Allow passing server metadata during OAuth2 initialization

Author: DominikPalo

Sources/Base/OAuth2Base.swift

@@ -181,17 +181,21 @@ open class OAuth2Base: OAuth2Securable {
 
 	- verbose (Bool, false by default, applies to client logging)
 	*/
-	override public init(settings: OAuth2JSON) {
-		clientConfig = OAuth2ClientConfig(settings: settings)
+	override public init(settings: OAuth2JSON, serverMetadata: OAuth2ServerMetadata?) {
+		clientConfig = OAuth2ClientConfig(settings: settings, serverMetadata: serverMetadata)
 
 		// auth configuration options
 		if let ttl = settings["title"] as? String {
 			authConfig.ui.title = ttl
 		}
-		super.init(settings: settings)
+		
+		super.init(settings: settings, serverMetadata: serverMetadata)
+		
+		if let serverMetadata {
+			self.validateConfiguration(against: serverMetadata)
+		}
 	}
 
-	
 	// MARK: - Keychain Integration
 
 	/** Overrides base implementation to return the authorize URL. */
@@ -290,28 +294,39 @@ open class OAuth2Base: OAuth2Securable {
 	/**
 	Internally used on error, calls the callbacks on the main thread with the appropriate error message.
 
-	This method is only made public in case you want to create a subclass and need to call `didFail(error:)` at an override point. If you
-	call this method yourself on your OAuth2 instance you might screw things up royally.
+	This method handles authorization failures by cleaning up state, logging the error,
+	and notifying all registered callbacks. It ensures proper cleanup of async continuations
+	and maintains thread safety by dispatching callbacks to the main thread.
+	
+	This method is only made public in case you want to create a subclass and need to call 
+	`didFail(with:)` at an override point. If you call this method yourself on your OAuth2 
+	instance you might cause unexpected behavior.
 
-	- parameter error: The error that led to authorization failure; will use `.requestCancelled` on the callbacks if nil is passed
+	- parameter error: The error that led to authorization failure; will use `.requestCancelled` if nil is passed
 	*/
 	public final func didFail(with error: OAuth2Error?) {
-		var finalError = error
-		if let error = finalError {
-			logger?.debug("OAuth2", msg: "\(error)")
-		}
-		else {
-			finalError = OAuth2Error.requestCancelled
+		let finalError = error ?? OAuth2Error.requestCancelled
+		
+		// Log the error with appropriate level
+		if let error = error {
+			logger?.warn("OAuth2", msg: "Authorization failed with error: \(error)")
+		} else {
+			logger?.debug("OAuth2", msg: "Authorization was cancelled or aborted")
 		}
+		
+		// Dispatch callbacks to main thread with proper error handling
 		callOnMainThread() {
 			self.isAuthorizing = false
 			self.internalAfterAuthorizeOrFail?(true, finalError)
 			self.afterAuthorizeOrFail?(nil, finalError)
 		}
 
-		// Finish `doAuthorize` call
-		self.doAuthorizeContinuation?.resume(throwing: error ?? OAuth2Error.requestCancelled)
-		self.doAuthorizeContinuation = nil
+		// Complete async continuation if present
+		if let continuation = doAuthorizeContinuation {
+			continuation.resume(throwing: finalError)
+			doAuthorizeContinuation = nil
+			logger?.trace("OAuth2", msg: "Completed async authorization continuation with error")
+		}
 	}
 
 	/**
@@ -504,87 +519,27 @@ open class OAuth2Base: OAuth2Securable {
 	open func assureRefreshTokenParamsAreValid(_ params: OAuth2JSON) throws {
 	}
 
-}
-
-
-/**
-Class, internally used, to store current authorization context, such as state and redirect-url.
-*/
-open class OAuth2ContextStore {
-	
-	/// Currently used redirect_url.
-	open var redirectURL: String?
-	
-	/// Current code verifier used for PKCE
-	public internal(set) var codeVerifier: String?
-	public let codeChallengeMethod = "S256"
-
-	/// The current state.
-	internal var _state = ""
-	
 	/**
-	The state sent to the server when requesting a token.
+	Validates the current OAuth2 configuration against server metadata.
 
-	We internally generate a UUID and use the first 8 chars if `_state` is empty.
-	*/
-	open var state: String {
-		if _state.isEmpty {
-			_state = UUID().uuidString
-			_state = String(_state[_state.startIndex..<_state.index(_state.startIndex, offsetBy: 8)])        // only use the first 8 chars, should be enough
-		}
-		return _state
-	}
+	This method checks if the configured grant type and response type are supported
+	by the authorization server according to the provided metadata.
 
-	/**
-	Checks that given state matches the internal state.
-	
-	- parameter state: The state to check (may be nil)
-	- returns: true if state matches, false otherwise or if given state is nil.
+	- parameter serverMetadata: The server metadata to validate against
 	*/
-	func matchesState(_ state: String?) -> Bool {
-		if let st = state {
-			return st == _state
+	open func validateConfiguration(against serverMetadata: OAuth2ServerMetadata) {
+		// validate the grant type
+		let grantType = type(of: self).grantType
+		let grantTypesSupported = serverMetadata.grantTypesSupported ?? [OAuth2GrantTypes.authorizationCode, OAuth2GrantTypes.implicit]
+		if !grantTypesSupported.contains(grantType) {
+			logger?.warn("OAuth2", msg: "The authorization server doesn't support the \"\(grantType)\" grant type.")
 		}
-		return false
-	}
-	
-	/**
-	Resets current state so it gets regenerated next time it's needed.
-	*/
-	func resetState() {
-		_state = ""
-	}
-	
-	// MARK: - PKCE
-	
-	/**
-	Generates a new code verifier string
-	*/
-	open func generateCodeVerifier() {
-		var buffer = [UInt8](repeating: 0, count: 32)
-		_ = SecRandomCopyBytes(kSecRandomDefault, buffer.count, &buffer)
-		codeVerifier = Data(buffer).base64EncodedString()
-			.replacingOccurrences(of: "+", with: "-")
-			.replacingOccurrences(of: "/", with: "_")
-			.replacingOccurrences(of: "=", with: "")
-			.trimmingCharacters(in: .whitespaces)
-	}
-	
-	
-	open func codeChallenge() -> String? {
-		guard let verifier = codeVerifier, let data = verifier.data(using: .utf8) else { return nil }
-		var buffer = [UInt8](repeating: 0,  count: Int(CC_SHA256_DIGEST_LENGTH))
-		data.withUnsafeBytes {
-			_ = CC_SHA256($0.baseAddress, CC_LONG(data.count), &buffer)
+		
+		// validate the response type
+		if let responseType = type(of: self).responseType,
+		   !serverMetadata.responseTypesSupported.contains(responseType) {
+			logger?.warn("OAuth2", msg: "The authorization server doesn't support the \"\(responseType)\" response type.")
 		}
-		let hash = Data(buffer)
-		let challenge = hash.base64EncodedString()
-			.replacingOccurrences(of: "+", with: "-")
-			.replacingOccurrences(of: "/", with: "_")
-			.replacingOccurrences(of: "=", with: "")
-			.trimmingCharacters(in: .whitespaces)
-		return challenge
 	}
 
 }
-

Sources/Base/OAuth2ClientConfig.swift

@@ -120,22 +120,25 @@ open class OAuth2ClientConfig {
 	/**
 	Initializer to initialize properties from a settings dictionary.
 	*/
-	public init(settings: OAuth2JSON) {
+	public init(settings: OAuth2JSON, serverMetadata: OAuth2ServerMetadata?) {
 		clientId = settings["client_id"] as? String
 		clientSecret = settings["client_secret"] as? String
 		clientName = settings["client_name"] as? String
-		
-		// authorize URL
+
 		var aURL: URL?
-		if let auth = settings["authorize_uri"] as? String {
-			aURL = URL(string: auth)
+		if let authorizeUri = settings["authorize_uri"] as? String {
+			aURL = URL(string: authorizeUri)
+		} else if let authorizationEndpoint = serverMetadata?.authorizationEndpoint {
+			aURL = URL(string: authorizationEndpoint)
 		}
 		authorizeURL = aURL ?? URL(string: "https://localhost/p2.OAuth2.defaultAuthorizeURI")!
 
-		// token, device code, registration and logo URLs
-		if let token = settings["token_uri"] as? String {
-			tokenURL = URL(string: token)
+		if let tokenUri = settings["token_uri"] as? String {
+			tokenURL = URL(string: tokenUri)
+		} else if let tokenEndpoint = serverMetadata?.tokenEndpoint {
+			tokenURL = URL(string: tokenEndpoint)
 		}
+		
 		if let deviceAuthorize = settings["device_authorize_uri"] as? String {
 			deviceAuthorizeURL = URL(string: deviceAuthorize)
 		}

Sources/Base/OAuth2Securable.swift

@@ -65,7 +65,7 @@ open class OAuth2Securable: OAuth2Requestable {
 
 	Looks at the `verbose`, `keychain`, `keychain_access_mode`, `keychain_access_group` `keychain_account_for_client_credentials` and `keychain_account_for_tokens`. Everything else is handled by subclasses.
 	*/
-	public init(settings: OAuth2JSON) {
+	public init(settings: OAuth2JSON, serverMetadata: OAuth2ServerMetadata?) {
 		self.settings = settings
 
 		// keychain settings

Sources/Flows/OAuth2.swift

@@ -83,10 +83,10 @@ open class OAuth2: OAuth2Base {
 
 	- verbose (bool, false by default, applies to client logging)
 	*/
-	override public init(settings: OAuth2JSON) {
-		super.init(settings: settings)
-		self.authorizer = OAuth2Authorizer(oauth2: self)
-		
+	override public init(settings: OAuth2JSON, serverMetadata: OAuth2ServerMetadata? = nil) {
+		super.init(settings: settings, serverMetadata: serverMetadata)
+		authorizer = OAuth2Authorizer(oauth2: self)
+
 		if (self.clientConfig.refreshTokenRotationIsEnabled) {
 			self.refreshTokenRotationSemaphore = AsyncSemaphore(value: 1)
 		}

Sources/Flows/OAuth2ClientCredentialsReddit.swift

@@ -47,9 +47,9 @@ public class OAuth2ClientCredentialsReddit: OAuth2ClientCredentials {
 
 	- parameter settings: The authorization settings
 	*/
-	override public init(settings: OAuth2JSON) {
+	override public init(settings: OAuth2JSON, serverMetadata: OAuth2ServerMetadata? = nil) {
 		deviceId = settings["device_id"] as? String
-		super.init(settings: settings)
+		super.init(settings: settings, serverMetadata: serverMetadata)
 		clientConfig.clientSecret = ""
 	}
 

Sources/Flows/OAuth2CodeGrantAzure.swift

@@ -36,8 +36,8 @@ public class OAuth2CodeGrantAzure: OAuth2CodeGrant {
 	- parameter settings: The settings for this client
 	- parameter resource: The resource we want to use
 	*/
-	public init(settings: OAuth2JSON, resource: String) {
-		super.init(settings: settings)
+	public init(settings: OAuth2JSON, serverMetadata: OAuth2ServerMetadata? = nil, resource: String) {
+		super.init(settings: settings, serverMetadata: serverMetadata)
 		clientConfig.secretInBody = true
 		clientConfig.customParameters = [
 			"resource": resource

Sources/Flows/OAuth2CodeGrantBasicAuth.swift

@@ -42,11 +42,11 @@ open class OAuth2CodeGrantBasicAuth: OAuth2CodeGrant {
 
 	- basic: takes precedence over client_id and client_secret for the token request Authorization header
 	*/
-	override public init(settings: OAuth2JSON) {
+	override public init(settings: OAuth2JSON, serverMetadata: OAuth2ServerMetadata? = nil) {
 		if let basic = settings["basic"] as? String {
 			basicToken = basic
 		}
-		super.init(settings: settings)
+		super.init(settings: settings, serverMetadata: serverMetadata)
 	}
 
 	/**

Sources/Flows/OAuth2DeviceGrant.swift

@@ -32,7 +32,7 @@ open class OAuth2DeviceGrant: OAuth2 {
 	}
 
 	override open class var responseType: String? {
-		return ""
+		return nil
 	}
 
 	open func deviceAccessTokenRequest(with deviceCode: String) throws -> OAuth2AuthRequest {

Sources/Flows/OAuth2ImplicitGrant.swift

@@ -27,7 +27,7 @@ import Constants
 
 
 /**
-Class to handle OAuth2 requests for public clients, such as distributed Mac/iOS Apps.
+Class to handle OAuth2 requests for public clients, such as distributed macOS/iOS Apps.
 */
 open class OAuth2ImplicitGrant: OAuth2 {
 

Sources/Flows/OAuth2PasswordGrant.swift

@@ -86,10 +86,10 @@ open class OAuth2PasswordGrant: OAuth2 {
 	/**
 	Adds support for the "password" & "username" setting.
 	*/
-	override public init(settings: OAuth2JSON) {
+	override public init(settings: OAuth2JSON, serverMetadata: OAuth2ServerMetadata? = nil) {
 		username = settings["username"] as? String
 		password = settings["password"] as? String
-		super.init(settings: settings)
+		super.init(settings: settings, serverMetadata: serverMetadata)
 	}