Add setting allowing to configure it Refresh Token Rotation is enabled for auth client

DominikPalo · DominikPalo · commit 971dcc00dc63 · 2025-07-24T09:26:25.000+02:00
diff --git a/README.md b/README.md
@@ -483,6 +483,12 @@ PKCE
 PKCE support is controlled by the `useProofKeyForCodeExchange` property, and the `use_pkce` key in the settings dictionary.
 It is disabled by default. When enabled, a new code verifier string is generated for every authorization request. 
 
+Refresh Token Rotation
+----------------------
+
+Refresh Token Rotation setting is controlled by the `refreshTokenRotationIsEnabled` property, and the `refresh_token_rotation` key in the settings dictionary.
+It is enabled by default. When enabled, all calls that could rotate the refresh token are executed sequentially to ensure that only the most recently rotated refresh token is persisted.
+
 
 Keychain
 --------
diff --git a/Sources/Base/OAuth2ClientConfig.swift b/Sources/Base/OAuth2ClientConfig.swift
@@ -102,6 +102,17 @@ open class OAuth2ClientConfig {
 	/// See https://tools.ietf.org/html/rfc7636
 	///
 	open var useProofKeyForCodeExchange = false
+	
+	
+	/// If the refresh token rotation is enabled, the authorization server issues a new refresh token with every access token refresh response (the previous refresh token is invalidated).
+	///
+	/// We need to know whether this functionality is enabled on the auth server to prevent concurrent calls to any operations that could rotate the refresh token.
+	/// If the refresh token rotation is enabled, these calls must always be executed sequentially to ensure that only the most recently rotated refresh token is persisted.
+	///
+	/// Read more about it here:
+	/// https://datatracker.ietf.org/doc/html/rfc9700#name-refresh-token-protection
+	/// https://auth0.com/docs/secure/tokens/refresh-tokens/refresh-token-rotation
+	open var refreshTokenRotationIsEnabled = true
 
 	/// Optional custom User-Agent string for embedded mode.
 	open var customUserAgent: String?
@@ -172,6 +183,10 @@ open class OAuth2ClientConfig {
 			useProofKeyForCodeExchange = usePKCE
 		}
 		
+		if let refreshTokenRotation = settings["refresh_token_rotation"] as? Bool {
+			refreshTokenRotationIsEnabled = refreshTokenRotation
+		}
+		
 		customUserAgent = settings["custom_user_agent"] as? String
 	}
 	
diff --git a/Sources/Flows/OAuth2.swift b/Sources/Flows/OAuth2.swift
@@ -50,8 +50,8 @@ open class OAuth2: OAuth2Base {
 	/// The authorizer to use for UI handling, depending on platform.
 	open var authorizer: OAuth2AuthorizerUI!
 	
-	/// The semaphore preventing concurrent execution of `doExchangeRefreshToken()` function.
-	private let exchangeRefreshTokenSemaphore = AsyncSemaphore(value: 1)
+	/// The semaphore preventing concurrent execution of any function that could rotate the refresh token.
+	private var refreshTokenRotationSemaphore: AsyncSemaphore?
 	
 	
 	/**
@@ -85,7 +85,11 @@ open class OAuth2: OAuth2Base {
 	*/
 	override public init(settings: OAuth2JSON) {
 		super.init(settings: settings)
-		authorizer = OAuth2Authorizer(oauth2: self)
+		self.authorizer = OAuth2Authorizer(oauth2: self)
+		
+		if (self.clientConfig.refreshTokenRotationIsEnabled) {
+			self.refreshTokenRotationSemaphore = AsyncSemaphore(value: 1)
+		}
 	}
 	
 	
@@ -109,9 +113,6 @@ open class OAuth2: OAuth2Base {
 		guard !self.isAuthorizing else {
 			throw OAuth2Error.alreadyAuthorizing
 		}
-
-		/// Wait for all running exchanges to finish
-		await self.exchangeRefreshTokenSemaphore.wait()
 		
 		self.isAuthorizing = true
 		logger?.debug("OAuth2", msg: "Starting authorization")
@@ -347,6 +348,12 @@ open class OAuth2: OAuth2Base {
 	- returns: OAuth2 JSON dictionary
 	*/
 	open func doRefreshToken(params: OAuth2StringDict? = nil) async throws -> OAuth2JSON {
+		/// Wait for all running rotations to finish
+		await self.refreshTokenRotationSemaphore?.wait()
+		defer {
+			self.refreshTokenRotationSemaphore?.signal()
+		}
+		
 		do {
 			let post = try tokenRequestForTokenRefresh(params: params).asURLRequest(for: self)
 			logger?.debug("OAuth2", msg: "Using refresh token to receive access token from \(post.url?.description ?? "nil")")
@@ -407,10 +414,10 @@ open class OAuth2: OAuth2Base {
 	- returns: Exchanged refresh token
 	*/
 	open func doExchangeRefreshToken(audienceClientId: String, traceId: String, params: OAuth2StringDict? = nil) async throws -> String {
-		/// Make sure no two tasks can execute `doExchangeRefreshToken()` concurrently.
-		await exchangeRefreshTokenSemaphore.wait()
+		/// Wait for all running rotations to finish
+		await self.refreshTokenRotationSemaphore?.wait()
 		defer {
-			exchangeRefreshTokenSemaphore.signal()
+			self.refreshTokenRotationSemaphore?.signal()
 		}
 		
 		debugPrint("[doExchangeRefreshToken] Started for \(audienceClientId)")
@@ -481,14 +488,19 @@ open class OAuth2: OAuth2Base {
 		return req
 	}
 	
-	// TODO:
 	/**
 	Exchanges the access token for resource access token.
 
 	- parameter params: Optional key/value pairs to pass during token exchange
 	- returns: Exchanged access token
 	*/
 	open func doExchangeAccessTokenForResource(params: OAuth2StringDict? = nil) async throws -> String {
+		/// Wait for all running rotations to finish
+		await self.refreshTokenRotationSemaphore?.wait()
+		defer {
+			self.refreshTokenRotationSemaphore?.signal()
+		}
+		
 		do {
 			guard let resourceURIs = clientConfig.resourceURIs, !resourceURIs.isEmpty else {
 				throw OAuth2Error.noResourceURI
