/*! @file OIDServiceDiscovery.m @brief AppAuth iOS SDK @copyright Copyright 2015 Google Inc. All Rights Reserved. @copydetails Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ #import "OIDServiceDiscovery.h" #import "OIDDefines.h" #import "OIDErrorUtilities.h" NS_ASSUME_NONNULL_BEGIN /*! Field keys associated with an OpenID Connect Discovery Document. */ static NSString *const kIssuerKey = @"issuer"; static NSString *const kAuthorizationEndpointKey = @"authorization_endpoint"; static NSString *const kTokenEndpointKey = @"token_endpoint"; static NSString *const kUserinfoEndpointKey = @"userinfo_endpoint"; static NSString *const kJWKSURLKey = @"jwks_uri"; static NSString *const kRegistrationEndpointKey = @"registration_endpoint"; static NSString *const kEndSessionEndpointKey = @"end_session_endpoint"; static NSString *const kScopesSupportedKey = @"scopes_supported"; static NSString *const kResponseTypesSupportedKey = @"response_types_supported"; static NSString *const kResponseModesSupportedKey = @"response_modes_supported"; static NSString *const kGrantTypesSupportedKey = @"grant_types_supported"; static NSString *const kACRValuesSupportedKey = @"acr_values_supported"; static NSString *const kSubjectTypesSupportedKey = @"subject_types_supported"; static NSString *const kIDTokenSigningAlgorithmValuesSupportedKey = @"id_token_signing_alg_values_supported"; static NSString *const kIDTokenEncryptionAlgorithmValuesSupportedKey = @"id_token_encryption_alg_values_supported"; static NSString *const kIDTokenEncryptionEncodingValuesSupportedKey = @"id_token_encryption_enc_values_supported"; static NSString *const kUserinfoSigningAlgorithmValuesSupportedKey = @"userinfo_signing_alg_values_supported"; static NSString *const kUserinfoEncryptionAlgorithmValuesSupportedKey = @"userinfo_encryption_alg_values_supported"; static NSString *const kUserinfoEncryptionEncodingValuesSupportedKey = @"userinfo_encryption_enc_values_supported"; static NSString *const kRequestObjectSigningAlgorithmValuesSupportedKey = @"request_object_signing_alg_values_supported"; static NSString *const kRequestObjectEncryptionAlgorithmValuesSupportedKey = @"request_object_encryption_alg_values_supported"; static NSString *const kRequestObjectEncryptionEncodingValuesSupported = @"request_object_encryption_enc_values_supported"; static NSString *const kTokenEndpointAuthMethodsSupportedKey = @"token_endpoint_auth_methods_supported"; static NSString *const kTokenEndpointAuthSigningAlgorithmValuesSupportedKey = @"token_endpoint_auth_signing_alg_values_supported"; static NSString *const kDisplayValuesSupportedKey = @"display_values_supported"; static NSString *const kClaimTypesSupportedKey = @"claim_types_supported"; static NSString *const kClaimsSupportedKey = @"claims_supported"; static NSString *const kServiceDocumentationKey = @"service_documentation"; static NSString *const kClaimsLocalesSupportedKey = @"claims_locales_supported"; static NSString *const kUILocalesSupportedKey = @"ui_locales_supported"; static NSString *const kClaimsParameterSupportedKey = @"claims_parameter_supported"; static NSString *const kRequestParameterSupportedKey = @"request_parameter_supported"; static NSString *const kRequestURIParameterSupportedKey = @"request_uri_parameter_supported"; static NSString *const kRequireRequestURIRegistrationKey = @"require_request_uri_registration"; static NSString *const kOPPolicyURIKey = @"op_policy_uri"; static NSString *const kOPTosURIKey = @"op_tos_uri"; @implementation OIDServiceDiscovery { NSDictionary *_discoveryDictionary; } - (nonnull instancetype)init OID_UNAVAILABLE_USE_INITIALIZER(@selector(initWithDictionary:error:)) - (nullable instancetype)initWithJSON:(NSString *)serviceDiscoveryJSON error:(NSError **)error { NSData *jsonData = [serviceDiscoveryJSON dataUsingEncoding:NSUTF8StringEncoding]; return [self initWithJSONData:jsonData error:error]; } - (nullable instancetype)initWithJSONData:(NSData *)serviceDiscoveryJSONData error:(NSError **_Nullable)error { NSError *jsonError; NSDictionary *json = [NSJSONSerialization JSONObjectWithData:serviceDiscoveryJSONData options:0 error:&jsonError]; if (!json || jsonError) { *error = [OIDErrorUtilities errorWithCode:OIDErrorCodeJSONDeserializationError underlyingError:jsonError description:jsonError.localizedDescription]; return nil; } if (![json isKindOfClass:[NSDictionary class]]) { *error = [OIDErrorUtilities errorWithCode:OIDErrorCodeInvalidDiscoveryDocument underlyingError:nil description:@"Discovery document isn't a dictionary"]; return nil; } return [self initWithDictionary:json error:error]; } - (nullable instancetype)initWithDictionary:(NSDictionary *)serviceDiscoveryDictionary error:(NSError **_Nullable)error { if (![[self class] dictionaryHasRequiredFields:serviceDiscoveryDictionary error:error]) { return nil; } self = [super init]; if (self) { _discoveryDictionary = [serviceDiscoveryDictionary copy]; } return self; } #pragma mark - /*! @brief Checks to see if the specified dictionary contains the required fields. @discussion This test is not meant to provide semantic analysis of the document (eg. fields where the value @c none is not an allowed option would not cause this method to fail if their value was @c none.) We are just testing to make sure we can meet the nullability contract we promised in the header. */ + (BOOL)dictionaryHasRequiredFields:(NSDictionary *)dictionary error:(NSError **_Nullable)error { static NSString *const kMissingFieldErrorText = @"Missing field: %@"; static NSString *const kInvalidURLFieldErrorText = @"Invalid URL: %@"; NSArray *requiredFields = @[ kIssuerKey, kAuthorizationEndpointKey, kTokenEndpointKey, kJWKSURLKey, kResponseTypesSupportedKey, kSubjectTypesSupportedKey, kIDTokenSigningAlgorithmValuesSupportedKey ]; for (NSString *field in requiredFields) { if (!dictionary[field]) { if (error) { NSString *errorText = [NSString stringWithFormat:kMissingFieldErrorText, field]; *error = [OIDErrorUtilities errorWithCode:OIDErrorCodeInvalidDiscoveryDocument underlyingError:nil description:errorText]; } return NO; } } // Check required URL fields are valid URLs. NSArray *requiredURLFields = @[ kIssuerKey, kTokenEndpointKey, kJWKSURLKey ]; for (NSString *field in requiredURLFields) { if (![NSURL URLWithString:dictionary[field]]) { if (error) { NSString *errorText = [NSString stringWithFormat:kInvalidURLFieldErrorText, field]; *error = [OIDErrorUtilities errorWithCode:OIDErrorCodeInvalidDiscoveryDocument underlyingError:nil description:errorText]; } return NO; } } return YES; } #pragma mark - NSCopying - (instancetype)copyWithZone:(nullable NSZone *)zone { // The documentation for NSCopying specifically advises us to return a reference to the original // instance in the case where instances are immutable (as ours is): // "Implement NSCopying by retaining the original instead of creating a new copy when the class // and its contents are immutable." return self; } #pragma mark - NSSecureCoding + (BOOL)supportsSecureCoding { return YES; } - (nullable instancetype)initWithCoder:(NSCoder *)aDecoder { NSError *error; NSDictionary *dictionary = [[NSDictionary alloc] initWithCoder:aDecoder]; self = [self initWithDictionary:dictionary error:&error]; if (error) { return nil; } return self; } - (void)encodeWithCoder:(NSCoder *)aCoder { [_discoveryDictionary encodeWithCoder:aCoder]; } #pragma mark - Properties - (NSDictionary *)discoveryDictionary { return _discoveryDictionary; } - (NSURL *)issuer { return [NSURL URLWithString:_discoveryDictionary[kIssuerKey]]; } - (NSURL *)authorizationEndpoint { return [NSURL URLWithString:_discoveryDictionary[kAuthorizationEndpointKey]]; } - (NSURL *)tokenEndpoint { return [NSURL URLWithString:_discoveryDictionary[kTokenEndpointKey]]; } - (nullable NSURL *)userinfoEndpoint { return [NSURL URLWithString:_discoveryDictionary[kUserinfoEndpointKey]]; } - (NSURL *)jwksURL { return [NSURL URLWithString:_discoveryDictionary[kJWKSURLKey]]; } - (nullable NSURL *)registrationEndpoint { return [NSURL URLWithString:_discoveryDictionary[kRegistrationEndpointKey]]; } - (nullable NSURL *)endSessionEndpoint { return [NSURL URLWithString:_discoveryDictionary[kEndSessionEndpointKey]]; } - (nullable NSArray *)scopesSupported { return _discoveryDictionary[kScopesSupportedKey]; } - (NSArray *)responseTypesSupported { return _discoveryDictionary[kResponseTypesSupportedKey]; } - (nullable NSArray *)responseModesSupported { return _discoveryDictionary[kResponseModesSupportedKey]; } - (nullable NSArray *)grantTypesSupported { return _discoveryDictionary[kGrantTypesSupportedKey]; } - (nullable NSArray *)acrValuesSupported { return _discoveryDictionary[kACRValuesSupportedKey]; } - (NSArray *)subjectTypesSupported { return _discoveryDictionary[kSubjectTypesSupportedKey]; } - (NSArray *) IDTokenSigningAlgorithmValuesSupported { return _discoveryDictionary[kIDTokenSigningAlgorithmValuesSupportedKey]; } - (nullable NSArray *)IDTokenEncryptionAlgorithmValuesSupported { return _discoveryDictionary[kIDTokenEncryptionAlgorithmValuesSupportedKey]; } - (nullable NSArray *)IDTokenEncryptionEncodingValuesSupported { return _discoveryDictionary[kIDTokenEncryptionEncodingValuesSupportedKey]; } - (nullable NSArray *)userinfoSigningAlgorithmValuesSupported { return _discoveryDictionary[kUserinfoSigningAlgorithmValuesSupportedKey]; } - (nullable NSArray *)userinfoEncryptionAlgorithmValuesSupported { return _discoveryDictionary[kUserinfoEncryptionAlgorithmValuesSupportedKey]; } - (nullable NSArray *)userinfoEncryptionEncodingValuesSupported { return _discoveryDictionary[kUserinfoEncryptionEncodingValuesSupportedKey]; } - (nullable NSArray *)requestObjectSigningAlgorithmValuesSupported { return _discoveryDictionary[kRequestObjectSigningAlgorithmValuesSupportedKey]; } - (nullable NSArray *) requestObjectEncryptionAlgorithmValuesSupported { return _discoveryDictionary[kRequestObjectEncryptionAlgorithmValuesSupportedKey]; } - (nullable NSArray *) requestObjectEncryptionEncodingValuesSupported { return _discoveryDictionary[kRequestObjectEncryptionEncodingValuesSupported]; } - (nullable NSArray *)tokenEndpointAuthMethodsSupported { return _discoveryDictionary[kTokenEndpointAuthMethodsSupportedKey]; } - (nullable NSArray *)tokenEndpointAuthSigningAlgorithmValuesSupported { return _discoveryDictionary[kTokenEndpointAuthSigningAlgorithmValuesSupportedKey]; } - (nullable NSArray *)displayValuesSupported { return _discoveryDictionary[kDisplayValuesSupportedKey]; } - (nullable NSArray *)claimTypesSupported { return _discoveryDictionary[kClaimTypesSupportedKey]; } - (nullable NSArray *)claimsSupported { return _discoveryDictionary[kClaimsSupportedKey]; } - (nullable NSURL *)serviceDocumentation { return [NSURL URLWithString:_discoveryDictionary[kServiceDocumentationKey]]; } - (nullable NSArray *)claimsLocalesSupported { return _discoveryDictionary[kClaimsLocalesSupportedKey]; } - (nullable NSArray *)UILocalesSupported { return _discoveryDictionary[kUILocalesSupportedKey]; } - (BOOL)claimsParameterSupported { return [_discoveryDictionary[kClaimsParameterSupportedKey] boolValue]; } - (BOOL)requestParameterSupported { return [_discoveryDictionary[kRequestParameterSupportedKey] boolValue]; } - (BOOL)requestURIParameterSupported { // Default is true/YES. if (!_discoveryDictionary[kRequestURIParameterSupportedKey]) { return YES; } return [_discoveryDictionary[kRequestURIParameterSupportedKey] boolValue]; } - (BOOL)requireRequestURIRegistration { return [_discoveryDictionary[kRequireRequestURIRegistrationKey] boolValue]; } - (nullable NSURL *)OPPolicyURI { return [NSURL URLWithString:_discoveryDictionary[kOPPolicyURIKey]]; } - (nullable NSURL *)OPTosURI { return [NSURL URLWithString:_discoveryDictionary[kOPTosURIKey]]; } @end NS_ASSUME_NONNULL_END