google
diff --git a/‎.github/workflows/unit_tests.yml‎
Lines changed: 2 additions & 3 deletions b/‎.github/workflows/unit_tests.yml‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎GoogleSignIn.podspec‎
Lines changed: 3 additions & 2 deletions b/‎GoogleSignIn.podspec‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎GoogleSignIn/Sources/GIDAppAuthFetcherAuthorizationWithEMMSupport.m‎
Lines changed: 0 additions & 129 deletions b/‎GoogleSignIn/Sources/GIDAppAuthFetcherAuthorizationWithEMMSupport.m‎
Lines changed: 0 additions & 129 deletions
diff --git a/‎GoogleSignIn/Sources/GIDAuthStateMigration.h‎
Lines changed: 10 additions & 4 deletions b/‎GoogleSignIn/Sources/GIDAuthStateMigration.h‎
Lines changed: 10 additions & 4 deletions
diff --git a/‎GoogleSignIn/Sources/GIDAuthStateMigration.m‎
Lines changed: 45 additions & 23 deletions b/‎GoogleSignIn/Sources/GIDAuthStateMigration.m‎
Lines changed: 45 additions & 23 deletions
diff --git a/‎GoogleSignIn/Sources/GIDEMMSupport.h‎
Lines changed: 9 additions & 5 deletions b/‎GoogleSignIn/Sources/GIDEMMSupport.h‎
Lines changed: 9 additions & 5 deletions
diff --git a/‎GoogleSignIn/Sources/GIDEMMSupport.m‎
Lines changed: 34 additions & 0 deletions b/‎GoogleSignIn/Sources/GIDEMMSupport.m‎
Lines changed: 34 additions & 0 deletions
@@ -17,8 +17,7 @@ jobs:
         os: [macos-12]
         podspec: [GoogleSignIn.podspec, GoogleSignInSwiftSupport.podspec]
         flag: [
-          "", 
-          "--use-libraries", 
+          "",
           "--use-static-frameworks"
         ]
         include:
@@ -33,7 +32,7 @@ jobs:
     - name: Lint podspec using local source
       run: |
         pod lib lint ${{ matrix.podspec }} --verbose \
-           ${{ matrix.includePodspecFlag }}  ${{ matrix.flag }}
+           ${{ matrix.includePodspecFlag }} ${{ matrix.flag }}
 
   spm-build-test:
     runs-on: ${{ matrix.os }}
 
@@ -12,6 +12,7 @@ The Google Sign-In SDK allows users to sign in with their Google account from th
     :git => 'https://github.com/google/GoogleSignIn-iOS.git',
     :tag => s.version.to_s
   }
+  s.swift_version = '4.0'
   ios_deployment_target = '10.0'
   osx_deployment_target = '10.15'
   s.ios.deployment_target = ios_deployment_target
@@ -32,8 +33,8 @@ The Google Sign-In SDK allows users to sign in with their Google account from th
   ]
   s.ios.framework = 'UIKit'
   s.osx.framework = 'AppKit'
-  s.dependency 'AppAuth', '~> 1.5'
-  s.dependency 'GTMAppAuth', '>= 1.3', '< 3.0'
+  s.dependency 'AppAuth', '~> 1.6'
+  s.dependency 'GTMAppAuth', '~> 4.0'
   s.dependency 'GTMSessionFetcher/Core', '>= 1.1', '< 4.0'
   s.resource_bundle = {
     'GoogleSignIn' => ['GoogleSignIn/Sources/{Resources,Strings}/*']
 
@@ -16,14 +16,20 @@
 
 #import <Foundation/Foundation.h>
 
+@class GTMKeychainStore;
+@class GTMAuthSession;
+
 NS_ASSUME_NONNULL_BEGIN
 
-// A class providing migration support for auth state saved by older versions of the SDK.
+/// A class providing migration support for auth state saved by older versions of the SDK.
 @interface GIDAuthStateMigration : NSObject
 
-// Perform a one-time migration for auth state saved by GPPSignIn 1.x or GIDSignIn 1.0 - 4.x to the
-// GTMAppAuth storage introduced in GIDSignIn 5.0.
-+ (void)migrateIfNeededWithTokenURL:(NSURL *)tokenURL
+/// Creates an instance of this migration type with the keychain storage wrapper it will use.
+- (instancetype)initWithKeychainStore:(GTMKeychainStore *)keychainStore NS_DESIGNATED_INITIALIZER;
+
+/// Perform a one-time migration for auth state saved by GPPSignIn 1.x or GIDSignIn 1.0 - 4.x to the
+/// GTMAppAuth storage introduced in GIDSignIn 5.0.
+- (void)migrateIfNeededWithTokenURL:(NSURL *)tokenURL
                        callbackPath:(NSString *)callbackPath
                        keychainName:(NSString *)keychainName
                      isFreshInstall:(BOOL)isFreshInstall;
 
@@ -16,13 +16,12 @@
 
 #import "GoogleSignIn/Sources/GIDSignInCallbackSchemes.h"
 
+@import GTMAppAuth;
+
 #ifdef SWIFT_PACKAGE
 @import AppAuth;
-@import GTMAppAuth;
 #else
 #import <AppAuth/AppAuth.h>
-#import <GTMAppAuth/GTMAppAuth.h>
-#import <GTMAppAuth/GTMKeychain.h>
 #endif
 
 NS_ASSUME_NONNULL_BEGIN
@@ -39,9 +38,28 @@
 // Keychain service name used to store the last used fingerprint value.
 static NSString *const kFingerprintService = @"fingerprint";
 
+@interface GIDAuthStateMigration ()
+
+@property (nonatomic, strong) GTMKeychainStore *keychainStore;
+
+@end
+
 @implementation GIDAuthStateMigration
 
-+ (void)migrateIfNeededWithTokenURL:(NSURL *)tokenURL
+- (instancetype)initWithKeychainStore:(GTMKeychainStore *)keychainStore {
+  self = [super init];
+  if (self) {
+    _keychainStore = keychainStore;
+  }
+  return self;
+}
+
+- (instancetype)init {
+  GTMKeychainStore *keychainStore = [[GTMKeychainStore alloc] initWithItemName:@"auth"];
+  return [self initWithKeychainStore:keychainStore];
+}
+
+- (void)migrateIfNeededWithTokenURL:(NSURL *)tokenURL
                        callbackPath:(NSString *)callbackPath
                        keychainName:(NSString *)keychainName
                      isFreshInstall:(BOOL)isFreshInstall {
@@ -55,14 +73,15 @@ + (void)migrateIfNeededWithTokenURL:(NSURL *)tokenURL
   // action and go on to mark the migration check as having been performed.
   if (!isFreshInstall) {
     // Attempt migration
-    GTMAppAuthFetcherAuthorization *authorization =
-        [self extractAuthorizationWithTokenURL:tokenURL callbackPath:callbackPath];
+    GTMAuthSession *authSession =
+        [self extractAuthSessionWithTokenURL:tokenURL callbackPath:callbackPath];
 
     // If migration was successful, save our migrated state to the keychain.
-    if (authorization) {
+    if (authSession) {
+      NSError *err;
+      [self.keychainStore saveAuthSession:authSession error:&err];
       // If we're unable to save to the keychain, return without marking migration performed.
-      if (![GTMAppAuthFetcherAuthorization saveAuthorization:authorization
-                                           toKeychainForName:keychainName]) {
+      if (err) {
         return;
       };
     }
@@ -72,19 +91,21 @@ + (void)migrateIfNeededWithTokenURL:(NSURL *)tokenURL
   [defaults setBool:YES forKey:kMigrationCheckPerformedKey];
 }
 
-// Returns a |GTMAppAuthFetcherAuthorization| object containing any old auth state or |nil| if none
+// Returns a |GTMAuthSession| object containing any old auth state or |nil| if none
 // was found or the migration failed.
-+ (nullable GTMAppAuthFetcherAuthorization *)
-    extractAuthorizationWithTokenURL:(NSURL *)tokenURL callbackPath:(NSString *)callbackPath {
+- (nullable GTMAuthSession *)extractAuthSessionWithTokenURL:(NSURL *)tokenURL
+                                               callbackPath:(NSString *)callbackPath {
   // Retrieve the last used fingerprint.
   NSString *fingerprint = [GIDAuthStateMigration passwordForService:kFingerprintService];
   if (!fingerprint) {
     return nil;
   }
 
   // Retrieve the GTMOAuth2 persistence string.
-  NSString *GTMOAuth2PersistenceString = [GTMKeychain passwordFromKeychainForName:fingerprint];
-  if (!GTMOAuth2PersistenceString) {
+  NSError *passwordError;
+  NSString *GTMOAuth2PersistenceString =
+      [self.keychainStore.keychainHelper passwordForService:fingerprint error:&passwordError];
+  if (passwordError) {
     return nil;
   }
 
@@ -126,16 +147,17 @@ + (void)migrateIfNeededWithTokenURL:(NSURL *)tokenURL
                          additionalTokenRequestParameters];
   }
 
-  // Use |GTMOAuth2KeychainCompatibility| to generate a |GTMAppAuthFetcherAuthorization| from the
+  // Use |GTMOAuth2Compatibility| to generate a |GTMAuthSession| from the
   // persistence string, redirect URI, client ID, and token endpoint URL.
-  GTMAppAuthFetcherAuthorization *authorization = [GTMOAuth2KeychainCompatibility
-      authorizeFromPersistenceString:persistenceString
-                            tokenURL:tokenURL
-                         redirectURI:redirectURI
-                            clientID:clientID
-                        clientSecret:nil];
-
-  return authorization;
+  GTMAuthSession *authSession =
+      [GTMOAuth2Compatibility authSessionForPersistenceString:persistenceString
+                                                     tokenURL:tokenURL
+                                                  redirectURI:redirectURI
+                                                     clientID:clientID
+                                                 clientSecret:nil
+                                                        error:nil];
+
+  return authSession;
 }
 
 // Returns the password string for a given service string stored by an old version of the SDK or
 
@@ -20,19 +20,23 @@
 
 #import <Foundation/Foundation.h>
 
+@import GTMAppAuth;
+
 NS_ASSUME_NONNULL_BEGIN
 
-// A class to support EMM (Enterprise Mobility Management).
-@interface GIDEMMSupport : NSObject
+/// A class to support EMM (Enterprise Mobility Management).
+@interface GIDEMMSupport : NSObject<GTMAuthSessionDelegate>
+
+- (instancetype)init NS_DESIGNATED_INITIALIZER;
 
-// Handles potential EMM error from token fetch response.
+/// Handles potential EMM error from token fetch response.
 + (void)handleTokenFetchEMMError:(nullable NSError *)error
                       completion:(void (^)(NSError *_Nullable))completion;
 
-// Gets a new set of URL parameters that contains updated EMM-related URL parameters if needed.
+/// Gets a new set of URL parameters that contains updated EMM-related URL parameters if needed.
 + (NSDictionary *)updatedEMMParametersWithParameters:(NSDictionary *)parameters;
 
-// Gets a new set of URL parameters that also contains EMM-related URL parameters if needed.
+/// Gets a new set of URL parameters that also contains EMM-related URL parameters if needed.
 + (NSDictionary *)parametersWithParameters:(NSDictionary *)parameters
                                 emmSupport:(nullable NSString *)emmSupport
                     isPasscodeInfoRequired:(BOOL)isPasscodeInfoRequired;
 
@@ -44,8 +44,26 @@
 // New UIDevice system name for iOS.
 static NSString *const kNewIOSSystemName = @"iOS";
 
+// The error key in the server response.
+static NSString *const kErrorKey = @"error";
+
+// Optional separator between error prefix and the payload.
+static NSString *const kErrorPayloadSeparator = @":";
+
+// A list for recognized error codes.
+typedef NS_ENUM(NSInteger, ErrorCode) {
+  ErrorCodeNone = 0,
+  ErrorCodeDeviceNotCompliant,
+  ErrorCodeScreenlockRequired,
+  ErrorCodeAppVerificationRequired,
+};
+
 @implementation GIDEMMSupport
 
+- (instancetype)init {
+  return [super init];
+}
+
 + (void)handleTokenFetchEMMError:(nullable NSError *)error
                       completion:(void (^)(NSError *_Nullable))completion {
   NSDictionary *errorJSON = error.userInfo[OIDOAuthErrorResponseErrorKey];
@@ -94,6 +112,22 @@ + (NSDictionary *)parametersWithParameters:(NSDictionary *)parameters
   return allParameters;
 }
 
+#pragma mark - GTMAuthSessionDelegate
+
+- (nullable NSDictionary<NSString *,NSString *> *)
+additionalTokenRefreshParametersForAuthSession:(GTMAuthSession *)authSession {
+  return [GIDEMMSupport updatedEMMParametersWithParameters:
+          authSession.authState.lastTokenResponse.additionalParameters];
+}
+
+- (void)updateErrorForAuthSession:(GTMAuthSession *)authSession
+                    originalError:(NSError *)originalError
+                       completion:(void (^)(NSError * _Nullable))completion {
+  [GIDEMMSupport handleTokenFetchEMMError:originalError completion:^(NSError *_Nullable error) {
+    completion(error);
+  }];
+}
+
 @end
 
 NS_ASSUME_NONNULL_END