.swift in Sources */,
 				5FD255B21D14A9E000387ECB /* AuthenticationErrorSpec.swift in Sources */,
+				5CFB82582D5E9F9B009FD237 /* APICredentialsSpec.swift in Sources */,
 				5C53A7E92703A23200A7C0A3 /* UserInfoSpec.swift in Sources */,
 				C177D7712C2BDFE40094C657 /* NetworkStub.swift in Sources */,
 				5CF539252836DCC10073F623 /* SafariProviderSpec.swift in Sources */,
@@ -2355,6 +2372,7 @@
 				5CFB82712D6E640F009FD237 /* SSOCredentials.swift in Sources */,
 				5F23E6E41D4ACD8500C3F2D9 /* JSONObjectPayload.swift in Sources */,
 				5C4F551C23C8FB8E00C89615 /* String+URLSafe.swift in Sources */,
+				5CFB82502D5BF324009FD237 /* APICredentials.swift in Sources */,
 				5F23E6DC1D4ACD6100C3F2D9 /* NSData+URLSafe.swift in Sources */,
 				5F23E6E61D4ACD8500C3F2D9 /* Requestable.swift in Sources */,
 				5C354C07276CE1A500ADBC86 /* PasswordlessType.swift in Sources */,
@@ -2395,6 +2413,7 @@
 				5CFB82722D6E640F009FD237 /* SSOCredentials.swift in Sources */,
 				5C4F552623C8FBA100C89615 /* JWKS.swift in Sources */,
 				5B0893E620F8A52100FBF962 /* CredentialsManager.swift in Sources */,
+				5CFB82532D5BF324009FD237 /* APICredentials.swift in Sources */,
 				5F23E7061D4B88EA00C3F2D9 /* NSData+URLSafe.swift in Sources */,
 				5F23E70F1D4B88FC00C3F2D9 /* Requestable.swift in Sources */,
 				5C354C06276CE1A500ADBC86 /* PasswordlessType.swift in Sources */,
@@ -2420,6 +2439,7 @@
 				5F28B4691D8300D50000EB23 /* LoggerSpec.swift in Sources */,
 				5F1FBB9A1D8A44C0006B0B85 /* ResponseSpec.swift in Sources */,
 				5F331B0C1D4BB7F900AE4382 /* UsersSpec.swift in Sources */,
+				5CFB82572D5E9F9B009FD237 /* APICredentialsSpec.swift in Sources */,
 				C12BFE442C352DD700D1CC00 /* StubURLProtocol.swift in Sources */,
 				5F331B0E1D4BB80700AE4382 /* Matchers.swift in Sources */,
 				5F331B0A1D4BB7F900AE4382 /* ManagementSpec.swift in Sources */,
@@ -2464,6 +2484,7 @@
 				5C3D87E42DB8276000AACC34 /* PublicKeyCredentialCreationOptions.swift in Sources */,
 				5C3D881D2DC148C600AACC34 /* PasskeyLoginChallenge.swift in Sources */,
 				C1B3B9F32C24B6D4004A32A4 /* JWKS.swift in Sources */,
+				5CFB82522D5BF324009FD237 /* APICredentials.swift in Sources */,
 				C1B3B9F42C24B6D4004A32A4 /* UserInfo.swift in Sources */,
 				C1B3B9F52C24B6D4004A32A4 /* Credentials.swift in Sources */,
 				C1B3B9F62C24B6D4004A32A4 /* Handlers.swift in Sources */,
@@ -2555,6 +2576,7 @@
 				C1B3BA452C24BA36004A32A4 /* IDTokenValidatorMocks.swift in Sources */,
 				C1B3BA462C24BA36004A32A4 /* IDTokenValidatorSpec.swift in Sources */,
 				C1B3BA472C24BA36004A32A4 /* IDTokenSignatureValidatorSpec.swift in Sources */,
+				5CFB82562D5E9F9B009FD237 /* APICredentialsSpec.swift in Sources */,
 				C1B3BA482C24BA36004A32A4 /* ClaimValidatorsSpec.swift in Sources */,
 				C1B3BA492C24BA37004A32A4 /* BioAuthenticationSpec.swift in Sources */,
 				5C3D886B2DC2CCA200AACC34 /* PasskeyLoginChallenge.swift in Sources */,

Auth0/APICredentials.swift

@@ -0,0 +1,101 @@
+import Foundation
+
+private struct _A0APICredentials {
+    let accessToken: String
+    let tokenType: String
+    let expiresIn: Date
+    let scope: String
+}
+
+/// User's credentials obtained from Auth0 for a specific API as the result of exchanging a refresh token.
+public struct APICredentials: CustomStringConvertible {
+
+    /// Token that can be used to make authenticated requests to the API.
+    ///
+    /// ## See Also
+    ///
+    /// - [Access Tokens](https://auth0.com/docs/secure/tokens/access-tokens)
+    public let accessToken: String
+
+    /// Indicates how the access token should be used. For example, as a bearer token.
+    public let tokenType: String
+
+    /// When the access token expires.
+    public let expiresIn: Date
+
+    /// The scopes that have been granted by Auth0.
+    ///
+    /// ## See Also
+    ///
+    /// - [Scopes](https://auth0.com/docs/get-started/apis/scopes)
+    public let scope: String
+
+    /// Custom description that redacts the access token with `<REDACTED>`.
+    public var description: String {
+        let redacted = "<REDACTED>"
+        let values = _A0APICredentials(accessToken: redacted,
+                                       tokenType: self.tokenType,
+                                       expiresIn: self.expiresIn,
+                                       scope: self.scope)
+        return String(describing: values).replacingOccurrences(of: "_A0APICredentials", with: "APICredentials")
+    }
+
+    // MARK: - Initializer
+
+    /// Default initializer.
+    public init(accessToken: String,
+                tokenType: String,
+                expiresIn: Date,
+                scope: String) {
+        self.accessToken = accessToken
+        self.tokenType = tokenType
+        self.expiresIn = expiresIn
+        self.scope = scope
+    }
+}
+
+// MARK: - Codable
+
+extension APICredentials: Codable {
+
+    enum CodingKeys: String, CodingKey {
+        case accessToken = "access_token"
+        case tokenType = "token_type"
+        case expiresIn = "expires_in"
+        case scope
+    }
+
+    private static let jsonEncoder: JSONEncoder = {
+        let encoder = JSONEncoder()
+        encoder.dateEncodingStrategy = .secondsSince1970
+        return encoder
+    }()
+
+    private static let jsonDecoder: JSONDecoder = {
+        let decoder = JSONDecoder()
+        decoder.dateDecodingStrategy = .secondsSince1970
+        return decoder
+    }()
+
+    internal func encode() throws -> Data {
+        return try Self.jsonEncoder.encode(self)
+    }
+
+    internal init(from data: Data) throws {
+        self = try Self.jsonDecoder.decode(Self.self, from: data)
+    }
+
+}
+
+// MARK: - Internal Initializer
+
+extension APICredentials {
+
+    init(from credentials: Credentials) {
+        self.accessToken = credentials.accessToken
+        self.tokenType = credentials.tokenType
+        self.expiresIn = credentials.expiresIn
+        self.scope = credentials.scope ?? ""
+    }
+
+}

Auth0/Auth0Authentication.swift

@@ -418,19 +418,28 @@ struct Auth0Authentication: Authentication {
         ])
     }
 
-    func renew(withRefreshToken refreshToken: String, scope: String? = nil) -> Request<Credentials, AuthenticationError> {
+    func renew(withRefreshToken refreshToken: String, audience: String? = nil, scope: String? = nil) -> Request<Credentials, AuthenticationError> {
         var payload: [String: Any] = [
             "refresh_token": refreshToken,
             "grant_type": "refresh_token",
             "client_id": self.clientId
         ]
-        payload["scope"] = scope
         let oauthToken = URL(string: "oauth/token", relativeTo: self.url)!
+
+        if let audience = audience {
+            // Make sure to always include the 'openid' scope if we're trying to get a new set of credentials for an
+            // API like My Account API. This way, we'll always get an ID token, matching the existing login behavior.
+            payload["scope"] = includeRequiredScope(in: scope)
+            payload["audience"] = audience
+        } else {
+            payload["scope"] = scope
+        }
+
         return Request(session: session,
                        url: oauthToken,
                        method: "POST",
                        handle: codable,
-                       parameters: payload, // Initializer does not enforce 'openid' scope
+                       parameters: payload,
                        logger: self.logger,
                        telemetry: self.telemetry)
     }

Auth0/Authentication.swift

@@ -987,19 +987,22 @@ public protocol Authentication: Trackable, Loggable {
          }
      ```
 
-     You can get a downscoped access token by requesting fewer scopes than were originally requested on login:
+     You can request credentials for a specific API by passing its audience value. The default scopes configured for
+     the API will be granted if you don't request any specific scopes.
 
      ```swift
      Auth0
          .authentication()
          .renew(withRefreshToken: credentials.refreshToken,
-                scope: "openid offline_access")
+                audience: "http://example.com/api",
+                scope: "read:todos update:todos")
          .start { print($0) }
      ```
 
      - Parameters:
        - refreshToken: The refresh token.
-       - scope:        Space-separated list of scope values to request. Defaults to `nil`, which will ask for the same scopes that were originally requested on login.
+       - audience:     Identifier of the API that your application is requesting access to. Defaults to `nil`.
+       - scope:        Space-separated list of scope values to request. Defaults to `nil`.
      - Returns: A request that will yield Auth0 user's credentials.
 
      ## See Also
@@ -1008,7 +1011,7 @@ public protocol Authentication: Trackable, Loggable {
      - [Refresh Tokens](https://auth0.com/docs/secure/tokens/refresh-tokens)
      - <doc:RefreshTokens>
      */
-    func renew(withRefreshToken refreshToken: String, scope: String?) -> Request<Credentials, AuthenticationError>
+    func renew(withRefreshToken refreshToken: String, audience: String?, scope: String?) -> Request<Credentials, AuthenticationError>
 
     /**
      Revokes a user's refresh token by performing a request to the `/oauth/revoke` endpoint.
@@ -1153,8 +1156,8 @@ public extension Authentication {
         return self.startPasswordless(phoneNumber: phoneNumber, type: type, connection: connection)
     }
 
-    func renew(withRefreshToken refreshToken: String, scope: String? = nil) -> Request<Credentials, AuthenticationError> {
-        return self.renew(withRefreshToken: refreshToken, scope: scope)
+    func renew(withRefreshToken refreshToken: String, audience: String? = nil, scope: String? = nil) -> Request<Credentials, AuthenticationError> {
+        return self.renew(withRefreshToken: refreshToken, audience: audience, scope: scope)
     }
 
 }

Auth0/Credentials.swift

@@ -1,6 +1,6 @@
 import Foundation
 
-private struct _StructCredentials {
+private struct _A0Credentials {
     let accessToken: String
     let tokenType: String
     let idToken: String
@@ -72,14 +72,14 @@ public final class Credentials: NSObject, Sendable {
     /// Custom description that redacts the tokens with `<REDACTED>`.
     public override var description: String {
         let redacted = "<REDACTED>"
-        let values = _StructCredentials(accessToken: redacted,
-                                       tokenType: self.tokenType,
-                                       idToken: redacted,
-                                       refreshToken: (self.refreshToken != nil) ? redacted : nil,
-                                       expiresIn: self.expiresIn,
-                                       scope: self.scope,
-                                       recoveryCode: (self.recoveryCode != nil) ? redacted : nil)
-        return String(describing: values).replacingOccurrences(of: "_StructCredentials", with: "Credentials")
+        let values = _A0Credentials(accessToken: redacted,
+                                    tokenType: self.tokenType,
+                                    idToken: redacted,
+                                    refreshToken: (self.refreshToken != nil) ? redacted : nil,
+                                    expiresIn: self.expiresIn,
+                                    scope: self.scope,
+                                    recoveryCode: (self.recoveryCode != nil) ? redacted : nil)
+        return String(describing: values).replacingOccurrences(of: "_A0Credentials", with: "Credentials")
     }
 
     // MARK: - Initializer