Issue
My authConfig is something like so:

    {
      useNonce: true,
      additionalParameters: {
        nonce: myCustomNonce
      }
    }

When authorize is called, from Google I got: OAuth 2 parameters can only have a single value: nonce.
Looking into the source, on the Android side, when nonce is set in additionalParameters, nonce is removed from additionalParameters after retrieval (react-native-app-auth/packages/react-native-app-auth/android/src/main/java/com/rnappauth/RNAppAuthModule.java, lines 703 to 707 in 8fc717b):

    if (additionalParametersMap.containsKey("nonce")) {
        authRequestBuilder.setNonce(additionalParametersMap.get("nonce"));
        additionalParametersMap.remove("nonce");
    }

However, on iOS, we have (react-native-app-auth/packages/react-native-app-auth/ios/RNAppAuth.m, line 340 in 8fc717b):

    NSString *nonce = useNonce ? additionalParameters[@"nonce"]? additionalParameters[@"nonce"]: [[self class] generateState] : nil ;

And nonce is not removed from additionalParameters, whilst both nonce and additionalParameters are passed as parameters to OIDAuthorizationRequest.initWithConfiguration: (react-native-app-auth/packages/react-native-app-auth/ios/RNAppAuth.m, lines 343 to 356 in 8fc717b):

    OIDAuthorizationRequest *request =
        [[OIDAuthorizationRequest alloc] initWithConfiguration:configuration
                                                      clientId:clientId
                                                  clientSecret:clientSecret
                                                         scope:[OIDScopeUtilities scopesWithArray:scopes]
                                                   redirectURL:[NSURL URLWithString:redirectUrl]
                                                  responseType:OIDResponseTypeCode
                                                         state: additionalParameters[@"state"] ? additionalParameters[@"state"] : [[self class] generateState]
                                                         nonce:nonce
                                                  codeVerifier:codeVerifier
                                                 codeChallenge:codeChallenge
                                           codeChallengeMethod: usePKCE ? OIDOAuthorizationRequestCodeChallengeMethodS256 : nil
                                          additionalParameters:additionalParameters];

AFAIK, AppAuth-iOS will then put the nonce twice in the URL:
https://github.com/openid/AppAuth-iOS/blob/77e32a8bbfb973966692854c974c7599973a0f59/Sources/AppAuthCore/OIDAuthorizationRequest.m#L333-L365
The fix would be to align iOS with Android - nonce should be removed from additionalParameters.
Environment
- Your Identity Provider: Google
- Platform that you're experiencing the issue on: iOS
- Your react-native Version: 0.83.6
- Your react-native-app-auth Version: 8.1.0
- Are you using Expo?: Yes
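
The duplicate-parameter behaviour reported above and the Android-style handling, sketched as an added example that is not part of the original issue and not react-native-app-auth or AppAuth code. `buildAuthorizeUrl`, `duplicateParams`, `splitNonce`, the endpoint and the sample values are all hypothetical; the builder is a simplified model that assumes explicit fields and additionalParameters are both appended to the query.

```javascript
// Hypothetical, simplified request builder: serializes the explicit fields,
// then appends additionalParameters without de-duplicating.
function buildAuthorizeUrl(endpoint, fields, additionalParameters) {
  const query = new URLSearchParams();
  for (const [k, v] of Object.entries(fields)) {
    if (v != null) query.append(k, v);
  }
  for (const [k, v] of Object.entries(additionalParameters || {})) {
    query.append(k, v); // append, not set: a repeated key is emitted twice
  }
  return `${endpoint}?${query}`;
}

// Names that occur more than once in the query string of a URL.
function duplicateParams(url) {
  const counts = new Map();
  for (const [k] of new URL(url).searchParams) counts.set(k, (counts.get(k) || 0) + 1);
  return [...counts].filter(([, n]) => n > 1).map(([k]) => k);
}

// Same idea as the Android snippet quoted in the issue: take nonce out of
// additionalParameters so it is only sent through the dedicated field.
// Returns a copy; the caller's object is not mutated.
function splitNonce(additionalParameters, useNonce, generate) {
  if (!useNonce) return { nonce: null, additionalParameters: { ...additionalParameters } };
  const { nonce: custom, ...rest } = additionalParameters || {};
  return { nonce: custom != null ? custom : generate(), additionalParameters: rest };
}

// Constructed sample values.
const ENDPOINT = 'https://idp.example/authorize';
const CONFIG = { useNonce: true, additionalParameters: { nonce: 'my-custom-nonce', prompt: 'login' } };
const generateNonce = () => 'generated-nonce';

// Models the iOS path described in the issue: nonce is read but left in the map.
function currentIosBehaviour() {
  const extra = CONFIG.additionalParameters;
  const nonce = CONFIG.useNonce ? (extra.nonce || generateNonce()) : null;
  return buildAuthorizeUrl(ENDPOINT, { response_type: 'code', nonce }, extra);
}

// Models the proposed alignment with Android.
function alignedWithAndroid() {
  const { nonce, additionalParameters } = splitNonce(CONFIG.additionalParameters, CONFIG.useNonce, generateNonce);
  return buildAuthorizeUrl(ENDPOINT, { response_type: 'code', nonce }, additionalParameters);
}

console.log(duplicateParams(currentIosBehaviour())); // [ 'nonce' ]
console.log(duplicateParams(alignedWithAndroid()));  // []
```

RFC 6749 section 3.1 states that request parameters must not be included more than once, which is why a provider can reject a request carrying nonce twice.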