Always execute concurrent calls to exchange the refresh token serially (#30)

Author: DominikPalo

.github/workflows/build.yml

@@ -112,13 +112,23 @@ jobs:
         -scheme '${{ matrix.scheme }}'
         -configuration Debug
         -destination 'platform=${{ matrix.platform }}'
-        -resultBundlePath ${{ env.TEST_RESULTS_PATH }}
         -showBuildTimingSummary
-        build test
+        build
+
+    - name: test
+      if: success()
+      continue-on-error: true
+      run: >
+        xcodebuild
+        -scheme '${{ matrix.scheme }}'
+        -configuration Debug
+        -destination 'platform=${{ matrix.platform }}'
+        -resultBundlePath ${{ env.TEST_RESULTS_PATH }}
+        test
 
     - name: run xcresulttool
       uses: slidoapp/[email protected]
-      if: success() || failure()
+      if: always()
       with:
         title: 'results-xcode-tests-${{ matrix.platform }}'
         path: ${{ env.TEST_RESULTS_PATH }}

OAuth2.xcodeproj/project.pbxproj

@@ -34,6 +34,9 @@
 		871279832DB152BB00A5AF72 /* SwiftKeychain in Frameworks */ = {isa = PBXBuildFile; productRef = 871279822DB152BB00A5AF72 /* SwiftKeychain */; };
 		871279852DB7DD1B00A5AF72 /* OAuth2ExchangeAccessTokenForResourceTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 871279842DB7DD1B00A5AF72 /* OAuth2ExchangeAccessTokenForResourceTests.swift */; };
 		8760AE592E15335E00020465 /* OAuth2MockPerformer.swift in Sources */ = {isa = PBXBuildFile; fileRef = 8760AE582E15335A00020465 /* OAuth2MockPerformer.swift */; };
+		8760AE5C2E16C77700020465 /* Semaphore in Frameworks */ = {isa = PBXBuildFile; productRef = 8760AE5B2E16C77700020465 /* Semaphore */; };
+		8760AE5E2E16C77C00020465 /* Semaphore in Frameworks */ = {isa = PBXBuildFile; productRef = 8760AE5D2E16C77C00020465 /* Semaphore */; };
+		8760AE602E16C78000020465 /* Semaphore in Frameworks */ = {isa = PBXBuildFile; productRef = 8760AE5F2E16C78000020465 /* Semaphore */; };
 		8793811929D483EC00DC4EBC /* OAuth2DeviceGrant.swift in Sources */ = {isa = PBXBuildFile; fileRef = 8793811829D483EC00DC4EBC /* OAuth2DeviceGrant.swift */; };
 		8793811A29D483EC00DC4EBC /* OAuth2DeviceGrant.swift in Sources */ = {isa = PBXBuildFile; fileRef = 8793811829D483EC00DC4EBC /* OAuth2DeviceGrant.swift */; };
 		8793811B29D483EC00DC4EBC /* OAuth2DeviceGrant.swift in Sources */ = {isa = PBXBuildFile; fileRef = 8793811829D483EC00DC4EBC /* OAuth2DeviceGrant.swift */; };
@@ -261,6 +264,7 @@
 			buildActionMask = 2147483647;
 			files = (
 				871279812DB152B300A5AF72 /* SwiftKeychain in Frameworks */,
+				8760AE602E16C78000020465 /* Semaphore in Frameworks */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -269,6 +273,7 @@
 			buildActionMask = 2147483647;
 			files = (
 				8712797F2DB152AE00A5AF72 /* SwiftKeychain in Frameworks */,
+				8760AE5E2E16C77C00020465 /* Semaphore in Frameworks */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -277,6 +282,7 @@
 			buildActionMask = 2147483647;
 			files = (
 				8712797D2DB152A800A5AF72 /* SwiftKeychain in Frameworks */,
+				8760AE5C2E16C77700020465 /* Semaphore in Frameworks */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -654,6 +660,7 @@
 			mainGroup = EEDB861A193FAAE500C4EEA1;
 			packageReferences = (
 				8712797A2DB151ED00A5AF72 /* XCRemoteSwiftPackageReference "SwiftKeychain" */,
+				8760AE5A2E16C5E800020465 /* XCRemoteSwiftPackageReference "Semaphore" */,
 			);
 			productRefGroup = EEDB8625193FAAE500C4EEA1 /* Products */;
 			projectDirPath = "";
@@ -1274,6 +1281,14 @@
 				minimumVersion = 2.1.0;
 			};
 		};
+		8760AE5A2E16C5E800020465 /* XCRemoteSwiftPackageReference "Semaphore" */ = {
+			isa = XCRemoteSwiftPackageReference;
+			repositoryURL = "https://github.com/groue/Semaphore";
+			requirement = {
+				kind = upToNextMinorVersion;
+				minimumVersion = 0.1.0;
+			};
+		};
 /* End XCRemoteSwiftPackageReference section */
 
 /* Begin XCSwiftPackageProductDependency section */
@@ -1297,6 +1312,21 @@
 			package = 8712797A2DB151ED00A5AF72 /* XCRemoteSwiftPackageReference "SwiftKeychain" */;
 			productName = SwiftKeychain;
 		};
+		8760AE5B2E16C77700020465 /* Semaphore */ = {
+			isa = XCSwiftPackageProductDependency;
+			package = 8760AE5A2E16C5E800020465 /* XCRemoteSwiftPackageReference "Semaphore" */;
+			productName = Semaphore;
+		};
+		8760AE5D2E16C77C00020465 /* Semaphore */ = {
+			isa = XCSwiftPackageProductDependency;
+			package = 8760AE5A2E16C5E800020465 /* XCRemoteSwiftPackageReference "Semaphore" */;
+			productName = Semaphore;
+		};
+		8760AE5F2E16C78000020465 /* Semaphore */ = {
+			isa = XCSwiftPackageProductDependency;
+			package = 8760AE5A2E16C5E800020465 /* XCRemoteSwiftPackageReference "Semaphore" */;
+			productName = Semaphore;
+		};
 /* End XCSwiftPackageProductDependency section */
 	};
 	rootObject = EEDB861B193FAAE500C4EEA1 /* Project object */;

OAuth2.xcworkspace/xcshareddata/swiftpm/Package.resolved

@@ -31,11 +31,12 @@ let package = Package(
 	],
 	dependencies: [
 		.package(url: "https://github.com/slidoapp/SwiftKeychain.git", .upToNextMinor(from: "2.1.0")),
+		.package(url: "https://github.com/groue/Semaphore.git", .upToNextMinor(from: "0.1.0"))
 	],
 	targets: [
 		.target(name: "OAuth2",
 			dependencies: ["Base", "Flows", "DataLoader"]),
-		.target(name: "Base", dependencies: ["SwiftKeychain"]),
+		.target(name: "Base", dependencies: ["SwiftKeychain", "Semaphore"]),
 		.target(name: "macOS", dependencies: [.target(name: "Base")]),
 		.target(name: "iOS", dependencies: [.target(name: "Base")]),
 		.target(name: "tvOS", dependencies: [.target(name: "Base")]),

Package.resolved

@@ -483,6 +483,12 @@ PKCE
 PKCE support is controlled by the `useProofKeyForCodeExchange` property, and the `use_pkce` key in the settings dictionary.
 It is disabled by default. When enabled, a new code verifier string is generated for every authorization request. 
 
+Refresh Token Rotation
+----------------------
+
+Refresh Token Rotation setting is controlled by the `refreshTokenRotationIsEnabled` property, and the `refresh_token_rotation` key in the settings dictionary.
+It is enabled by default. When enabled, all calls that could rotate the refresh token are executed sequentially to ensure that only the most recently rotated refresh token is persisted.
+
 
 Keychain
 --------

Package.swift

@@ -134,9 +134,6 @@ open class OAuth2Base: OAuth2Securable {
 	/// Returns true if the receiver is currently authorizing.
 	public final var isAuthorizing: Bool = false
 
-	/// Returns true if the receiver is currently exchanging the refresh token.
-	public final var isExchangingRefreshToken: Bool = false
-	
 	/**
 	Closure called after the regular authorization callback, on the main thread. You can use this callback when you're performing
 	authorization manually and/or for cleanup operations.

README.md

@@ -102,6 +102,17 @@ open class OAuth2ClientConfig {
 	/// See https://tools.ietf.org/html/rfc7636
 	///
 	open var useProofKeyForCodeExchange = false
+	
+	
+	/// If the refresh token rotation is enabled, the authorization server issues a new refresh token with every access token refresh response (the previous refresh token is invalidated).
+	///
+	/// We need to know whether this functionality is enabled on the auth server to prevent concurrent calls to any operations that could rotate the refresh token.
+	/// If the refresh token rotation is enabled, these calls must always be executed sequentially to ensure that only the most recently rotated refresh token is persisted.
+	///
+	/// Read more about it here:
+	/// https://datatracker.ietf.org/doc/html/rfc9700#name-refresh-token-protection
+	/// https://auth0.com/docs/secure/tokens/refresh-tokens/refresh-token-rotation
+	open var refreshTokenRotationIsEnabled = true
 
 	/// Optional custom User-Agent string for embedded mode.
 	open var customUserAgent: String?
@@ -172,6 +183,10 @@ open class OAuth2ClientConfig {
 			useProofKeyForCodeExchange = usePKCE
 		}
 
+		if let refreshTokenRotation = settings["refresh_token_rotation"] as? Bool {
+			refreshTokenRotationIsEnabled = refreshTokenRotation
+		}
+		
 		customUserAgent = settings["custom_user_agent"] as? String
 	}
 

Sources/Base/OAuth2Base.swift

@@ -64,9 +64,6 @@ public enum OAuth2Error: Error, CustomStringConvertible, Equatable {
 	/// The client is already authorizing.
 	case alreadyAuthorizing
 
-	/// The client is already exchanging the refresh token.
-	case alreadyExchangingRefreshToken
-	
 	/// There is no authorization context.
 	case noAuthorizationContext
 
@@ -254,8 +251,6 @@ public enum OAuth2Error: Error, CustomStringConvertible, Equatable {
 			return "The password grant flow needs to be set a delegate to present the login controller."
 		case .alreadyAuthorizing:
 			return "The client is already authorizing, wait for it to finish or abort authorization before trying again"
-		case .alreadyExchangingRefreshToken:
-			return "The client is already exchanging the refresh token, wait for it to finish before trying again"
 		case .noAuthorizationContext:
 			return "No authorization context present"
 		case .invalidAuthorizationContext:
@@ -347,7 +342,6 @@ public enum OAuth2Error: Error, CustomStringConvertible, Equatable {
 		case (.noUsername, .noUsername):                             return true
 		case (.noPassword, .noPassword):                             return true
 		case (.alreadyAuthorizing, .alreadyAuthorizing):             return true
-		case (.alreadyExchangingRefreshToken, .alreadyExchangingRefreshToken):   return true
 		case (.noAuthorizationContext, .noAuthorizationContext):                 return true
 		case (.invalidAuthorizationContext, .invalidAuthorizationContext):       return true
 		case (.invalidAuthorizationConfiguration(let l), .invalidAuthorizationConfiguration(let r)):	return l == r