Resource Indicators for OAuth 2.0 (RFC 8707) (#26)

Author: DominikPalo

Sources/Base/OAuth2AuthRequest.swift

@@ -204,8 +204,8 @@ open class OAuth2AuthRequest {
 				else {
 					throw OAuth2Error.utf8EncodeError
 				}
-				finalParams.removeValue(forKey: "client_id")
-				finalParams.removeValue(forKey: "client_secret")
+				finalParams.removeValues(forKey: "client_id")
+				finalParams.removeValues(forKey: "client_secret")
 			}
 		}
 
@@ -251,23 +251,39 @@ public struct OAuth2RequestParams {
 
 	public subscript(key: String) -> String? {
 		get {
-			return params?[key]
+			return params?[key]?.split(separator: "\n").map(String.init).first
 		}
 		set(newValue) {
 			params = params ?? OAuth2StringDict()
 			params![key] = newValue
 		}
 	}
+
+	/**
+	Returns all the values associated with a given parameter as an array.
+	 
+	- parameter forKey: The name of the parameter to return.
+	- returns: An array of strings, which may be empty if no values for the given parameter are found.
+	*/
+	public func getMultiple(forKey key: String) -> [String] {
+		return params?[key]?.split(separator: "\n").map(String.init) ?? []
+	}
+	
+	public mutating func setMultiple(key: String, values: any Sequence<String>) {
+		params = params ?? OAuth2StringDict()
+		params![key] = values.sorted().joined(separator: "\n")
+	}
 
 	/**
-	Removes the given value from the receiver, if it is defined.
+	Removes the given values from the receiver, if it is defined.
 
-	- parameter forKey: The key for the value to be removed
-	- returns: The value that was removed, if any
+	- parameter forKey: The key for the values to be removed
+	- returns: The values that was removed, if any
 	*/
 	@discardableResult
-	public mutating func removeValue(forKey key: String) -> String? {
-		return params?.removeValue(forKey: key)
+	public mutating func removeValues(forKey key: String) -> [String] {
+		let removedValue = params?.removeValue(forKey: key)
+		return removedValue?.split(separator: "\n").map(String.init) ?? []
 	}
 
 	/// The number of items in the receiver.
@@ -320,7 +336,9 @@ public struct OAuth2RequestParams {
 	public static func formEncodedQueryStringFor(_ params: OAuth2StringDict) -> String {
 		var arr: [String] = []
 		for (key, val) in params {
-			arr.append("\(key)=\(val.wwwFormURLEncodedString)")
+			for subVal in val.split(separator: "\n").map(String.init) {
+                arr.append("\(key)=\(subVal.wwwFormURLEncodedString)")
+            }
 		}
 		return arr.joined(separator: "&")
 	}

Sources/Base/OAuth2ClientConfig.swift

@@ -38,8 +38,9 @@ open class OAuth2ClientConfig {
 	/// Where a logo/icon for the app can be found.
 	public final var logoURL: URL?
 
-	/// The URL used for constructing target for resource-aware tokens.
-	public final var resourceURL: URL?
+	/// The URIs of the target services or resources used for constructing resource-aware tokens.
+	/// See: https://datatracker.ietf.org/doc/html/rfc8707
+	public final var resourceURIs: Set<String>?
 
 	/// The scope currently in use.
 	open var scope: String?
@@ -136,8 +137,8 @@ open class OAuth2ClientConfig {
 		if let logo = settings["logo_uri"] as? String {
 			logoURL = URL(string: logo)
 		}
-		if let resource = settings["resource_uri"] as? String {
-			resourceURL = URL(string: resource)
+		if let resources = settings["resource_uris"] as? [String] {
+			resourceURIs = Set(resources)
 		}
 
 		// client authorization options

Sources/Base/OAuth2Error.swift

@@ -52,8 +52,8 @@ public enum OAuth2Error: Error, CustomStringConvertible, Equatable {
 	/// There is no redirect URL.
 	case noRedirectURL
 
-	/// There is no resource URL.
-	case noResourceURL
+	/// There is no resource URI.
+	case noResourceURI
 
 	/// There is no username.
 	case noUsername
@@ -178,6 +178,9 @@ public enum OAuth2Error: Error, CustomStringConvertible, Equatable {
 	/// The "device_code" has expired. Passes the underlying error_description.
 	case expiredToken(String?)
 
+	/// The requested resource is invalid, missing, unknown, or malformed.
+	case invalidTarget(String?)
+	
 	/// Other response error, as defined in its String.
 	case responseError(String)
 
@@ -214,6 +217,8 @@ public enum OAuth2Error: Error, CustomStringConvertible, Equatable {
 			return .slowDown(description)
 		case "expired_token":
 			return .expiredToken(description)
+		case "invalid_target":
+			return .invalidTarget(description)
 		default:
 			return .responseError(description ?? fallback ?? "Authorization error: \(code)")
 		}
@@ -237,8 +242,8 @@ public enum OAuth2Error: Error, CustomStringConvertible, Equatable {
 			return "Device code URL not set"
 		case .noRedirectURL:
 			return "Redirect URL not set"
-		case .noResourceURL:
-			return "Resource URL not set"
+		case .noResourceURI:
+			return "Resource URI not set"
 		case .noUsername:
 			return "No username"
 		case .noPassword:
@@ -318,6 +323,8 @@ public enum OAuth2Error: Error, CustomStringConvertible, Equatable {
 			return message ?? "The authorization request is still pending and polling should continue, but the interval must be increased by 5 seconds for this and all subsequent requests."
 		case .expiredToken(let message):
 			return message ?? "The \"device_code\" has expired, and the device authorization session has concluded."
+		case .invalidTarget(let message):
+			return message ?? "The requested resource is invalid, missing, unknown, or malformed."
 		case .responseError(let message):
 			return message
 		}
@@ -336,7 +343,7 @@ public enum OAuth2Error: Error, CustomStringConvertible, Equatable {
 		case (.noClientSecret, .noClientSecret):                     return true
 		case (.noDeviceCodeURL, .noDeviceCodeURL):                   return true
 		case (.noRedirectURL, .noRedirectURL):                       return true
-		case (.noResourceURL, .noResourceURL):                       return true
+		case (.noResourceURI, .noResourceURI):                       return true
 		case (.noUsername, .noUsername):                             return true
 		case (.noPassword, .noPassword):                             return true
 		case (.alreadyAuthorizing, .alreadyAuthorizing):             return true
@@ -374,6 +381,7 @@ public enum OAuth2Error: Error, CustomStringConvertible, Equatable {
 		case (.authorizationPending, .authorizationPending):         return true
 		case (.slowDown, .slowDown):                                 return true
 		case (.expiredToken, .expiredToken):                         return true
+		case (.invalidTarget, .invalidTarget):                       return true
 		case (.responseError(let lhm), .responseError(let rhm)):     return lhm == rhm
 		default:                                                     return false
 		}

Sources/Base/OAuth2Requestable.swift

@@ -197,14 +197,19 @@ open class OAuth2Requestable {
 	- returns: A dictionary full of strings with the key-value pairs found in the query
 	*/
 	public final class func params(fromQuery query: String) -> OAuth2StringDict {
-		let parts = query.split() { $0 == "&" }.map() { String($0) }
+		let parts = query.split(separator: "&")
 		var params = OAuth2StringDict(minimumCapacity: parts.count)
+
 		for part in parts {
-			let subparts = part.split() { $0 == "=" }.map() { String($0) }
-			if 2 == subparts.count {
-				params[subparts[0]] = subparts[1].wwwFormURLDecodedString
+			let subparts = part.split(separator: "=").map(String.init)
+			guard subparts.count == 2 else {
+				continue
 			}
+			
+			let (key, value) = (subparts[0], subparts[1].wwwFormURLDecodedString)
+			params[key] = [params[key], value].compactMap { $0 }.joined(separator: "\n")
 		}
+
 		return params
 	}
 }

Sources/Flows/OAuth2.swift

@@ -327,6 +327,9 @@ open class OAuth2: OAuth2Base {
 		if let clientId = clientId {
 			req.params["client_id"] = clientId
 		}
+		if let resourceURIs = clientConfig.resourceURIs {
+			req.params.setMultiple(key: "resource", values: resourceURIs)
+		}
 		req.add(params: params)
 
 		return req
@@ -450,21 +453,20 @@ open class OAuth2: OAuth2Base {
 
 	This will set "grant_type" to "urn:ietf:params:oauth:grant-type:token-exchange", add the access token, and take care of the remaining parameters.
 
-	- parameter resourcePath:     The path of the resource requesting for its own access token
 	- parameter params:           Additional parameters to pass during resource access token exchange
 	- returns:                    An `OAuth2AuthRequest` instance that is configured for resource access token exchange
 	*/
-	open func tokenRequestForExchangeAccessTokenForResource(resourcePath: String, params: OAuth2StringDict? = nil) throws -> OAuth2AuthRequest {
+	open func tokenRequestForExchangeAccessTokenForResource(params: OAuth2StringDict? = nil) throws -> OAuth2AuthRequest {
 		guard let accessToken = clientConfig.accessToken, !accessToken.isEmpty else {
 			throw OAuth2Error.noAccessToken
 		}
-		guard let resourceUrl = clientConfig.resourceURL else {
-			throw OAuth2Error.noResourceURL
+		guard let resourceURIs = clientConfig.resourceURIs, !resourceURIs.isEmpty else {
+			throw OAuth2Error.noResourceURI
 		}
 
 		let req = OAuth2AuthRequest(url: (clientConfig.tokenURL ?? clientConfig.authorizeURL))
 		req.params["grant_type"] = OAuth2GrantTypes.tokenExchange
-		req.params["resource"] = resourceUrl.appendingPathComponent(resourcePath).absoluteString
+		req.params.setMultiple(key: "resource", values: resourceURIs)
 		req.params["scope"] = clientConfig.scope
 		req.params["requested_token_type"] = OAuth2TokenTypeIdentifiers.accessToken
 		req.params["subject_token"] = accessToken
@@ -474,17 +476,21 @@ open class OAuth2: OAuth2Base {
 		return req
 	}
 
+	// TODO:
 	/**
 	Exchanges the access token for resource access token.
 
-	- parameter resourcePath: The path of the resource requesting for its own access token
 	- parameter params: Optional key/value pairs to pass during token exchange
 	- returns: Exchanged access token
 	*/
-	open func doExchangeAccessTokenForResource(resourcePath: String, params: OAuth2StringDict? = nil) async throws -> String {
+	open func doExchangeAccessTokenForResource(params: OAuth2StringDict? = nil) async throws -> String {
 		do {
-			let post = try tokenRequestForExchangeAccessTokenForResource(resourcePath: resourcePath, params: params).asURLRequest(for: self)
-			logger?.debug("OAuth2", msg: "Exchanging access token for resource \(resourcePath) from \(post.url?.description ?? "nil")")
+			guard let resourceURIs = clientConfig.resourceURIs, !resourceURIs.isEmpty else {
+				throw OAuth2Error.noResourceURI
+			}
+			
+			let post = try tokenRequestForExchangeAccessTokenForResource(params: params).asURLRequest(for: self)
+			logger?.debug("OAuth2", msg: "Exchanging access token for resource(s) \(resourceURIs) from \(post.url?.description ?? "nil")")
 
 			let response = await perform(request: post)
 			let data = try response.responseData()
@@ -498,7 +504,7 @@ open class OAuth2: OAuth2Base {
 			}
 			return exchangedAccessToken
 		} catch let error {
-			self.logger?.debug("OAuth2", msg: "Error exchanging access token for resource \(resourcePath): \(error)")
+			self.logger?.debug("OAuth2", msg: "Error exchanging access token for resource(s): \(error)")
 			throw error.asOAuth2Error
 		}
 	}

Sources/Flows/OAuth2CodeGrant.swift

@@ -72,6 +72,9 @@ open class OAuth2CodeGrant: OAuth2 {
 		if clientConfig.useProofKeyForCodeExchange {
 			req.params["code_verifier"] = context.codeVerifier
 		}
+		if let resourceURIs = clientConfig.resourceURIs {
+			req.params.setMultiple(key: "resource", values: resourceURIs)
+		}
 		return req
 	}
 

Tests/BaseTests/OAuth2AuthRequestTests.swift

@@ -77,14 +77,26 @@ class OAuth2AuthRequestTests: XCTestCase {
 		XCTAssertEqual("AA", req.params["a"])
 
 		req.params["c"] = "A complicated/surprising name & character=fun"
-		req.params.removeValue(forKey: "b")
+		req.params.removeValues(forKey: "b")
 		XCTAssertTrue(2 == req.params.count)
 		let str = req.params.percentEncodedQueryString()
 
 		let parts = Set(str.split(separator: "&"))
 		XCTAssertEqual(parts, Set(["a=AA", "c=A+complicated%2Fsurprising+name+%26+character%3Dfun"]))
 	}
 
+	func testMultipleParamsWithSameKey() {
+		let req = OAuth2AuthRequest(url: URL(string: "http://localhost")!)
+		req.params.setMultiple(key: "multiple", values: ["a", "b", "c"])
+		XCTAssertTrue(3 == req.params.getMultiple(forKey: "multiple").count)
+		XCTAssertEqual(["a", "b", "c"], req.params.getMultiple(forKey: "multiple"))
+
+		let removedValues = req.params.removeValues(forKey: "multiple")
+		XCTAssertTrue(3 == removedValues.count)
+		XCTAssertEqual(["a", "b", "c"], removedValues)
+		XCTAssertTrue(0 == req.params.getMultiple(forKey: "multiple").count)
+	}
+	
 	func testURLComponents() {
 		let reqNoTLS = OAuth2AuthRequest(url: URL(string: "http://not.tls.com")!)
 		do {

Tests/BaseTests/OAuth2Tests.swift

@@ -166,16 +166,23 @@ class OAuth2Tests: XCTestCase {
 		XCTAssertEqual(params3["access_token"]!, "xxx==")
 		XCTAssertEqual(params3["expires"]!, "2015-00-00")
 		XCTAssertEqual(params3["more"]!, "spacey stuff with a +")
+		
+		let params4 = OAuth2.params(fromQuery: "access_token=xxx&expires=2015-00-00&more=stuff1&more=stuff2")
+		XCTAssert(3 == params4.count, "Expecting 3 URL params") // Query parameters with the same key are treated as a single multi-value parameter
+		
+		XCTAssertEqual(params4["access_token"]!, "xxx")
+		XCTAssertEqual(params4["expires"]!, "2015-00-00")
+		XCTAssertEqual(params4["more"]!, "stuff1\nstuff2")
 	}
 
 	func testQueryParamConversion() {
-		let qry = OAuth2RequestParams.formEncodedQueryStringFor(["a": "AA", "b": "BB", "x": "yz"])
-		XCTAssertEqual(14, qry.count, "Expecting a 14 character string")
+		let qry = OAuth2RequestParams.formEncodedQueryStringFor(["a": "AA", "b": "BB", "x": "y\nz"])
+		XCTAssertEqual(17, qry.count, "Expecting a 17 character string")
 
 		let dict = OAuth2.params(fromQuery: qry)
 		XCTAssertEqual(dict["a"]!, "AA", "Must unpack `a`")
 		XCTAssertEqual(dict["b"]!, "BB", "Must unpack `b`")
-		XCTAssertEqual(dict["x"]!, "yz", "Must unpack `x`")
+		XCTAssertEqual(dict["x"]!, "y\nz", "Must unpack `x`")
 	}
 
 	func testQueryParamEncoding() {