41 changes: 22 additions & 19 deletions Auth0/Auth0WebAuth.swift
Expand Up @@ -29,7 +29,6 @@ final class Auth0WebAuth: WebAuth {
private(set) var ephemeralSession = false
private(set) var issuer: String
private(set) var leeway: Int = 60 * 1000 // Default leeway is 60 seconds
private(set) var nonce: String?
private(set) var maxAge: Int?
private(set) var organization: String?
private(set) var invitationURL: URL?
Expand All @@ -38,7 +37,11 @@ final class Auth0WebAuth: WebAuth {
private(set) var onCloseCallback: (() -> Void)?

var state: String {
return self.parameters["state"] ?? self.generateDefaultState()
return parameters["state"] ?? generateRandomString()
}

var nonce: String {
return parameters["nonce"] ?? generateRandomString()
}

lazy var redirectURL: URL? = {
Expand Down Expand Up @@ -91,6 +94,11 @@ final class Auth0WebAuth: WebAuth {
return self
}

func nonce(_ nonce: String) -> Self {
self.parameters["nonce"] = nonce
return self
}

func state(_ state: String) -> Self {
self.parameters["state"] = state
return self
Expand All @@ -117,11 +125,6 @@ final class Auth0WebAuth: WebAuth {
return self
}

func nonce(_ nonce: String) -> Self {
self.nonce = nonce
return self
}

func audience(_ audience: String) -> Self {
self.parameters["audience"] = audience
return self
Expand Down Expand Up @@ -181,13 +184,15 @@ final class Auth0WebAuth: WebAuth {
return callback(.failure(WebAuthError(code: .noBundleIdentifier)))
}

let handler = self.handler(redirectURL)
let state = self.state
let nonce = nonce
let state = state
let handler = self.handler(redirectURL, nonce: nonce)

let authorizeURL: URL
do {
authorizeURL = try self.buildAuthorizeURL(withRedirectURL: redirectURL,
defaults: handler.defaults,
nonce: nonce,
state: state)
} catch {
return callback(.failure(error))
Expand Down Expand Up @@ -249,7 +254,8 @@ final class Auth0WebAuth: WebAuth {

func buildAuthorizeURL(withRedirectURL redirectURL: URL,
defaults: [String: String],
state: String?) throws(WebAuthError) -> URL {
nonce: String,
state: String) throws(WebAuthError) -> URL {
guard let authorize = self.overrideAuthorizeURL ?? URL(string: "authorize", relativeTo: self.url),
var components = URLComponents(url: authorize, resolvingAgainstBaseURL: true) else {
let message = "Unable to build authorize URL with base URL: \(self.url.absoluteString)."
Expand All @@ -264,7 +270,7 @@ final class Auth0WebAuth: WebAuth {
entries["response_type"] = self.responseType
entries["redirect_uri"] = redirectURL.absoluteString
entries["state"] = state
entries["nonce"] = self.nonce
entries["nonce"] = nonce
entries["organization"] = self.organization

if let invitationURL = self.invitationURL {
Expand Down Expand Up @@ -297,21 +303,18 @@ final class Auth0WebAuth: WebAuth {
return components.url!
}

func generateDefaultState() -> String {
func generateRandomString() -> String {
let data = Data(count: 32)
var tempData = data

let result = tempData.withUnsafeMutableBytes {
SecRandomCopyBytes(kSecRandomDefault, data.count, $0.baseAddress!)
}

guard result == 0, let state = tempData.a0_encodeBase64URLSafe()
guard result == errSecSuccess, let randomString = tempData.a0_encodeBase64URLSafe()
else { return UUID().uuidString.replacingOccurrences(of: "-", with: "") }

return state
return randomString
}

private func handler(_ redirectURL: URL) -> OAuth2Grant {
private func handler(_ redirectURL: URL, nonce: String) -> OAuth2Grant {
var authentication = Auth0Authentication(clientId: self.clientId,
url: self.url,
session: self.session,
Expand All @@ -323,7 +326,7 @@ final class Auth0WebAuth: WebAuth {
issuer: self.issuer,
leeway: self.leeway,
maxAge: self.maxAge,
nonce: self.nonce,
nonce: nonce,
organization: self.organization)
}

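Review bot: The new computed `nonce` property (and the reworked `state`) yields a different random value on every access when nothing was set through `parameters`, so any caller that reads it twice sends one nonce in the authorize URL and validates the ID token against another; `start` avoids this by capturing `let nonce = nonce` once, but the property itself does not say so. Add a doc comment on both properties along the lines of "The nonce sent in the authorize request and checked against the ID token. A fresh random value on every read unless set via nonce(_:) or parameters(_:), so read it once per request and pass that value to both the URL builder and the grant handler." The `let nonce = nonce` / `let state = state` lines shadow the properties with same-named locals, which compiles but reads as self-reference; `let nonce = self.nonce` and `let state = self.state` make the one-time capture explicit. In `generateRandomString()`, the fallback to a dash-stripped `UUID` when `SecRandomCopyBytes` does not return `errSecSuccess` is silent and produces a shorter value than the 32 random bytes; a one-line comment stating that the UUID is the deliberate fallback source of randomness would help anyone auditing this path. The `start` method and the `Auth0WebAuth` class both continue outside the hunks shown.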