Add OIDC nonce support (#4051)

Author: renkelvin

Example/Auth/Sample/MainViewController+Apple.h

@@ -0,0 +1,29 @@
+/*
+ * Copyright 2019 Google
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#import "MainViewController.h"
+
+#import "StaticContentTableViewManager.h"
+
+NS_ASSUME_NONNULL_BEGIN
+
+@interface MainViewController (Apple)
+
+- (StaticContentTableViewSection *)appleAuthSection;
+
+@end
+
+NS_ASSUME_NONNULL_END

Example/Auth/Sample/MainViewController+Apple.m

@@ -0,0 +1,129 @@
+/*
+ * Copyright 2019 Google
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#import "MainViewController+Apple.h"
+
+#import <AuthenticationServices/AuthenticationServices.h>
+
+#import "AppManager.h"
+#import "FirebaseAuth.h"
+#import "MainViewController+Internal.h"
+
+NS_ASSUME_NONNULL_BEGIN
+
+@interface MainViewController () <ASAuthorizationControllerDelegate, ASAuthorizationControllerPresentationContextProviding> {
+
+}
+
+@end
+
+@implementation MainViewController (Apple)
+
+- (StaticContentTableViewSection *)appleAuthSection API_AVAILABLE(ios(13.0)) {
+  __weak typeof(self) weakSelf = self;
+  return [StaticContentTableViewSection sectionWithTitle:@"Apple Auth" cells:@[
+    [StaticContentTableViewCell cellWithTitle:@"Sign in with Apple"
+                                       action:^{ [weakSelf signInWithApple]; }],
+    [StaticContentTableViewCell cellWithTitle:@"Link with Apple"
+                                       action:^{ [weakSelf linkWithApple]; }],
+    [StaticContentTableViewCell cellWithTitle:@"Unlink with Apple"
+                                       action:^{ [weakSelf unlinkFromProvider:@"apple.com" completion:nil]; }],
+    [StaticContentTableViewCell cellWithTitle:@"Reauthenticate with Apple"
+                                       action:^{ [weakSelf reauthenticateWithApple]; }],
+  ]];
+}
+
+- (void)signInWithApple API_AVAILABLE(ios(13.0)) {
+  ASAuthorizationAppleIDProvider* provider = [[ASAuthorizationAppleIDProvider alloc] init];
+  ASAuthorizationAppleIDRequest* request = [provider createRequest];
+  request.requestedScopes = @[ASAuthorizationScopeEmail, ASAuthorizationScopeFullName];
+  request.nonce = @"c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2";
+  request.state = @"signIn";
+
+  ASAuthorizationController* controller = [[ASAuthorizationController alloc] initWithAuthorizationRequests:@[request]];
+  controller.delegate = self;
+  controller.presentationContextProvider = self;
+  [controller performRequests];
+}
+
+- (void)linkWithApple API_AVAILABLE(ios(13.0)) {
+  ASAuthorizationAppleIDProvider* provider = [[ASAuthorizationAppleIDProvider alloc] init];
+  ASAuthorizationAppleIDRequest* request = [provider createRequest];
+  request.requestedScopes = @[ASAuthorizationScopeEmail, ASAuthorizationScopeFullName];
+  request.nonce = @"c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2";
+  request.state = @"link";
+
+  ASAuthorizationController* controller = [[ASAuthorizationController alloc] initWithAuthorizationRequests:@[request]];
+  controller.delegate = self;
+  controller.presentationContextProvider = self;
+  [controller performRequests];
+}
+
+- (void)reauthenticateWithApple API_AVAILABLE(ios(13.0)) {
+  ASAuthorizationAppleIDProvider* provider = [[ASAuthorizationAppleIDProvider alloc] init];
+  ASAuthorizationAppleIDRequest* request = [provider createRequest];
+  request.requestedScopes = @[ASAuthorizationScopeEmail, ASAuthorizationScopeFullName];
+  request.nonce = @"c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2";
+  request.state = @"reauth";
+
+  ASAuthorizationController* controller = [[ASAuthorizationController alloc] initWithAuthorizationRequests:@[request]];
+  controller.delegate = self;
+  controller.presentationContextProvider = self;
+  [controller performRequests];
+}
+
+- (void)authorizationController:(ASAuthorizationController *)controller didCompleteWithAuthorization:(ASAuthorization *)authorization API_AVAILABLE(ios(13.0)) {
+  ASAuthorizationAppleIDCredential* appleIDCredential = authorization.credential;
+  NSString *idToken = [NSString stringWithUTF8String:[appleIDCredential.identityToken bytes]];
+  FIROAuthCredential *credential = [FIROAuthProvider credentialWithProviderID:@"apple.com"
+                                                                      IDToken:idToken
+                                                                     rawNonce:@"foobar"
+                                                                  accessToken:nil];
+
+  if ([appleIDCredential.state isEqualToString:@"signIn"]) {
+    [FIRAuth.auth signInWithCredential:credential completion:^(FIRAuthDataResult * _Nullable authResult, NSError * _Nullable error) {
+      if (!error) {
+        NSLog(@"%@", authResult.description);
+      } else {
+        NSLog(@"%@", error.description);
+      }
+    }];
+  } else if ([appleIDCredential.state isEqualToString:@"link"]) {
+    [FIRAuth.auth.currentUser linkWithCredential:credential completion:^(FIRAuthDataResult * _Nullable authResult, NSError * _Nullable error) {
+      if (!error) {
+        NSLog(@"%@", authResult.description);
+      } else {
+        NSLog(@"%@", error.description);
+      }
+    }];
+  } else if ([appleIDCredential.state isEqualToString:@"reauth"]) {
+    [FIRAuth.auth.currentUser reauthenticateWithCredential:credential completion:^(FIRAuthDataResult * _Nullable authResult, NSError * _Nullable error) {
+      if (!error) {
+        NSLog(@"%@", authResult.description);
+      } else {
+        NSLog(@"%@", error.description);
+      }
+    }];
+  }
+}
+
+- (void)authorizationController:(ASAuthorizationController *)controller didCompleteWithError:(NSError *)error API_AVAILABLE(ios(13.0)) {
+  NSLog(@"%@", error.description);
+}
+
+@end
+
+NS_ASSUME_NONNULL_END

Example/Auth/Sample/MainViewController.m

@@ -16,6 +16,7 @@
 
 #import "MainViewController.h"
 #import "MainViewController+App.h"
+#import "MainViewController+Apple.h"
 #import "MainViewController+Auth.h"
 #import "MainViewController+AutoTests.h"
 #import "MainViewController+Custom.h"
@@ -244,6 +245,8 @@ - (void)updateTable {
       [weakSelf googleAuthSection],
       // Facebook Auth
       [weakSelf facebookAuthSection],
+      // Apple Auth
+      [weakSelf appleAuthSection],
       // OAuth
       [weakSelf oAuthSection],
       // Custom Auth

Example/Firebase.xcodeproj/project.pbxproj

@@ -117,6 +117,7 @@
 		40CC5510221B9B4700032423 /* CustomAuthTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 40CC5508221B9B4700032423 /* CustomAuthTests.m */; };
 		40CC5512221B9B4700032423 /* AnonymousAuthTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 40CC550A221B9B4700032423 /* AnonymousAuthTests.m */; };
 		40CC5513221B9B4700032423 /* FacebookAuthTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 40CC550B221B9B4700032423 /* FacebookAuthTests.m */; };
+		40DED7BE2350F60300768D88 /* MainViewController+Apple.m in Sources */ = {isa = PBXBuildFile; fileRef = 40DED7BD2350F60200768D88 /* MainViewController+Apple.m */; };
 		40EE3B822256B23200BE59CE /* MainViewController+GameCenter.m in Sources */ = {isa = PBXBuildFile; fileRef = 40EE3B812256B23200BE59CE /* MainViewController+GameCenter.m */; };
 		40EE3B862256B5A000BE59CE /* MainViewController+Phone.m in Sources */ = {isa = PBXBuildFile; fileRef = 40EE3B852256B5A000BE59CE /* MainViewController+Phone.m */; };
 		40EE3B892256B9A600BE59CE /* MainViewController+User.m in Sources */ = {isa = PBXBuildFile; fileRef = 40EE3B882256B9A600BE59CE /* MainViewController+User.m */; };
@@ -1082,6 +1083,8 @@
 		40CC550A221B9B4700032423 /* AnonymousAuthTests.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = AnonymousAuthTests.m; sourceTree = "<group>"; };
 		40CC550B221B9B4700032423 /* FacebookAuthTests.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = FacebookAuthTests.m; sourceTree = "<group>"; };
 		40CC550C221B9B4700032423 /* FIRAuthApiTestsBase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = FIRAuthApiTestsBase.h; sourceTree = "<group>"; };
+		40DED7BC2350F60200768D88 /* MainViewController+Apple.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "MainViewController+Apple.h"; sourceTree = "<group>"; };
+		40DED7BD2350F60200768D88 /* MainViewController+Apple.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "MainViewController+Apple.m"; sourceTree = "<group>"; };
 		40EE3B802256B23200BE59CE /* MainViewController+GameCenter.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "MainViewController+GameCenter.h"; sourceTree = "<group>"; };
 		40EE3B812256B23200BE59CE /* MainViewController+GameCenter.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "MainViewController+GameCenter.m"; sourceTree = "<group>"; };
 		40EE3B832256B39800BE59CE /* MainViewController+Internal.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "MainViewController+Internal.h"; sourceTree = "<group>"; };
@@ -2303,6 +2306,8 @@
 				DE26D1E81F70333E004AE1D3 /* MainViewController.xib */,
 				40EE3B8D2256C0AD00BE59CE /* MainViewController+App.h */,
 				40EE3B8E2256C0AD00BE59CE /* MainViewController+App.m */,
+				40DED7BC2350F60200768D88 /* MainViewController+Apple.h */,
+				40DED7BD2350F60200768D88 /* MainViewController+Apple.m */,
 				40EE3BA22256C8DD00BE59CE /* MainViewController+Auth.h */,
 				40EE3BA32256C8DE00BE59CE /* MainViewController+Auth.m */,
 				40EE3B902256C2E800BE59CE /* MainViewController+AutoTests.h */,
@@ -4814,6 +4819,7 @@
 				DE26D24E1F7039BC004AE1D3 /* UIViewController+Alerts.m in Sources */,
 				DE26D24B1F7039BC004AE1D3 /* MainViewController.m in Sources */,
 				40EE3BA02256C77200BE59CE /* MainViewController+Custom.m in Sources */,
+				40DED7BE2350F60300768D88 /* MainViewController+Apple.m in Sources */,
 				40EE3B8C2256BBB200BE59CE /* MainViewController+OOB.m in Sources */,
 				DE26D24A1F7039BC004AE1D3 /* main.m in Sources */,
 				DE26D2481F7039BC004AE1D3 /* FacebookAuthProvider.m in Sources */,
@@ -6853,7 +6859,7 @@
 				DEBUG_INFORMATION_FORMAT = dwarf;
 				DEVELOPMENT_TEAM = 4ANB9W7R3P;
 				GCC_C_LANGUAGE_STANDARD = gnu11;
-				INFOPLIST_FILE = "$SRCROOT/DynamicLinks/FDLBuilderTestAppObjC/Info.plist";
+				INFOPLIST_FILE = $SRCROOT/DynamicLinks/FDLBuilderTestAppObjC/Info.plist;
 				IPHONEOS_DEPLOYMENT_TARGET = 11.4;
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks";
 				MTL_ENABLE_DEBUG_INFO = YES;
@@ -6887,7 +6893,7 @@
 				DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
 				DEVELOPMENT_TEAM = 4ANB9W7R3P;
 				GCC_C_LANGUAGE_STANDARD = gnu11;
-				INFOPLIST_FILE = "$SRCROOT/DynamicLinks/FDLBuilderTestAppObjC/Info.plist";
+				INFOPLIST_FILE = $SRCROOT/DynamicLinks/FDLBuilderTestAppObjC/Info.plist;
 				IPHONEOS_DEPLOYMENT_TARGET = 11.4;
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks";
 				MTL_ENABLE_DEBUG_INFO = NO;

Firebase/Auth/Source/AuthProvider/OAuth/FIROAuthCredential.m

@@ -26,6 +26,8 @@
 
 @interface FIROAuthCredential ()
 
+@property(nonatomic, nullable) NSString *rawNonce;
+
 - (nullable instancetype)initWithProvider:(NSString *)provider NS_UNAVAILABLE;
 
 @end
@@ -40,12 +42,14 @@ - (nullable instancetype)initWithProvider:(NSString *)provider {
 
 - (instancetype)initWithProviderID:(NSString *)providerID
                            IDToken:(nullable NSString *)IDToken
+                          rawNonce:(nullable NSString *)rawNonce
                        accessToken:(nullable NSString *)accessToken
                             secret:(nullable NSString *)secret
                       pendingToken:(nullable NSString *)pendingToken {
   self = [super initWithProvider:providerID];
   if (self) {
     _IDToken = IDToken;
+    _rawNonce = rawNonce;
     _accessToken = accessToken;
     _pendingToken = pendingToken;
     _secret = secret;
@@ -56,8 +60,12 @@ - (instancetype)initWithProviderID:(NSString *)providerID
 - (instancetype)initWithProviderID:(NSString *)providerID
                          sessionID:(NSString *)sessionID
             OAuthResponseURLString:(NSString *)OAuthResponseURLString {
-  self =
-      [self initWithProviderID:providerID IDToken:nil accessToken:nil secret:nil pendingToken:nil];
+  self = [self initWithProviderID:providerID
+                          IDToken:nil
+                         rawNonce:nil
+                      accessToken:nil
+                           secret:nil
+                     pendingToken:nil];
   if (self) {
     _OAuthResponseURLString = OAuthResponseURLString;
     _sessionID = sessionID;
@@ -71,6 +79,7 @@ - (nullable instancetype)initWithVerifyAssertionResponse:(FIRVerifyAssertionResp
       response.oauthSecretToken.length) {
     return [self initWithProviderID:response.providerID
                             IDToken:response.oauthIDToken
+                           rawNonce:nil
                         accessToken:response.oauthAccessToken
                              secret:response.oauthSecretToken
                        pendingToken:response.pendingToken];
@@ -80,6 +89,7 @@ - (nullable instancetype)initWithVerifyAssertionResponse:(FIRVerifyAssertionResp
 
 - (void)prepareVerifyAssertionRequest:(FIRVerifyAssertionRequest *)request {
   request.providerIDToken = _IDToken;
+  request.providerRawNonce = _rawNonce;
   request.providerAccessToken = _accessToken;
   request.requestURI = _OAuthResponseURLString;
   request.sessionID = _sessionID;
@@ -95,11 +105,13 @@ + (BOOL)supportsSecureCoding {
 
 - (nullable instancetype)initWithCoder:(NSCoder *)aDecoder {
   NSString *IDToken = [aDecoder decodeObjectOfClass:[NSString class] forKey:@"IDToken"];
+  NSString *rawNonce = [aDecoder decodeObjectOfClass:[NSString class] forKey:@"rawNonce"];
   NSString *accessToken = [aDecoder decodeObjectOfClass:[NSString class] forKey:@"accessToken"];
   NSString *pendingToken = [aDecoder decodeObjectOfClass:[NSString class] forKey:@"pendingToken"];
   NSString *secret = [aDecoder decodeObjectOfClass:[NSString class] forKey:@"secret"];
   self = [self initWithProviderID:self.provider
                           IDToken:IDToken
+                         rawNonce:rawNonce
                       accessToken:accessToken
                            secret:secret
                      pendingToken:pendingToken];
@@ -108,6 +120,7 @@ - (nullable instancetype)initWithCoder:(NSCoder *)aDecoder {
 
 - (void)encodeWithCoder:(NSCoder *)aCoder {
   [aCoder encodeObject:self.IDToken forKey:@"IDToken"];
+  [aCoder encodeObject:self.IDToken forKey:@"rawNonce"];
   [aCoder encodeObject:self.accessToken forKey:@"accessToken"];
   [aCoder encodeObject:self.pendingToken forKey:@"pendingToken"];
   [aCoder encodeObject:self.secret forKey:@"secret"];

Firebase/Auth/Source/AuthProvider/OAuth/FIROAuthCredential_Internal.h

@@ -46,12 +46,14 @@ NS_ASSUME_NONNULL_BEGIN
     @brief Designated initializer.
     @param providerID The provider ID associated with the credential being created.
     @param IDToken The ID Token associated with the credential being created.
+    @param rawNonce The raw nonce associated with the Auth credential being created.
     @param accessToken The access token associated with the credential being created.
     @param secret The secret associated with the credential being created.
     @param pendingToken The pending token associated with the credential being created.
  */
 - (instancetype)initWithProviderID:(NSString *)providerID
                            IDToken:(nullable NSString *)IDToken
+                          rawNonce:(nullable NSString *)rawNonce
                        accessToken:(nullable NSString *)accessToken
                             secret:(nullable NSString *)secret
                       pendingToken:(nullable NSString *)pendingToken NS_DESIGNATED_INITIALIZER;

Firebase/Auth/Source/AuthProvider/OAuth/FIROAuthProvider.m

@@ -71,6 +71,7 @@ + (FIROAuthCredential *)credentialWithProviderID:(NSString *)providerID
                                     accessToken:(nullable NSString *)accessToken {
   return [[FIROAuthCredential alloc] initWithProviderID:providerID
                                                 IDToken:IDToken
+                                               rawNonce:nil
                                             accessToken:accessToken
                                                  secret:nil
                                            pendingToken:nil];
@@ -80,11 +81,35 @@ + (FIROAuthCredential *)credentialWithProviderID:(NSString *)providerID
                                      accessToken:(NSString *)accessToken {
   return [[FIROAuthCredential alloc] initWithProviderID:providerID
                                                 IDToken:nil
+                                               rawNonce:nil
                                             accessToken:accessToken
                                                  secret:nil
                                            pendingToken:nil];
 }
 
++ (FIROAuthCredential *)credentialWithProviderID:(NSString *)providerID
+                                         IDToken:(NSString *)IDToken
+                                        rawNonce:(nullable NSString *)rawNonce
+                                     accessToken:(nullable NSString *)accessToken {
+  return [[FIROAuthCredential alloc] initWithProviderID:providerID
+                                                IDToken:IDToken
+                                               rawNonce:rawNonce
+                                            accessToken:accessToken
+                                                 secret:nil
+                                           pendingToken:nil];
+}
+
++ (FIROAuthCredential *)credentialWithProviderID:(NSString *)providerID
+                                         IDToken:(NSString *)IDToken
+                                        rawNonce:(nullable NSString *)rawNonce {
+  return [[FIROAuthCredential alloc] initWithProviderID:providerID
+                                                IDToken:IDToken
+                                               rawNonce:rawNonce
+                                            accessToken:nil
+                                                 secret:nil
+                                           pendingToken:nil];
+}
+
 + (instancetype)providerWithProviderID:(NSString *)providerID {
   return [[self alloc]initWithProviderID:providerID auth:[FIRAuth auth]];
 }

Firebase/Auth/Source/Backend/FIRAuthBackend.m

@@ -342,6 +342,11 @@
  */
 static NSString *const kSessionExpiredErrorMessage = @"SESSION_EXPIRED";
 
+/** @var kMissingOrInvalidNonceErrorMessage
+    @brief This is the error message the server will respond with if the nonce is missing or invalid.
+ */
+static NSString *const kMissingOrInvalidNonceErrorMessage = @"MISSING_OR_INVALID_NONCE";
+
 /** @var kMissingAppTokenErrorMessage
     @brief This is the error message the server will respond with if the APNS token is missing in a
         verifyClient request.
@@ -1176,6 +1181,10 @@ + (nullable NSError *)clientErrorWithServerErrorMessage:(NSString *)serverErrorM
     return [FIRAuthErrorUtils captchaCheckFailedErrorWithMessage:serverErrorMessage];
   }
 
+  if ([shortErrorMessage isEqualToString:kMissingOrInvalidNonceErrorMessage]) {
+    return [FIRAuthErrorUtils missingOrInvalidNonceErrorWithMessage:serverDetailErrorMessage];
+  }
+
   // In this case we handle an error that might be specified in the underlying errors dictionary,
   // the error message in determined based on the @c reason key in the dictionary.
   if (errorDictionary[kErrorsKey]) {