OAuth2 for iOS
OpenAuth is a light framework for iOS written in swift 4. It provides an easy way to integrate OAuth2.0 in your iOS apps.
Installation
Installation with CocoaPods
We recommend using CocoaPods which automates and simplifies the process of using 3rd-party libraries like OpenAuth in your projects. You can install it with the following command:
$ gem install cocoapodsPodfile
To integrate OpenAuth into your Xcode project using CocoaPods, specify it in your Podfile:
pod 'OpenAuth'Then, run the following command:
$ pod installManual installation
Skip this section if you used CocoaPods to link OpenAuth to your project.
- Download the SDK located under OpenAuth/OpenAuth.framework
- Add
OpenAuth.frameworkfile to your project and add it toEmbedded Binaries.
Congratulations, the framework is fully integrated to the app and you can start using it.
Supported grant flows
OpenAuth uses generic types for GrantType, OpenAuth is an authorization manager that implements the Code Grant flow. The following is the list of all implemented flows:
| Flow | Class |
|---|---|
| Code Grant Flow | OpenAuth<CodeGrant> |
| Code Grant without token type | OpenAuth<CodeGrantNoTokenType> |
| Code Grant Flow with Basic Auth | OpenAuth<CodeGrantBasicAuth> |
| Implicit Grant Flow | OpenAuth<ImplicitGrant> |
| Implicit Grant Flow with query parameters | OpenAuth<ImplicitGrantWithQueryParams> |
| Client Credentials | OpenAuth<ClientCredentials> |
At this point, once you pick the Grant Flow your app will implement, all requests to OpenAuth should be specified using a Grant Type flow. You can declare a typealias on top of OpenAuth specifying the Grant flow you want to use. For the rest of documentation, we will use the Code Grant Flow:
typealias Auth = OpenAuth<CodeGrant>Enable the logger
Optionally, you can enable to the logger. Use the following code to set a logging level to the logger:
Auth.logger.level = .verboseYou can choose one of the following logging levels:
- verbose
- info
- warning
- error
- none
Add your OAuth2 configuration
Info.plist file
OpenAuth loads automatically your OAuth2 configuration from your app Info.plist file. Add a new row in Info.plist. Name it OpenAuthConfiguration and set its type to Dictionary.
The following is a description of all configurations you can put in the created dictionary
| Key | Type | Required | Description |
|---|---|---|---|
CLIENT_ID |
String | Yes | The client id |
CLIENT_SECRET |
String | No | The client secret, usually only needed for code grant. |
CLIENT_NAME |
String | No | The name of the client, used during dynamic client registration. |
LOGO_URI |
String | No | An URL of the logo/icon of the app. |
AUTHORIZE_URI |
String | Yes | The URL to authorize against. |
TOKEN_URI |
String | Yes | The URL to exchange a code for a token. |
REGISTRATION_URI |
String | No | The URL to register a client. Used during dynamic client registration. |
REDIRECT_URIS |
Array of String | Yes | The list of redirect URIs. |
SCOPE |
String | No | The scope currently in use. |
SECRET_IN_BODY |
Bool | No | Whether the receiver should use the request body instead of the Authorization header for the client secret; defaults to false. |
HEADERS |
Dictionary | No | Contains special authorization request headers, can be used to override defaults |
PARAMETERS |
Dictionary | No | Add custom parameters to the authorization request. |
TOKEN_ASSUME_UNEXPIRED |
Bool | No | If set to true (the default), uses a keychain-supplied access token even if no "expires_in" parameter was supplied. |
ENABLE_KEYCHAIN |
Bool | No | If set to false (the default), Keychain support will be disabled. |
TOKENS_KEYCHAIN_ACCOUNT |
String | No | The keychain account to use to store tokens. Defaults to currentTokens. |
CLIENT_KEYCHAIN_ACCOUNT |
String | No | The keychain account name to use to store client credentials. Defaults to clientCredentials. |
KEYCHAIN_ACCESS_MODE |
String | No | Defines the keychain access mode. Defaults to kSecAttrAccessibleWhenUnlocked |
KEYCHAIN_ACCESS_GROUP |
String | No | Defines the keychain access group identifier allowing token exchange between different apps of the same group. None is defined as default. |
Note
For KEYCHAIN_ACCESS_MODE, possible values are:
- kSecAttrAccessibleWhenUnlocked: Item data can only be accessed while the device is unlocked. This is recommended for items that only need be accesible while the application is in the foreground. Items with this attribute will migrate to a new device when using encrypted backups.
- kSecAttrAccessibleAfterFirstUnlock: Item data can only be accessed once the device has been unlocked after a restart. This is recommended for items that need to be accesible by background applications. Items with this attribute will migrate to a new device when using encrypted backups.
- kSecAttrAccessibleAlways: Item data can always be accessed regardless of the lock state of the device. This is not recommended for anything except system use. Items with this attribute will migrate to a new device when using encrypted backups.
- kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly: Item data can only be accessed while the device is unlocked. This is recommended for items that only need to be accessible while the application is in the foreground and requires a passcode to be set on the device. Items with this attribute will never migrate to a new device, so after a backup is restored to a new device, these items will be missing. This attribute will not be available on devices without a passcode. Disabling the device passcode will cause all previously protected items to be deleted.
- kSecAttrAccessibleWhenUnlockedThisDeviceOnly: Item data can only be accessed while the device is unlocked. This is recommended for items that only need be accesible while the application is in the foreground. Items with this attribute will never migrate to a new device, so after a backup is restored to a new device, these items will be missing.
- kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly: Item data can only be accessed once the device has been unlocked after a restart. This is recommended for items that need to be accessible by background applications. Items with this attribute will never migrate to a new device, so after a backup is restored to a new device these items will be missing.
- kSecAttrAccessibleAlwaysThisDeviceOnly: Item data can always be accessed regardless of the lock state of the device. This option is not recommended for anything except system use. Items with this attribute will never migrate to a new device, so after a backup is restored to a new device, these items will be missing.
Minimal Viable Configuration
You can download here a plist file with the minimum required configuration or copy the XML in your Project Info.plist resource
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OpenAuthConfiguration</key>
<dict>
<key>CLIENT_ID</key>
<string></string>
<key>AUTHORIZE_URI</key>
<string></string>
<key>TOKEN_URI</key>
<string></string>
<key>REDIRECT_URIS</key>
<array>
<string></string>
</array>
</dict>
</dict>
</plist>
Full Configuration
You can download here a plist file with all available keys for an advanced configuration or copy the XML in your Project Info.plist resource
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OpenAuthConfiguration</key>
<dict>
<key>CLIENT_ID</key>
<string></string>
<key>AUTHORIZE_URI</key>
<string></string>
<key>TOKEN_URI</key>
<string></string>
<key>REDIRECT_URIS</key>
<array>
<string></string>
</array>
<key>CLIENT_SECRET</key>
<string></string>
<key>CLIENT_NAME</key>
<string></string>
<key>LOGO_URI</key>
<string></string>
<key>REGISTRATION_URI</key>
<string></string>
<key>SCOPE</key>
<string></string>
<key>SECRET_IN_BODY</key>
<false/>
<key>HEADERS</key>
<dict/>
<key>PARAMETERS</key>
<dict/>
<key>TOKEN_ASSUME_UNEXPIRED</key>
<true/>
<key>ENABLE_KEYCHAIN</key>
<false/>
<key>TOKENS_KEYCHAIN_ACCOUNT</key>
<string></string>
<key>CLIENT_KEYCHAIN_ACCOUNT</key>
<string></string>
<key>KEYCHAIN_ACCESS_MODE</key>
<string>kSecAttrAccessibleWhenUnlocked</string>
<key>KEYCHAIN_ACCESS_GROUP</key>
<string></string>
</dict>
</dict>
</plist>
Handle Redirect URL
On your AppDelegate.swift file, import OpenAuth and implement the following method
func application(_ app: UIApplication, open url: URL, options: [UIApplicationOpenURLOptionsKey : Any] = [:]) -> Bool {
Auth.shared.handleRedirect(url: url)
return true
}Acquire the token
To acquire the access token, import OpenAuth in your code and call the following function
Auth.acquireToken(success: { (token: String) in
//Use your token here
}) { (error: Error) in
//Handle error here
}To force OpenAuth to display a safari view controller embedded in your app, set the embedded Boolean attribute to true and provide a context from which OpenAuth will display the safari controller. The context can be the current view controller, a navigation view controller or any other view controller based objects
Auth.acquireToken(authorizeContext: context, embedded: true, success: { (token: String) in
//Use your token here
}) { (error: Error) in
//Handle error here
}Optionally, you can pass custom parameters to be added to the Authorize request:
let params = ["key1": "value1",
"key2": "value2"]
Auth.acquireToken(success: { (token: String) in
//use your token here
}, failure: { (error: Error) in
//handle error here
}, params: params,
embedded: false,
authorizeContext: nil)Logout
To logout, use the logout function as indicated in the following snippet code. OpenAuth will forget all tokens and remove any stored cookies related to its flows.
Auth.logout()Credit
All credits go to Pascal Pfiffner. Most of the SDK is inspired by p2.OAuth2 swift librairy.
License
OpenAuth is released under an Apache 2.0 license. See LICENSE for more details.