Adds proper handling of ID token validation errors

NandanPrabhu · NandanPrabhu · commit b089ff50a8aa · 2026-02-25T19:17:33.000+05:30
diff --git a/App/ContentView.swift b/App/ContentView.swift
@@ -23,13 +23,11 @@ struct ContentView: View {
 
             Button {
                 Task {
-                    #if WEB_AUTH_PLATFORM
                     #if os(macOS)
                     await viewModel.webLogin(presentationWindow: currentWindow)
                     #else
                     await viewModel.webLogin(presentationWindow: window)
                     #endif
-                    #endif
                 }
             } label: {
                 VStack(spacing: 4) {
@@ -44,14 +42,11 @@ struct ContentView: View {
 
             Button {
                 Task {
-                    #if WEB_AUTH_PLATFORM
-
                     #if os(macOS)
                     await viewModel.logout(presentationWindow: currentWindow)
                     #else
                     await viewModel.logout(presentationWindow: window)
                     #endif
-                    #endif
                 }
             } label: {
                 Text("Logout")
diff --git a/App/ContentViewModel.swift b/App/ContentViewModel.swift
@@ -9,7 +9,6 @@ final class ContentViewModel: ObservableObject {
     @Published var isAuthenticated: Bool = false
     private let credentialsManager = CredentialsManager(authentication: Auth0.authentication())
 
-#if WEB_AUTH_PLATFORM
     func webLogin(presentationWindow window: Auth0WindowRepresentable? = nil) async {
         isLoading = true
         errorMessage = nil
@@ -66,9 +65,7 @@ final class ContentViewModel: ObservableObject {
 
         isLoading = false
     }
-    
-    #endif
-    
+
     func checkAuthentication() async {
         do {
             let credentials = try await credentialsManager.credentials()
diff --git a/Auth0/CredentialsManager.swift b/Auth0/CredentialsManager.swift
@@ -904,8 +904,11 @@ public struct CredentialsManager: Sendable {
                         }
                     case .failure(let error):
                         complete()
+                        // ID token validation failures are deterministic — do not retry them
+                        if let cause = error.cause, isIDTokenValidationError(cause) {
+                            callback(.failure(CredentialsManagerError(code: .renewFailed, cause: cause)))
                         // Check if we should retry based on error type and retry count
-                        if self.shouldRetryRenewal(for: error, retryCount: retryCount) {
+                        } else if self.shouldRetryRenewal(for: error, retryCount: retryCount) {
                             // Calculate exponential backoff delay: 0.5s, 1s, 2s, etc.
                             let delay = pow(2.0, Double(retryCount)) * 0.5
                             DispatchQueue.global(qos: .utility).asyncAfter(deadline: .now() + delay) {
@@ -979,7 +982,11 @@ public struct CredentialsManager: Sendable {
                         }
                     case .failure(let error):
                         complete()
-                        callback(.failure(CredentialsManagerError(code: .ssoExchangeFailed, cause: error)))
+                        if let cause = error.cause, isIDTokenValidationError(cause) {
+                            callback(.failure(CredentialsManagerError(code: .ssoExchangeFailed, cause: cause)))
+                        } else {
+                            callback(.failure(CredentialsManagerError(code: .ssoExchangeFailed, cause: error)))
+                        }
                     }
                 }
         }
diff --git a/Auth0/IDTokenValidator.swift b/Auth0/IDTokenValidator.swift
@@ -46,6 +46,24 @@ enum IDTokenDecodingError: Auth0Error {
     }
 }
 
+/// Returns `true` if the given error is one of the known ID token validation error types.
+/// Use this instead of `cause is any Auth0Error` since many types (e.g. `AuthenticationError`,
+/// `CredentialsManagerError`) also conform to `Auth0Error` and would produce false positives.
+func isIDTokenValidationError(_ error: Error) -> Bool {
+    return error is IDTokenDecodingError
+        || error is IDTokenIssValidator.ValidationError
+        || error is IDTokenSubValidator.ValidationError
+        || error is IDTokenAudValidator.ValidationError
+        || error is IDTokenExpValidator.ValidationError
+        || error is IDTokenIatValidator.ValidationError
+        || error is IDTokenNonceValidator.ValidationError
+        || error is IDTokenAzpValidator.ValidationError
+        || error is IDTokenAuthTimeValidator.ValidationError
+        || error is IDTokenOrgIDValidator.ValidationError
+        || error is IDTokenOrgNameValidator.ValidationError
+        || error is IDTokenSignatureValidator.ValidationError
+}
+
 func validate(idToken: String,
               with context: IDTokenValidatorContext,
               signatureValidator: JWTAsyncValidator? = nil, // for testing
diff --git a/Auth0/MFA/Auth0MFAClient.swift b/Auth0/MFA/Auth0MFAClient.swift
@@ -196,7 +196,17 @@ private extension Auth0MFAClient {
                                nonce: nonce,
                                organization: organization,
                                from: result,
-                               callback: callback
+                               callback: { (verifyResult: Result<T, MFAVerifyError>) in
+                                   switch verifyResult {
+                                   case .failure(let error):
+                                       if let cause = error.cause, isIDTokenValidationError(cause) {
+                                           return callback(.failure(MFAVerifyError(cause: cause)))
+                                       }
+                                       callback(.failure(error))
+                                   case .success(let value):
+                                       callback(.success(value))
+                                   }
+                               }
                            )
                        },
                        parameters: payload,
diff --git a/Auth0/OAuth2Grant.swift b/Auth0/OAuth2Grant.swift
@@ -91,7 +91,7 @@ struct PKCE: OAuth2Grant {
         case .failure(let error):
             // ID token validation failures are wrapped in AuthenticationError(cause:) where the
             // cause is an Auth0Error from the validator. Map these to .idTokenValidationFailed.
-            if let cause = error.cause, cause is any Auth0Error {
+            if let cause = error.cause, isIDTokenValidationError(cause) {
                 return callback(.failure(WebAuthError(code: .idTokenValidationFailed, cause: cause)))
             }
             return callback(.failure(WebAuthError(code: .codeExchangeFailed, cause: error)))

Original file line number	Diff line number	Diff line change
`@@ -904,8 +904,11 @@ public struct CredentialsManager: Sendable {`
`904`	`904`	`}`
`905`	`905`	`case .failure(let error):`
`906`	`906`	`complete()`
	`907`	`+ // ID token validation failures are deterministic — do not retry them`
	`908`	`+ if let cause = error.cause, isIDTokenValidationError(cause) {`
	`909`	`+ callback(.failure(CredentialsManagerError(code: .renewFailed, cause: cause)))`
`907`	`910`	`// Check if we should retry based on error type and retry count`
`908`		`- if self.shouldRetryRenewal(for: error, retryCount: retryCount) {`
	`911`	`+ } else if self.shouldRetryRenewal(for: error, retryCount: retryCount) {`
`909`	`912`	`// Calculate exponential backoff delay: 0.5s, 1s, 2s, etc.`
`910`	`913`	`let delay = pow(2.0, Double(retryCount)) * 0.5`
`911`	`914`	`DispatchQueue.global(qos: .utility).asyncAfter(deadline: .now() + delay) {`
`@@ -979,7 +982,11 @@ public struct CredentialsManager: Sendable {`
`979`	`982`	`}`
`980`	`983`	`case .failure(let error):`
`981`	`984`	`complete()`
`982`		`- callback(.failure(CredentialsManagerError(code: .ssoExchangeFailed, cause: error)))`
	`985`	`+ if let cause = error.cause, isIDTokenValidationError(cause) {`
	`986`	`+ callback(.failure(CredentialsManagerError(code: .ssoExchangeFailed, cause: cause)))`
	`987`	`+ } else {`
	`988`	`+ callback(.failure(CredentialsManagerError(code: .ssoExchangeFailed, cause: error)))`
	`989`	`+ }`
`983`	`990`	`}`
`984`	`991`	`}`
`985`	`992`	`}`
Original file line number	Diff line number	Diff line change
`@@ -91,7 +91,7 @@ struct PKCE: OAuth2Grant {`
`91`	`91`	`case .failure(let error):`
`92`	`92`	`// ID token validation failures are wrapped in AuthenticationError(cause:) where the`
`93`	`93`	`// cause is an Auth0Error from the validator. Map these to .idTokenValidationFailed.`
`94`		`- if let cause = error.cause, cause is any Auth0Error {`
	`94`	`+ if let cause = error.cause, isIDTokenValidationError(cause) {`
`95`	`95`	`return callback(.failure(WebAuthError(code: .idTokenValidationFailed, cause: cause)))`
`96`	`96`	`}`
`97`	`97`	`return callback(.failure(WebAuthError(code: .codeExchangeFailed, cause: error)))`