feat: allow custom nonce in OIDAuthorizationRequest (#788)

vonovak · web-flow · commit 8b437c47f46d · 2023-10-18T11:11:59.000-07:00
diff --git a/Source/AppAuthCore/OIDAuthorizationRequest.h b/Source/AppAuthCore/OIDAuthorizationRequest.h
@@ -159,6 +159,29 @@ extern NSString *const OIDOAuthorizationRequestCodeChallengeMethodS256;
              responseType:(NSString *)responseType
      additionalParameters:(nullable NSDictionary<NSString *, NSString *> *)additionalParameters;
 
+/*! @brief Creates an authorization request with custom nonce, a secure @c state,
+        and PKCE with S256 as the @c code_challenge_method.
+    @param configuration The service's configuration.
+    @param clientID The client identifier.
+    @param scopes An array of scopes to combine into a single scope string per the OAuth2 spec.
+    @param redirectURL The client's redirect URI.
+    @param responseType The expected response type.
+    @param nonce String value used to associate a Client session with an ID Token. Can be set to nil
+        if not using OpenID Connect, although pure OAuth servers should ignore params they don't
+        understand anyway.
+    @param additionalParameters The client's additional authorization parameters.
+    @remarks This convenience initializer generates a state parameter and PKCE challenges
+        automatically.
+ */
+- (instancetype)
+    initWithConfiguration:(OIDServiceConfiguration *)configuration
+                 clientId:(NSString *)clientID
+                   scopes:(nullable NSArray<NSString *> *)scopes
+              redirectURL:(NSURL *)redirectURL
+             responseType:(NSString *)responseType
+                    nonce:(nullable NSString *)nonce
+     additionalParameters:(nullable NSDictionary<NSString *, NSString *> *)additionalParameters;
+
 /*! @brief Creates an authorization request with opinionated defaults (a secure @c state, @c nonce,
         and PKCE with S256 as the @c code_challenge_method).
     @param configuration The service's configuration.
diff --git a/Source/AppAuthCore/OIDAuthorizationRequest.m b/Source/AppAuthCore/OIDAuthorizationRequest.m
@@ -202,6 +202,32 @@ - (instancetype)initWithConfiguration:(OIDServiceConfiguration *)configuration
                 additionalParameters:additionalParameters];
 }
 
+- (instancetype)
+    initWithConfiguration:(OIDServiceConfiguration *)configuration
+                 clientId:(NSString *)clientID
+                   scopes:(nullable NSArray<NSString *> *)scopes
+              redirectURL:(NSURL *)redirectURL
+             responseType:(NSString *)responseType
+                    nonce:(nullable NSString *)nonce
+    additionalParameters:(nullable NSDictionary<NSString *, NSString *> *)additionalParameters {
+  // generates PKCE code verifier and challenge
+  NSString *codeVerifier = [[self class] generateCodeVerifier];
+  NSString *codeChallenge = [[self class] codeChallengeS256ForVerifier:codeVerifier];
+
+  return [self initWithConfiguration:configuration
+                            clientId:clientID
+                        clientSecret:nil
+                               scope:[OIDScopeUtilities scopesWithArray:scopes]
+                         redirectURL:redirectURL
+                        responseType:responseType
+                               state:[[self class] generateState]
+                               nonce:nonce
+                        codeVerifier:codeVerifier
+                       codeChallenge:codeChallenge
+                 codeChallengeMethod:OIDOAuthorizationRequestCodeChallengeMethodS256
+                additionalParameters:additionalParameters];
+}
+
 #pragma mark - NSCopying
 
 - (instancetype)copyWithZone:(nullable NSZone *)zone {
diff --git a/UnitTests/OIDAuthorizationRequestTests.m b/UnitTests/OIDAuthorizationRequestTests.m
@@ -223,6 +223,29 @@ - (void)testScopeInitializerWithManyScopesAndNoClientSecret {
                         kTestAdditionalParameterValue, @"");
 }
 
+
+/*! @brief Tests the initializer which takes a nonce
+ */
+- (void)testNonceInitializer {
+  OIDServiceConfiguration *configuration = [OIDServiceConfigurationTests testInstance];
+  OIDAuthorizationRequest *request =
+      [[OIDAuthorizationRequest alloc] initWithConfiguration:configuration
+                                                    clientId:kTestClientID
+                                                      scopes:@[]
+                                                 redirectURL:[NSURL URLWithString:kTestRedirectURL]
+                                                responseType:OIDResponseTypeCode
+                                                       nonce:kTestNonce
+                                        additionalParameters:nil];
+
+  XCTAssertEqualObjects(request.nonce, kTestNonce);
+  XCTAssertEqualObjects(request.responseType, @"code");
+  XCTAssertEqualObjects(request.scope, @"");
+  XCTAssertEqualObjects(request.clientID, kTestClientID);
+  XCTAssertNil(request.clientSecret);
+  XCTAssertEqualObjects(request.redirectURL, [NSURL URLWithString:kTestRedirectURL]);
+  XCTAssertEqualObjects(@(request.additionalParameters.count), @0);
+}
+
 - (void)testScopeInitializerWithManyScopesAndClientSecret {
   NSDictionary *additionalParameters =
       @{ kTestAdditionalParameterKey : kTestAdditionalParameterValue };
