Class

PKCEAuthorizationFlow

The Proof Key for Code Exchange (PKCE) extension to the OAuth 2.0 Authorization Code Grant according to RFC 7636.

Declaration

class PKCEAuthorizationFlow

Overview

Conforms to the Swauthable protocol.

See init(clientID:authorizationEndpoint:tokenEndpoint:redirectURI:keychain:) and/or init(clientID:authorizationEndpoint:tokenEndpoint:redirectURI:keychain:scopes:) for initialization examples.

Getting Started

To use the PKCE Authorization Code Flow, first create an instance of Keychain and then create an instance of PKCEAuthorizationFlow by filling in the information of the Web API you wish to utilize. Spotify will be used as an example.


let keychain = Keychain(service: "com.your.bundleID",
                        accessGroup: "appIdentifierPrefix.com.your.bundleID").label("Your App Name")


var spotify = PKCEAuthorizationFlow(clientID: "YourClientID",
                                    authorizationEndpoint: URL(string: "https://accounts.spotify.com/authorize")!,
                                    tokenEndpoint: URL(string: "https://accounts.spotify.com/api/token")!,
                                    redirectURI: "someapp://callback",
                                    keychain: keychain)
spotify.additionalRefreshTokenBodyParams = ["client_id": "YourClientID"] // Spotify specifically requires the client ID to be included in the refresh token's body parameters.

I can now get the authorization URL my user will follow like so:


let authURL = spotify.authorizationURL

SwiftUI users, I recommend using BetterSafariView’s ASWebAuthenticationSession for following the authorization URL.

Assuming the user authorizes your application, pass the callback URL into authorizationResponseHandler(for:) (but of course take into account proper error handling):


try await spotify.authorizationResponseHandler(for: callbackURL)

Assuming no errors were thrown, you can now successfully make an authorized HTTP request to the endpoint of your choice and print the resulting JSON:


let request = HTTPRequest(endpoint: URL(string: "https://api.spotify.com/v1/browse/new-releases")!)


let response = try await spotify.authenticatedRequest(for: request)


// Assuming no errors were thrown
print(response.json())

Topics

Initialization

init(clientID: String, authorizationEndpoint: URL, tokenEndpoint: URL, redirectURI: String, keychain: Keychain)
Initializes a PKCEAuthorizationFlow object.
convenience init(clientID: String, authorizationEndpoint: URL, tokenEndpoint: URL, redirectURI: String, keychain: Keychain, scopes: String)
Initializes a PKCEAuthorizationFlow object, with scopes.

Options

Additional options can be configured for the instance, for example:

Discussion


authFlowInstance.additionalAuthorizationParams = ["Additional Key": "Value for Additional Key"]
var additionalAuthorizationParams: [String : String]?
Additional authorization parameters.
var additionalTokenRequestParams: [String : String]?
Any additional parameters for the token request.
var additionalRefreshTokenBodyParams: [String : String]?
Ignore if the Web API does not provide a refresh token. Any additional HTTP body parameters for the token refresh request. The key/value pairs for “refresh_token” and “grant_type” are handled internally when a authenticatedRequest(for:numberOfRetries:) is made.
var scopes: String?
The scopes you want your app to be authorized for, separated by spaces.
var authHeaderTokenType: String?
Some servers may use a different key for their authorization header’s token type than the one provided by the token request response.

Handle the Callback

func authorizationResponseHandler(for: Response) async throws
Handles the callback URL from an ASWebAuthenticationSession and sends a HTTP request to the initialized token endpoint for the tokens.

Read-only Properties

var authorizationURL: URL
A URL constructed from the authorizationEndpoint and authorizationParams for use with an ASWebAuthenticationSession. Read-only.
var authorizationParams: [String : String]
The parameters for the authorizationURL. Read-only.
var tokenRequestParams: [String : String]
The HTTP body parameters for the token request. Read-only.

Initialized Properties

let authorizationEndpoint: URL
The server authorization endpoint URL. Is initialized.
let clientID: String
The client identifier issued by the server. Is initialized.
let keychain: Keychain
Instance of KeychainAccess. Is initialized.
let redirectURI: String
The application’s redirect URI. Is initialized.
let tokenEndpoint: URL
The server’s token endpoint URL. Is initialized.

Default Implementations

Swauthable Implementations

Relationships

Inherited By

Conforms To

See Also

The Authorization Flows

class AuthorizationCodeFlow
The OAuth 2.0 Authorization Code Grant according to RFC 6749/6750.
class DeviceAuthorizationFlow
The Device Authorization Grant extension to the OAuth 2.0 Authorization Code Grant according to to RFC 8628.