Represents an authorization request. More...
#import <OIDAuthorizationRequest.h>
Inheritance diagram for OIDAuthorizationRequest:
Instance Methods | |
| (instancetype) | - initWithConfiguration:clientId:scopes:redirectURL:responseType:additionalParameters: |
Creates an authorization request with opinionated defaults (a secure state, and PKCE with S256 as the code_challenge_method). More... | |
| (instancetype) | - initWithConfiguration:clientId:clientSecret:scopes:redirectURL:responseType:additionalParameters: |
Creates an authorization request with opinionated defaults (a secure state, nonce, and PKCE with S256 as the code_challenge_method). More... | |
| (instancetype) | - initWithConfiguration:clientId:clientSecret:scope:redirectURL:responseType:state:nonce:codeVerifier:codeChallenge:codeChallengeMethod:additionalParameters: |
| Designated initializer. More... | |
| (NSURL *) | - authorizationRequestURL |
| Constructs the request URI by adding the request parameters to the query component of the authorization endpoint URI using the "application/x-www-form-urlencoded" format. More... | |
 Instance Methods inherited from <OIDExternalUserAgentRequest> | |
| (NSURL *) | - externalUserAgentRequestURL |
| Method to create and return the complete request URL instance. More... | |
| (NSString *) | - redirectScheme |
| If this external user-agent request has a redirect URL, this should return its scheme. Since some external requests have optional callbacks (such as the end session endpoint), the return value of this method is nullable. More... | |
Class Methods | |
| (nullable NSString *) | + generateState |
| Generates an OAuth state param using a random source. More... | |
| (nullable NSString *) | + generateCodeVerifier |
| Constructs a PKCE-compliant code verifier. More... | |
| (nullable NSString *) | + codeChallengeS256ForVerifier: |
| Creates a PKCE S256 codeChallenge from the codeVerifier. More... | |
Properties | |
| OIDServiceConfiguration * | configuration |
| The service's configuration. More... | |
| NSString * | responseType |
| The expected response type. More... | |
| NSString * | clientID |
| The client identifier. More... | |
| NSString * | clientSecret |
| The client secret. More... | |
| NSString * | scope |
| The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings. More... | |
| NSURL * | redirectURL |
| The client's redirect URI. More... | |
| NSString * | state |
| An opaque value used by the client to maintain state between the request and callback. More... | |
| NSString * | nonce |
| String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be present in the nonce values used to prevent attackers from guessing values. More... | |
| NSString * | codeVerifier |
| The PKCE code verifier. More... | |
| NSString * | codeChallenge |
| The PKCE code challenge, derived from codeVerifier. More... | |
| NSString * | codeChallengeMethod |
The method used to compute the codeChallenge. More... | |
| NSDictionary< NSString *, NSString * > * | additionalParameters |
| The client's additional authorization parameters. More... | |
Detailed Description
Represents an authorization request.
Method Documentation
◆ authorizationRequestURL()
| - (NSURL *) authorizationRequestURL |
Constructs the request URI by adding the request parameters to the query component of the authorization endpoint URI using the "application/x-www-form-urlencoded" format.
- Returns
- A URL representing the authorization request.
◆ codeChallengeS256ForVerifier:()
| + (nullable NSString *) codeChallengeS256ForVerifier: | (nullable NSString *) | codeVerifier |
Creates a PKCE S256 codeChallenge from the codeVerifier.
- Parameters
-
codeVerifier The code verifier from which the code challenge will be derived.
- Returns
- The generated code challenge.
Generate a secure code verifier to pass into this method with generateCodeVerifier. The matching codeChallengeMethod for codeChallenges created by this method is OIDOAuthorizationRequestCodeChallengeMethodS256.
◆ generateCodeVerifier()
| + (nullable NSString *) generateCodeVerifier |
Constructs a PKCE-compliant code verifier.
- Returns
- The generated code verifier.
◆ generateState()
| + (nullable NSString *) generateState |
Generates an OAuth state param using a random source.
- Returns
- The generated state.
◆ initWithConfiguration:clientId:clientSecret:scope:redirectURL:responseType:state:nonce:codeVerifier:codeChallenge:codeChallengeMethod:additionalParameters:()
| - (instancetype) initWithConfiguration: | (OIDServiceConfiguration *) | configuration | |
| clientId: | (NSString *) | clientID | |
| clientSecret: | (nullable NSString *) | clientSecret | |
| scope: | (nullable NSString *) | scope | |
| redirectURL: | (nullable NSURL *) | redirectURL | |
| responseType: | (NSString *) | responseType | |
| state: | (nullable NSString *) | state | |
| nonce: | (nullable NSString *) | nonce | |
| codeVerifier: | (nullable NSString *) | codeVerifier | |
| codeChallenge: | (nullable NSString *) | codeChallenge | |
| codeChallengeMethod: | (nullable NSString *) | codeChallengeMethod | |
| additionalParameters: | (nullable NSDictionary< NSString *, NSString * > *) | NS_DESIGNATED_INITIALIZER | |
Designated initializer.
- Parameters
-
configuration The service's configuration. clientID The client identifier. scope A scope string per the OAuth2 spec (a space-delimited set of scopes). redirectURL The client's redirect URI. responseType The expected response type. state An opaque value used by the client to maintain state between the request and callback. nonce String value used to associate a Client session with an ID Token. Can be set to nil if not using OpenID Connect, although pure OAuth servers should ignore params they don't understand anyway. codeVerifier The PKCE code verifier. See generateCodeVerifier.codeChallenge The PKCE code challenge, calculated from the code verifier such as with codeChallengeS256ForVerifier:.codeChallengeMethod The PKCE code challenge method. OIDOAuthorizationRequestCodeChallengeMethodS256 when codeChallengeS256ForVerifier:is used to create the code challenge.additionalParameters The client's additional authorization parameters.
◆ initWithConfiguration:clientId:clientSecret:scopes:redirectURL:responseType:additionalParameters:()
| - (instancetype) initWithConfiguration: | (OIDServiceConfiguration *) | configuration | |
| clientId: | (NSString *) | clientID | |
| clientSecret: | (nullable NSString *) | clientSecret | |
| scopes: | (nullable NSArray< NSString * > *) | scopes | |
| redirectURL: | (NSURL *) | redirectURL | |
| responseType: | (NSString *) | responseType | |
| additionalParameters: | (nullable NSDictionary< NSString *, NSString * > *) | additionalParameters | |
Creates an authorization request with opinionated defaults (a secure state, nonce, and PKCE with S256 as the code_challenge_method).
- Parameters
-
configuration The service's configuration. clientID The client identifier. clientSecret The client secret. scopes An array of scopes to combine into a single scope string per the OAuth2 spec. redirectURL The client's redirect URI. responseType The expected response type. additionalParameters The client's additional authorization parameters.
- Remarks
- This convenience initializer generates a state parameter and PKCE challenges automatically.
◆ initWithConfiguration:clientId:scopes:redirectURL:responseType:additionalParameters:()
| - (instancetype) initWithConfiguration: | (OIDServiceConfiguration *) | configuration | |
| clientId: | (NSString *) | clientID | |
| scopes: | (nullable NSArray< NSString * > *) | scopes | |
| redirectURL: | (NSURL *) | redirectURL | |
| responseType: | (NSString *) | responseType | |
| additionalParameters: | (nullable NSDictionary< NSString *, NSString * > *) | additionalParameters | |
Creates an authorization request with opinionated defaults (a secure state, and PKCE with S256 as the code_challenge_method).
- Parameters
-
configuration The service's configuration. clientID The client identifier. scopes An array of scopes to combine into a single scope string per the OAuth2 spec. redirectURL The client's redirect URI. responseType The expected response type. additionalParameters The client's additional authorization parameters.
- Remarks
- This convenience initializer generates a state parameter and PKCE challenges automatically.
Property Documentation
◆ additionalParameters
|
readnonatomicassign |
The client's additional authorization parameters.
◆ clientID
|
readnonatomicassign |
◆ clientSecret
|
readnonatomicassign |
The client secret.
- Remarks
- client_secret @discussion The client secret is used to prove that identity of the client when exchaning an authorization code for an access token. The client secret is not passed in the authorizationRequestURL. It is only used when exchanging the authorization code for an access token.
◆ codeChallenge
|
readnonatomicassign |
The PKCE code challenge, derived from codeVerifier.
- Remarks
- code_challenge
◆ codeChallengeMethod
|
readnonatomicassign |
The method used to compute the codeChallenge.
- Remarks
- code_challenge_method
◆ codeVerifier
|
readnonatomicassign |
The PKCE code verifier.
- Remarks
- code_verifier @discussion The code verifier itself is not included in the authorization request that is sent on the wire, but needs to be in the token exchange request.
tokenExchangeRequest (OIDAuthorizationResponse)will create aOIDTokenRequestthat includes this parameter automatically.
◆ configuration
|
readnonatomicassign |
The service's configuration.
- Remarks
- This configuration specifies how to connect to a particular OAuth provider. Configurations may be created manually, or via an OpenID Connect Discovery Document.
◆ nonce
|
readnonatomicassign |
String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be present in the nonce values used to prevent attackers from guessing values.
- Remarks
- nonce @discussion If this value is not explicitly set, this library will automatically add nonce and perform appropriate validation of the nonce in the ID Token.
◆ redirectURL
|
readnonatomicassign |
The client's redirect URI.
- Remarks
- redirect_uri
◆ responseType
|
readnonatomicassign |
The expected response type.
- Remarks
- response_type @discussion Generally 'code' if pure OAuth, otherwise a space-delimited list of of response types including 'code', 'token', and 'id_token' for OpenID Connect.
◆ scope
|
readnonatomicassign |
The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings.
- Remarks
- scope
◆ state
|
readnonatomicassign |
An opaque value used by the client to maintain state between the request and callback.
- Remarks
- state @discussion If this value is not explicitly set, this library will automatically add state and perform appropriate validation of the state in the authorization response. It is recommended that the default implementation of this parameter be used wherever possible. Typically used to prevent CSRF attacks, as recommended in RFC6819 Section 5.3.5.
The documentation for this class was generated from the following file:
- Source/OIDAuthorizationRequest.h
