Skip to content

Commit

Permalink
Added ID Token parsing.
Browse files Browse the repository at this point in the history
– The 5 required fields are exposes as params.
– Token exchange now validates the ID Token iss, aud, and iat claims.
  • Loading branch information
WilliamDenniss committed Mar 26, 2017
1 parent 294b992 commit beb4b67
Show file tree
Hide file tree
Showing 9 changed files with 386 additions and 2 deletions.
28 changes: 28 additions & 0 deletions AppAuth.xcodeproj/project.pbxproj
Original file line number Diff line number Diff line change
Expand Up @@ -360,6 +360,18 @@
347424101E7F4BA000D3E6D6 /* OIDTokenResponse.m in Sources */ = {isa = PBXBuildFile; fileRef = 341741D41C5D8243000EF209 /* OIDTokenResponse.m */; };
347424111E7F4BA000D3E6D6 /* OIDTokenUtilities.m in Sources */ = {isa = PBXBuildFile; fileRef = 341741D61C5D8243000EF209 /* OIDTokenUtilities.m */; };
347424121E7F4BA000D3E6D6 /* OIDURLQueryComponent.m in Sources */ = {isa = PBXBuildFile; fileRef = 341741D81C5D8243000EF209 /* OIDURLQueryComponent.m */; };
34A663291E871DD40060B664 /* OIDIDToken.h in Headers */ = {isa = PBXBuildFile; fileRef = 34A663261E871DD40060B664 /* OIDIDToken.h */; settings = {ATTRIBUTES = (Public, ); }; };
34A6632A1E871DD40060B664 /* OIDIDToken.h in Headers */ = {isa = PBXBuildFile; fileRef = 34A663261E871DD40060B664 /* OIDIDToken.h */; settings = {ATTRIBUTES = (Public, ); }; };
34A6632B1E871DD40060B664 /* OIDIDToken.h in Headers */ = {isa = PBXBuildFile; fileRef = 34A663261E871DD40060B664 /* OIDIDToken.h */; settings = {ATTRIBUTES = (Public, ); }; };
34A6632C1E871DD40060B664 /* OIDIDToken.h in Headers */ = {isa = PBXBuildFile; fileRef = 34A663261E871DD40060B664 /* OIDIDToken.h */; settings = {ATTRIBUTES = (Public, ); }; };
34A6632D1E871DD40060B664 /* OIDIDToken.m in Sources */ = {isa = PBXBuildFile; fileRef = 34A663271E871DD40060B664 /* OIDIDToken.m */; };
34A6632E1E871DD40060B664 /* OIDIDToken.m in Sources */ = {isa = PBXBuildFile; fileRef = 34A663271E871DD40060B664 /* OIDIDToken.m */; };
34A6632F1E871DD40060B664 /* OIDIDToken.m in Sources */ = {isa = PBXBuildFile; fileRef = 34A663271E871DD40060B664 /* OIDIDToken.m */; };
34A663301E871DD40060B664 /* OIDIDToken.m in Sources */ = {isa = PBXBuildFile; fileRef = 34A663271E871DD40060B664 /* OIDIDToken.m */; };
34A663311E871DD40060B664 /* OIDIDToken.m in Sources */ = {isa = PBXBuildFile; fileRef = 34A663271E871DD40060B664 /* OIDIDToken.m */; };
34A663321E871DD40060B664 /* OIDIDToken.m in Sources */ = {isa = PBXBuildFile; fileRef = 34A663271E871DD40060B664 /* OIDIDToken.m */; };
34A663331E871DD40060B664 /* OIDIDToken.m in Sources */ = {isa = PBXBuildFile; fileRef = 34A663271E871DD40060B664 /* OIDIDToken.m */; };
34A663341E871DD40060B664 /* OIDIDToken.m in Sources */ = {isa = PBXBuildFile; fileRef = 34A663271E871DD40060B664 /* OIDIDToken.m */; };
34D5EC451E6D1AD900814354 /* OIDSwiftTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 34D5EC441E6D1AD900814354 /* OIDSwiftTests.swift */; };
34FEA6AE1DB6E083005C9212 /* OIDLoopbackHTTPServer.h in Headers */ = {isa = PBXBuildFile; fileRef = 34FEA6AC1DB6E083005C9212 /* OIDLoopbackHTTPServer.h */; };
34FEA6AF1DB6E083005C9212 /* OIDLoopbackHTTPServer.m in Sources */ = {isa = PBXBuildFile; fileRef = 34FEA6AD1DB6E083005C9212 /* OIDLoopbackHTTPServer.m */; };
Expand Down Expand Up @@ -531,6 +543,8 @@
343AAAC21E8348A900F9D36E /* AppAuth.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = AppAuth.framework; sourceTree = BUILT_PRODUCTS_DIR; };
343AAACA1E8348AA00F9D36E /* AppAuth_macOSTests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = AppAuth_macOSTests.xctest; sourceTree = BUILT_PRODUCTS_DIR; };
347423F61E7F4B5600D3E6D6 /* libAppAuth-watchOS.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = "libAppAuth-watchOS.a"; sourceTree = BUILT_PRODUCTS_DIR; };
34A663261E871DD40060B664 /* OIDIDToken.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = OIDIDToken.h; sourceTree = "<group>"; };
34A663271E871DD40060B664 /* OIDIDToken.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = OIDIDToken.m; sourceTree = "<group>"; };
34D5EC431E6D1AD900814354 /* OIDAppAuthTests-Bridging-Header.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "OIDAppAuthTests-Bridging-Header.h"; sourceTree = "<group>"; };
34D5EC441E6D1AD900814354 /* OIDSwiftTests.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = OIDSwiftTests.swift; sourceTree = "<group>"; };
34FEA6AC1DB6E083005C9212 /* OIDLoopbackHTTPServer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = OIDLoopbackHTTPServer.h; sourceTree = "<group>"; };
Expand Down Expand Up @@ -744,6 +758,8 @@
60140F7B1DE42E1000DA0DC3 /* OIDRegistrationRequest.m */,
341741C51C5D8243000EF209 /* OIDGrantTypes.h */,
341741C61C5D8243000EF209 /* OIDGrantTypes.m */,
34A663261E871DD40060B664 /* OIDIDToken.h */,
34A663271E871DD40060B664 /* OIDIDToken.m */,
341741C71C5D8243000EF209 /* OIDResponseTypes.h */,
341741C81C5D8243000EF209 /* OIDResponseTypes.m */,
341741C91C5D8243000EF209 /* OIDScopes.h */,
Expand Down Expand Up @@ -861,6 +877,7 @@
343AAAE81E83499000F9D36E /* OIDAuthStateChangeDelegate.h in Headers */,
343AAA6B1E83465500F9D36E /* AppAuth.h in Headers */,
343AAA6E1E83466B00F9D36E /* OIDAuthorizationUICoordinatorIOS.h in Headers */,
34A663291E871DD40060B664 /* OIDIDToken.h in Headers */,
343AAAF21E83499000F9D36E /* OIDResponseTypes.h in Headers */,
343AAAF71E83499000F9D36E /* OIDTokenRequest.h in Headers */,
343AAAF41E83499000F9D36E /* OIDScopeUtilities.h in Headers */,
Expand Down Expand Up @@ -901,6 +918,7 @@
343AAB9B1E834A8800F9D36E /* AppAuth.h in Headers */,
343AAB001E83499100F9D36E /* OIDAuthStateChangeDelegate.h in Headers */,
343AAB081E83499100F9D36E /* OIDRegistrationRequest.h in Headers */,
34A6632A1E871DD40060B664 /* OIDIDToken.h in Headers */,
343AAB101E83499100F9D36E /* OIDTokenResponse.h in Headers */,
343AAAFC1E83499100F9D36E /* OIDAuthorizationResponse.h in Headers */,
343AAB0C1E83499100F9D36E /* OIDScopeUtilities.h in Headers */,
Expand Down Expand Up @@ -929,6 +947,7 @@
343AAB9C1E834A8900F9D36E /* AppAuth.h in Headers */,
343AAB181E83499200F9D36E /* OIDAuthStateChangeDelegate.h in Headers */,
343AAB201E83499200F9D36E /* OIDRegistrationRequest.h in Headers */,
34A6632B1E871DD40060B664 /* OIDIDToken.h in Headers */,
343AAB281E83499200F9D36E /* OIDTokenResponse.h in Headers */,
343AAB141E83499200F9D36E /* OIDAuthorizationResponse.h in Headers */,
343AAB241E83499200F9D36E /* OIDScopeUtilities.h in Headers */,
Expand Down Expand Up @@ -964,6 +983,7 @@
343AAB311E83499200F9D36E /* OIDAuthStateErrorDelegate.h in Headers */,
343AAB2F1E83499200F9D36E /* OIDAuthState.h in Headers */,
343AAB3E1E83499200F9D36E /* OIDServiceDiscovery.h in Headers */,
34A6632C1E871DD40060B664 /* OIDIDToken.h in Headers */,
343AAADE1E83494400F9D36E /* OIDAuthorizationService+Mac.h in Headers */,
343AAB2E1E83499200F9D36E /* OIDAuthorizationUICoordinator.h in Headers */,
343AAB301E83499200F9D36E /* OIDAuthStateChangeDelegate.h in Headers */,
Expand Down Expand Up @@ -1417,6 +1437,7 @@
340DAE581D5821A100EC285B /* OIDAuthorizationUICoordinatorMac.m in Sources */,
340DAE5A1D5821AB00EC285B /* OIDAuthorizationRequest.m in Sources */,
347423E41E7F3C4000D3E6D6 /* OIDAuthorizationResponse.m in Sources */,
34A6632E1E871DD40060B664 /* OIDIDToken.m in Sources */,
340DAE591D5821A100EC285B /* OIDAuthState+Mac.m in Sources */,
341310D01E6F944B00D5DEE5 /* OIDURLQueryComponent.m in Sources */,
341310C81E6F944B00D5DEE5 /* OIDResponseTypes.m in Sources */,
Expand All @@ -1429,6 +1450,7 @@
buildActionMask = 2147483647;
files = (
341741E01C5D8243000EF209 /* OIDErrorUtilities.m in Sources */,
34A6632D1E871DD40060B664 /* OIDIDToken.m in Sources */,
341741EA1C5D8243000EF209 /* OIDTokenUtilities.m in Sources */,
341741E21C5D8243000EF209 /* OIDGrantTypes.m in Sources */,
60140F7C1DE42E1000DA0DC3 /* OIDRegistrationRequest.m in Sources */,
Expand Down Expand Up @@ -1527,6 +1549,7 @@
341310D71E6F944D00D5DEE5 /* OIDRegistrationRequest.m in Sources */,
341310DD1E6F944D00D5DEE5 /* OIDServiceDiscovery.m in Sources */,
341E70991DE18796004353C1 /* OIDAuthorizationResponse.m in Sources */,
34A6632F1E871DD40060B664 /* OIDIDToken.m in Sources */,
341310DB1E6F944D00D5DEE5 /* OIDScopeUtilities.m in Sources */,
341310D61E6F944D00D5DEE5 /* OIDRegistrationResponse.m in Sources */,
341310D31E6F944D00D5DEE5 /* OIDError.m in Sources */,
Expand All @@ -1548,6 +1571,7 @@
buildActionMask = 2147483647;
files = (
343AAA881E83478900F9D36E /* OIDFieldMapping.m in Sources */,
34A663311E871DD40060B664 /* OIDIDToken.m in Sources */,
343AAA841E83478900F9D36E /* OIDAuthState.m in Sources */,
343AAA701E83467D00F9D36E /* OIDAuthState+IOS.m in Sources */,
343AAA921E83478900F9D36E /* OIDTokenResponse.m in Sources */,
Expand Down Expand Up @@ -1605,6 +1629,7 @@
343AAB741E8349B000F9D36E /* OIDRegistrationRequest.m in Sources */,
343AAB7A1E8349B000F9D36E /* OIDServiceDiscovery.m in Sources */,
343AAB6C1E8349B000F9D36E /* OIDAuthorizationResponse.m in Sources */,
34A663321E871DD40060B664 /* OIDIDToken.m in Sources */,
343AAB781E8349B000F9D36E /* OIDScopeUtilities.m in Sources */,
343AAB731E8349B000F9D36E /* OIDRegistrationResponse.m in Sources */,
343AAB701E8349B000F9D36E /* OIDError.m in Sources */,
Expand Down Expand Up @@ -1632,6 +1657,7 @@
343AAB601E8349B000F9D36E /* OIDRegistrationRequest.m in Sources */,
343AAB661E8349B000F9D36E /* OIDServiceDiscovery.m in Sources */,
343AAB581E8349B000F9D36E /* OIDAuthorizationResponse.m in Sources */,
34A663331E871DD40060B664 /* OIDIDToken.m in Sources */,
343AAB641E8349B000F9D36E /* OIDScopeUtilities.m in Sources */,
343AAB5F1E8349B000F9D36E /* OIDRegistrationResponse.m in Sources */,
343AAB5C1E8349B000F9D36E /* OIDError.m in Sources */,
Expand Down Expand Up @@ -1694,6 +1720,7 @@
343AAB491E8349AF00F9D36E /* OIDErrorUtilities.m in Sources */,
343AAADB1E83493D00F9D36E /* OIDAuthorizationUICoordinatorMac.m in Sources */,
343AAB471E8349AF00F9D36E /* OIDClientMetadataParameters.m in Sources */,
34A663341E871DD40060B664 /* OIDIDToken.m in Sources */,
343AAB461E8349AF00F9D36E /* OIDAuthState.m in Sources */,
343AAB561E8349AF00F9D36E /* OIDURLQueryComponent.m in Sources */,
343AAB4E1E8349AF00F9D36E /* OIDResponseTypes.m in Sources */,
Expand Down Expand Up @@ -1733,6 +1760,7 @@
347424081E7F4BA000D3E6D6 /* OIDRegistrationRequest.m in Sources */,
3474240E1E7F4BA000D3E6D6 /* OIDServiceDiscovery.m in Sources */,
347424001E7F4BA000D3E6D6 /* OIDAuthorizationResponse.m in Sources */,
34A663301E871DD40060B664 /* OIDIDToken.m in Sources */,
3474240C1E7F4BA000D3E6D6 /* OIDScopeUtilities.m in Sources */,
347424071E7F4BA000D3E6D6 /* OIDRegistrationResponse.m in Sources */,
347424041E7F4BA000D3E6D6 /* OIDError.m in Sources */,
Expand Down
1 change: 1 addition & 0 deletions Source/AppAuth.h
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@
#import "OIDError.h"
#import "OIDErrorUtilities.h"
#import "OIDGrantTypes.h"
#import "OIDIDToken.h"
#import "OIDRegistrationRequest.h"
#import "OIDRegistrationResponse.h"
#import "OIDResponseTypes.h"
Expand Down
1 change: 1 addition & 0 deletions Source/Framework/AppAuth.h
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ FOUNDATION_EXPORT const unsigned char AppAuthVersionString[];
#import <AppAuth/OIDError.h>
#import <AppAuth/OIDErrorUtilities.h>
#import <AppAuth/OIDGrantTypes.h>
#import <AppAuth/OIDIDToken.h>
#import <AppAuth/OIDRegistrationRequest.h>
#import <AppAuth/OIDRegistrationResponse.h>
#import <AppAuth/OIDResponseTypes.h>
Expand Down
64 changes: 64 additions & 0 deletions Source/OIDAuthorizationService.m
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
#import "OIDAuthorizationUICoordinator.h"
#import "OIDDefines.h"
#import "OIDErrorUtilities.h"
#import "OIDIDToken.h"
#import "OIDRegistrationRequest.h"
#import "OIDRegistrationResponse.h"
#import "OIDServiceConfiguration.h"
Expand Down Expand Up @@ -344,6 +345,69 @@ + (void)performTokenRequest:(OIDTokenRequest *)request callback:(OIDTokenCallbac
return;
}

// Validates ID Token if it exists
if (tokenResponse.idToken) {
OIDIDToken *idToken = [[OIDIDToken alloc] initWithIDTokenString:tokenResponse.idToken];
if (!idToken) {
NSError *invalidIDToken =
[OIDErrorUtilities errorWithCode:OIDErrorCodeIDTokenParsingError
underlyingError:nil
description:@"ID Token parsing failed"];
dispatch_async(dispatch_get_main_queue(), ^{
callback(nil, invalidIDToken);
});
return;
}

NSURL *issuer = tokenResponse.request.configuration.issuer;
if (![idToken.issuer isEqual:issuer]) {
NSError *invalidIDToken =
[OIDErrorUtilities errorWithCode:OIDErrorCodeIDTokenFailedValidationError
underlyingError:nil
description:@"Issuer mismatch"];
dispatch_async(dispatch_get_main_queue(), ^{
callback(nil, invalidIDToken);
});
return;
}

NSString *clientID = tokenResponse.request.clientID;
if (![idToken.audience containsObject:clientID]) {
NSError *invalidIDToken =
[OIDErrorUtilities errorWithCode:OIDErrorCodeIDTokenFailedValidationError
underlyingError:nil
description:@"Audience mismatch"];
dispatch_async(dispatch_get_main_queue(), ^{
callback(nil, invalidIDToken);
});
return;
}

NSTimeInterval issuedAtDifference = [idToken.issuedAt timeIntervalSinceNow];
if (issuedAtDifference > 300) {
NSError *invalidIDToken =
[OIDErrorUtilities errorWithCode:OIDErrorCodeIDTokenFailedValidationError
underlyingError:nil
description:@"Issued at time is too far in the future"];
dispatch_async(dispatch_get_main_queue(), ^{
callback(nil, invalidIDToken);
});
return;
}

NSTimeInterval expiresAtDifference = [idToken.expiresAt timeIntervalSinceNow];
if (expiresAtDifference < -60) {
NSError *invalidIDToken =
[OIDErrorUtilities errorWithCode:OIDErrorCodeIDTokenFailedValidationError
underlyingError:nil
description:@"ID Token expired"];
dispatch_async(dispatch_get_main_queue(), ^{
callback(nil, invalidIDToken);
});
return;
}
}

// Success
dispatch_async(dispatch_get_main_queue(), ^{
callback(tokenResponse, nil);
Expand Down
7 changes: 7 additions & 0 deletions Source/OIDError.h
Original file line number Diff line number Diff line change
Expand Up @@ -144,6 +144,13 @@ typedef NS_ENUM(NSInteger, OIDErrorCode) {
*/
OIDErrorCodeJSONSerializationError = -13,

/*! @brief The ID Token did not parse.
*/
OIDErrorCodeIDTokenParsingError = -14,

/*! @brief The ID Token did not pass validation (e.g. issuer, audience checks).
*/
OIDErrorCodeIDTokenFailedValidationError = -15,
};

/*! @brief Enum of all possible OAuth error codes as defined by RFC6749
Expand Down
83 changes: 83 additions & 0 deletions Source/OIDIDToken.h
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
/*! @file OIDIDToken.h
@brief AppAuth iOS SDK
@copyright
Copyright 2017 Google Inc. All Rights Reserved.
@copydetails
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#import <Foundation/Foundation.h>

NS_ASSUME_NONNULL_BEGIN

/*! @brief A convenience class that parses _but not validates_ and ID Token.
*/
@interface OIDIDToken : NSObject

/*! @internal
@brief Unavailable. Please use @c initWithAuthorizationResponse:.
*/
- (instancetype)init NS_UNAVAILABLE;

/*! @brief Parses the given ID Token string.
@param idToken The ID Token spring.
*/
- (nullable instancetype)initWithIDTokenString:(NSString *)idToken;

/*! @brief The header JWT values.
*/
@property(nonatomic, readonly) NSDictionary *header;

/*! @brief All ID Token claims.
*/
@property(nonatomic, readonly) NSDictionary *claims;

/*! @brief Issuer Identifier for the Issuer of the response.
@remarks iss
@see http://openid.net/specs/openid-connect-core-1_0.html#IDToken
*/
@property(nonatomic, readonly) NSURL *issuer;

/*! @brief Subject Identifier.
@remarks sub
@see http://openid.net/specs/openid-connect-core-1_0.html#IDToken
*/
@property(nonatomic, readonly) NSString *subject;

/*! @brief Audience(s) that this ID Token is intended for.
@remarks aud
@see http://openid.net/specs/openid-connect-core-1_0.html#IDToken
*/
@property(nonatomic, readonly) NSArray *audience;

/*! @brief Expiration time on or after which the ID Token MUST NOT be accepted for processing.
@remarks exp
@see http://openid.net/specs/openid-connect-core-1_0.html#IDToken
*/
@property(nonatomic, readonly) NSDate *expiresAt;

/*! @brief Time at which the JWT was issued.
@remarks iat
@see http://openid.net/specs/openid-connect-core-1_0.html#IDToken
*/
@property(nonatomic, readonly) NSDate *issuedAt;

/*! @brief String value used to associate a Client session with an ID Token, and to mitigate replay
attacks.
@remarks nonce
@see http://openid.net/specs/openid-connect-core-1_0.html#IDToken
*/
@property(nonatomic, readonly) NSString *nonce;

@end

NS_ASSUME_NONNULL_END
Loading

0 comments on commit beb4b67

Please sign in to comment.